Privacy Policy

Effective Date: November 2, 2025

Last Updated: November 2, 2025

Your Privacy Matters: We are committed to protecting your personal information and being transparent about our data practices. This policy explains what data we collect, how we use it, and your rights. If you have any questions, please contact us at privacy@applyleft.com.

1. Introduction and Data Controller

Welcome to ApplyLeft's Privacy Policy. This policy describes how edbn.me ("we", "us", "our"), the parent company operating ApplyLeft at applyleft.com, collects, uses, discloses, and safeguards your personal information.

We are committed to protecting your privacy and being transparent about our data practices. This Privacy Policy applies to all users of our Service, regardless of location, and complies with applicable data protection laws including GDPR, CCPA, and other relevant regulations.

By using ApplyLeft, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use our Service.

Data Controller Information:

• Company: edbn.me

• Service: ApplyLeft (applyleft.com)

• Contact: privacy@applyleft.com

• Support: support@applyleft.com

2. Information We Collect

We collect several types of information to provide and improve our Service:

Account Information:

• Email address (required for authentication)

• Name (optional, for resume generation)

• Password (encrypted and never stored in plain text)

• OAuth provider information (Google, GitHub)

• Account creation and last login timestamps

Resume and Profile Data:

• Professional experience and work history

• Educational background and certifications

• Skills, achievements, and languages

• Contact information (phone, LinkedIn, location)

• Job titles, company names, and descriptions

• Resume versions and modification history

Payment and Billing Information:

• Payment method details (processed by Dodo Payments)

• Billing address and tax information

• Transaction history and invoice records

• Subscription status and renewal dates

Usage Data:

• Pages visited and features used

• Resume generation and chat message counts

• Time spent on the platform

• Browser type, device information, and IP address

• Referral source and navigation patterns

Chat and AI Interaction Data:

• Messages sent to our AI assistant

• AI-generated content and recommendations

• User feedback and ratings

Technical and Security Data:

• Session tokens and authentication cookies

• Error logs and debugging information

• Security event logs

3. How We Use Your Information

We use collected information for the following purposes:

Service Delivery and Core Functionality:

• Authenticate your identity and manage your account

• Generate AI-powered resume content tailored to job descriptions

• Store and manage your resume versions and history

• Process payments and manage subscriptions

• Track usage limits and enforce fair use policies

• Export resumes to PDF format

Service Improvement and Analytics:

• Analyze usage patterns to improve features and user experience

• Monitor platform performance and identify technical issues

• Train and improve our AI models (using anonymized data)

• Conduct A/B testing and feature experiments

• Develop new features and functionality

Communication:

• Send transactional emails (account confirmation, password resets)

• Notify you of subscription renewals and billing issues

• Respond to support inquiries and provide customer service

• Send important service announcements and security alerts

• Share product updates and new features (with opt-out option)

Legal and Security:

• Detect, prevent, and investigate fraud and security incidents

• Enforce our Terms of Service and other policies

• Comply with legal obligations and respond to lawful requests

• Protect the rights, property, and safety of our users and company

We DO NOT:

• Sell your personal information to third parties

• Use your resume content for advertising purposes

• Share your data with employers without your explicit consent

• Use your personal information for unrelated marketing

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), UK, and Switzerland, we process personal data based on the following legal grounds:

Contractual Necessity:

• Processing required to provide the Service you've requested

• Account management and authentication

• Resume generation and storage

• Payment processing and subscription management

Legitimate Interests:

• Service improvement and analytics

• Security and fraud prevention

• Technical optimization and performance monitoring

• Customer support and communication

Consent:

• Marketing communications (opt-in required)

• Non-essential cookies and analytics

• AI model training using your anonymized data

Legal Obligation:

• Compliance with tax and financial regulations

• Response to lawful government requests

• Retention for legal proceedings

You have the right to withdraw consent or object to processing based on legitimate interests at any time.

5. How We Share Your Information

We share your information only in the following limited circumstances:

Essential Service Providers:

• Supabase (authentication, database hosting, and storage)

• Dodo Payments (payment processing and subscription management)

• Email service providers (transactional emails only)

• Cloud hosting infrastructure providers

All service providers are bound by data protection agreements and are prohibited from using your data for any other purpose.

Business Transfers:

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our Service before your information is transferred and becomes subject to a different privacy policy.

Legal Requirements:

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas). We will notify you of such requests unless prohibited by law.

Protection of Rights:

We may disclose your information to:

• Enforce our Terms of Service and policies

• Investigate potential violations

• Protect against legal liability

• Detect, prevent, or address fraud or security issues

With Your Consent:

We may share your information with third parties when you explicitly consent, such as integrations with job boards or applicant tracking systems (future features).

