Privacy Policy

When you register, we collect your name, email address, and a hashed password. If you sign up via Google or LinkedIn OAuth, we receive your name and email from those providers.

You may upload CV documents (DOCX format) to the platform. These files are processed by our AI systems to extract skills, experience, and other professional data. Your original and optimised CV versions are stored securely in AWS S3.

We collect job search parameters you configure, including job titles, locations, experience levels, and scheduling preferences. This data is used to run automated searches on your behalf.

When you track job applications, we store information about the roles, companies, application status, and any notes you add.

We collect standard server logs including IP address, browser type, pages visited, and timestamps. We also use Google Analytics 4 to collect anonymised usage data such as pages visited, session duration, referring URLs, device type, and approximate geographic location at country or region level — but only after you have given cookie consent via our consent banner. Google Analytics data is collected with IP anonymisation enabled. This data helps us diagnose issues and improve the platform.

Payment processing is handled entirely by Stripe. We do not store your credit card details. We receive limited billing metadata (subscription tier, payment status) from Stripe.

Your CV and job search preferences are used to run job discovery searches, generate ATS-optimised CV versions, and power the application tracking dashboard.

CV content and job descriptions are sent to OpenAI's API for two purposes: (1) AI-powered CV rewriting using GPT-4o — generating tailored CV text aligned with a job description; (2) match scoring using OpenAI's embeddings API (text-embedding-3-small) — converting CV and job description text into numerical vectors to compute a relevance score. This processing is governed by OpenAI's data processing agreements. We do not use your data to train third-party AI models.

To surface relevant job listings, we use an automated job data service that retrieves publicly available job postings from LinkedIn based on your configured search parameters. This process runs on our behalf using the Apify platform, which scrapes publicly visible LinkedIn job listings. We do not access your personal LinkedIn account.

We use your email for authentication, email verification, transactional notifications, and account security. When you register with an email address and password, we send a one-time verification link to confirm you own the address before granting access. Users who sign up via Google or LinkedIn OAuth are verified automatically through those providers. If you forget your password, you may request a reset link sent to your registered email; reset links are single-use, expire after 1 hour, and are cryptographically signed. Whenever a password change occurs — whether via the reset flow or from Settings — we send a security notification email to your registered address. Job notification emails (search results) can be disabled at any time from Settings or via the unsubscribe link in any email. Security emails (verification, password reset, password change confirmation) cannot be opted out of as they are required to protect your account. We do not send marketing emails without your explicit consent.

We use Google Analytics 4 to collect aggregated, anonymised usage data, but only after you have explicitly accepted analytics cookies via our cookie consent banner. Google Analytics operates in consent-denied mode by default — no analytics cookies are set until you accept. This helps us understand how the product is used, measure feature adoption, and identify areas for improvement. We do not use analytics data to identify individual users.

We never sell, rent, or trade your personal information to third parties for their marketing purposes.

We share data with trusted third-party service providers strictly to operate the platform:

CV content and job descriptions are sent to OpenAI's API for AI-powered CV optimisation (GPT-4o) and CV-to-job match scoring (text-embedding-3-small). Data is processed per OpenAI's API data usage policies.

CV files are stored in AWS S3 buckets with encrypted access URLs. AWS processes data per their SOC 2 and ISO 27001 certifications.

All billing and payment processing is handled by Stripe. We share only what Stripe requires to manage your subscription.

We use the Apify platform to run automated job discovery tasks that retrieve publicly available job listings from LinkedIn. Your personal login credentials are never shared with Apify.

Background job queues are managed using Redis. Temporary job task data may pass through these systems.

We use SendGrid to deliver transactional email notifications, including: job search result summaries, email address verification links, password reset links, and password change security alerts. SendGrid processes your email address and the content of these notifications on our behalf. Data may be processed on servers in the United States. SendGrid's privacy policy is available at sendgrid.com/policies/privacy.

We use Google Analytics 4 (operated by Google LLC) to collect anonymised usage data — only after you accept analytics cookies via our consent banner. Google Analytics operates with Consent Mode v2 and defaults to denied. Google may process consented data on servers in the United States and other countries. Data sharing with Google is governed by Google's Analytics Terms of Service and Privacy Policy. You can also opt out globally by installing the Google Analytics Opt-out Browser Add-on at tools.google.com/dlpage/gaoptout.

We may disclose your information if required by law, court order, or to protect the rights and safety of our users or the public.

We retain your account data for as long as your account remains active. If you delete your account, your personal data is deleted immediately, except where we are required to retain it for legal or billing purposes.

Original and optimised CV files are retained in AWS S3 for the duration of your account. You may delete individual files from your dashboard at any time.

Transaction records may be retained for up to 7 years to comply with financial regulations.

You may request a copy of your personal data at any time by contacting us at [email protected].

You can update your email notification preferences directly from Settings. To update your name or email address, please contact us at [email protected].

You can delete your account and all associated personal data at any time from Settings → Danger Zone. Deletion is immediate and permanent. Alternatively, you may contact [email protected].

If you believe we are processing your data unlawfully or wish to restrict processing for legitimate reasons, please contact us.

If you are located in the European Union or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR) and UK GDPR, including the right to lodge a complaint with your local supervisory authority.

All data in transit is encrypted via HTTPS/TLS. CV files in AWS S3 use server-side encryption. Authentication tokens are signed JWTs (HMAC-SHA256) with a server-side secret, stored in httpOnly cookies. Password reset tokens are HMAC-SHA256 signed, single-use, and expire after 1 hour; they are stored temporarily in Redis and invalidated immediately upon use or when a newer reset is requested.

Access to production systems is restricted to authorised personnel. Passwords are stored as bcrypt hashes and are never stored in plaintext.

While we implement industry-standard security practices, no system is 100% secure. In the event of a data breach affecting your information, we will notify you as required by applicable law.

When you first visit JOBVIAN, a cookie consent banner is displayed. Analytics cookies are not set until you explicitly click Accept. You can reject analytics cookies without affecting core functionality. Your preference is saved in your browser's localStorage so the banner is not shown on every visit.

We use a single HTTP-only cookie named 'token' to maintain your authenticated session (JWT, 7-day expiry). This cookie is required for the service to function and cannot be rejected.

If you accept analytics cookies, Google Analytics 4 sets: _ga (expires after 2 years) — distinguishes unique users; _ga_* (expires after 2 years) — maintains session state. These collect anonymised data such as pages visited and session duration. No personally identifiable information is stored in these cookies. Analytics cookies are never set if you click Reject.

For a complete list of all cookies and how to manage them, see our Cookie Policy.

We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page and, for material changes, notify you by email. Your continued use of JOBVIAN after changes are posted constitutes your acceptance of the updated policy.

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

[email protected]

[email protected]