Privacy Policy
Last updated: {{LAST_UPDATED_DATE}}
1. Data Controller
ApplyScope ("we," "us," or "our") is operated by {{OPERATING_ENTITY_NAME}}, a legal entity established under the laws of {{OPERATING_ENTITY_JURISDICTION}}, registered under tax identification {{TAX_ID}}, with its registered address at {{REGISTERED_ADDRESS}} (the "Controller").
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the ApplyScope platform (the "Service"). It is designed to comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and the Brazilian Lei Geral de Proteção de Dados (LGPD).
For privacy inquiries, write to our data protection contact at {{PRIVACY_CONTACT_EMAIL}}. Our Data Protection Officer (or equivalent contact) is {{DPO_NAME_AND_EMAIL}}.
2. Data We Collect
Information you provide
- Account information: name, email address, and hashed password.
- Professional profile: skills, experience, salary preferences, target positions, and location.
- Resume content: uploaded resume text used for AI matching, screening, and cover letter generation.
- Job search activity: saved jobs, application status, notes, pipeline stage, evaluations, and cover letters.
- Payment information: billing details are processed directly by Stripe. We do not store full card numbers; we retain a non-sensitive customer identifier, last four digits, and subscription metadata.
- Support correspondence: any messages you send to us or our support channels.
Information collected automatically
- Usage data: pages visited, features used, and product interactions (via PostHog, gated on consent).
- Technical data: IP address, browser type, device information, and operating system.
- Log data: request timestamps, API endpoints accessed, and error logs for debugging, security, and performance.
- Aggregated site analytics: anonymous visit counts, referrers, and page views (via Plausible, cookieless).
3. Purposes and Legal Basis for Processing
Under GDPR Art. 6 and LGPD Art. 7, we process personal data on the following legal bases:
- Performance of a contract (Art. 6(1)(b)): operating your account, evaluating job postings against your profile, generating cover letters and screening answers, managing your pipeline, and processing subscription payments.
- Legitimate interest (Art. 6(1)(f)): securing the Service, preventing fraud and abuse, improving product quality through aggregated analytics, and debugging errors. You may object to processing based on legitimate interest at any time.
- Consent (Art. 6(1)(a)): product analytics cookies (PostHog), marketing communications, and any processing that is not strictly necessary to operate the Service. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
- Legal obligation (Art. 6(1)(c)): retaining records required by applicable tax, accounting, or data-protection law.
4. Sub-Processors and Third Parties
We engage the following sub-processors to deliver the Service. Each is bound by a data processing agreement and, where applicable, EU Standard Contractual Clauses (SCCs) for international transfers.
- Anthropic (PBC, USA) — AI provider (Claude). Receives job descriptions and your profile/resume content to produce evaluations, cover letters, and screening answers. Anthropic does not use API inputs to train its models.
- OpenAI, L.L.C. (USA) — contingent AI provider used only if and when a failover path is enabled. Receives the same inputs as Anthropic when active. OpenAI API data is not used for training by default.
- Stripe, Inc. (USA / global) — payment processor. Receives your billing details directly; we receive only non-sensitive metadata. Stripe is PCI DSS Level 1 certified.
- Plausible Insights OÜ (EU, self-hosted) — cookieless, GDPR-compliant site analytics. No personal identifiers are collected.
- PostHog Inc. (USA) — product analytics and session replay. Cookie-based; enabled only after explicit consent.
- Chatwoot Inc. — customer support chat and inbox. Receives messages you send through support channels.
- Hetzner Online GmbH (Germany) / MinIO — infrastructure and S3-compatible object storage hosting the Service and backups within the EU.
- Sentry (Functional Software, Inc., USA) — error and performance monitoring. May receive stack traces and request context; we scrub sensitive fields before transmission.
We do not sell, rent, or share your personal data with third parties for their own marketing purposes.
