Privacy Policy

Last updated: 2026-05-20

1. What we collect

• Email address — via Google OAuth (Supabase Auth). We do not access any other Google scope.
• Resume text — as you paste it into the extension.
• Search preferences — region, keywords, notification threshold, experience summary.
• Job matching results — score, matched/missing skills, decision (for audit).
• Email send log — what we sent, when, and whether it succeeded.

We do NOT collect: browsing history, IP geolocation, contacts, screen captures.

2. Where it lives

• Supabase (Postgres, US-West) — auth + DB storage
• Cloudflare Workers — request handling (no persistent storage)
• DeepSeek — your resume text + job description sent for matching (per-request, not retained per DeepSeek's terms)
• Brevo — your email address used as recipient for match alerts

3. Third parties

We share data only with the services above, only as needed to deliver the product. We do not sell or share data for advertising.

4. Job listing sources

We aggregate publicly accessible job listings from LinkedIn's public unauthenticated search endpoint and Canada's Job Bank. We do not require user authentication to scrape, and we do not extract any private or login-walled content. This use is consistent with the hiQ Labs v. LinkedIn precedent (US 9th Circuit, 2019).

5. Your rights (GDPR, CASL, CCPA)

• Access — see all your data via the extension popup
• Deletion — "Delete account" in extension removes everything (cascade)
• Unsubscribe — every email has an unsubscribe link (RFC 2369 List-Unsubscribe header supported)
• Portability — email support@ai-apply.xyz for a data export

6. Retention

• User data: until you delete your account
• Scan run logs: 30 days
• LLM usage logs: 90 days
• Email send logs: 60 days

7. Security

HTTPS-only. JWT-based auth. Supabase Row Level Security enabled. No secrets in client-side code.

8. Children

Service not directed at users under 16.

9. Contact

Questions: support@ai-apply.xyz