We DO NOT:

• Sell your personal data to data brokers

• Share your resume content with recruiters without permission

• Provide your information to advertisers for targeting

6. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

Retention Periods:

Active Accounts:

• Your data is retained while your account remains active

• Resume content and versions are stored indefinitely until deletion

• Chat history is retained for service improvement

Deleted Accounts:

• Personal information is deleted within 30 days of account closure

• Backups may retain data for up to 90 days for disaster recovery

• Some information may be retained longer for legal compliance

Payment and Billing Records:

• Transaction records retained for 7 years (tax and accounting requirements)

• Subscription history retained for dispute resolution

Anonymized Data:

• Aggregated, anonymized analytics retained indefinitely

• De-identified data used for AI model training

Security Logs:

• Authentication logs retained for 1 year

• Security incident logs retained for 3 years

You can request deletion of your data at any time by contacting us at privacy@applyleft.com.

7. Data Security

We implement comprehensive security measures to protect your information from unauthorized access, alteration, disclosure, or destruction.

Technical Safeguards:

• TLS/HTTPS encryption for all data in transit

• AES encryption for sensitive data at rest

• Industry-standard password hashing (bcrypt with salt)

• Row-level security (RLS) policies in our database

• Regular security audits and penetration testing

• Web Application Firewall (WAF) protection

• DDoS mitigation and rate limiting

Organizational Safeguards:

• Access controls and role-based permissions

• Employee training on data protection

• Confidentiality agreements with all staff and contractors

• Regular security awareness training

• Incident response and breach notification procedures

Infrastructure Security:

• Multi-factor authentication for administrative access

• Automated security updates and patches

• Regular backups with encryption

• Geographically distributed data centers

• 24/7 security monitoring

Despite our best efforts, no security system is impenetrable. We cannot guarantee the absolute security of your data. In the event of a data breach, we will:

• Notify affected users within 72 hours of discovery

• Report to relevant authorities as required by law

• Take immediate steps to contain and remediate the breach

• Provide guidance on protective measures you can take

8. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

Universal Rights (All Users):

• Access: Request a copy of your personal data

• Correction: Update inaccurate or incomplete information

• Deletion: Request deletion of your personal data

• Export: Download your data in a machine-readable format

• Opt-out: Unsubscribe from marketing communications

Additional Rights (GDPR - EEA, UK):

• Right to object to processing based on legitimate interests

• Right to restrict processing in certain circumstances

• Right to data portability in a structured, commonly used format

• Right to withdraw consent at any time

• Right to lodge a complaint with a supervisory authority

Additional Rights (CCPA - California):

• Right to know what personal information is collected

• Right to know if personal information is sold or disclosed

• Right to say no to the sale of personal information (Note: We do not sell data)

• Right to equal service and price (no discrimination for exercising rights)

How to Exercise Your Rights:

1. Email us at privacy@applyleft.com with your request

2. Use the data export feature in your account settings

3. Contact our support team through the dashboard

We will respond to all requests within 30 days (or as required by applicable law). For security purposes, we may need to verify your identity before processing your request.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience and analyze usage patterns.

Types of Cookies We Use:

Essential Cookies (Always Active):

• Authentication tokens (required for login)

• Session management cookies

• Security cookies (CSRF protection)

• Load balancing cookies

Functional Cookies (Opt-out Available):

• User preference storage (theme, language)

• Feature flags and A/B testing

• Usage tracking for feature improvement

Analytics Cookies (Opt-out Available):

• Page view and navigation tracking

• Feature usage statistics

• Error and performance monitoring

• User flow analysis

We DO NOT use:

• Third-party advertising cookies

• Cross-site tracking cookies

• Social media tracking pixels

Cookie Management:

You can control cookies through:

• Your browser settings (block all non-essential cookies)

• Our cookie consent banner (opt out of analytics)

• Account settings (disable optional tracking)

Note: Disabling essential cookies will prevent you from using certain features of the Service.

10. International Data Transfers

ApplyLeft is operated from the United States. If you access our Service from outside the US, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

These countries may have different data protection laws than your country of residence. When we transfer data internationally, we ensure appropriate safeguards are in place:

Safeguards for International Transfers:

• Standard Contractual Clauses (SCCs) approved by the European Commission

• Data Processing Agreements with all third-party processors

• Adequate level of protection as required by GDPR and other regulations

• Binding corporate rules where applicable

For EEA, UK, and Swiss Users:

We comply with the EU-US Data Privacy Framework principles and implement appropriate technical and organizational measures to ensure your data receives adequate protection when transferred outside the EEA.

Countries Where Data May Be Processed:

• United States (primary hosting)

• European Union (backup and CDN)

• Other regions as required for service delivery

By using ApplyLeft, you acknowledge and consent to the transfer of your information to countries outside your country of residence.

11. Children's Privacy

ApplyLeft is not intended for individuals under the age of 18. We do not knowingly collect personal information from children.

If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us immediately at privacy@applyleft.com. We will take steps to delete such information from our systems.

