Your GDPR Rights

Last updated: April 30, 2026 · Applies to users in the EEA, UK, and similar jurisdictions

Under the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018, you have significant rights over your personal data. We take these rights seriously and have built self-service tools to make exercising them as easy as possible.

Data Controller: ApplyIt Ltd | Contact: privacy@applyit.app | Response time: 30 days

Your Rights Explained

Art. 15

Right of Access

Request a copy of all personal data we hold about you, including your profile, CV, usage history, and payment records.

How to exercise: Use Settings → Account → Export My Data (instant JSON download), or email us.

⏱ Provided within 30 days.

Art. 16

Right to Rectification

Correct any inaccurate or incomplete personal data we hold about you.

How to exercise: Update your name and email directly in Settings → Account. For other corrections, email us.

⏱ Corrected within 5 business days.

Art. 17

Right to Erasure

Request permanent deletion of your account and all associated personal data (CV, analyses, saved jobs, usage records).

How to exercise: Go to Settings → Account → Delete Account, or email us. Payment records are retained for 7 years per financial regulations.

⏱ Data deleted within 30 days.

Art. 20

Right to Data Portability

Receive your personal data in a structured, commonly used, machine-readable format (JSON) to transfer to another service.

How to exercise: Use Settings → Account → Export My Data. Download includes your profile, CV text, job analyses, saved jobs, and usage history.

⏱ Available instantly via self-service.

Art. 18

Right to Restrict Processing

Request that we limit how we use your data while you contest its accuracy or while a complaint is being resolved.

How to exercise: Email us explaining what processing you wish to restrict and why.

⏱ Restriction applied within 5 business days pending verification.

Art. 21

Right to Object

Object to processing of your personal data based on legitimate interests, including processing for service improvement purposes.

How to exercise: Email us specifying the processing you object to. We will assess whether our legitimate interests override your rights.

⏱ Response within 30 days.

Art. 7(3)

Right to Withdraw Consent

Withdraw any consent you have provided at any time (e.g., marketing emails). Withdrawal does not affect the lawfulness of processing before withdrawal.

How to exercise: Unsubscribe link in any email, or update your preferences in Settings.

⏱ Immediate effect.

How to Submit a Data Request

You can exercise your rights in three ways:

Self-service (fastest): Settings → Account provides instant Export and Delete options.
Email: Send a request to privacy@applyit.app. Include: your name, registered email address, the specific right you wish to exercise, and any relevant details.
Verification: We may need to verify your identity before processing requests. We will ask you to confirm from your registered email address.

We will respond to all requests within 30 days. If we cannot comply (e.g., due to a legal obligation to retain data), we will explain why.

Legal Basis for Processing

Contract (Art. 6(1)(b)): Processing necessary to provide the Service — account management, AI features, payments.
Legitimate interests (Art. 6(1)(f)): Usage tracking for fair-use enforcement, fraud prevention, service improvement using anonymised data.
Legal obligation (Art. 6(1)(c)): Retaining payment records for tax and financial compliance (7 years).
Consent (Art. 6(1)(a)): Marketing communications — only with explicit opt-in.

International Data Transfers

Some of your data is processed by third-party services outside the EEA, specifically Anthropic (United States) and Stripe (United States). These transfers are protected by Standard Contractual Clauses (SCCs) pursuant to Article 46 GDPR. Our database (Supabase) is hosted within the EU.

Data Processors

Supabase: Database and authentication — EU (AWS eu-central-1). DPA in place.
Anthropic: AI processing via API — US. SCCs in place. No model training on API data.
Stripe: Payment processing — US. SCCs and PCI-DSS compliance.

Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with your local data protection authority:

UK: Information Commissioner's Office (ICO) — ico.org.uk
Ireland: Data Protection Commission — dataprotection.ie
Germany: BfDI — bfdi.bund.de
Other EU: Your national supervisory authority under Art. 77 GDPR.

We would appreciate the opportunity to address your concerns before you contact a supervisory authority. Please email privacy@applyit.app first.