Privacy Policy
ApplyKit — AI-Powered Job Application Platform
Effective Date: 13 March 2026 | Last Updated: 13 March 2026
1. Introduction
This Privacy Policy explains how ApplyKit OÜ (“ApplyKit,” “we,” “us,” or “our”), a company registered in Estonia, European Union, collects, uses, stores, and protects your personal data when you use the ApplyKit web application and related services (“Service”).
We are committed to protecting your privacy and processing your data in accordance with the EU General Data Protection Regulation (GDPR), the Estonian Personal Data Protection Act, and other applicable data protection laws.
2. Data Controller
ApplyKit OÜ
Tallinn, Estonia
Email: privacy@applykit.io
3. Data We Collect
3.1. Account Data
Email address, password (stored as a cryptographic hash with per-user salt), and account creation date. If you sign in with Google, we receive your Google account email and display name.
3.2. CV and Application Data
Personal details (name, phone, email, location, LinkedIn URL, portfolio URL), professional summary, work experience, education, skills, certifications, languages, projects, and uploaded CV PDF files. Job postings you add (via PDF, URL, or text), including parsed job title, company, requirements, and salary information.
3.3. Skills Vault Data
Your professional skills inventory, including skill labels, sources (extracted from CV, inferred by AI, manually added, or AI-suggested), sort order, and default skill selections.
3.4. Generated Data
AI-tailored cover letters, skills recommendations, interview preparation materials (including compiled preparation documents), Career Coach conversations, and job requirement analyses.
3.5. Chat and Conversation Data
Messages exchanged with the AI in each workspace mode (cover letter, skills curation, interview preparation) and Career Coach. Conversations are stored per job and per mode.
3.6. Payment Data
Payment is processed by Stripe, Inc. We receive a payment confirmation, transaction reference, and your email address. We do not store full credit card numbers, CVV codes, or bank account details.
3.7. Job Search Data
Search queries and saved keywords used when browsing integrated Estonian job boards (Töötukassa, CV Online, CV Keskus). We do not send any personal data to these job boards; we only fetch publicly available job listings.
3.8. Preference Data
Language preference (EN/ET), AI generation preset selections, skills-per-CV cap setting, CV template and style choices, accent colours, and font selections.
3.9. Technical Data
IP address, browser type and version, device type, pages visited, timestamps, and error traces (collected via Sentry for bug detection).
3.10. Analytics and Tracking Data
We use Google Analytics 4 and Facebook Pixel for product improvement and performance marketing. These services collect anonymised page views and engagement metrics. They track conversion events such as sign-ups, CV uploads, job additions, content saves, PDF exports, and purchases. No CV content, job descriptions, chat messages, or skills are sent to analytics services.
4. Legal Basis for Processing (GDPR Article 6)
| Purpose | Legal Basis |
|---|---|
| Account creation and authentication | Contract performance (Art. 6(1)(b)) |
| CV tailoring, cover letter generation, interview preparation | Contract performance (Art. 6(1)(b)) |
| Skills Vault management and recommendations | Contract performance (Art. 6(1)(b)) |
| Career Coach analysis | Contract performance (Art. 6(1)(b)) |
| Job search integration (browsing job boards) | Contract performance (Art. 6(1)(b)) |
| Payment processing | Contract performance (Art. 6(1)(b)) |
| Email communications (account-related) | Legitimate interest (Art. 6(1)(f)) |
| Analytics and product improvement (GA4, Facebook Pixel) | Legitimate interest (Art. 6(1)(f)) |
| Error monitoring (Sentry) | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance and fraud prevention | Legal obligation (Art. 6(1)(c)) |
| Marketing communications (if opted in) | Consent (Art. 6(1)(a)) |
5. How We Use Your Data
- Providing the Service — Processing your CV data, skills, and job information through AI to generate tailored cover letters, skills recommendations, interview preparation, and career advice.
- Career Coach — Analysing all your saved jobs and CV simultaneously to provide market alignment insights, skill gap analysis, and strategic career recommendations.
- Account Management — Authentication, password recovery, account settings.
- Payment Processing — Processing per-export payments through Stripe.
- Service Communications — Essential emails about your account and service changes.
- Service Improvement — Analysing anonymised, aggregated usage patterns via Google Analytics 4.
- Performance Marketing — Measuring advertising effectiveness via Facebook Pixel using anonymised conversion events.
- Error Detection — Monitoring application errors via Sentry to improve reliability.
- Security — Detecting and preventing fraud and unauthorised access.
What We Do NOT Do
- We do not sell your personal data to third parties.
- We do not use your Content to train AI models.
- We do not share your CV content, job descriptions, or chat messages with advertisers or analytics providers.
- We do not profile you for automated decision-making with legal effects.
- We do not send personal data to integrated job boards.
