Privacy Policy

Privacy Policy

Reviewed by counsel pre-launch — final review pending. This document was drafted from a Termly template and customised by the CAREER iNTEL team. Formal counsel review is scheduled post-first-revenue (D-16). Material questions can be directed to [email protected].

Effective: 2026-05-20 · Last updated: 2026-05-20


1. Who we are

CAREER iNTEL ("we," "us," "our") is an AI-powered job-search platform operated as a multi-tenant SaaS. Our service is hosted at https://careerintel.app, with primary data storage in the United States (Hetzner, Ashburn, Virginia). We are the data controller for your personal data under California and other US state privacy laws (CCPA/CPRA), and — for our international customers — the GDPR (EU), UK GDPR, NDPR (Nigeria), and PIPEDA (Canada).

Contact:

2. What data we collect

CategoryExamplesPurposeLegal basis (GDPR)
IdentityEmail, name, OAuth identifierAuthentication, account managementContract (Art. 6(1)(b))
Career dataUploaded resume, work history, skills, target roles, compensation expectationsScore, Tailor, Discovery, TrackerContract
Application dataTracked applications, status, notesTracker, Story Bank, Copilot contextContract
Generated artifactsTailored resumes, cover letters, mock-interview transcriptsService delivery + your retentionContract
Usage logsPage views, feature usage, AI call latency + costService improvement, billing reconciliationLegitimate interest (Art. 6(1)(f))
Payment dataStripe-tokenised payment method (we never see the raw card)Subscription billingContract
TechnicalIP, user agent, device typeSecurity, abuse detectionLegitimate interest
MarketingWaitlist email + tier preference (if you opt in)Phase 2 launch notificationConsent (Art. 6(1)(a))

3. How we use AI on your data

Your data is processed by large language models (LLMs) routed via OpenRouter (a sub-processor). We use multiple model tiers per task — see AI Policy for the routing transparency table.

Hallucination guardrail: Every AI output passes through a regex + LLM-validator gate before reaching you. We reject fabricated metrics, dates, companies, or titles not grounded in your source data.

Prompt-injection sanitizer: Every user-input field passes through a 36-pattern sanitizer before AI prompt concatenation.

No training without opt-in: By default, your data is processed only to deliver the service. Opt-in to anonymised data use for AI improvement in Settings → Data & Privacy → Consent. Default is off.

We do not sell or share your data. Not now, not ever.

4. Your data rights

You may exercise these rights at any time. The exercise mechanism (Settings → Data & Privacy, or emailing [email protected]) is the same across jurisdictions; the rights below are grouped by the law that grants them.

4.1 United States — CCPA/CPRA (California) and other US state privacy laws

If you are a US resident, you have the following rights under the California Consumer Privacy Act as amended by the CPRA, and equivalent rights under other US state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, and similar):

RightHow to exercise
Right to know / access (what we collect, use, disclose)Settings → Data & Privacy → Export (ZIP delivered < 60 s)
Right to deleteSettings → Data & Privacy → Delete (30-day soft-delete with crypto-shredding; cancellable)
Right to correctSettings → Profile (edit any field)
Right to data portabilitySettings → Data & Privacy → Export (JSON + Markdown formats)
Right to opt out of sale / sharing (Do Not Sell or Share)No action required — we do not sell or share your personal information
Right to limit use of sensitive personal informationSettings → Data & Privacy → Consent (granular toggles)
Right to non-discrimination for exercising these rightsAutomatic — we never penalise you for exercising a right

California: Do Not Sell or Share My Personal Information. We do not sell, and do not "share" (for cross-context behavioural advertising), your personal information — so there is nothing to opt out of. We will honor any Global Privacy Control (GPC) signal regardless.

