Privacy Policy

Last updated: April 30, 2026 · Effective immediately

1. Who We Are

ApplyIt (“we,” “our,” or “us”) is a job application optimization platform operated by ApplyIt Ltd. We provide AI-powered tools to help job seekers create tailored CVs, cover letters, ATS analysis, and interview preparation materials. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website, dashboard, and Chrome extension.

Our service is directed at users in the European Union, United Kingdom, Egypt, and internationally. We comply with the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and applicable data protection laws.

Data Controller: ApplyIt Ltd.
Contact: privacy@applyit.app

2. Information We Collect

2.1 Information You Provide Directly

• Account information: Email address, password (hashed), name, and profile picture when you register.
• CV / Career DNA: The CV text and structured data you upload. This is used to power all AI features and is stored securely in our database.
• Job data: Job descriptions, company names, and job titles you submit for analysis.
• Payment information: Billing details collected and processed by our payment provider (Stripe). We do not store raw card numbers.
• Communications: Any messages or support requests you send us.

2.2 Information We Collect Automatically

• Usage data: Feature usage counts, request timestamps, and plan tier — used to enforce fair-use limits and display your usage dashboard.
• Technical data: IP address (used for geo-pricing detection only, not stored long-term), browser type, operating system.
• Country/region: Derived from your IP at request time to show correct pricing (e.g., EGP vs USD). This is not stored as a tracking identifier.
• Extension activity: The Chrome extension communicates only with our API. It does not track your browsing history, collect page content outside of supported job sites (LinkedIn, Indeed, Wuzzuf), or send data to third parties.

2.3 Information We Do Not Collect

• We do not collect social security numbers, national identification numbers, or sensitive financial data beyond what Stripe handles.
• We do not collect biometric data.
• We do not use advertising trackers or sell data to advertisers.
• We do not access your email inbox, calendar, or contacts.

3. How We Use Your Information

We use your data for the following purposes, each with a clear legal basis under GDPR:

• Providing the service (Contract): Processing your CV, generating cover letters, scoring ATS matches, creating interview questions, and running the job feed agent.
• Account management (Contract): Creating and maintaining your account, authenticating logins, and managing your subscription.
• Usage enforcement (Legitimate interest): Tracking feature usage counts to enforce your plan's fair-use limits and prevent abuse.
• Payment processing (Contract): Processing subscription payments and handling refunds via Stripe.
• Service improvement (Legitimate interest): Analysing aggregate, anonymised usage patterns to improve features. We do not use your CV content for model training.
• Legal compliance (Legal obligation): Retaining payment records and responding to lawful requests from authorities.
• Communications (Consent / Contract): Sending transactional emails (account confirmation, payment receipts). Marketing emails only with explicit consent.

4. Third-Party Services and Data Processors

We share data with the following third-party processors, each bound by appropriate data processing agreements:

Anthropic (Claude AI)

Your CV text and job descriptions are sent to Anthropic's Claude API to generate AI outputs (cover letters, ATS analysis, interview questions). Anthropic processes this data as a data processor under our instructions. Anthropic does not use API-submitted content to train its models. Data is transmitted over TLS. See Anthropic's privacy policy at anthropic.com/privacy.

Supabase (Database & Auth)

Your account data, CV text, usage records, and generated content are stored in Supabase (PostgreSQL). Supabase is hosted on AWS infrastructure in the EU (eu-central-1 by default). Data is encrypted at rest and in transit.

Stripe (Payments)

Subscription payments are handled by Stripe, Inc. When you subscribe, you are redirected to a Stripe-hosted payment page. We receive a payment confirmation and subscription status; we never see or store your full card number. Stripe is PCI-DSS Level 1 certified.

Cloudflare / Hosting Provider

We use infrastructure providers for hosting and DDoS protection. These providers may process connection-level data (IP addresses, request metadata) as part of normal network operations.

5. Data Retention

• Active account data: Retained for as long as your account is active.
• After account deletion: Your profile, CV, job analyses, cover letters, and saved jobs are permanently deleted within 30 days. Payment records are retained for 7 years to comply with financial regulations (HMRC, etc.).
• Inactive accounts: Accounts with no login for 24 months may be automatically scheduled for deletion, with prior email notification.
• AI cache: In-memory response caches are cleared every 5 minutes and are not persisted to disk.
• Audit logs: Kept for 12 months for security and fraud prevention purposes.

6. Your Rights Under GDPR

If you are located in the EEA, UK, or another jurisdiction with similar data protection laws, you have the following rights:

• Right of access (Art. 15): Request a copy of all personal data we hold about you. Use the “Export My Data” feature in Settings → Account, or email privacy@applyit.app.
• Right to rectification (Art. 16): Correct inaccurate personal data. Update your name and email in Settings.
• Right to erasure (Art. 17): Delete your account and all associated data. Use Settings → Account → Delete Account, or email privacy@applyit.app. We action deletion requests within 30 days.
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format (JSON). Use the “Export My Data” feature in Settings.
• Right to restrict processing (Art. 18): Request we limit how we use your data while a complaint is resolved.
• Right to object (Art. 21): Object to processing based on legitimate interests.
• Right to withdraw consent: Withdraw any consent you have given at any time.

To exercise any right, email privacy@applyit.app. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority (e.g., ICO in the UK, AEPD in Spain).

7. Cookies and Tracking

ApplyIt uses only strictly necessary cookies and browser storage:

• Authentication token: A JWT stored in localStorage to keep you logged in. No third-party cookies.
• Extension storage: The Chrome extension uses chrome.storage.local to cache your auth token and the last detected job. This data stays on your device.
• No analytics cookies: We do not use Google Analytics, Facebook Pixel, or similar tracking technologies.

8. Data Security

We implement industry-standard security measures: TLS encryption for all data in transit, AES-256 encryption for data at rest in Supabase, bcrypt password hashing, short-lived JWT access tokens (24 hours), role-based access controls, and regular security reviews. However, no method of transmission over the internet is 100% secure. If you discover a security vulnerability, please report it responsibly to privacy@applyit.app.

9. International Data Transfers

Your data may be transferred to and processed in the United States (Anthropic API, Stripe) and the EU (Supabase). For transfers outside the EEA, we rely on Standard Contractual Clauses (SCCs) and adequacy decisions where applicable.

10. Children's Privacy

ApplyIt is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@applyit.app and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes by email or via a prominent notice in the app. The “Last Updated” date at the top of this page indicates when the most recent changes were made. Continued use of ApplyIt after changes constitutes acceptance.

12. Contact Us

For privacy questions, data requests, or complaints:
Email: privacy@applyit.app
We aim to respond to all requests within 5 business days and complete data rights requests within 30 days.