Privacy Policy

    Last Updated: 26 November 2025

    1. Introduction

    JobFlow AI ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our job application tracking service.

    We act as the data controller for your personal data. This policy applies to all users of JobFlow AI and covers how we process your information in compliance with the UK GDPR and the Data Protection Act 2018.

    2. Legal Basis for Processing

    We process your personal data under the following legal bases as defined in Article 6(1) of the UK GDPR:

    Contract Performance (Article 6(1)(b))

    • Account creation and management
    • Providing the job tracking service
    • Processing subscription payments
    • Delivering features included in your plan

    Consent (Article 6(1)(a))

    • Accessing and processing your email data
    • Uploading and analyzing your CV/resume
    • Sending marketing communications (where opted in)

    Legitimate Interests (Article 6(1)(f))

    • Service improvement and product analytics
    • Fraud prevention and security monitoring
    • Customer support and issue resolution
    • Internal business operations

    3. Information We Collect

    We collect the following categories of personal data:

    3.1 Account Information

    • Name, email address, and password
    • Authentication data (Google/Microsoft OAuth tokens)
    • Profile preferences and settings

    3.2 Email Data

    • Email subjects, senders, and dates (when you grant permission)
    • Email content excerpts related to job applications
    • Job alert information extracted from emails

    3.3 CV/Resume Data

    • CV file content you voluntarily upload
    • Extracted career information (work history, education, skills)
    • CV health scores and improvement recommendations

    3.4 Job Application Data

    • Company names, job titles, and application status
    • Interview dates and notes you create
    • Job descriptions and URLs
    • Personal notes and reminders

    3.5 Payment Information

    • Payment details processed securely via Stripe (we do not store card numbers)
    • Billing history and subscription status
    • Transaction records for purchases

    3.6 Technical and Usage Data

    • Device information (browser type, operating system)
    • IP address and general location
    • Usage patterns and feature interactions
    • Cookies and similar tracking technologies

    4. How We Use Your Information

    • To automatically detect and organize job applications from your email
    • To provide AI-powered insights and recommendations
    • To generate interview preparation materials and CV analysis
    • To send you notifications about upcoming interviews and follow-ups
    • To improve our AI classification accuracy
    • To provide customer support
    • To detect and prevent fraud or abuse
    • To process payments and manage subscriptions

    5. Automated Decision-Making and AI Profiling

    We use artificial intelligence and automated systems to provide core features of our service. These automated processes include:

    AI Email Classification

    Our system automatically analyzes your emails to identify job-related messages and extract application details. This automated classification determines which emails appear in your job tracking pipeline.

    CV Health Scoring

    When you upload a CV, our AI automatically calculates health scores (content, format, ATS compatibility) and generates improvement recommendations.

    Daily Job Recommendations

    Our system uses automated matching algorithms to rank and recommend jobs based on your preferences and profile.

    Your Rights Regarding Automated Decisions: You have the right to request human review of any automated decision, understand the logic behind AI-generated outputs, and opt out of automated profiling where technically feasible. To exercise these rights, contact us using the details below.

    6. Data Security

    We implement industry-standard security measures to protect your data:

    • All data is encrypted in transit using TLS/SSL
    • OAuth tokens are encrypted at rest
    • Access to your data is restricted by Row-Level Security policies
    • Regular security audits and penetration testing
    • We never sell or share your personal information with third parties for marketing purposes

    7. Third-Party Services

    We use the following third-party service providers to deliver our service:

    Stripe (Payment Processing)

    All payment transactions are processed by Stripe. We do not store your full payment card details. View Stripe's privacy policy at: stripe.com/privacy

    Google & Microsoft (OAuth Authentication)

    When you connect your Gmail or Outlook account, authentication is handled by Google or Microsoft. Your email access tokens are encrypted and stored securely. View their privacy policies at: Google Privacy and Microsoft Privacy

    Supabase (Cloud Infrastructure)

    Our database and backend services are hosted on Supabase infrastructure. View their privacy policy at: supabase.com/privacy

    These third parties have access to your information only to perform specific tasks on our behalf and are contractually obligated not to disclose or use it for other purposes.

    8. Cookies and Tracking Technologies

    We use cookies and similar tracking technologies to improve your experience and understand how you use our service:

    • Essential Cookies: Required for authentication, security, and core functionality
    • Functional Cookies: Remember your preferences and settings (e.g., theme, language)
    • Analytics Cookies: Help us understand usage patterns to improve the service

    You can manage cookie preferences through your browser settings. Note that disabling essential cookies may prevent certain features from working properly.

    9. Your Rights Under UK GDPR

    You have the following data protection rights under UK GDPR and the Data Protection Act 2018:

    Right of Access (Article 15)

    You can request a copy of all personal data we hold about you, free of charge. We will respond within one month.

    Right to Rectification (Article 16)

    You can request correction of inaccurate or incomplete personal data.

    Right to Erasure (Article 17)

    You can request deletion of your personal data ("right to be forgotten"). This can be done through Settings → Account → Delete Account.

    Right to Restriction of Processing (Article 18)

    You can request that we limit how we use your data in certain circumstances.

    Right to Data Portability (Article 20)

    You can request a copy of your data in a machine-readable format or have it transferred to another service.

    Right to Object (Article 21)

    You can object to processing based on legitimate interests or direct marketing.

    Right to Withdraw Consent

    You can withdraw consent for email access at any time through Settings → Email Connections.

    Right to Lodge a Complaint: If you believe we have not handled your personal data properly, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

    • Website: ico.org.uk
    • Phone: 0303 123 1113
    • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

    10. Data Retention

    We retain your data for as long as your account is active. When you delete your account, we permanently delete all your personal data within 30 days, except where we are required by law to retain certain information for tax, audit, or fraud prevention purposes.

    11. Children's Privacy

    Our service is not intended for users under 16 years of age. We do not knowingly collect personal information from children. If we discover that we have collected data from someone under 16, we will delete it immediately.

    12. International Data Transfers

    Your personal data may be transferred to and processed in countries outside the United Kingdom, including the United States and the European Economic Area.

    When we transfer personal data outside the UK, we ensure appropriate safeguards are in place:

    • Standard Contractual Clauses (SCCs) approved by the UK ICO
    • Adequacy decisions where the destination country provides adequate data protection
    • Binding corporate rules for transfers within multinational organizations

    Our infrastructure providers (Supabase, Google, Microsoft) are based in regions with strong data protection frameworks and comply with UK GDPR requirements.

    13. Data Controller Information

    JobFlow AI acts as the data controller for your personal data.

    For data protection enquiries, contact us at:

    • Email: Contact us via the Contact page
    • Response time: We aim to respond to all data protection requests within one month

    14. Changes to This Policy

    We may update this Privacy Policy from time to time to reflect changes in our Service, legal requirements, or business practices. We will notify you of any material changes by email or through in-app notifications. The "Last Updated" date at the top of this policy indicates when it was last revised.

    15. Contact Us

    If you have questions about this Privacy Policy or our data practices, please contact us through our Contact page.