Privacy Policy

Last updated: May 7, 2026

1. Introduction

JobBoost.ai ("we", "us", "our") is operated as a data controller for the personal information described below. This Privacy Policy explains what we collect, why, how long we keep it, who we share it with, and the rights you have over it. We follow the GDPR (EU/UK) and CCPA (California) standards as our baseline.

2. Information We Collect

Information you provide directly:

  • Account information (name, email address, password hash via Firebase Authentication)
  • Payment information (handled by Stripe — we do not see or store full card numbers, only the last 4 digits + brand for receipts)
  • Resume content, cover letter content, job descriptions, and any text you paste or upload to use the AI tools
  • Application-tracker entries (companies, roles, dates, notes)
  • Course progress (completed lessons, quiz attempts)

Information we collect automatically:

  • Device and browser metadata (user agent, screen size)
  • IP address (truncated to /24 for IPv4 or /48 for IPv6 and hashed before storage; raw IPs are never persisted)
  • Pages visited, buttons clicked (only if you accept analytics cookies)
  • Authentication and session cookies
  • Anonymized usage counters (number of AI runs in the last 30 days, daily token totals — used for rate-limit and abuse-prevention)

We do not use facial recognition, profile you for advertising, or sell any category of personal information.

3. How We Use Your Information

  • Provide the Service (analyze resumes, generate cover letters, run the coach, etc.)
  • Process payments and manage subscriptions through Stripe
  • Send transactional email (verification links, payment receipts, account notices)
  • Detect and prevent abuse, fraud, and excessive AI cost (we monitor per-user token consumption against a daily ceiling)
  • Maintain security (kill-switch for compromised accounts, token revocation on logout)
  • Comply with legal obligations (tax records, lawful disclosure requests)

4. Lawful Basis (GDPR Art. 6)

  • Performance of a contract — when you sign up and use the Service, we process the data needed to deliver it (account, payments, AI features).
  • Legitimate interest — for abuse prevention, the rate-limit ledger, the per-user kill switch, and the admin dashboard that lets us see who is consuming the most AI cost. The interest is keeping the Service available and affordable; the data processed (UID, email, token counts) is the minimum needed.
  • Consent — for non-essential cookies (analytics). You can accept or decline at any time via the cookie banner; declining disables Google Analytics tracking entirely.
  • Legal obligation — for tax, accounting, and lawful disclosure requirements (e.g. retaining payment records for the period required by your jurisdiction).

5. Cookies

We use a small number of cookies. Essential cookies (Firebase authentication, our session cookie, and CSRF protection) are required for the Service to function and are not subject to consent. Non-essential cookies (Google Analytics) only load if you click “Accept All” in the cookie banner. You can withdraw consent at any time from your browser settings.

6. Sub-Processors & Data Sharing

We do not sell your personal information. We share data only with:

  • Google Firebase / Google Cloud — authentication, Firestore database, Firebase App Hosting (US-based hosting). Sub-processor under their Cloud Data Processing Addendum.
  • Anthropic, PBC — provides the Claude AI model that powers the resume analyzer, coach, cover-letter generator, job-match, and career-translator features. The text you submit to those tools is sent to Anthropic for processing. Anthropic does not use API content to train its models. Sub-processor under their Data Processing Addendum.
  • Stripe, Inc. — payment processing and subscription management. Sub-processor under their Data Processing Agreement.
  • Cloudflare, Inc. — DNS, edge caching, and DDoS protection for the jobboost.ai domain. Sub-processor under their Data Processing Addendum.
  • Google Analytics (only with your consent) — aggregated usage analytics. Disabled if you decline analytics cookies.
  • Law enforcement and regulators — only when legally required.

7. Cross-Border Data Transfers

JobBoost.ai is hosted in the United States. If you access the Service from the EU, UK, or another region, your data is transferred to the US for processing. Each of our sub-processors (Google, Anthropic, Stripe, Cloudflare) operates under the EU Standard Contractual Clauses and equivalent UK and Swiss frameworks, which we rely on as the legal basis for those transfers. Where a sub-processor has Data Privacy Framework certification we additionally rely on that.

8. Your Rights (GDPR & CCPA)

Depending on where you live, you have the right to:

  • Access — receive a copy of the personal data we hold about you. You can self-serve via GET /api/account/export (signed in from any account page) or email us.
  • Rectification — correct inaccurate data. Most fields (name, email) are editable in your profile; others can be changed by emailing us.
  • Erasure— delete your account and associated data via the “Delete Account” option in your profile, or by emailing us. We process erasure within 30 days. See Section 9 for limits on what we can delete.
  • Restriction — ask us to pause processing while a dispute is resolved.
  • Objection — object to processing based on legitimate interest.
  • Portability — receive your data in a structured, commonly-used, machine-readable format (JSON). The export endpoint above provides this.
  • Withdraw consent — for analytics cookies, at any time, via the cookie banner or your browser.
  • Lodge a complaint with your local data protection authority (e.g. the ICO in the UK, your national DPA in the EU).

To exercise any right that isn't self-serve, email support@jobboost.ai. We respond within 30 days.

9. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service:

  • Account profile, resumes, applications, course progress — until you delete the account, then erased within 30 days.
  • AI usage ledger (token counts, event timestamps) — rolling 30-day window; older entries are pruned automatically. Erased with the account.
  • Anonymous IP buckets — self-prune after 30 days. Hashed and coarsened, not associated with an identity unless and until you sign up.
  • Stripe payment records — retained by Stripe for the period required by financial-services and tax-law obligations (typically 7+ years), independently of account deletion. This is a permitted exception under GDPR Art. 17(3)(b) (compliance with legal obligation). We delete the Stripe customer object at your request, but transactional history that Stripe is required to keep cannot be erased earlier.
  • Webhook event log (for idempotency) — auto-expires after 30 days via Firestore TTL.
  • Server logs — retained 30 days by our hosting provider, then rotated. We do not log full request bodies or AI outputs.

10. Security

We use industry-standard technical and organisational measures: TLS in transit, encryption at rest (Firebase / Google Cloud defaults), httpOnly session cookies, server-side authentication and authorisation on every API route, server-managed rate-limit and token-spend ledgers, and field-level write protection on sensitive profile fields (membership, suspension flags). We have a documented per-user kill-switch for incident response and a per-user daily token cap to bound runaway-cost incidents. No method of transmission over the Internet is 100% secure; we will notify affected users within 72 hours of becoming aware of a personal-data breach that is likely to result in a risk to their rights and freedoms.

11. Children

JobBoost.ai is not intended for users under the age of 16. We do not knowingly collect data from children. If you believe we have, please contact us and we will delete it.

12. Automated Decision-Making

Our AI features generate suggestions (resume bullet rewrites, ATS scores, cover letter drafts) but do not make automated decisions that produce legal or similarly significant effects on you. The output is informational; you choose what to do with it.

13. Changes to This Policy

We may update this policy as the Service evolves. Material changes will be announced to registered users by email. The “Last updated” date at the top of this page reflects the most recent revision.

14. Contact

For privacy-related inquiries, complaints, or to exercise any of the rights listed above, email support@jobboost.ai. We respond within 30 days.