Privacy Policy

Who we are

Applyflow is a job-application tracking service operated by Applyflow (“we”, “us”, “our”). We provide a web application at applyflowtracker.com and a companion Chrome browser extension.

What data we collect

Web application

• Account information — email address and password, used for account creation and login.
• Job listing data — company name, role title, URL, status, notes, and any other details you choose to save.
• Events — status changes and interactions you generate while tracking applications.
• Resume data — you may upload a resume as a PDF file or enter resume text manually. Resume files are stored in Supabase Storage (EU Frankfurt). Text is extracted from PDFs and stored for use with AI features.
• Subscription information — if you subscribe to a paid plan, payment and billing details are collected and processed by Stripe. We do not store credit card numbers or bank details on our servers. See Stripe's privacy policy for details.

Chrome extension

When you use the “Save Job” action on a job-listing page the extension collects:

• Page URL — the URL of the page you are viewing.
• Page title — the title of the page.
• Visible page text (truncated) — used to extract the company name, role title, and other listing details.
• Authentication / session identifiers — required to associate the saved listing with your Applyflow account.

The extension stores your API URL and API token locally in chrome.storage.local to communicate with the Applyflow web application. This data is never synced to the cloud or shared with third parties.

The extension does not collect browsing history, run in the background on pages you have not explicitly activated it on, or access data from other tabs.

AI-assisted extraction

When you save a job listing, the visible page text may be sent to OpenAI's API to automatically extract structured details such as the company name, role title, location, and requirements. This text is processed solely for extraction purposes and is not used to train AI models. See OpenAI's privacy policy for details on how they handle data.

When you use AI Suggestions on a job listing, your resume text and the job description are sent to OpenAI's API to generate personalised improvement suggestions. This data is processed solely for generating suggestions and is not used to train AI models.

Cookies and local storage

We keep our use of browser storage to the minimum needed to operate the service:

We do not use Google Analytics, tracking pixels, fingerprinting, third-party marketing cookies, or any other form of cross-site tracking.

Purpose of data collection

All data collected — by both the web app and the extension — serves a single purpose: to save and organise job listings in your Applyflow account so you can track your applications.

Where data is stored

Your data is stored in a PostgreSQL database hosted by Supabase in the EU (Frankfurt, Germany). The web application is hosted on Vercel.

Data sharing

We do not sell, rent, or trade your personal data. We share data only with the infrastructure and service providers strictly necessary to operate Applyflow:

Data retention and deletion

Your data is retained for as long as your account exists. You can delete your account at any time from your Profile page. When you delete your account, ALL data is permanently and immediately removed — including your jobs, resumes, resume PDF files, AI suggestions, events, and account settings. There is no retention period after deletion.

Legal basis for processing (GDPR)

If you are located in the European Economic Area (EEA), we process your personal data on the following legal bases:

• Contract — processing your account and job listing data is necessary to provide the service you signed up for.
• Legitimate interest — we may process data to maintain the security and integrity of the service.
• Consent (Art. 6(1)(a)) — your matching preferences (see “Matching preferences and discovery” below) are processed only on your explicit, opt-in consent. Each channel is a separate consent, recorded individually, and revocable at any time with the same one-click affordance.

Matching preferences and discovery

We only store your matching preferences after you actively turn them on. Each preference is a separate consent: you can turn on one channel without turning on another. You can turn any of them off at any time in Settings → Privacy, with the same number of clicks it took to turn them on — and we log every change. This satisfies GDPR Art. 6(1)(a) (explicit consent) and Art. 7(3) (revocable on demand, no friction).

What each channel does

• Show up in employer searches — when an employer queries our directory for candidates with matching skills, your profile may appear in their results. Default off.
• Let AI agents score you for roles — employer hiring agents may evaluate your profile against their open roles and surface you as a match. A human always approves before any outreach reaches you. Default off.
• Let employers send you messages — employers can send you a message about a role; you decide whether to reply. No data about you leaves unless you reply. Default off.

Additional opt-in matching features (such as our planned anonymized shared discovery pool) will be added with their own separate, explicit consent at the moment they launch — never enabled retroactively.

What employers see at each scope

When you turn a channel on, the scope setting (default Full; adjustable in Settings → Privacy → Advanced) controls which fields of your profile cross to the employer. Tighter scopes share less:

Private scope still records that you opted in (so the audit trail exists), but no fields cross in responses. It is an edge case — most candidates use Full, Masked, or Skills only.

Withdrawing consent

The withdrawal mechanism is the same UI used to grant consent. Turning off a toggle in Settings → Privacy = consent withdrawn, immediately. No customer-service step, no escalation, no friction. We log the change to your account's audit trail and apply it to all future cross-party requests.

One honest caveat: data already shared with an employer under a previous consent cannot be clawed back from their systems. Withdrawing consent prevents future disclosures; it does not delete what an employer received and stored on their side. If you want a specific employer to delete data they hold, contact them directly. To delete your entire account and everything we hold, use the “Delete My Account” control on your Settings page.

Your rights

Under applicable data protection laws (including the GDPR), you have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your data.
• Object to or restrict certain processing.
• Data portability — receive your data in a structured, machine-readable format.
• Lodge a complaint with a supervisory authority in your jurisdiction.

To exercise any of these rights, contact us at the email below.

Chrome Web Store compliance

Our use and transfer of information received from Google APIs adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements.

Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email or through the application. The “last updated” date at the top reflects the most recent revision.

Contact

For privacy-related requests or questions, email us at hello@applyflowtracker.com.