Privacy Policy
Introduction
Jobloyable ("we," "our," or "us") is an AI-powered career optimization platform operated by Logentive Systems FZ L.L.C. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use Jobloyable.
Master Policy
This Privacy Policy is supplemental to and incorporates by reference our Master Privacy Policy, which covers: your full privacy rights under GDPR, CCPA, PIPEDA, and other regulations; international data transfer mechanisms; data security standards; breach notification procedures; age requirements; and jurisdiction-specific provisions for all regions we serve. By using Jobloyable, you agree to both this privacy policy and the Master Privacy Policy. In the event of any conflict, this product-specific privacy policy controls for matters related to the Jobloyable service.
1. Information We Collect
1.1 Information You Provide
- Account Information: Name, email address, and password (encrypted).
- Profile Data: Professional information, preferences, and settings.
- Resume Content: Work history, education, skills, achievements, and other career-related information.
- Headshot Photos (Optional): If you choose to add a photo to your resume, we store the uploaded image in encrypted cloud storage scoped to your account. Photos are automatically processed to remove EXIF metadata (GPS coordinates, device information, camera details) before storage. Photos are only accessible to you through your authenticated session and are not publicly accessible. You can delete your photo at any time.
- Payment Information: Credit card details (processed and stored by our payment processor, Stripe, not by us).
- Communications: Messages, support requests, and feedback.
- Consent Records: When you accept our Terms of Service and Privacy Policy, we record the timestamp, the policy version you accepted, and your IP address. If policies are updated and you re-accept, we record the updated acceptance.
1.2 Information Collected Automatically
- Usage Data: Features used, pages visited, time spent, and click patterns.
- Device Information: Browser type, operating system, and device identifiers.
- Log Data: IP address, access times, and error logs.
- Payment Security Data: When you open or interact with a payment checkout powered by Stripe, Stripe may collect device, browser, network, and checkout interaction data to authenticate payments, detect fraud, and reduce unauthorized transactions.
- Cookies: Essential cookies for authentication and preferences (see our Cookie Policy).
1.3 Information from Third Parties
- Authentication Providers: If you sign in with Google or other OAuth providers, we receive your name, email, and profile picture.
- Payment Processors: Transaction status from Stripe.
2. How We Use Your Information
We use your information for the following purposes:
2.1 Service Provision (Legal Basis: Contract Performance)
- Create and maintain your account.
- Process your resumes with AI enhancement and optimization.
- Generate resume benchmarks and recommendations.
- Store and manage your resume versions.
- Display your headshot photo on resumes and PDF exports, where provided. Photos are embedded directly into exported PDFs and are not fetched from external URLs.
- Provide customer support.
2.2 Payment Processing (Legal Basis: Contract Performance)
- Process subscription payments and manage billing.
- Prevent fraud, card testing, and unauthorized transactions.
- Issue invoices and receipts.
2.3 Email Delivery Tracking (Legal Basis: Legitimate Interest)
- Track email delivery status (sent, delivered, opened, clicked) for transactional emails such as payment receipts, account notifications, and security alerts.
- Maintain delivery evidence for compliance and dispute resolution purposes.
- Monitor email deliverability and suppress addresses that bounce or report complaints.
2.4 Service Improvement (Legal Basis: Legitimate Interest)
- Analyze usage patterns to improve features.
- Monitor and improve AI model performance.
- Debug technical issues and optimize performance.
2.5 Communications (Legal Basis: Consent or Legitimate Interest)
- Send transactional emails (account confirmations, password resets).
- Provide customer support responses.
- Send service announcements and updates (with opt-out option).
2.6 Legal Compliance (Legal Basis: Legal Obligation)
- Comply with applicable laws and regulations.
- Respond to legal requests and prevent fraud.
- Enforce our Terms of Service.
2.7 Fraud Prevention (Legal Basis: Legitimate Interest)
- Detect and prevent payment fraud, chargebacks, and account abuse.
- After permanent account deletion, retain a one-way SHA-256 hash of the deleted account email address for fraud prevention and abusive re-registration blocking.
3. Third-Party Services
We use third-party service providers to deliver and improve our services. Each provider handles data according to their own terms of service and privacy policy.
