Privacy Policy
Version 2.0 — Last updated: April 24, 2026
InJobby (“we”, “our”) is committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and the French Data Protection Act of 6 January 1978, as amended. Pursuant to Article 13 GDPR, this policy describes who processes your data, for what purposes, on what legal basis, for how long, and how to exercise your rights.
1. Data controller
The data controller is the publisher of the InJobby website, whose full details (identity, address, registration number where applicable) appear in the Legal Notice. The single contact point for any data-related question is: contact@injobby.com.
Given the nature and volume of data processed, the appointment of a Data Protection Officer (DPO) is not required under GDPR Article 37. Your requests are handled directly by the data controller.
2. Data collected, purposes, and legal basis
We collect only the data strictly necessary to deliver the service and secure it. We never sell, monetise, or transfer your data to third parties for advertising purposes.
| Data | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|
| Name, email | Account creation and management, service notifications | Contract performance (Art. 6.1.b) |
| bcrypt-hashed password | Authentication | Contract performance (Art. 6.1.b) |
| Google identifier (OAuth) if you use “Continue with Google” | Password-less authentication | Contract performance (Art. 6.1.b) |
| CV and cover-letter content | Generation, ATS analysis, PDF export, AI improvement | Contract performance (Art. 6.1.b) |
| Manually tracked applications | Private tracking and statistics | Contract performance (Art. 6.1.b) |
| Email (PRO / MAX waitlist) | Launch notification | Consent (Art. 6.1.a) |
| IP address, user-agent, request timestamps | Security, rate-limiting, abuse detection | Legitimate interest (Art. 6.1.f) — service security |
| Usage counters (AI quotas, scans, exports) | Enforcement of plan limits | Contract performance (Art. 6.1.b) |
| Engagement events (scan run, letter generated, PDF downloaded) | Internal activation analytics, Founding Member eligibility | Legitimate interest (Art. 6.1.f) — service improvement |
| Payment data (Stripe customer id, subscription status) | Subscription processing, billing | Contract performance (Art. 6.1.b) |
| Client- and server-side application errors (Sentry) | Bug detection and resolution | Consent (Art. 6.1.a) for browser errors; legitimate interest server-side |
| Anonymised product events (PostHog, if consented) | Aggregate usage analytics, activation funnel | Consent (Art. 6.1.a) |
Password confidentiality. We never store your password in plain text. Only its bcrypt digest (cost 12) is kept. We cannot retrieve it: if you forget it, the only route is an email reset.
No credit-card data is ever stored by InJobby. Payments are processed exclusively by Stripe (PCI-DSS Level 1); we never see your card number, CVV, or expiry date.
3. Sub-processors (GDPR Article 28)
Your data is hosted and processed by the following sub-processors, selected for GDPR compliance and bound by a Data Processing Addendum (DPA):
| Sub-processor | Role | Location |
|---|---|---|
| Neon Inc. | Postgres database (accounts, CVs, scans, applications) | Frankfurt, Germany — EU |
| Railway Corp. | Backend API and worker hosting | Amsterdam, Netherlands — EU |
| Vercel Inc. | Frontend hosting and Next.js API proxy | CDG region (Paris, France) — EU |
| Upstash Inc. | Redis cache (rate-limiting, token revocation) | eu-west-1 (Ireland) — EU |
| Resend Inc. | Transactional email delivery (verification, reset, billing) | eu-west-1 (Ireland) — EU |
| Sentry (Functional Software Inc.) | Application error monitoring | EU region (Frankfurt, Germany) |
| Stripe Payments Europe Ltd. | Payment processing and billing (when Stripe is enabled) | Dublin, Ireland — EU (with onward transfers to Stripe Inc., USA — see §4) |
| PostHog Inc. | Aggregate product analytics (EU Cloud instance selected) | Frankfurt, Germany — EU (US parent entity — see §4) |
| Groq Inc. | AI text processing (ATS analysis, bullet rewriting, letter generation) | United States (see §4) |
| Google Ireland Ltd. | OAuth 2.0 “Continue with Google” (only if you use this button) | Dublin, Ireland — EU (with onward transfers to Google LLC, USA — see §4) |
No CV, letter, application, or email content is retained by Groq or used to train any model. Texts are transmitted for processing and discarded by Groq after the response (contractual zero-retention policy). System prompts also ensure that no user's data can leak to another user.
4. Transfers outside the European Union
Almost all processing takes place inside the European Economic Area. Four exceptions are described below. For each, we state the applicable transfer mechanism and — where the United States is involved — the residual risk the CJEU's Schrems II decision (16 July 2020) requires us to disclose.
- Groq Inc. (USA) — real-time AI processing. InJobby uses Groq Inc. for AI processing of the CV, cover letter, and job description text you entrust to us. This transfer is governed by the European Commission's Standard Contractual Clauses (SCCs, Decision 2021/914, controller-to-processor module). We acknowledge that the United States does not benefit from an adequacy decision for this kind of processing — Groq Inc. is not certified under the EU-US Data Privacy Framework at this time — and we inform users of the residual risk: US authorities can, under certain conditions of the Cloud Act and FISA Section 702, request access to data held by Groq without notification to the data subject. To limit this risk, we have contractually negotiated a zero-retention policy with Groq (texts are not stored beyond the response) and we do not transmit direct identifiers (name, email) in AI requests. If this residual risk is not acceptable to you, you can export your data and delete your account at any time from the Settings page.
What data is actually transmitted to Groq? For full transparency (rather than a marketing promise): the text content of your CV, cover letters, and the job descriptions you provide to us is transmitted to Groq for processing. Before transmission, a server-side filter automatically replaces detected email addresses, phone numbers, and URLs with neutral tokens ([email], [phone], [url]); this filter applies to every AI route except the structured CV parser (whose explicit purpose is to extract your contact details back into the matching fields of your profile). The remaining text content — your name as you typed it, job titles you held, employer and school names, experience descriptions — is necessarily transmitted because it is the actual material the AI analyses. No administrative field (password, token, Stripe identifier) is ever transmitted to Groq.
- Stripe Inc. (USA) — payment processing. Stripe is certified under the EU-US Data Privacy Framework by the US Department of Commerce, which constitutes an adequacy decision under GDPR Article 45. SCCs additionally cover transfers to its sub-processors.
- Google LLC (USA) — only if you use the “Continue with Google” button. Google LLC is certified under the EU-US Data Privacy Framework. No transfer occurs for users who sign up with a classic email.
- PostHog Inc. (USA, parent entity). The instance we use is hosted in the EU (EU Cloud, Frankfurt). SCCs cover any residual administrative operations with the US entity.
You can obtain a copy of the applicable SCCs by writing to contact@injobby.com.
5. Retention periods
- Active account: account data (identity, CVs, letters, applications, scans) is retained as long as the account remains active.
- Deleted account: erased within 30 calendar days of the deletion request.
- Technical logs and security events: rolling 90 days maximum.
- Anonymised engagement events: 13 months — the limit recommended by the CNIL for audience-measurement statistics.
- Invoices and accounting data: 10 years — statutory retention period (Article L.123-22 of the French Commercial Code).
- Waitlists: retained until the relevant plan launches, then erased within 30 days (or sooner on explicit unsubscribe).
- Cookie-consent proof: 13 months (CNIL recommendation), re-collected beyond.
6. Your rights
Under GDPR Articles 15 to 22, you have the following rights over your personal data:
- Right of access (Art. 15) — obtain confirmation that we are processing your data and a copy of it.
- Right to rectification (Art. 16) — correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — request deletion of your data (“right to be forgotten”).
- Right to restriction (Art. 18) — request the suspension of a processing whose accuracy or lawfulness you contest.
- Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format (JSON).
- Right to object (Art. 21) — object, for reasons relating to your particular situation, to processing based on legitimate interest.
- Right to withdraw consent (Art. 7) — at any time, without affecting the lawfulness of prior processing.
- Right to set post-mortem directives (Article 85 of the French Data Protection Act) — on what happens to your data after your death.
7. How to exercise your rights
For the rights of access and erasure, you have self-service tools in the application:
- Export of all your data — from the Settings → Privacy page, button “Download my data”. We deliver a portable JSON file (portability exercised in under 30 seconds).
- Permanent account deletion — from the same page, button “Delete my account”. Confirmation requires typing your email address to prevent mis-clicks.
For any other right, or if you prefer a human contact, email contact@injobby.com. We respond within 30 days (the statutory maximum under GDPR Article 12.3), with a possible 2-month extension for complex requests — duly justified.
You also have the right to lodge a complaint with the French data protection authority (CNIL), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — www.cnil.fr/en/plaintes.
8. Security
We implement appropriate technical and organisational measures (GDPR Article 32):
- TLS encryption (HTTPS) on every exchange.
- At-rest encryption on the Postgres database (Neon) and hosting volumes (Railway).
- Passwords hashed with bcrypt cost 12, never stored in plain text.
- Authentication cookies set as httpOnly, Secure, SameSite=Lax, with a short 30-minute access-token TTL and refresh-token rotation.
- Mandatory two-factor authentication (TOTP) for administrator accounts, with Fernet-encrypted secrets at rest.
- CSRF protection via a custom header, brute-force protection via rate-limiting (slowapi backed by Redis).
- HTTP security headers (HSTS, X-Content-Type-Options, X-Frame-Options, Content-Security-Policy).
- Secret and token filtering in application logs and in Sentry.
- Principle of least privilege on operator accesses.
9. Data-breach notification
Under GDPR Article 33, we will notify the CNIL within 72 hours of becoming aware of any personal-data breach likely to result in a risk to the rights and freedoms of data subjects. Under Article 34, when the breach is likely to result in a high risk, we will also inform affected users without undue delay, by email and via in-app notification.
10. Automated decision-making
No decision producing legal effects or significantly affecting you is taken on a purely automated basis (GDPR Article 22). AI suggestions are assistance subject to your validation. The acceptance or rejection of an account for abuse is a human decision, with a right of appeal to contact@injobby.com.
11. Minors
InJobby is intended for users aged 16 and over. We do not knowingly collect data from children under 16. If you believe a minor has sent us data, write to contact@injobby.com — we will delete the account without delay.
12. Cookies
The cookies and similar technologies we use, their duration, and how to withdraw your consent are detailed in the Cookie Policy.
13. Changes to this policy
We may update this policy to reflect regulatory, technical, or feature changes. The last-updated date and version number appear at the top of this page. Substantive changes will be notified to you by email at least 30 days before they take effect.
14. Contact
For any question about this policy or the processing of your data: contact@injobby.com.