Privacy Policy

Last updated: 12 April 2026

1. Who We Are

JobPilotX ("we", "us", "our") operates the website jobpilotx.com and provides AI-powered job application automation services. JobPilotX is operated by an individual developer based in the European Union. We are the data controller for personal data processed through our platform.

Contact: support@jobpilotx.com

2. Data We Collect

We collect the following categories of personal data:

  • Account data: Name, email address, password (hashed), profile photo (if using OAuth via Google or LinkedIn)
  • Resume and profile data: Uploaded resumes, parsed profile information including work history, skills, education, certifications, and contact details
  • Cover letters: AI-generated and user-edited cover letters stored for each application
  • Job preferences: Desired roles, target locations, salary expectations, remote/hybrid/onsite preference, seniority level, and industry preferences
  • Application data: Jobs matched and applied to, application status, employer responses, follow-up history, and screening question answers
  • Payment data: Subscription plan, billing cycle, and payment history. Full card details are processed and stored exclusively by Stripe — we never see or store your complete card number
  • Usage data: Pages visited, features used, session duration, device type, browser type, IP address, and referral source
  • Communication data: Email digest preferences, support conversations, and feedback you provide

3. How We Use Your Data

  • AI job matching: We parse your resume using AI models to create vector embeddings of your profile, then match these against job listings scraped from public job boards (RemoteOK, WeWorkRemotely, Remotive, Himalayas, Jobicy, EURES)
  • Auto-apply: When you approve applications (or enable auto-apply mode), we submit job applications on your behalf via email or LinkedIn Easy Apply
  • AI content generation: We use AI to generate tailored cover letters, optimized resumes, and screening question answers based on your profile and the specific job listing
  • Email communications: We send automated job digest emails (Tuesday and Friday), congratulatory emails when applications advance, follow-up reminders, and transactional emails (receipts, account updates)
  • Payment processing: We process subscription payments and one-time credit purchases through Stripe
  • Service improvement: We analyze aggregate usage patterns to improve our AI matching algorithms, user interface, and overall service quality
  • Referral program: If you participate in our referral program, we process referral codes and track successful referrals to credit your account

4. Legal Basis for Processing (GDPR Art. 6)

  • Contract performance (Art. 6(1)(b)): Processing your resume, matching jobs, submitting applications, and managing your subscription — all necessary to provide the service you signed up for
  • Consent (Art. 6(1)(a)): Sending marketing emails, email digest preferences, and using optional analytics
  • Legitimate interest (Art. 6(1)(f)): Improving our AI models using aggregated and anonymized data, fraud prevention, basic service analytics, and ensuring platform security
  • Legal obligation (Art. 6(1)(c)): Retaining tax and billing records as required by law

5. Third-Party Services

We share personal data with the following third-party processors, each for a specific purpose:

Service | Purpose | Data Shared
Supabase | Authentication and database (PostgreSQL) | All account and application data
Stripe | Payment processing (PCI DSS Level 1) | Email, name, payment details
OpenRouter | AI model routing for content generation | Resume text, job descriptions (for matching and generation)
Google Gemini | AI model for resume parsing and matching | Resume text, job descriptions
Resend | Transactional email delivery | Email address, name, email content
Sentry | Error tracking and performance monitoring | Anonymous error data, device/browser info (no personal data)
Vercel | Website hosting and edge delivery | Anonymous analytics, request logs

We do not allow any AI provider to use your personal data to train their models. We never sell your personal data to third parties.

6. Data Retention

  • Active account: All your data (profile, resumes, applications, preferences) is stored for as long as your account remains active
  • Account deletion: When you delete your account, we perform a soft-delete immediately. After 30 days, an automated process permanently hard-deletes all your personal data from our database. This grace period allows you to recover your account if the deletion was accidental
  • Resume files: Deleted when you remove them or when your account is hard-deleted
  • Application history: Deleted with your account after the 30-day grace period
  • Payment records: Retained for 7 years after the transaction date as required by EU tax regulations. These records are maintained by Stripe
  • Analytics data: IP addresses are anonymized after 30 days. Aggregated, non-personal analytics are retained indefinitely
  • Support communications: Retained for 12 months after resolution, then deleted

7. Your Rights Under GDPR

As a data subject under the General Data Protection Regulation, you have the following rights:

  • Right of access (Art. 15): Request a copy of all personal data we hold about you. We will provide this in a structured, commonly used format within 30 days
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data. You can also update most data directly from your account settings
  • Right to erasure (Art. 17): Request deletion of your personal data. You can delete your account from Settings, which triggers our soft-delete then hard-delete process described above
  • Right to data portability (Art. 20): Receive your data in a machine-readable format (JSON) so you can transfer it to another service
  • Right to restrict processing (Art. 18): Request that we limit how we use your data while a complaint or correction is being resolved
  • Right to object (Art. 21): Object to processing based on our legitimate interests, including profiling for job matching
  • Right to withdraw consent (Art. 7(3)): Withdraw consent for any processing based on consent (such as marketing emails) at any time, without affecting the lawfulness of prior processing
  • Right to lodge a complaint: You may file a complaint with your local data protection authority if you believe we have violated your rights

To exercise any of these rights, email support@jobpilotx.com. We will respond within 30 days. We may ask you to verify your identity before processing your request.

8. Cookies

We use a minimal set of cookies:

  • Strictly necessary cookies: Supabase authentication session cookies (sb-*-auth-token) — required to keep you logged in. No consent needed
  • Analytics: Vercel Analytics (va) for anonymous page view tracking

We do not use advertising cookies, third-party tracking cookies, social media tracking pixels, or cross-site tracking of any kind.

For full details, see our Cookie Policy.

9. Data Security

We take the security of your data seriously and implement the following measures:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3
  • Database security: We use Supabase Row Level Security (RLS) policies to ensure users can only access their own data. Service-role keys are isolated and never exposed to the client
  • Password security: Passwords are hashed using bcrypt via Supabase Auth. We never store plaintext passwords
  • Payment security: All payment processing is handled by Stripe, which is PCI DSS Level 1 certified. Card data never touches our servers
  • Access control: Internal access to production data is restricted and logged
  • Breach notification: In the event of a data breach, we will notify affected users and relevant data protection authorities within 72 hours as required by GDPR Art. 33

Despite these measures, no system is 100% secure. We continuously review and improve our security practices.

10. International Data Transfers

Some of our third-party processors (such as Stripe, OpenRouter, and Sentry) may process data outside the European Economic Area (EEA). Where this occurs, we ensure adequate safeguards are in place through Standard Contractual Clauses (SCCs), adequacy decisions, or other approved transfer mechanisms under GDPR Chapter V.

You may request details of the specific safeguards applied to international transfers by contacting us.

11. AI Processing and Automated Decisions

We use AI models provided through OpenRouter and Google Gemini to parse resumes, compute job match scores, generate cover letters, and draft screening question answers. Your resume text and relevant job descriptions are sent to these providers solely to deliver the service.

Automated decision-making: Job match scores are generated automatically by AI. These scores are advisory and help you prioritize opportunities. They do not produce legal effects or similarly significant decisions. You always retain full control over which applications to submit.

12. Children's Privacy

Our service is not intended for anyone under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at support@jobpilotx.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Material changes will be communicated via email or a prominent in-app notification at least 14 days before taking effect. The "last updated" date at the top of this page reflects the most recent revision.

14. Contact

If you have questions about this Privacy Policy, your data, or wish to exercise your GDPR rights, contact us at: