Privacy Policy

Last updated: May 5, 2026

JobPilot AI (“we”, “us”, “our”) is committed to protecting your privacy. This policy explains what data we collect, how we process it, and your rights regarding that data. By using our service, you consent to the practices described in this policy.

1. Information We Collect

We collect the minimum data necessary to provide our service:

  • Account Information: Name, email address, and a securely hashed password (bcrypt) when you register.
  • Usage Metadata: AI feature usage counts and subscription plan type — used solely for plan enforcement.
  • Payment Information: If you subscribe to a paid plan, payments are processed by our third-party payment processor. We never store your credit/debit card numbers, CVV, or full payment details on our servers.

2. Resume, LinkedIn & Career Data — Ephemeral Processing

Key Point: Your resume text, LinkedIn profile text, cover letters, and job descriptions are processed ephemerally and are NOT permanently stored on our servers by default.

When you use our AI features:

  • Your text is sent from your browser to our secure API endpoint.
  • Our server forwards it to Google Gemini AI for processing.
  • The AI result is returned to your browser.
  • Your original text is not retained on our servers after the request completes.
  • All processing happens in-memory during the request lifecycle only.

If you explicitly choose to save a resume or cover letter to your account (via a “Save” action), that data will be stored in our database until you delete it or delete your account.

3. Third-Party Data Processors

We use the following third-party services to operate:

  • Google Gemini AI:Processes your text to generate AI outputs. Google's API terms state that data sent via API is not used to train their models. See: Google Cloud Data Processing Terms.
  • Vercel:Hosts our application and handles HTTPS traffic. Data passes through Vercel's infrastructure during requests.
  • Turso (LibSQL): Stores account data (name, email, hashed password, usage counts). Encrypted at rest and in transit.
  • Payment Processor: Handles subscription billing. We receive only a customer ID and subscription status — never full payment details.

We do not sell, rent, or share your personal data with any third party for advertising, marketing, or profiling purposes.

4. Data Security

  • All connections use TLS/HTTPS encryption in transit.
  • Passwords are hashed with bcrypt (cost factor 12) — we cannot see your password.
  • Database is encrypted at rest with AES-256.
  • Sessions use secure, HTTP-only JWT tokens.
  • API endpoints require authentication — no anonymous access to user data.

While we implement industry-standard security measures, no system is 100% secure. We cannot guarantee absolute security and are not liable for breaches beyond our reasonable control.

5. Data Retention

  • Account data: Retained until you delete your account.
  • AI-processed text (resume, LinkedIn, etc.): Not retained — processed ephemerally during the request only.
  • Saved items (if you choose to save): Retained until you manually delete them or delete your account.
  • After account deletion: All data is permanently purged within 30 days, including any backups.

6. Your Rights

Regardless of your location, you have the following rights:

  • Right to Access: Request a copy of all personal data we hold about you.
  • Right to Deletion: Delete your account and all associated data at any time from Settings, or by contacting us.
  • Right to Rectification: Correct inaccurate personal data.
  • Right to Data Portability: Export your data in a machine-readable format.
  • Right to Withdraw Consent: Stop using the service at any time. Previously processed data (ephemeral) is already gone.
  • Right to Object: Object to processing of your data for specific purposes.

These rights apply under GDPR (EU/UK), CCPA (California), Australian Privacy Act, and similar regulations. To exercise any right, use the account deletion feature in Settings or email us.

7. Cookies

We use essential cookies only for authentication session management. We do not use tracking cookies, advertising pixels, third-party analytics (no Google Analytics), or any form of cross-site tracking. No cookie consent banner is required because we only use strictly necessary cookies.

8. Children's Privacy

Our service is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If we discover that a user is under 16, we will delete their account and data immediately.

9. International Data Transfers

Our servers and third-party processors may be located outside your country of residence. By using our service, you consent to the transfer of your data to these locations. We ensure all processors maintain adequate data protection standards.

10. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email to registered users at least 14 days before taking effect. Your continued use of the service after changes constitutes acceptance.

11. Contact Us

For privacy-related questions, data access requests, or to exercise any of your rights, contact us at: privacy@jobpilotai.com

We aim to respond to all privacy requests within 14 business days.