Service Providers and Sub-Processors
The following third-party service providers process personal data on our behalf. Each sub-processor is contractually bound to process data only as instructed and to maintain appropriate security measures.
| Sub-Processor | Purpose | Data Processed | Location | Privacy Policy |
|---|---|---|---|---|
| OpenAI | AI-powered resume analysis, ATS scoring, and content generation | Resume text and related inputs submitted for AI analysis, scoring, and content generation | Configured OpenAI processing region depends on project configuration; current deployments may include processing outside the European Union | View |
| PostHog | Consent-based product analytics and web analytics | Page views, feature usage events, user flows, referral metadata, and device/browser signals used for analytics when enabled by your consent preferences | European Union | View |
| Supabase | Database, authentication, and file storage | All user data, documents, account information, and uploaded photos | European Union | View |
| Vercel | Application hosting and edge functions | HTTP requests, page views, and application logs | European function region where configured; global CDN and static asset delivery may process internationally | View |
| Railway | Hosting for PDF generation and document parsing services | Resume documents, parsed resume content, PDF generation payloads, request metadata, and service logs | European Union | View |
| Stripe | Payment processing and subscription management | Payment method details, billing address, transaction history, and device, browser, IP, and checkout interaction data used for payment authentication and fraud prevention | International processing that may include the United States | View |
| Resend | Transactional email delivery | Email addresses, transactional email content, and delivery metadata | United States email sending region; account data, logs, metadata, and API records stored in the United States | View |
| Sentry | Error monitoring and performance tracking | Error logs, performance metrics, and browser information (PII scrubbed) | European Union | View |
| Cloudflare | Content delivery and security services | IP addresses and HTTP request metadata for content delivery and abuse prevention | Global network; stricter European localization requires Cloudflare Data Localization Suite | View |
We will provide at least 30 days' advance notice before adding or replacing a sub-processor that handles personal data. This notice will be communicated via email to affected users and updated on this page.
If you object to a new sub-processor, you may contact us within the notice period. If we cannot reasonably address your concern, you may terminate your account without penalty.
Note: We may change service providers from time to time to improve our services. This page will always reflect our current providers. Significant changes affecting data handling will be communicated in advance.
3.1 Data Residency
Our primary customer data storage, document parsing, PDF generation, product analytics, and error monitoring use European Union or European Economic Area regions where configured. The exact data center location within the EU/EEA may vary by provider and service configuration unless the provider agreement gives a specific country-level commitment. Some service providers that support payments, email delivery, AI processing, authentication, hosting, CDN, security, and abuse prevention may process data internationally, including in the United States, under applicable contractual safeguards. For information about international data transfer mechanisms and safeguards, please see our Master Privacy Policy and the service provider list above.
We describe our current sub-processors and their operating locations on this page so you can understand which parts of the service are EU-hosted and which may involve cross-border processing.
4. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information to third parties.
We may share your information only in the following circumstances:
- With Your Consent: When you explicitly authorize sharing.
- Service Providers: With third-party vendors who assist in operations (as described in Section 3).
- Legal Requirements: To comply with court orders, legal processes, or government requests.
- Protection of Rights: To protect our rights, property, safety, or that of our users.
- Business Transfers: In connection with a merger, acquisition, or sale of assets (with notice to users).
- Aggregated Data: Non-personally identifiable aggregated data for analytics and research.
5. Your Privacy Rights
For a complete description of your privacy rights under GDPR, CCPA/CPRA, PIPEDA, Australian Privacy Act, New Zealand Privacy Act, Singapore PDPA, and other applicable regulations, please see our Master Privacy Policy.
Your Rights Under the GDPR and UK GDPR
If you reside in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights regarding your personal data:
- Right of access: Obtain confirmation of whether we process your personal data and receive a copy of that data.
- Right to rectification: Have inaccurate personal data corrected and incomplete personal data completed.
- Right to erasure: Request deletion of your personal data, subject to legal retention obligations described in Section 6.
- Right to restriction of processing: Limit how we use your personal data in specific circumstances (for example, while a rectification request is pending).
- Right to data portability: Receive the personal data you have provided in a structured, commonly used, machine-readable format, and transmit it to another controller.
- Right to object: Object to processing based on legitimate interest (see Section 2), including any direct marketing.
- Right to withdraw consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing carried out before withdrawal.
- Right to lodge a complaint: File a complaint with your local data protection supervisory authority. EEA residents can locate their authority via the European Data Protection Board member list; UK residents can contact the Information Commissioner's Office.
How to Exercise Your Rights in Jobloyable
- Data Export:Use the "Export My Data" button in Settings, then Profile
- Account Deletion:Use the "Delete Account" button in Settings, then Profile (30-day recovery window applies)
- Photo Deletion: Remove your headshot photo from any resume via the resume editor
- Cookie Preferences: Manage via the cookie consent banner or browser settings
- Other Requests: Contact us via our Support Page (select "Privacy & Data Request")
We will respond to verified requests within 30 days, or as required by applicable law.
If you cannot access Settings, need help deleting a specific resume, or want to submit another privacy/data request manually, use our Support Page and choose "Privacy & Data Request".
