Legal Document

Privacy Policy

Effective date: May 19, 2026

Your privacy matters to us. This Privacy Policy explains what data Emekly collects, why we collect it, how we protect it, and what control you have over it. We have written it in plain language because you deserve to understand what happens to your information.

1. Introduction

Emekly (“we,” “us,” or “our”) operates the platform at emekly.com. This policy applies to all users who interact with the platform, whether on a Free, Pro, or Premium plan.

By using Emekly you agree to the collection and use of information described in this policy. If you do not agree, please do not use the Service.

2. What We Collect

2.1 Information You Provide Directly

Data type	When collected
Email address	Account registration
Password (bcrypt hash only)	Account registration
CV / résumé file	CV upload
CV text content	Extracted during analysis
Job preferences & search history	Job search interactions
Payment identifiers (no card numbers)	Subscription purchase
Support messages	When you contact us

We never store raw card numbers. Payment processing is handled entirely by our PCI-compliant payment processor.

2.2 Information Collected Automatically

Usage events — pages visited, features used, buttons clicked (via PostHog analytics)
Device information — browser type, operating system, screen resolution
IP address — for security, abuse prevention, and approximate country-level geolocation
Session identifiers — to maintain your logged-in state
Referrer URL — to understand how you found Emekly

2.3 Information from Third-Party OAuth Providers

If you sign in with Google, we receive your name, email address, and profile picture as provided by Google. We do not receive your Google password or access any data beyond what you explicitly authorize.

3. How We Use Your Information

Provide the Service

Analyze your CV, generate ATS scores, skill-gap reports, and cover letters.

Job matching

Match your profile keywords against global job boards (Adzuna, Jooble, Reed, USAJobs).

Account management

Authenticate you, manage your subscription, and send transactional emails (verification, receipts).

Security

Detect fraud, abuse, and unauthorized access attempts.

Product improvement

Aggregate, anonymized usage analytics help us understand what works and what to fix.

Legal compliance

Retain minimal billing records as required by tax and financial regulations.

We do not use your data for advertising profiling, behavioral targeting, or any purpose unrelated to delivering the Service.

4. AI Processing & Third-Party Sharing

Key guarantee

Your CV content and personal data are never used to train AI models — by us or by any third-party API provider.

4.1 How AI Analysis Works

When you request a CV analysis, a structured representation of your CV's text content is transmitted over an encrypted TLS connection to one or more large language model (LLM) API providers. These providers process the text to generate an analysis response and return it to us. The raw file itself is never sent — only extracted text.

Current AI processing providers may include:

Groq, Inc. — groq.com/privacy
OpenAI, LLC — openai.com/privacy
Anthropic, PBC — anthropic.com/privacy
Google LLC (Gemini API) — policies.google.com/privacy

Under the commercial API agreements governing our use of these services, all of the above providers explicitly exclude API-submitted data from model training pipelines by default. We have not opted into any data-sharing or model-improvement programs. Your data is processed transiently to produce a response and is not retained by these providers beyond the immediate API request.

4.2 Job Board APIs

To surface job listings, we send anonymized search queries (keywords, location, job category) to third-party job boards including Adzuna, Jooble, Reed, and USAJobs. We do not send your name, email, CV content, or any personally identifying information to these services.

4.3 Infrastructure Sub-Processors

We use the following infrastructure providers to operate the Service:

Supabase — database, authentication, and file storage (EU/US regions)
Vercel — hosting and serverless compute
PostHog — product analytics (anonymized usage data only)
Resend / SMTP — transactional email delivery

All sub-processors are bound by contractual data processing agreements. We do not sell your data to any third party.

5. Data Retention

We retain your data only for as long as necessary to provide the Service or comply with legal obligations.