6. Sub-Processors
| Sub-Processor | Purpose | Data Received | Location |
|---|---|---|---|
| Supabase, Inc. | Authentication, database, file storage | All user data, uploaded files | EU (Frankfurt) / US |
| Anthropic, PBC | AI content generation (Claude API) | CV content, job descriptions, chat messages, skills lists | US |
| Stripe, Inc. | Payment processing | User email, payment method, transaction amount | US (PCI DSS Level 1) |
| Vercel, Inc. | Application hosting, CDN, serverless functions | Application traffic, server logs | Global edge network |
| Google LLC | Analytics (Google Analytics 4) | Anonymised page views, engagement and conversion events | US |
| Meta Platforms, Inc. | Facebook Pixel (conversion tracking) | Anonymised page views, conversion events | US |
| Functional Software, Inc. (Sentry) | Error monitoring | Error traces, user ID (if authenticated), browser/device info | EU (Frankfurt) |
| Cloudflare, Inc. | Worker proxy for CV Keskus job board | Job search queries (no user PII) | Global edge network |
All sub-processors are bound by data processing agreements. Transfers outside the EU/EEA are protected by Standard Contractual Clauses (SCCs) and supplementary encryption measures.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data, CV data, skills, generated content | Until account deletion + 30 days |
| Chat and conversation history | Until account deletion + 30 days |
| Job data and search keywords | Until account deletion + 30 days |
| Payment records | 7 years (Estonian tax law) |
| Server logs | 90 days (rolling) |
| Sentry error logs | 30 days |
| Anthropic API data retention | Up to 30 days (Anthropic trust & safety) |
| Anonymised analytics | Indefinitely (no personal data) |
8. Your Rights (GDPR Articles 15–22)
- Access (Art. 15) — Request a copy of all personal data we hold about you.
- Rectification (Art. 16) — Correct inaccurate or incomplete data.
- Erasure (Art. 17) — Request deletion of your personal data.
- Restriction (Art. 18) — Restrict processing in certain circumstances.
- Data Portability (Art. 20) — Receive your data in a structured, machine-readable format.
- Object (Art. 21) — Object to processing based on legitimate interests, including analytics.
- Withdraw Consent (Art. 7(3)) — Withdraw consent at any time where consent is the legal basis.
- Lodge a Complaint — With the Estonian Data Protection Inspectorate (Tatari 39, 10134 Tallinn).
To exercise any right, contact privacy@applykit.io. We respond within 30 days.
9. Data Security
- Encryption in transit: HTTPS (TLS 1.2+) for all connections.
- Encryption at rest: AES-256 (Supabase infrastructure).
- Password security: bcrypt with per-user salts (Supabase Auth).
- Access control: Row-Level Security (RLS) on all database tables — users can only access their own data.
- File storage: Supabase Storage with RLS — users can only access their own uploaded files.
- Infrastructure: Vercel is SOC 2 certified and Supabase is SOC 2 Type II certified.
- API keys: Stored as environment variables, never exposed to client-side code.
In the event of a data breach, we notify the relevant supervisory authority within 72 hours and affected individuals without undue delay (GDPR Articles 33 and 34).
10. Cookies and Tracking Technologies
Essential Cookies
We use a Supabase authentication session cookie (sb-*-auth-token), which is essential for the Service to function. This cookie is set with the HttpOnly and Secure attributes.
Analytics and Marketing
We use the following analytics and marketing technologies:
- Google Analytics 4 — Collects anonymised page views, engagement metrics, and conversion events (sign-ups, uploads, exports, purchases). Loads after page interaction.
- Facebook Pixel — Collects anonymised page views and conversion events for measuring advertising effectiveness. Loads after page interaction.
These services may set their own cookies. No CV content, job descriptions, chat messages, skills, or other user-generated content is sent to analytics or marketing services. Only page-level engagement and conversion events are tracked.
You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on. You can manage Facebook tracking preferences in your Facebook Ad Settings.
11. AI Data Processing
When you use AI features, your Content is sent to Anthropic's Claude API for processing. Here is what is sent for each feature:
- Cover Letter Generation: Your name, contact details, professional summary, work experience, education, skills (from CV), plus the job title, company, requirements, and full job description.
- Skills Curation: Your full Skills Vault contents plus the job requirements and description.
- Interview Preparation: Your work experience, education, skills (from CV), plus the job details and conversation history.
- Career Coach: All your saved jobs (titles, companies, requirements, skills, keywords) and your CV summary are sent simultaneously for holistic analysis.
- CV Import: The full PDF document content for structured data extraction.
- Job Parsing: The raw job posting text for requirement extraction.
Anthropic does not use your data to train AI models. Data is processed in-memory and not persistently stored beyond the request lifecycle. Anthropic may retain inputs for up to 30 days for trust and safety monitoring purposes.
12. International Data Transfers
Data may be transferred to the United States (Anthropic, Stripe, Google, Meta) and globally (Vercel, Cloudflare edge networks). All transfers are safeguarded by Standard Contractual Clauses (SCCs), supplementary encryption measures, and data processing agreements with each sub-processor.
13. Children's Privacy
The Service is not directed at individuals under 16. We do not knowingly collect data from children. If we discover that data has been collected from a child under 16, we will delete it promptly.
14. Changes to This Policy
Material changes are communicated via email or in-app notice at least 14 days before taking effect. Minor clarifications may be made without prior notice. The “Last Updated” date at the top of this page always reflects the most recent revision.
15. Contact
ApplyKit OÜ
Tallinn, Estonia
General: support@applykit.io
Privacy: privacy@applykit.io
This Privacy Policy is effective as of 13 March 2026.