Privacy Policy

Last Updated: 19 December 2025

1. Introduction

Career Journey ("we," "our," or "us") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our career management platform (the "Service").

This Privacy Policy is designed to comply with the General Data Protection Regulation (GDPR) (EU) 2016/679 and other applicable data protection laws in the European Union.

By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Service.

2. Data Controller

Career Journey acts as the Data Controller for the personal data we process in connection with the Service. We determine the purposes and means of processing your personal data.

Data Controller Contact Information:

Career Journey

Email: sebi.secasiu@gmail.com

3. Personal Data We Collect

3.1 Information You Provide Directly

When you use the Service, you may provide us with the following types of personal data:

Account Information:

  • Name and email address
  • Authentication credentials (password or OAuth tokens)
  • Profile information
  • Account preferences and settings

Career Data:

  • Employment history (roles, companies, dates, locations)
  • Achievements and accomplishments
  • Projects and initiatives
  • Education and certifications
  • Skills and competencies
  • Recognition and awards (kudos)
  • Job descriptions and application information

Communication Data:

  • Correspondence with us (support requests, feedback)
  • Email reminder preferences

3.2 Information Collected Automatically

When you access the Service, we automatically collect certain information:

Usage Information:

  • Pages visited and features used
  • Time and date of access
  • Time spent on pages
  • Links clicked
  • Search queries within the Service

Device and Technical Information:

  • IP address
  • Browser type and version
  • Operating system
  • Device identifiers
  • Screen resolution
  • Referring website

Cookies and Similar Technologies:

We use cookies and similar tracking technologies to enhance your experience. See Section 8 for more details.

3.3 Information from Third Parties

We may receive information about you from third-party services you connect to your Account, such as:

  • OAuth authentication providers (Google, LinkedIn, etc.)
  • Professional networking sites (if you choose to import data)

4. How We Use Your Personal Data

We process your personal data for the following purposes, based on the legal grounds specified:

To Provide and Maintain the Service

Legal basis: Performance of a contract (Terms of Service)

  • Create and manage your Account
  • Store and organize your career data
  • Enable AI-powered resume tailoring
  • Track job applications and analytics
  • Provide customer support

To Communicate with You

Legal basis: Performance of a contract and legitimate interests

  • Send you email reminders (if you opt in)
  • Respond to your inquiries and requests
  • Send important service updates and notifications
  • Notify you of changes to our Terms or Privacy Policy

To Improve and Develop the Service

Legal basis: Legitimate interests

  • Analyze usage patterns and trends
  • Test new features and improvements
  • Conduct research and development
  • Debug and fix technical issues
  • Monitor and improve AI model performance

For Security and Fraud Prevention

Legal basis: Legitimate interests and legal obligations

  • Detect and prevent fraud, abuse, and security incidents
  • Protect against unauthorized access
  • Enforce our Terms of Service
  • Comply with legal obligations

For Legal Compliance

Legal basis: Legal obligation

  • Comply with applicable laws and regulations
  • Respond to legal requests and prevent harm
  • Maintain records as required by law

With Your Consent

Legal basis: Consent

  • Send you marketing communications (you can opt out at any time)
  • Use your data for purposes not listed above (we will ask for your explicit consent)

5. How We Share Your Personal Data

We do not sell your personal data. We may share your personal data only in the following circumstances:

5.1 Service Providers and Processors

We share data with third-party service providers who process data on our behalf:

  • Cloud Hosting: MongoDB Atlas (database storage)
  • Authentication: NextAuth and OAuth providers
  • AI Services: OpenAI (for resume tailoring - your data is not used to train their models)
  • Email Services: Resend (for transactional emails and reminders)
  • Analytics: Privacy-focused analytics tools (anonymized data only)

All service providers are contractually bound to protect your data and may only use it for the purposes specified by us. We have Data Processing Agreements in place with all processors handling personal data.

5.2 Legal Requirements

We may disclose your personal data if required by law or in response to:

  • A court order, subpoena, or other legal process
  • A request from law enforcement or government authorities
  • The need to protect our rights, property, or safety
  • The need to protect the rights, property, or safety of others

5.3 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity. We will provide notice and ensure the same level of protection for your data.