Data	Retention period
Raw CV file	Purged from primary storage within 30 days of upload
CV analysis results	Retained while your account is active; deleted when account is deleted
Job match & search history	Retained while your account is active; deleted when account is deleted
Account & profile data	Retained while your account is active
Anonymized analytics	Up to 24 months; cannot be linked back to you
Billing records	Up to 7 years (tax compliance); contain no CV or behavioral data

Inactive accounts: If your account has had no login activity for 12 consecutive months, we will send a notice to your registered email address. If you do not log in within the following 30 days, your account and all associated data will be permanently deleted.

6. Data Deletion

Your right to erasure

You can permanently delete your account and all data at any time from Account Settings → Delete Account. No email required, no waiting period.

When you confirm account deletion, the following happens:

Your account is immediately deactivated — you are signed out and cannot log back in.
Your profile, CV files, analysis history, cover letters, job match history, and saved preferences are queued for permanent deletion.
All of the above data is hard-deleted from our primary databases and file storage within 48 hours.
Residual copies in encrypted backup snapshots are overwritten within 30 days as those snapshots rotate on their normal schedule.
A confirmation email is sent to your registered address immediately.

Exceptions: Minimal billing identifiers (invoice IDs, subscription tier history) may be retained for up to 7 years as required by applicable tax law. These contain no CV content, analysis data, or behavioral records.

Deletion is irreversible. We cannot recover your account or data after deletion is confirmed. If you wish to export your data before deleting, submit a data export request to emekly.co@gmail.com — we will respond within 72 hours.

7. Cookies & Analytics

7.1 Cookies We Set

sb-auth-tokenEssential

Maintains your authenticated session with Supabase. Required for the Service to function.

ph_*Analytics

PostHog analytics cookies. Tracks product usage events to help us improve the platform. Anonymized — not linked to your email.

7.2 Analytics

We use PostHog to understand how users interact with the platform. PostHog is configured with person_profiles: “identified_only”, meaning we only create detailed user profiles for authenticated accounts. Anonymous visitors are counted but not profiled. We do not use Google Analytics or Meta Pixel.

8. Security

We implement industry-standard security controls to protect your data:

All data in transit is encrypted with TLS 1.2+.
All data at rest is encrypted using AES-256 via Supabase's managed infrastructure.
Passwords are never stored in plaintext; we use bcrypt hashing via Supabase Auth.
Access to production databases is restricted to authenticated services; no direct human access in normal operations.
API keys and secrets are stored as environment variables, never in source code.
We perform regular dependency audits and apply security patches promptly.

Despite these measures, no system is completely secure. If you discover a security vulnerability, please report it responsibly to security@emekly.com. Do not disclose it publicly until we have had a reasonable opportunity to address it.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data. We honor all of them regardless of jurisdiction.

Access

Request a copy of all personal data we hold about you.

Rectification

Correct inaccurate or incomplete personal data.

Erasure

Request permanent deletion of your account and data (see Section 6).

Portability

Receive your data in a machine-readable format (JSON/CSV).

Restriction

Ask us to limit processing of your data in specific circumstances.

Objection

Object to processing based on legitimate interests.

Withdraw consent

Where processing is based on consent, withdraw it at any time.

Lodge a complaint

File a complaint with your local data protection authority.

To exercise any of these rights, email emekly.co@gmail.com. We will respond within 30 days. For verified requests, we will not charge a fee.

10. Children's Privacy

Emekly is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If we discover that we have inadvertently collected such data, we will delete it immediately. If you believe a child under 16 has provided us with their personal information, please contact us at emekly.co@gmail.com.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

Update the “Effective date” at the top of this page.
Send an email notification to registered users at least 14 days before the changes take effect.
Display an in-app banner prompting you to review the updated policy.

Non-material changes (typo corrections, formatting) may be made at any time without notice. The current version of this policy is always available at emekly.com/privacy.

12. Contact

If you have any questions, requests, or concerns about this Privacy Policy or how we handle your data, please contact us:

Email: emekly.co@gmail.com

Emekly — emekly.com