Privacy Policy

Last updated: May 9, 2026 — Effective immediately

Our commitment in plain language

  • We do not sell your data. Ever.
  • We do not have ad networks, tracking pixels, or third-party behavioural analytics.
  • We do not use your resume or job descriptions to train AI models.
  • You can export all your data or delete your account at any time.
  • Your data is encrypted in transit (TLS 1.3+) and at rest.

What we collect

Account information

When you sign in with Google, we receive your name, email address, and Google profile photo URL. We store your email, display name, selected country, and industry. We never receive or store your Google password.

Resume and job content

When you upload a resume or paste a job description, we store them to generate your Assessment. Standard users have one resume slot; Pro users have five. Resumes are encrypted at rest and accessible only to your account. They are automatically deleted 90 days after your Pro window expires or when you delete your account.

Assessment data

We store your Assessment results (card outputs) to display them to you. We use aggregate, anonymised Assessment metadata for product analytics (e.g., “which cards are most used”). Individual Assessment content is never shared.

Usage data

We collect basic usage data via Vercel Analytics (privacy-respecting, cookie-free) and Plausible (GDPR-compliant, no fingerprinting). This includes page views and rough geographic region. We do not track individual users across sessions or devices. We do not use Google Analytics, Meta Pixel, or any ad network.

How we use your data

  • To provide the service: generate Assessments, store results, manage your account.
  • To send transactional emails: Assessment delivery (Standard), receipt (Pro), expiry warnings.
  • To enforce anti-abuse limits and detect fraud.
  • To improve the service using aggregate, anonymised analytics.
  • To comply with legal obligations.

We do not use your data for advertising, profiling, or sale to third parties.

Data processors

We use the following sub-processors. Each processes only the minimum data required for its function:

  • Supabase (database, storage, auth) — stores your account data, resumes, and Assessments. SOC 2 Type 2. EU region available on request.
  • Vercel (hosting, CDN) — serves the web application. SOC 2 Type 2.
  • Stripe (payments) — processes Pro payments. PCI DSS Level 1. We never see your card details.
  • Resend (email) — sends transactional emails (Assessment delivery, receipts, expiry alerts).
  • Google Gemini / Anthropic Claude / Microsoft Azure (AI) — processes your resume and JD to generate Assessment cards. API inputs are not used for training. Data is not retained beyond the API call.
  • Sentry (error tracking) — receives anonymised error information to help us fix bugs. No personal data in error payloads where avoidable.

Data retention

  • Active account: data retained while account is active.
  • Pro window expiry: Assessment results and resumes become read-only. Auto-deleted 90 days after expiry.
  • Account deletion: 30-day grace period, then permanent deletion of all user-owned data.
  • Audit log: retained for 1 year for security compliance, then purged.

Your rights (GDPR & CCPA)

  • Access:export all your data from Settings > Account > Export.
  • Correction: update your profile from Settings.
  • Deletion:delete your account from Settings > Account > Delete account.
  • Portability: the export ZIP contains your data in machine-readable JSON.
  • Objection (GDPR): email privacy@alfalah.app to object to any processing.
  • Opt-out of sale (CCPA): we do not sell personal information. No opt-out mechanism needed.

Cookies

We use one first-party cookie: a session cookie (httpOnly, Secure, SameSite=Strict) that manages your login state. We do not use advertising cookies, tracking cookies, or third-party cookies. You can delete this cookie by signing out.

Security

We use TLS 1.3+ for all data in transit. Data at rest is encrypted by Supabase (AES-256). Row-Level Security policies ensure users can only access their own data. See our Security page for full details.

Children

Alfalah is not directed at persons under 16. We do not knowingly collect personal information from children under 16. If we discover we have done so, we will delete the account immediately.

Changes to this policy

We will notify registered users by email of material changes at least 14 days before they take effect. The “last updated” date at the top of this page reflects the most recent revision.

Contact

Privacy questions or requests: privacy@alfalah.app