Privacy Policy

How Apply4Me collects, uses, transfers, and protects your personal data under the EU GDPR.

Last updated: May 2026

1. Data Controller and Information We Collect

Data controller: Apply4Me, contact privacy@apply4me.io. We collect personal data you provide (account, CV content, professional profile, optional voice during interview practice), data generated by your use of the service (applications, interactions, swipes, device and crash data), and limited identifiers from authentication providers (Google, Apple). We do not knowingly collect data from users under 16.

Personal Information

Name, email, optional phone, city/country, profile photo, payment identifiers (handled by RevenueCat/Stripe/Apple/Google), authentication tokens, and any personal details you include in your CV or cover letter.

Professional Information

CV/resume content, work experience, education, skills, certifications, salary expectations, job preferences, application history, AI-generated cover letters and CV adaptations, and recorded interview-practice audio if you use that feature.

Usage and Device Information

App and web usage events, feature interactions, push notification tokens, device type, operating system, app version, crash reports, approximate location at country/region level, and consent state. We avoid storing raw IP addresses for analytics.

2. How We Use Your Information and Legal Basis

We process your data on the legal bases set out in Articles 6 and 9 GDPR: contract performance for core service features, your consent for marketing and AI-assisted optional features, legitimate interest for security and product analytics, and legal obligation for fraud prevention and accounting.

We use your information to:

  • Provide and improve job-matching, CV adaptation, cover letters, interview practice, and Auto-Apply (legal basis: contract performance and, where AI processing of your CV is involved, consent).
  • Process your applications and, when you enable Auto-Apply, transmit your application details to selected employers and job boards (legal basis: contract performance).
  • Send service notifications, password resets, application updates and product news (legal basis: contract performance and legitimate interest; marketing email requires consent).
  • Detect fraud, protect accounts, secure the platform, and respond to abuse (legal basis: legitimate interest and legal obligation).
  • Analyze usage to improve features and stability via privacy-preserving analytics (legal basis: legitimate interest; you can object via privacy@apply4me.io).
  • Comply with legal obligations, including tax, accounting, regulator and law-enforcement requests (legal basis: legal obligation).

3. Recipients and International Transfers

We share personal data only with vetted processors that act on our written instructions under EU Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework. Categories of recipients and their roles are listed below. We do not sell personal data. When you use Auto-Apply, we transmit the personal data you supply to the employer or job board you choose to apply to; those parties act as independent controllers.

Recipients include:

  • Infrastructure: Amazon Web Services (Ireland, Germany), Supabase (Germany), Vercel (Germany/EU edge) for hosting, storage and databases.
  • AI processors: Cerebras Systems (United States), OpenAI Ireland/USA, AssemblyAI (United States) to generate CV adaptations, cover letters, career paths and interview transcription. Transfers rely on Standard Contractual Clauses and, where available, the EU-US Data Privacy Framework.
  • Communications, payments and analytics: Mailgun (transactional email), RevenueCat (United States) and Stripe (Ireland/USA) for subscriptions, Apple App Store and Google Play for in-app purchases, Sentry (error monitoring), Amplitude (product analytics), Expo (push notifications), Google and TikTok (advertising, only with your consent via the cookie banner).
  • Authorities and successors: courts, regulators (including the Polish UODO) and law-enforcement bodies when legally required, and any acquirer in case of merger, acquisition or reorganisation, subject to equivalent protection.

4. Data Security

Personal data is encrypted in transit (TLS) and at rest (AES-256 on S3 and Supabase). Access is gated by least-privilege IAM, JWT authentication, and audited Lambda handlers. We monitor for anomalies via Sentry. We will notify you and the Polish supervisory authority (UODO) within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to your rights and freedoms, as required by Article 33 GDPR.

5. Data Retention

Account and profile data are retained until you delete your account. CVs and Auto-Apply profiles are retained until you remove them. Application history is kept for up to 3 years after submission. Authentication refresh tokens are deleted within 30 days of revocation. Server logs are retained for 30 days. AI usage logs and completed background-job records are retained for up to 12 months for debugging and abuse prevention. Backups roll off within 30 days. You can request immediate deletion at any time via account settings or privacy@apply4me.io.

6. Your Rights

Under the GDPR you have the rights listed below. You can exercise them by emailing privacy@apply4me.io or using the in-app data tools. We respond within 30 days, free of charge in most cases. You also have the right to lodge a complaint with the Polish supervisory authority Urząd Ochrony Danych Osobowych (UODO), uodo.gov.pl.

Your rights include:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — delete your account and associated data (right to be forgotten).
  • Portability — receive your data in a machine-readable format and lodge a complaint with UODO.
  • Objection and withdrawal of consent — object to processing based on legitimate interest, opt out of marketing, and withdraw consent for AI-assisted features at any time.

7. Cookies and Similar Technologies

Strictly necessary cookies keep you signed in and remember your consent choice. With your consent we set marketing cookies for Google Ads and the TikTok Pixel to measure campaign performance; you can accept or reject these via the cookie banner at any time. Product analytics (Amplitude) and error monitoring (Sentry) run under legitimate interest with reduced identifiers; you can object via privacy@apply4me.io. You can also manage cookies in your browser settings.

8. Children's Privacy

Our services are intended for users aged 16 and older. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact privacy@apply4me.io and we will delete it.

9. International Data Transfers

Apply4Me processes most personal data inside the EU (servers in Frankfurt and Ireland). Some AI processors, payment providers and analytics services are based in the United States. Transfers outside the EEA are protected by the EU Commission's Standard Contractual Clauses and, for processors enrolled, the EU-US Data Privacy Framework. A copy of the SCCs is available on request.

10. Changes to This Policy

We may update this Privacy Policy as our services or applicable law evolve. Material changes will be announced by email or in-app notice at least 14 days before they take effect. The 'Last updated' date at the top of this page shows the version in force.

11. Contact and Complaints

For privacy questions, data-subject requests, or to withdraw consent, email privacy@apply4me.io. For complaints you may also contact the Polish supervisory authority Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl.

Questions about our Privacy Policy?

If you have any questions about this Privacy Policy or our data practices, please contact us at contact@apply4me.io.