Privacy Policy

We collect only the data strictly necessary to provide the service:

• Email address and hashed password — used to create and authenticate your account.
• CV text — extracted temporarily from your PDF for AI analysis only. The raw text is discarded immediately after processing and is never stored in our database. The original PDF file is also never retained on our servers.
• Profile data derived from your CV — skills, seniority level, desired role, years of experience, language preferences, and job location preferences. This is the only CV-related data saved to your profile.
• Payment information — handled entirely by Stripe. We never see or store your card details. We only store your Stripe Customer ID to manage your subscription.
• Usage data — actions within the app (e.g. saved jobs) stored in your browser's local storage. Your profile and preferences are also stored in our database tied to your account.
• Profile photo — if you choose to upload one, stored in your browser's local storage only (not on our servers).

We process your personal data on the following legal bases:

• Contract performance (Art. 6(1)(b) GDPR) — processing your email, profile data, and CV analysis output is necessary to provide the JobsMatch service you signed up for.
• Legitimate interest (Art. 6(1)(f) GDPR) — improving job matching accuracy, preventing abuse, and maintaining service security.
• Legal obligation (Art. 6(1)(c) GDPR) — processing subscription status and payment references to fulfil applicable tax, accounting, and financial reporting obligations.

When you upload a CV, the extracted text is sent to OpenAI (our AI sub-processor) to identify skills, seniority, and other professional attributes. This text is transmitted securely and is used only for this single analysis request — it is not used to train OpenAI models and is not retained by OpenAI beyond the API call.

We do not store the original PDF. Only the structured output of the analysis (skills list, seniority, role, etc.) is saved to your profile.

We use the following third-party data processors under appropriate Data Processing Agreements:

• OpenAI, L.L.C. (USA) — AI model provider for CV analysis. Data is processed under OpenAI's API terms, which prohibit use of API data for model training. OpenAI provides appropriate safeguards for international data transfers.
• Stripe, Inc. (USA) — payment processing. Stripe is PCI-DSS certified and processes payment data under its own privacy policy. Stripe acts as an independent data controller for payment data.
• Google LLC (USA) — optional sign-in provider. If you choose to log in with Google, your email address is verified via Google's OAuth service. We receive only your email address.
• Cloud infrastructure provider (to be named at launch) — infrastructure used to host and operate the service. We will update this notice with the provider's name before the service goes live.

• Account and profile data (email, skills, seniority, role, preferences): retained until you delete your account or submit an erasure request.
• CV text and original PDF file: never stored — both are discarded immediately after the AI analysis completes. Only the structured profile output is saved.
• Payment and transaction records: Stripe, acting as an independent data controller, retains payment records for the period required by applicable law (typically up to 10 years). We do not hold invoice or transaction data in our own systems.

As a data subject in the EU/EEA you have the following rights:

• Right of access (Art. 15) — request a copy of all personal data we hold about you. Use the 'Export' button in Settings → General → Privacy & data.
• Right to rectification (Art. 16) — correct inaccurate data via Settings → Profile.
• Right to erasure / 'right to be forgotten' (Art. 17) — permanently delete your account and all associated data via Settings → General → Privacy & data → Delete account.
• Right to restriction of processing (Art. 18) — request that we limit how we use your data while a dispute is being resolved.
• Right to data portability (Art. 20) — receive your data in a structured, machine-readable format (JSON) via Settings → General → Privacy & data → Export.
• Right to object (Art. 21) — object to processing based on legitimate interest.
• Rights related to automated decision-making (Art. 22) — our AI matching is used only to rank job listings, not to make legally binding decisions about you.

To exercise any of these rights, or if you have a concern about how your data is handled, contact us at jobsmatch.support@gmail.com. We will respond within 30 days.

JobsMatch does not use tracking, advertising, or analytics cookies. Authentication state (your login token) and user preferences are stored in your browser's local storage — not in cookies. Local storage is technically necessary to keep you logged in and to persist your settings between sessions. It does not transmit data to third parties and does not require consent under ePrivacy rules.

We apply industry-standard security measures: passwords are stored as salted hashes (never in plain text), API communications use TLS/HTTPS, and access to the database is restricted to authenticated services. Payment data never passes through our servers.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and, where required, affected users without undue delay.

Some of our sub-processors (OpenAI, Stripe, Google) are based in the United States. These transfers are covered by the safeguards provided by those processors in their own Data Processing Agreements and privacy policies, which include Standard Contractual Clauses (SCCs) or equivalent mechanisms approved by the European Commission.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the data protection supervisory authority in your country of residence. A list of EU supervisory authorities is available at edpb.europa.eu.

We may update this Privacy Policy from time to time. We will provide reasonable advance notice of material changes via a prominent notice within the app. For changes that introduce new purposes for processing your personal data, we will seek your explicit agreement where required by applicable data protection law. Continued use of the service after the effective date constitutes acknowledgement of updates that do not affect how your personal data is processed.