1. Who We Are
JobPilotX AI ("we", "us", "our") operates the website jobpilotx.com and provides AI-powered job application automation services. We are the data controller for personal data processed through our platform.
Contact: privacy@jobpilotx.com
2. Data We Collect
We collect the following categories of personal data:
- Account data: Name, email address, password (hashed), profile photo (if using OAuth)
- Resume data: Uploaded resumes, parsed profile data (work history, skills, education, contact info)
- Job preferences: Desired roles, locations, salary range, remote preference
- Application data: Jobs applied to, cover letters generated, application status
- Payment data: Processed by Stripe — we never store full card numbers
- Usage data: Pages visited, features used, device info, IP address (anonymized after 30 days)
3. Legal Basis for Processing (GDPR Art. 6)
- Contract performance (Art. 6(1)(b)): Processing your resume, finding jobs, submitting applications — necessary to provide our service
- Consent (Art. 6(1)(a)): Sending marketing emails, using optional analytics cookies
- Legitimate interest (Art. 6(1)(f)): Improving our service, fraud prevention, basic analytics
- Legal obligation (Art. 6(1)(c)): Tax and billing records
4. How We Use Your Data
- Parse your resume to create your candidate profile
- Match you with relevant job opportunities
- Generate tailored cover letters and resumes
- Submit job applications on your behalf (only with your explicit approval)
- Process payments and manage your subscription
- Send transactional emails (application updates, receipts)
- Improve our AI matching algorithms and service quality
5. AI Processing
We use AI models (including third-party AI providers) to parse resumes, score job matches, generate cover letters, and answer screening questions. Your data is sent to these providers only as needed to deliver the service. We do not allow AI providers to train on your personal data.
Automated decisions: Job match scores are generated by AI. These scores assist you but do not produce legal or similarly significant effects. You always have final control over which jobs to apply to.
6. Data Sharing
We share personal data only with:
- Supabase (database hosting — EU-compliant)
- Stripe (payment processing — PCI DSS compliant)
- AI providers (DeepSeek, MiniMax, OpenRouter) — for resume parsing, scoring, and content generation
- Resend (transactional email delivery)
- Vercel (website hosting)
- Employers — when you explicitly authorize us to submit an application
We never sell your personal data to third parties.
7. International Data Transfers
Some of our processors operate outside the EEA. We ensure adequate safeguards via Standard Contractual Clauses (SCCs) or adequacy decisions where applicable. You may request details of these safeguards by contacting us.
8. Data Retention
- Account data: Retained while your account is active, deleted within 30 days of account deletion
- Resume data: Deleted when you delete your account or remove the file
- Application history: Retained for 12 months after account deletion for dispute resolution, then deleted
- Payment records: Retained for 7 years as required by EU tax law
- Analytics data: IP addresses anonymized after 30 days; aggregated data retained indefinitely
9. Your Rights (GDPR)
Under the GDPR, you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data ("right to be forgotten") (Art. 17)
- Restrict processing (Art. 18)
- Receive your data in a machine-readable format, i.e. data portability (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time (Art. 7(3))
- Lodge a complaint with your local data protection authority
To exercise any right, email privacy@jobpilotx.com. We respond within 30 days.
10. Cookies
We use:
- Strictly necessary cookies: Authentication session, CSRF protection (no consent needed)
- Analytics cookies: Vercel Analytics for page views and performance (anonymized, consent required)
We do not use advertising or tracking cookies.
11. Security
We protect your data using encryption in transit (TLS 1.3), encryption at rest, hashed passwords, Row Level Security (RLS) on our database, and regular security reviews. Despite these measures, no system is 100% secure. If a breach occurs, we will notify affected users and relevant authorities within 72 hours as required by GDPR Art. 33.
12. Children
Our service is not directed at anyone under 16. We do not knowingly collect data from children.
13. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or in-app notification. The "last updated" date at the top reflects the latest revision.