Privacy Policy
1. Controller
The controller of your personal data is Yan Izmer, a natural person established in Poland. Contact: support@easyapply.com. Access to personal data is limited to persons individually authorised by the controller (GDPR art. 29), acting on documented instructions and bound by confidentiality.
2. What we process
- Account data — e-mail address, a salted password hash (passwords are never stored in plain text), your plan, and the date and document version of your acceptance of the Terms.
- Profile data — career information you enter: experience, education, skills, certifications, languages, contact details and an optional photo.
- Application data — job postings you save or import, generated CVs and cover letters, notes, statuses, tasks and interview records.
- Contact log — entries you create about people you contacted during your search (e.g. recruiters). This may contain third-party personal data; you are responsible for using it lawfully, and we process it only to display it back to you.
- Usage data — monthly counters of AI generations, used to enforce plan limits.
- Technical data — server logs including IP address and request metadata, used for security and abuse prevention.
Authentication is first-party (e-mail and password). We use no third-party login providers, no analytics tools and no advertising trackers.
3. Purposes and legal bases (GDPR art. 6)
- Providing the Service — storing your data, generating documents, tracking applications: performance of a contract (art. 6(1)(b)).
- Security and abuse prevention — rate limiting, logs, input validation: our legitimate interest (art. 6(1)(f)).
- Billing — once paid plans are purchasable, subscription management via Paddle: performance of a contract and compliance with legal obligations (art. 6(1)(b), (c)).
- Communication about the Service — responses to your requests and required notices: performance of a contract. We send no marketing communications.
4. AI processing — in plain language
When you generate a CV, cover letter, requirements analysis or match score, the text needed for that task — your profile and the job posting — is transmitted to our AI provider, OpenAI, which acts as our processor (GDPR art. 28) under a data-processing agreement: it processes the data only to return the result, does not use it to train its models under our API terms, and may retain API inputs and outputs for up to 30 days for abuse monitoring before deletion. If we engage an additional AI provider in the future, this policy will be updated first. Your photo is never sent to AI providers — it is only embedded into your rendered CV.
5. Recipients
- OpenAI, L.L.C. (USA) — AI document generation (processor).
- Adzuna — job search; receives only your search keywords and location, never your profile.
- Paddle — once paid plans are purchasable: checkout, invoicing and VAT as merchant of record; for payment data Paddle acts as an independent controller under its own privacy policy.
- Hosting — the Service runs on infrastructure operated by the controller. If a third-party hosting provider is engaged, it will act as a processor under a data-processing agreement and will be named here.
- Authorised persons — individuals assisting in operating the Service, authorised under GDPR art. 29 and bound by confidentiality.
We do not sell personal data and display no advertising. All fonts and assets are served from our own domain — using the Service triggers no third-party requests from your browser.
6. International transfers
OpenAI is established in the United States. Transfers are safeguarded by the EU-U.S. Data Privacy Framework and/or the European Commission's Standard Contractual Clauses, as set out in the provider's data-processing agreement.
7. Retention
- Account, profile and application data — for as long as your account exists; deleted when your account is deleted.
- Generated documents — until you delete them or your account.
- Server logs — no longer than 12 months.
- Consent records (Terms version and acceptance date) — for as long as needed to demonstrate compliance.
- Billing records (once payments launch) — as required by tax law.
8. Your rights
You may request access to your data, rectification, erasure, restriction of processing and a machine-readable copy (portability), and you may object to processing based on legitimate interest. Write to support@easyapply.com from your account address — we respond within one month, as the GDPR requires. You may also lodge a complaint with the President of the Personal Data Protection Office (UODO, uodo.gov.pl) or the supervisory authority of your residence.
9. Automated decision-making
Match and ATS scores are automated estimates that support your own decisions. They produce no legal or similarly significant effects: every decision — what to send and where to apply — remains yours (no decision-making within the meaning of GDPR art. 22 takes place).
10. Security
Measures in place include salted PBKDF2 password hashing, server-side sessions with HttpOnly/SameSite cookies (Secure in production), per-account data isolation, rate limiting, input-length limits and individual authorisations for anyone with data access. Details: Security.
11. Children
The Service is intended for people looking for work and requires users to be at least 16 years old.
12. Changes
We may update this policy; material changes will be announced within the Service and, where we hold your address, by e-mail, at least 14 days before they take effect. The date and version above always identify the current text.