5. International Data Transfers
Some sub-processors (notably Anthropic, OpenAI, PostHog, Sentry, and Stripe) are established in the United States. Where personal data is transferred outside the European Economic Area, the United Kingdom, or Brazil, we rely on appropriate safeguards including EU Standard Contractual Clauses (SCCs), UK International Data Transfer Addenda, and the ANPD's LGPD equivalents where applicable. Copies are available on request from {{PRIVACY_CONTACT_EMAIL}}.
6. Data Retention
- Account and profile data: retained for the lifetime of your account, plus up to 90 days in encrypted backups after account deletion, after which it is purged.
- Resume content: retained on the same schedule as account data.
- Job evaluations, cover letters, and pipeline records: retained while the account is active; deleted on the same schedule as account data.
- Identifiable product analytics events (PostHog): retained for 12 months, then deleted or anonymized.
- Aggregated site analytics (Plausible): anonymous by design; retained indefinitely at the aggregate level.
- Billing records: retained for the period required by applicable tax and accounting law (commonly 5-10 years).
- Application and security logs: retained for up to 30 days, then rotated.
7. Security Measures
We implement technical and organizational measures appropriate to the risk, including:
- TLS 1.2+/HTTPS for all data in transit.
- Encryption at rest for databases and object storage.
- Row-Level Security (RLS) and role-based access control (RBAC) to isolate tenant data.
- Hashed passwords (never stored in plain text), secure session tokens, and short-lived API credentials.
- Rate limiting, audit logging, and automated monitoring to detect anomalies.
- Least-privilege access for employees and contractors, with access reviews at least annually.
- Regular encrypted backups with a defined retention window and tested restoration.
No system is completely secure. You are responsible for maintaining the confidentiality of your account credentials and for notifying us promptly of any suspected compromise.
8. Breach Notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it, in accordance with GDPR Art. 33. Where the breach is likely to result in a high risk, we will also notify affected users without undue delay in accordance with GDPR Art. 34. LGPD Art. 48 and CCPA/CPRA notification duties are met in parallel.
9. Your Rights
Subject to applicable law (GDPR, UK GDPR, CCPA/CPRA, LGPD), you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Erasure — request deletion of your personal data ("right to be forgotten").
- Portability — receive your data in a structured, machine-readable format (a self-service JSON export is available from your account settings).
- Restriction — request that we limit processing in specific circumstances.
- Objection — object to processing based on legitimate interests or direct marketing.
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
- Non-discrimination — CCPA-protected right not to receive discriminatory treatment for exercising your rights.
- Lodge a complaint — with your local supervisory authority (e.g., the Irish DPC, the ANPD in Brazil, or the California Attorney General / CPPA).
To exercise any of these rights, contact us at {{PRIVACY_CONTACT_EMAIL}}. We will respond without undue delay and in any event within one month of receipt, extendable by up to two further months for complex or numerous requests, consistent with GDPR Art. 12(3).
10. Cookies and Similar Technologies
We use the following cookies and local storage:
- Strictly necessary — authentication tokens stored in localStorage to keep you signed in, and minimal session preferences (e.g., saved filters and view settings). These are required for the Service to function and do not require consent.
- Site analytics (Plausible) — cookieless and GDPR-compliant; no personal identifiers are collected.
- Product analytics (PostHog) — sets cookies to identify distinct users and record in-product actions for product improvement. This is loaded only after you grant consent via our cookie banner and respects the Do Not Track (DNT) header.
You may opt out of product analytics at any time through the cookie banner or your account settings; opting out does not affect your core account functionality. We do not use advertising cookies or cross-site tracking cookies.
11. Children's Privacy
The Service is not directed to children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided personal data to us, please contact {{PRIVACY_CONTACT_EMAIL}} and we will take reasonable steps to delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified by email and in-product at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
13. Contact
For questions or concerns about this Privacy Policy or our data practices, contact the Controller at {{PRIVACY_CONTACT_EMAIL}} or by post at {{REGISTERED_ADDRESS}}. If you are an EU/UK resident, you may also contact our Data Protection Officer at {{DPO_NAME_AND_EMAIL}}.