Privacy Policy

We collect the following categories of personal data:

We process your personal data on the following legal bases (GDPR Art. 6):

• Contract performance (Art. 6(1)(b)) — running your account, generating CVs and cover letters, processing subscription payments, and providing customer support.
• Legitimate interest (Art. 6(1)(f)) — protecting Jobcamp from fraud and abuse, fixing crashes via Sentry, and basic server-side observability.
• Consent (Art. 6(1)(a)) — product analytics (PostHog), in-app support chat (Crisp), and advertising measurement (Meta Pixel and Meta Conversions API). You can withdraw consent at any time from the cookie banner or the cookie-preferences link in our footer; withdrawal does not affect the lawfulness of prior processing.
• Legal obligation (Art. 6(1)(c)) — retaining tax-relevant billing records as required by financial law.

For California residents, we treat the equivalent CCPA bases as above and apply Limited Data Use signaling on advertising-measurement events for users we identify as California residents.

We share personal data only with carefully selected sub-processors who act on our instructions under a Data Processing Agreement. The categories of recipients are:

• Authentication and identity — the provider that runs sign-in, session management, and identity verification. Receives your email, name, and profile information.
• Application database and storage — the cloud database that holds your account, applications, and generated content. Our deployment is hosted in the EU.
• Payment processing — Stripe, our payment processor, receives billing identifiers, subscription metadata, and invoice records. Card details are submitted directly to Stripe and never reach our servers.
• Background job and task queue — receives the resume and job-description content you submit, transiently, while we run generation pipelines.
• AI / LLM inference providers — large-language-model providers we use to generate CVs, cover letters, and interview prep. Receives the job description and resume content you submit, transiently, to produce output. Providers do not retain or train on your content.
• Advertising measurement — Meta (Pixel and Conversions API), only with your consent. Receives advertising-measurement events (sign-up, trial start, subscription) tagged with opaque identifiers derived using a server-side secret. Used for ad attribution; we never sell your data.
• Product analytics — only with your consent. EU-hosted. Receives anonymous usage events that help us improve features.
• Customer-support chat — only with your consent. Powers in-app support chat. If you reject analytics, in-app chat will not load and you can still email [email protected].
• Error monitoring — receives stack traces and user IDs but no email or PII payload.
• Advertising acquisition platforms — ad networks we use to acquire new users. They do not receive personal data from us beyond the consent-gated measurement events listed under Advertising measurement above.

A current list of named sub-processors, their roles, locations, and transfer safeguards is available on request — email [email protected] with the subject "Sub-processor list".

We do not sell your personal information. We do not share it with advertisers or other third parties beyond the sub-processors above acting on our instructions.

International transfers. Some sub-processors operate in the United States or globally. These transfers rely on the EU Standard Contractual Clauses (SCCs) and, where applicable, the EU–U.S. Data Privacy Framework.

How long we keep data. Account and application data are stored for the lifetime of your account, plus a short retention window for billing and audit obligations after deletion. Stripe retains payment records for up to 10 years to meet financial-record obligations. Meta retains advertising-measurement events according to their Conversions API data retention policy. Consent records are retained for up to 13 months under the ePrivacy directive.

If you are in the EU, UK, or California, you have the rights below. We will respond within one calendar month (GDPR) or 45 days (CCPA), free of charge, unless requests are manifestly unfounded or excessive.

• Access & portability — request a copy of the personal data we hold about you. Email [email protected] with the subject "Data export" and we will respond within one calendar month.
• Erasure — ask us to delete your account and associated data. Email [email protected] or use the in-app "Delete account" flow. Records we are legally required to retain (e.g. tax-relevant billing) will be kept for the minimum period required.
• Rectification — correct inaccurate personal data.
• Object & restrict — ask us to limit or stop certain processing.
• Withdraw consent — revisit cookie preferences at any time. Withdrawal does not affect prior processing.
• Lodge a complaint — with your local data-protection authority. In Poland this is UODO; in the UK the ICO; in France the CNIL.

We use TLS in transit and encrypted storage at rest for all account data. Access to production systems is restricted to authorized personnel and audited. Webhooks from Clerk and Stripe are signature-verified before processing. Errors are reported to Sentry without raw PII payloads. We do not provide a guarantee against every form of loss, but we follow industry-standard practices for a service of our size.

We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. Material changes (such as adding a new processor or extending retention periods) will be highlighted on the homepage or by email when feasible. By continuing to use jobcamp.ai or app.jobcamp.ai after a change takes effect, you accept the updated policy.

For any questions regarding this Privacy Policy or your dealings with this site, please contact us: