Privacy Policy
Last updated: 17 April 2026
Career Coach AI ("we", "our", or "us") respects your privacy and is committed to protecting your personal data. This policy explains what data we collect, why we collect it, how we use it, whom we share it with, and the rights you have over it. If you disagree with any part of this policy, please do not use our service.
1. Data Controller
Career Coach AI is the data controller for personal data you provide through our website and applications. If you have questions about this policy or wish to exercise your rights, contact us at privacy@careercoach.ai.
2. Information We Collect
We collect information in the following ways:
- Account data you provide: email address, display name, password hash, authentication provider identifiers.
- Profile and CV content you upload or generate: résumé text, work history, education, skills, cover letters, interview recordings and transcripts.
- Billing data when you subscribe: name, billing address, subscription status, payment method metadata (card details are handled directly by Stripe — we never receive raw card numbers).
- Usage telemetry: pages viewed, features used, approximate geolocation from IP, browser and device metadata, performance metrics.
- Communications: messages you send to support, feedback, and email preferences.
3. How We Use Your Data
We process your data only for the purposes listed below and only on a lawful basis under GDPR Article 6:
- To provide the service you requested (contract, Art. 6(1)(b)): account creation, CV analysis, AI-powered interview practice, cover-letter generation, billing.
- To improve and secure the service (legitimate interests, Art. 6(1)(f)): error monitoring, abuse prevention, rate limiting, aggregate product analytics.
- For analytics and marketing (consent, Art. 6(1)(a)): only where you have accepted the relevant cookie category in our consent banner.
- To comply with legal obligations (Art. 6(1)(c)): tax records, responses to lawful requests from authorities.
4. Subprocessors & Third-Party Services
We rely on a small number of trusted subprocessors to operate the service. Each has its own published privacy policy and, where applicable, a Data Processing Addendum (DPA) governing their processing on our behalf. The current list is shown below and is kept in sync with our internal register; we update it whenever we add, change, or remove a subprocessor.
The following subprocessors help us operate Career Coach AI. Each processes your data under a written agreement that restricts use to the purposes we specify.
Authentication
| Vendor | Purpose | Data shared | Region | Legal basis | Links |
|---|---|---|---|---|---|
| Google Firebase (Authentication + Firestore) | User authentication, account management, and primary application database (profile, CV metadata, interview sessions). | email, display name, account identifiers, CV content, usage metadata | Global | Contract | Privacy policy·DPA |
Infrastructure
| Vendor | Purpose | Data shared | Region | Legal basis | Links |
|---|---|---|---|---|---|
| Vercel | Application hosting, edge compute, and CDN delivery. | IP address, request metadata, HTTP headers | Global | Contract | Privacy policy·DPA |
| Upstash (Redis) | Rate limiting and ephemeral cache (sliding-window counters, short-TTL keys only). | hashed user identifiers, request counters | Global | Legitimate interest | Privacy policy |
AI & Machine Learning
| Vendor | Purpose | Data shared | Region | Legal basis | Links |
|---|---|---|---|---|---|
| OpenAI | Large-language-model inference for CV analysis, interview simulation, cover-letter generation, and other AI features. OpenAI does not use API inputs to train models per their API data policy. | CV content, interview transcripts, user-provided text prompts | United States | Contract | Privacy policy·DPA |
Payments
| Vendor | Purpose | Data shared | Region | Legal basis | Links |
|---|---|---|---|---|---|
| Stripe | Subscription billing and payment processing. Card details are captured by Stripe directly — we never receive or store raw card numbers. | email, billing address, payment method metadata, subscription status | Global | Contract | Privacy policy·DPA |
| Vendor | Purpose | Data shared | Region | Legal basis | Links |
|---|---|---|---|---|---|
| Resend | Transactional email delivery (password reset, subscription receipts, weekly career report). | email address, email content metadata | United States | Contract | Privacy policy·DPA |
Monitoring
| Vendor | Purpose | Data shared | Region | Legal basis | Links |
|---|---|---|---|---|---|
| Sentry | Error monitoring, performance tracing, and session replay (all text and form inputs masked, all media blocked — replays capture only visual layout). | error stack traces, browser metadata, IP address (scrubbed when possible), masked session replay (layout/interactions without text content) | EU/EEA | Legitimate interest | Privacy policy·DPA |