4.2 EU / EEA — GDPR

If you are in the EU/EEA, you have the following rights under the GDPR:

RightHow to exercise
AccessSettings → Data & Privacy → Export (ZIP delivered < 60 s)
RectificationSettings → Profile (edit any field)
ErasureSettings → Data & Privacy → Delete (30-day soft-delete with crypto-shredding; cancellable)
RestrictionEmail [email protected]
PortabilitySettings → Data & Privacy → Export (JSON + Markdown formats)
ObjectionSettings → Data & Privacy → Consent (granular toggles)
Withdraw consentSettings → Data & Privacy → Consent
Lodge a complaintYour national supervisory authority (e.g., BfDI in Germany)

4.3 United Kingdom — UK GDPR

UK users have the same set of rights as EU/EEA users above (UK GDPR). You may lodge a complaint with the UK Information Commissioner's Office (ICO).

4.4 Nigeria — NDPR

If you are a Nigerian data subject, see our NDPR Addendum for jurisdiction-specific rights, including:

  • Right to information on cross-border data transfer mechanisms
  • Right to lodge a complaint with the NDPC (Nigeria Data Protection Commission)
  • Local DPO appointment status (currently deferred; updates published in that addendum)

4.5 Canada — PIPEDA

We honor the same access + correction + withdrawal-of-consent rights for users covered under PIPEDA. The exercise mechanism is identical to the above. You may lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC).

7. Sub-processors

We rely on the following sub-processors to deliver the service. Full table at Sub-processors.

  • Stripe — Payment processing (US)
  • OpenRouter — LLM gateway (US); downstream: Anthropic + Meta + Mistral
  • Cloudflare — CDN + DNS + Access (global)
  • Sentry — Error monitoring (SaaS — US); Phase 5 self-hosted migration planned
  • Unstructured.io — Resume parse fallback (US)
  • Hetzner — Hosting (US — Ashburn, Virginia)
  • Brevo — Transactional email + waitlist (EU — international processor)

8. Cookies

We use first-party cookies for authentication (Better Auth session) and dark-mode preference. We do not use third-party advertising cookies. See our Cookie Policy for the full, region-aware cookie disclosure (including the consent model that applies to you).

9. Breach notification

In the event of a personal data breach affecting your data, we will notify you without undue delay. For US users, we notify affected individuals (and any required state authorities) as required by applicable US state breach-notification laws (e.g., California Civil Code §§ 1798.29 / 1798.82). For international customers, we notify within 72 hours of discovery, per GDPR Art. 33 (and NDPR Section 40). See ops/runbooks/breach-notification.md (internal runbook) for the process. Notifications go to the registered email + a banner in the app + a Trust Center status post.

10. International transfers

Primary storage is in the United States (Hetzner, Ashburn, Virginia). If you are an international customer — in the EU/EEA, the UK, Nigeria, or Canada — your personal data is transferred to and stored in the United States. We rely on appropriate cross-border transfer safeguards for these transfers: the EU-US Data Privacy Framework (and the UK and Swiss extensions) where applicable, the 2021 Standard Contractual Clauses for EU/EEA transfers, and the UK International Data Transfer Addendum (IDTA) for UK transfers. Transfers to our sub-processors, and to any other regions, use SCCs, the DPF, or adequacy decisions.

11. Retention

DataRetention
Account + profile + career dataUntil you delete your account or 36 months of inactivity
Application data + Story BankSame as account
Generated artifactsSame as account
Usage logs (PII-scrubbed)13 months
Backups30 days (pgBackRest); tombstones expire after 90 days
Audit logs (admin access, billing events)6 years (regulatory retention)

12. Children

CAREER iNTEL is for users 16 years and older (EU) / 13 years and older (US). We do not knowingly collect data from anyone below these ages. If we discover such data, we delete it.

13. Changes to this policy

We will notify you of material changes via email and in-app banner at least 30 days before they take effect. Minor edits (typo fixes, clarifications) may be published without notice.

14. DPO Contact

For all CCPA/CPRA / US state-privacy-law / GDPR / UK GDPR / NDPR / PIPEDA requests, email [email protected]. We respond within 5 business days (or sooner where a shorter statutory deadline applies).


Reviewed by counsel pre-launch — final review pending.