Security & Privacy
We handle personal information — resumes, job descriptions, career history. Here is exactly how we protect it.
Zero-trust architecture
Every API route validates your session token on every request — no exceptions. Every database query is enforced by Row-Level Security at the Postgres layer, meaning even a server-side bug cannot expose one user's data to another. Your data is isolated at the database level, not just the application level.
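The database-level isolation described above can be reproduced in plain Postgres. This is an added example, not the service's own schema or policies: the `resumes` table, `owner_id` column, `app_user` role and `app.user_id` session setting are assumed names, and the UUIDs and filenames are constructed.

```sql
-- Constructed demo schema; all names are assumptions, not the service's own.
CREATE TABLE resumes (
    id       bigserial PRIMARY KEY,
    owner_id uuid NOT NULL,
    filename text NOT NULL
);

-- Constructed sample rows for two users, inserted before RLS is switched on.
INSERT INTO resumes (owner_id, filename) VALUES
    ('11111111-1111-1111-1111-111111111111', 'alice-cv.pdf'),
    ('22222222-2222-2222-2222-222222222222', 'bob-cv.pdf');

-- With RLS enabled and no matching policy, non-owner roles see no rows.
ALTER TABLE resumes ENABLE ROW LEVEL SECURITY;
ALTER TABLE resumes FORCE ROW LEVEL SECURITY;   -- the table owner is filtered too

-- USING filters rows read, updated or deleted; WITH CHECK filters rows written.
-- An unset or empty app.user_id becomes NULL, so the comparison matches nothing.
CREATE POLICY resumes_owner_only ON resumes
    FOR ALL
    USING      (owner_id = NULLIF(current_setting('app.user_id', true), '')::uuid)
    WITH CHECK (owner_id = NULLIF(current_setting('app.user_id', true), '')::uuid);

-- Unprivileged role the application connects as (no SUPERUSER, no BYPASSRLS).
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON resumes TO app_user;
GRANT USAGE ON SEQUENCE resumes_id_seq TO app_user;

BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.user_id = '11111111-1111-1111-1111-111111111111';
SELECT filename FROM resumes;             -- no WHERE clause; the policy supplies the owner filter
UPDATE resumes SET filename = 'renamed.pdf';  -- limited to the caller's rows by USING
INSERT INTO resumes (owner_id, filename)  -- another owner's id: violates WITH CHECK
    VALUES ('22222222-2222-2222-2222-222222222222', 'planted.pdf');
ROLLBACK;

-- Audit: tables in the public schema that still have RLS disabled.
SELECT c.relname
FROM pg_class c JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public' AND c.relkind = 'r' AND NOT c.relrowsecurity;

-- Audit: roles that policies do not apply to.
SELECT rolname FROM pg_roles WHERE rolsuper OR rolbypassrls;
```

The two audit queries are the checks to run regularly: a table missing from RLS or a connection made with a bypassing role falls back to application-level filtering only.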
We never store your password
Sign-in is via Google OAuth only, with email magic link as a fallback. We never see or store a password. Your session is a short-lived httpOnly cookie — it cannot be read by JavaScript, protecting you from XSS attacks. Pro users and all recruiters are required to enable TOTP two-factor authentication.
Stripe handles payments — we never see your card
All payment processing happens on Stripe's hosted checkout page. Our servers never receive, store, or log your card number, expiry, or CVV. This means we have near-zero PCI DSS scope. Your payment data is Stripe's responsibility, and Stripe is the world's most trusted payment processor.
Your data, your right to delete
You can export all your data (profile, Assessments, resumes) as a ZIP from your account settings. You can request deletion at any time — a 30-day grace period applies (so you can undo it), then every row and storage object associated with your account is permanently deleted. Your resume and job-description files are automatically deleted 90 days after your Pro window expires.
Encrypted in transit and at rest
All traffic uses TLS 1.3+ (enforced by Vercel and Supabase). We set HSTS preload headers, strict Content Security Policy, and Helmet security defaults. Your resumes and job descriptions are encrypted at rest in Supabase Storage and served only via short-lived signed URLs (5-minute expiry) — no permanent public links.
No data sale. No ad targeting. No tracking pixels.
We use Vercel Analytics (privacy-respecting, no cookies) and Plausible (GDPR-compliant, no fingerprinting). We have no Google Analytics, no Meta Pixel, no third-party ad networks. We do not sell your data to anyone — not now, not ever. Revenue comes from users paying us for value, not from monetising you.
Report a vulnerability
If you discover a security vulnerability, please email security@alfalah.app with the details. We commit to responding within 48 hours and to responsible disclosure. We do not pursue legal action against good-faith security researchers. Our security.txt file is available at /.well-known/security.txt.
GDPR & CCPA compliance
We comply with GDPR (EU/UK) and CCPA (California). You have the right to access, correct, export, and delete your personal data at any time. We do not engage in the sale of personal information as defined by CCPA.
Data processors we use: Supabase (database + storage, EU region available), Vercel (compute + CDN), Stripe (payments), Resend (transactional email), Sentry (error tracking — anonymised where possible).
Full details are in our Privacy Policy.