Analytics
| Vendor | Purpose | Data shared | Region | Legal basis | Links |
|---|---|---|---|---|---|
| PostHog | Product analytics — understand feature usage and identify UX friction. | event metadata, anonymized user identifier, page paths | United States | Consent | Privacy policy·DPA |
| Google Analytics 4 | Aggregate traffic and conversion analytics. Runs under Google Consent Mode v2 — no analytics cookies until you accept. | anonymized IP, page views, event counts | Global | Consent | Privacy policy |
| Meta (Facebook) Pixel | Conversion measurement and retargeting for paid marketing campaigns. Loaded only after marketing-consent is granted. | page views, conversion events, hashed email (where provided) | Global | Consent | Privacy policy |
5. International Data Transfers
Some of our subprocessors are established outside the European Economic Area, notably in the United States. Where data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses (2021/914) and, where applicable, the EU-US Data Privacy Framework, supplemented by technical and organisational safeguards (encryption in transit, access controls, regional processing where offered). You may request a copy of the transfer mechanism that applies to your data.
6. Data Retention
We keep your data only for as long as needed to provide the service and to meet legal obligations. Specifically:
- Active account data: retained while your account is active.
- Deleted accounts: erased from primary systems within 30 days; residual backup copies purge on a rolling 90-day cycle.
- CV and interview content: erased with the account, or earlier on request.
- Billing records: retained for 7 years to meet tax and accounting law.
- Support correspondence: retained for 24 months after the last interaction.
7. Your GDPR Rights (EEA, UK, Switzerland)
If you are in the EEA, UK, or Switzerland, you have the following rights under the GDPR / UK GDPR / FADP:
- Right of access — request a copy of your data.
- Right to rectification — correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — request deletion where no overriding legal basis applies.
- Right to restrict processing — pause certain uses while a dispute is resolved.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests or direct marketing.
- Right to withdraw consent — at any time, without affecting prior lawful processing.
- Right to lodge a complaint — with your local supervisory authority.
8. Your CCPA/CPRA Rights (California Residents)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (as amended by the CPRA):
- Right to know what personal information we collect, use, disclose, and sell or share.
- Right to delete personal information we have collected from you.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information. We do not sell personal data. We treat cross-context behavioural advertising as "sharing" and you can opt out by rejecting the Marketing cookie category.
- Right to limit use of sensitive personal information.
- Right to non-discrimination when exercising your rights.
9. AI Accuracy & Limitations
Career Coach AI uses large language models to generate CV feedback, interview questions, cover letters, and other outputs. These outputs are probabilistic and may contain errors, omissions, or biases. You should review and verify any AI-generated content before relying on it for applications, legal documents, or high-stakes decisions. We do not guarantee that AI outputs are accurate, complete, or suitable for any particular purpose.
10. Children's Privacy
Our service is not directed to children under 16. We do not knowingly collect personal data from children under 16. If we learn that we have collected data from a child under 16 without verified parental consent, we will delete it. If you believe a child has provided us data, please contact privacy@careercoach.ai.
11. Security
We implement industry-standard technical and organisational measures to protect your data, including encryption in transit (TLS 1.2+), encryption at rest for identifiers and credentials, role-based access control, least-privilege service accounts, rate limiting, and continuous monitoring. No system is perfectly secure; if a breach affects your personal data we will notify you and the appropriate supervisory authority as required by law.
12. Changes to This Policy
We may update this policy to reflect changes in our service, legal requirements, or subprocessor relationships. Material changes will be announced via email or in-app notice at least 30 days before they take effect. The "Last updated" date above reflects the most recent revision.