6. Data Retention
We retain your personal information only as long as necessary to fulfill the purposes outlined in this policy:
- Active Accounts: For the duration of your account plus 30 days after deletion request
- Resume Content: Until you delete specific resumes or your account
- Headshot Photos: Deleted when you remove the photo, delete the associated resume, or delete your account. Permanently purged from storage within the 30-day post-deletion retention period.
- Payment Records: 7 years (tax and accounting requirements)
- Support Communications: 2 years after resolution
- Usage Logs: 90 days (security monitoring and compliance)
- Email Delivery Events: 18 months (delivery proof for compliance and dispute resolution)
- Accounts Auto-Cancelled for Inactivity: Eligible monthly subscriptions that we cancel for inactivity are retained for 18 months from last activity, then receive a 30 days deletion notice before permanent deletion
- Consent Records: For the lifetime of your account plus the post-deletion retention period (proof of policy acceptance)
- Marketing Consents: Until withdrawn or 2 years of inactivity
- Deleted Account Fraud-Prevention Hashes: 7 years (A one-way SHA-256 hash of a deleted account email address is retained after permanent deletion to prevent fraud, chargebacks, and abusive re-registration)
After the retention period, data is permanently deleted from our systems and backups.
7. AI Processing
Jobloyable is an AI-powered product. Uploaded resumes may first be processed by our self-hosted document parsing service to extract text, layout, and structure. When you use AI-powered features, we use third-party AI services to analyze your resumes, generate ATS-readiness assessments, and provide optimization suggestions. The specific AI providers we use are listed in Section 3: Third-Party Services above. This processing does not result in automated decisions that significantly affect you legally or similarly.
What AI Processing Includes
- Resume Analysis and Scoring: Extracting, categorizing, and evaluating your resume content against industry standards.
- Content Generation: Creating improvement suggestions, cover letters, and professional communications based on your profile.
- Career Guidance: Providing career path recommendations, interview preparation, and professional development insights.
Your Control Over AI
- Human Control: You review and approve all AI-generated content before using, downloading, or submitting it.
- No Automated Rejections: AI does not make decisions about your account status or access.
- Support Review: You can contact support if you believe AI output is inaccurate or inappropriate.
- Transparency: AI-generated content and scores are clearly labeled as estimates.
- AI-Required Features: AI processing is required for features such as resume analysis, scoring, recommendations, rewriting, enhancement, and AI inline helpers in the resume editor or builder. Manual resume building, manual editing, and upload without analysis where available may be used without sending content to AI providers.
Data Handling for AI
- We do not use your content to build, train, or fine-tune models operated by Jobloyable or Logentive Systems FZ L.L.C. The current AI provider listed above is OpenAI. According to that provider's data controls, API inputs and outputs are not used to train provider models by default unless an organization opts in.
- The self-hosted document parser is separate from the AI provider. It runs on infrastructure operated by Railway to extract resume text and structure. Only the extracted content necessary for the requested AI feature is sent to AI providers.
- AI providers may process or retain API data or metadata for operational reasons. For the current AI provider, API data or metadata may be retained for abuse monitoring, security, service operation, or legal compliance under provider terms.
8. Do Not Sell or Share (CCPA/CPRA)
We do not sell or share personal information as defined under the CCPA/CPRA and have not done so in the past 12 months. We do not use sensitive personal information for purposes beyond those authorized by the CCPA.
Global Privacy Control (GPC): We honor the Global Privacy Control signal. If your browser sends a GPC signal, we automatically restrict non-essential cookies and tracking to essential-only, treating it as a valid opt-out request under CCPA/CPRA.
Categories of Information Collected: In the preceding 12 months, we have collected the following categories of personal information: identifiers (name, email), professional information (resume content), visual information (optional headshot photos, if provided by you), internet activity (usage data, device information), and commercial information (subscription status). See Section 1 for full details.
For full CCPA/CPRA rights and rights under other US state privacy laws, see our Master Privacy Policy.
9. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
- Notification: We will notify you of material changes by email or prominent notice on our website.
- Effective Date: Changes become effective 30 days after notification (or immediately for legal compliance).
- Explicit Acceptance: For material changes, you will be required to explicitly review and accept the updated Privacy Policy before continuing to use the Service. Your acceptance is recorded with a timestamp for compliance purposes.
If you disagree with changes to this policy, you may cancel your subscription and delete your account.
10. Data Controller and Contact Information
Jobloyable is operated by Logentive Systems FZ L.L.C. For company details, please visit our Corporate Information page. The contact details below apply to privacy inquiries and data rights requests for the Jobloyable service.
Contact Us
Contact: Support Page (select "Privacy & Data Request")
Company: Logentive Systems FZ L.L.C
Legal Email: [email protected]
Response Time: Within 30 days for privacy requests (may extend for complex requests as permitted by applicable law)
Effective: May 2026 · Version: 1.0.0