1. Who we are

ApplyIt (“we”, “our”) is an AI-powered job-application platform operated by the ApplyIt team, Cairo, Egypt. Contact: support@useapplyit.com

2. What we collect

• Account data — email address, display name, password hash (stored by Supabase Auth).
• Profile data — CV uploads (text extracted; files not retained after extraction), LinkedIn/GitHub/Portfolio URLs, job-search preferences, phone number (optional, for WhatsApp OTP).
• Career DNA — a vector embedding derived solely from your own materials. Never combined with another user's data; never used to train shared AI models.
• Usage data — API requests, feature counts, plan tier, region. Used for billing, quota enforcement, and product analytics.
• Extension browsing context — when you activate the Chrome extension on a job page, that page's job description is sent to our API for match scoring only. We do not record your browsing history.
• Payment data — we store only transaction reference IDs and order status. Card details are handled entirely by Paymob (MENA) or LemonSqueezy (international).
• Cookies / localStorage — theme, language, session token, consent flag. No third-party tracking cookies unless you accept analytics.

3. How we use your data

• Providing the service: scoring jobs, generating CVs, cover letters, and proposals tailored to your Career DNA.
• Billing and plan enforcement.
• Transactional emails (welcome, payment receipts, follow-up reminders). You may unsubscribe from marketing at any time.
• Product analytics (aggregated, pseudonymous). Choose “Essential only” in the cookie banner to disable.
• Security: fraud detection, HMAC webhook verification, abuse prevention.

We never sell your data. We never use your Career DNA or generated content to train shared AI models.

4. Where data is stored

User data is stored in a Supabase Postgres database hosted in EU West (London). AI generation requests are routed through third-party AI providers under data-processing agreements. Data in transit is encrypted with TLS 1.2+.

5. Data retention

• Account and profile data: retained until you delete your account.
• Career DNA embeddings: deleted within 30 days of account deletion.
• Payment event logs: retained 7 years for legal/accounting compliance.
• Phone OTP codes: expire in 10 minutes; purged daily.
• Application logs: 90 days.

6. Your rights

• Access & Export — view and export your data at Settings → Data export.
• Deletion — delete your account and all data at Settings → Delete account. Payment logs are anonymised (not deleted) for legal retention.
• Correction — update your profile in Settings at any time.
• Analytics opt-out — click “Essential only” in the cookie banner or email us.

Email support@useapplyit.com for any request. We respond within 14 business days.

7. Subprocessors

• Supabase — database & auth (EU West)
• Vercel — frontend hosting
• Render — backend API hosting
• Paymob — payments (MENA)
• LemonSqueezy — payments (international)
• Resend — transactional email
• AI providers — LLM inference for Career DNA and content generation
• PostHog — product analytics (EU region, only if analytics accepted)

8. Security

Row-level security (RLS) on all database tables, HMAC-verified webhooks, JWT session tokens with refresh rotation, bcrypt password hashing, TLS everywhere. Report vulnerabilities to support@useapplyit.com.

9. Children

ApplyIt is not directed at children under 16. Contact us if you believe a child has provided data and we will delete it promptly.

10. Changes

Material changes will be announced by email to registered users at least 14 days before taking effect.

11. Contact

support@useapplyit.com