Privacy Policy

Last Updated: March 25, 2026

By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this policy, please do not use our Service.

1. Information We Collect

We collect several types of information to provide and improve our Service:

1.1 Information You Provide Directly

Account Information:

• Email address
• Full name
• Password (encrypted and hashed)
• Phone number
• Date of birth
• City and country
• Postal/ZIP code
• Complete address

Profile Content:

• Resume/CV files (PDF format)
• Profile photo
• Digital signature
• Professional information and work experience
• Skills and qualifications

Application Data:

• Job recipient information (company names, email addresses, websites, positions)
• Generated cover letters
• Application history and tracking data
• Email correspondence related to applications

Payment Information:

• Credit/debit card information (processed securely through Stripe and Razorpay - we do not store full card details)
• Billing address
• Transaction history
• Credit purchase records

1.2 Information Collected Automatically

Usage Data:

• IP address
• Browser type and version
• Device information (model, operating system, unique device identifiers)
• App version
• Pages visited and features used
• Time and date of visits
• Time spent on pages
• Referring website addresses
• Clickstream data

Technical Data:

• Cookies and similar tracking technologies
• Log files and error reports
• Performance metrics
• API calls and response times

1.3 Information from Third-Party Services

When you authenticate using third-party services, we may receive:

• Google OAuth: Email address, name, profile picture, Google account ID, OAuth access tokens
• Microsoft OAuth: Email address, name, profile picture, Microsoft account ID, OAuth access tokens

1.4 Email Access Permissions (OAuth Users Only)

When you sign in with Google or Microsoft OAuth and use our email features, you grant us permission to:

• Send emails on your behalf: Send job applications directly from your Gmail or Microsoft Outlook account
• Read your email messages: Access your inbox to check for employer replies to job applications sent through CVApplyr
• Store OAuth tokens: Securely maintain authentication tokens to keep you logged in and enable email features

2. How We Use Your Information

We use the collected information for the following purposes:

2.1 Service Provision

• Create and manage your account
• Generate personalized cover letters using AI
• Research companies and job positions
• Send job applications on your behalf
• Store and organize your application history
• Provide customer support

2.2 Service Improvement

• Analyze usage patterns to improve our AI algorithms
• Develop new features and functionalities
• Fix bugs and optimize performance
• Conduct research and development

2.3 Communication

• Send transactional emails (account verification, password reset, application confirmations)
• Notify you about service updates and new features
• Send promotional emails (you can opt-out at any time)
• Respond to your inquiries and support requests

2.4 Security and Fraud Prevention

• Detect and prevent fraudulent activities
• Monitor for security threats
• Enforce our Terms of Service
• Comply with legal obligations

2.5 Analytics and Business Intelligence

• Understand user demographics and preferences
• Measure marketing campaign effectiveness
• Generate aggregate statistics (anonymized)
• Improve user experience and engagement

2.6 Email Access and Reply Detection

For users who authenticate with Google or Microsoft OAuth, we use email access permissions to:

• Send job applications: Send emails directly from your personal email account (Gmail or Outlook) with your resume and cover letter attached
• Check for employer replies: Scan your inbox for responses from companies you applied to through CVApplyr
• Update application status: Automatically mark applications as "replied" when we detect a response from the employer
• Track reply dates: Record the date when an employer responded to your application

What we DO NOT do with email access:

• ❌ Read the content of any emails (yours or employer replies)
• ❌ Access emails unrelated to CVApplyr applications
• ❌ Store or share your email content with third parties
• ❌ Use your email for any purpose other than the features you authorize
• ❌ Send emails without your explicit action (clicking "Send Application")

How reply detection works:

1. You click "Check Replies" in the app
2. We scan your inbox for emails from companies you applied to through CVApplyr
3. We match emails by sender address and date (must be after your application date)
4. We only check metadata (sender, date, subject line) - NOT email content
5. We update your application history with reply status and date
6. We DO NOT read, store, or access the actual email content

Revoking email access:

You can revoke our email access at any time:

• Google: Visit Google Account Permissions and remove CVApplyr
• Microsoft: Visit Microsoft Account Permissions and remove CVApplyr

After revoking, you can still use CVApplyr but email-based features (sending from your account, checking replies) will not work.

3. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process your personal data based on:

• Consent: You have given explicit consent for specific purposes (e.g., marketing emails)
• Contract: Processing is necessary to fulfill our contract with you (providing the Service)
• Legitimate Interests: We have legitimate business interests (e.g., improving our Service, fraud prevention)
• Legal Obligation: We must comply with legal requirements (e.g., tax laws, data retention laws)

4. How We Share Your Information

We do not sell your personal information to third parties. We may share your information in the following circumstances:

4.1 Service Providers

We share information with trusted third-party service providers who assist us in operating our Service:

• Cloud Hosting: Server infrastructure and data storage
• AI Services: Google Gemini AI for cover letter generation
• Payment Processors: Stripe and Razorpay for secure payment processing
• Email Services: SMTP providers for sending application emails
• Analytics: Usage analytics and performance monitoring
• Customer Support: Support ticket management systems

These providers are contractually obligated to protect your data and use it only for the purposes we specify.

4.2 Business Transfers

If we are involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our Service.