Age Verification:

By creating an account, you represent that you are:

• At least 18 years old, or

• Of the age of majority in your jurisdiction, if higher than 18

We reserve the right to request proof of age and to terminate accounts that do not meet these requirements.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

Your California Rights:

1. Right to Know: Request disclosure of personal information collected, used, disclosed, and sold

2. Right to Delete: Request deletion of personal information

3. Right to Opt-Out: Opt out of sale of personal information (Note: We do not sell personal information)

4. Right to Correct: Request correction of inaccurate personal information

5. Right to Limit: Limit use and disclosure of sensitive personal information

6. Right to Non-Discrimination: Not receive discriminatory treatment for exercising your rights

Categories of Personal Information We Collect:

• Identifiers (name, email, IP address)

• Professional information (resume content, work history)

• Commercial information (subscription and payment history)

• Internet activity (usage data, browsing behavior)

• Geolocation data (approximate location from IP)

We DO NOT sell your personal information. We do not share it for cross-context behavioral advertising.

To exercise your California rights:

• Email: privacy@applyleft.com

• Subject line: "California Privacy Rights Request"

• Include: Your name, email, and specific request

We will verify your identity and respond within 45 days.

Authorized Agents:

You may designate an authorized agent to make requests on your behalf. The agent must provide proof of authorization.

13. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have specific rights under the General Data Protection Regulation (GDPR).

Your GDPR Rights:

1. Right of Access: Obtain confirmation of data processing and access to your data

2. Right to Rectification: Correct inaccurate or incomplete personal data

3. Right to Erasure ("Right to be Forgotten"): Request deletion of your data

4. Right to Restriction of Processing: Limit how we use your data

5. Right to Data Portability: Receive your data in a structured, machine-readable format

6. Right to Object: Object to processing based on legitimate interests

7. Right to Withdraw Consent: Withdraw consent for consent-based processing

8. Right to Lodge a Complaint: File a complaint with your local supervisory authority

Data Protection Officer:

For GDPR-related inquiries, contact our Data Protection Officer:

• Email: dpo@applyleft.com

• Response time: Within 30 days

Supervisory Authority:

You have the right to lodge a complaint with your local data protection authority. A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en

Legal Basis for Processing:

We process your data based on:

• Performance of contract (providing the Service)

• Legitimate interests (service improvement, security)

• Consent (marketing, optional features)

• Legal obligation (compliance with laws)

14. Third-Party Links and Services

Our Service may contain links to third-party websites, services, or integrations that are not operated by us. This Privacy Policy does not apply to third-party services.

Third-Party Services We Use:

• Supabase: Authentication and database hosting (Privacy: https://supabase.com/privacy)

• Dodo Payments: Payment processing (Privacy: https://dodopayments.com/privacy)

• Google OAuth: Authentication (Privacy: https://policies.google.com/privacy)

• GitHub OAuth: Authentication (Privacy: https://docs.github.com/en/site-policy/privacy-policies)

When you interact with third-party services:

• You are subject to their privacy policies and terms

• We have no control over their data practices

• We are not responsible for their content or privacy practices

We recommend reviewing the privacy policies of any third-party services before providing your information.

OAuth Permissions:

When you use OAuth (Google, GitHub), we only request:

• Your email address for authentication

• Your name and profile picture (optional, for display)

We do not access or store your passwords for third-party services.

15. Do Not Track Signals

Some web browsers have a "Do Not Track" (DNT) feature that signals to websites you visit that you do not want to have your online activity tracked.

Because there is not yet a common understanding of how to interpret DNT signals, ApplyLeft does not currently respond to web browser DNT signals. Instead, we offer you choices about data collection through our cookie settings and account preferences.

You can control tracking through:

• Browser settings (disable cookies)

• Cookie consent preferences in your account

• Opt-out of analytics tracking

We will update this policy if industry standards for DNT are established.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

How We Notify You of Changes:

• Update the "Last Updated" date at the top of this policy

• Post the new policy on this page

• Send email notification for material changes

• Display an in-app notification upon your next login

Material vs. Non-Material Changes:

Material Changes (require notice):

• New purposes for data collection or use

• Changes to data sharing practices

• Reduction in your privacy rights

• Changes to data retention periods

Non-Material Changes (no notice required):

• Clarifications of existing practices

• Contact information updates

• Formatting or organizational changes

Your Consent:

By continuing to use ApplyLeft after changes take effect, you accept the updated Privacy Policy. If you do not agree with the changes, you should stop using the Service and request account deletion.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

17. Contact Us and Data Protection Officer

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

General Privacy Inquiries:

• Email: privacy@applyleft.com

• Response time: Within 5 business days

Data Protection Officer (GDPR):

• Email: dpo@applyleft.com

• Response time: Within 30 days (as required by GDPR)

Customer Support:

• Email: support@applyleft.com

• Support portal: https://applyleft.com/support

Legal Department:

• Email: legal@applyleft.com

• For legal notices and data requests from authorities

When contacting us, please include:

• Your full name and email address associated with your account

• A clear description of your request or concern

• Any relevant documentation (for access or deletion requests)

We are committed to resolving your privacy concerns and will work with you to address any issues promptly and transparently.