4.3 Legal Requirements

We may disclose your information if required to do so by law or in response to:

• Valid legal requests from public authorities (e.g., court orders, subpoenas)
• Law enforcement or government agencies
• Protection of our legal rights and safety
• Investigation of fraud or security issues
• Compliance with regulatory obligations

4.4 With Your Consent

We may share your information with third parties when you explicitly consent to such sharing.

5. Data Retention

We retain your personal information for as long as necessary to provide our Service and comply with legal obligations:

• Active Accounts: We retain your data while your account is active
• Deleted Accounts: Data is deleted within 30 days of account deletion (subject to legal retention requirements)
• Transaction Records: Payment and transaction data retained for 7 years (tax and accounting requirements)
• Support Communications: Retained for 3 years for quality assurance
• Anonymous Analytics: May be retained indefinitely for research purposes

6. Data Security

We implement industry-standard security measures to protect your personal information:

6.1 Technical Safeguards

• SSL/TLS encryption for data in transit
• AES-256 encryption for data at rest
• Secure password hashing using bcrypt
• JWT tokens for secure authentication
• Encrypted storage of OAuth access tokens in PostgreSQL database
• Secure token refresh mechanisms for Google and Microsoft OAuth
• Regular security audits and penetration testing
• Firewall protection and DDoS mitigation

6.2 OAuth Token Security

For users who authenticate with Google or Microsoft OAuth:

• Encrypted Storage: OAuth access tokens are stored encrypted in our secure PostgreSQL database
• Limited Access: Tokens are used only for features you explicitly authorize (sending emails, checking replies)
• No Sharing: We never share your OAuth tokens with third parties
• Automatic Refresh: Tokens are automatically refreshed to maintain your authenticated session
• Revocable: You can revoke our access at any time through your Google or Microsoft account settings
• Scope Limitations: We only request the minimum permissions needed for our features

Current OAuth Permissions:

• Google: profile, email, gmail.send (send emails), gmail.metadata (check for reply headers)
• Microsoft: user.read (profile), Mail.Send (send emails), Mail.Read (check for replies), offline_access (maintain session)

6.3 Organizational Safeguards

• Access controls and role-based permissions
• Employee confidentiality agreements
• Security awareness training
• Incident response procedures
• Regular backup and disaster recovery plans

6.4 Security Limitations

While we strive to protect your personal information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

7. Your Rights and Choices

You have the following rights regarding your personal information:

7.1 Access and Portability

• Request a copy of your personal data
• Download your data in a machine-readable format (JSON/CSV)
• Access your account information through your profile settings

7.2 Correction and Update

• Update your profile information at any time
• Correct inaccurate or incomplete data
• Change your email address and password

7.3 Deletion and Erasure

• Request deletion of your account and personal data
• Delete specific content (cover letters, recipients, files)
• Request erasure under GDPR "right to be forgotten"

7.4 Restriction and Objection

• Restrict processing of your personal data
• Object to processing based on legitimate interests
• Withdraw consent for specific processing activities

7.5 Marketing Communications

• Opt-out of promotional emails via unsubscribe link
• Manage email preferences in account settings
• Continue to receive transactional emails (cannot opt-out)

7.6 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

• Email: support@cvapplyr.com
• Subject line: "Privacy Rights Request"
• Include: Your full name, email address, and specific request

We will respond to your request within 30 days (or as required by applicable law).

8. Cookies and Tracking Technologies

8.1 Types of Cookies We Use

Essential Cookies: Required for the Service to function (session management, authentication)

Performance Cookies: Help us understand how users interact with our Service

Functional Cookies: Remember your preferences and settings

Analytics Cookies: Collect anonymous usage statistics

8.2 Managing Cookies

You can control cookies through your browser settings:

• Block all cookies
• Delete existing cookies
• Allow cookies from specific websites
• Receive notifications when cookies are set

Note: Blocking essential cookies may affect Service functionality.

9. Children's Privacy

Our Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. We will delete such information from our systems.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws.

We ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Privacy Shield Framework (where applicable)
• Data Processing Agreements with service providers
• Compliance with GDPR for EEA users

11. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to Know: Request disclosure of personal information collected, used, and shared
• Right to Delete: Request deletion of personal information
• Right to Opt-Out: Opt-out of sale of personal information (we do not sell personal information)
• Right to Non-Discrimination: We will not discriminate against you for exercising your rights

To exercise these rights, contact us at support@cvapplyr.com with "CCPA Request" in the subject line.

12. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR):

• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent
• Right to lodge a complaint with a supervisory authority

Our Data Protection Officer can be reached at: support@cvapplyr.com

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the updated policy on our website
• Sending an email notification to your registered email address
• Displaying an in-app notification
• Updating the "Last Updated" date at the top of this page

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

14. Third-Party Links

Our Service may contain links to third-party websites and services (e.g., company websites for job applications). We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies.

15. Data Breach Notification

In the event of a data breach that affects your personal information, we will:

• Notify you via email within 72 hours of discovery (as required by GDPR)
• Describe the nature of the breach
• Explain the potential consequences
• Inform you of the measures taken to address the breach
• Provide recommendations to protect yourself

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

17. Consent

By using our Service, you consent to the collection, use, and sharing of your information as described in this Privacy Policy.

---

Your privacy matters to us. We are committed to protecting your personal information and being transparent about our data practices.

← Back to Home | Terms of Service | Refund Policy