5.4 With Your Consent

We may share your personal data with third parties when you have given us explicit consent to do so.

6. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where some of our service providers are located.

When we transfer your personal data outside the EEA, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with our service providers
  • Adequacy Decisions: We transfer data to countries deemed adequate by the European Commission
  • Supplementary Measures: We implement additional technical and organizational measures to protect your data

You have the right to request information about the safeguards we have in place for international data transfers.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Account Data

Retained while your Account is active and for up to 90 days after account deletion (to allow for account recovery).

Career Data

Retained while your Account is active. Deleted within 30 days of account deletion unless you request immediate deletion.

Usage and Analytics Data

Retained in anonymized form for up to 24 months for service improvement.

Communication Records

Retained for up to 6 years as required by applicable law and for customer support purposes.

Legal and Compliance Data

Retained as long as required by applicable law (typically 6-10 years depending on the jurisdiction).

You may request deletion of your data at any time by exercising your right to erasure (see Section 10).

8. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and track information about your use of the Service and to improve your experience.

8.1 What Are Cookies?

Cookies are small data files stored on your device. They help us recognize you, remember your preferences, and understand how you use the Service.

8.2 Types of Cookies We Use

Strictly Necessary Cookies

Legal basis: Legitimate interest (essential for service operation)

These cookies are essential for the Service to function. They enable core features like authentication, security, and session management.

Functional Cookies

Legal basis: Legitimate interest

These cookies remember your preferences and settings to personalize your experience.

8.3 Managing Cookies

You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. However, blocking necessary cookies may prevent you from using certain features of the Service.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.

9.1 Security Measures

  • Encryption: Data is encrypted in transit (TLS/SSL) and at rest
  • Authentication: Secure authentication mechanisms with password hashing and OAuth support
  • Access Controls: Strict access controls and role-based permissions
  • Monitoring: Continuous monitoring for security threats and anomalies
  • Regular Audits: Periodic security audits and vulnerability assessments
  • Data Isolation: Multi-tenant architecture with strict data isolation
  • Backup and Recovery: Regular backups with secure storage and tested recovery procedures

9.2 Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
  • Notify affected users without undue delay if there is a high risk to your rights
  • Provide information about the nature of the breach and steps taken to address it

9.3 Your Responsibility

While we take extensive measures to protect your data, you are responsible for maintaining the security of your Account credentials. Never share your password with others and notify us immediately if you suspect unauthorized access to your Account.

10. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights regarding your personal data:

1. Right of Access (Art. 15 GDPR)

You have the right to obtain confirmation of whether we process your personal data and, if so, to access that data and receive information about how it is processed.

2. Right to Rectification (Art. 16 GDPR)

You have the right to request correction of inaccurate personal data or completion of incomplete data. You can update most of your data directly in your account settings.

3. Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)

You have the right to request deletion of your personal data when it is no longer necessary for the purposes for which it was collected or when you withdraw consent. You can delete your Account and data through your account settings.

4. Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request that we limit the processing of your personal data in certain circumstances, such as while we verify the accuracy of data you have contested.

5. Right to Data Portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller. Contact us to request an export of your data.

6. Right to Object (Art. 21 GDPR)

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. You can opt out of marketing communications at any time.

7. Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

8. Right to Lodge a Complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your residence, place of work, or place of alleged infringement.

9. Rights Related to Automated Decision-Making (Art. 22 GDPR)

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. Our AI features provide suggestions that you review and approve.

10.1 How to Exercise Your Rights

To exercise any of these rights:

  • For account deletion: Use the delete account feature in your account settings
  • For data rectification: Update your information directly in your account settings
  • For all other requests: Contact us at sebi.secasiu@gmail.com

We will respond to your request within one month. In complex cases, we may extend this period by two additional months, and we will inform you of the extension and the reasons for delay.

11. Children's Privacy

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at sebi.secasiu@gmail.com.

If we discover that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information as soon as possible.

12. Third-Party Websites and Services

The Service may contain links to third-party websites or integrate with third-party services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing any personal data.

This Privacy Policy applies only to personal data collected by Career Journey through the Service.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this Privacy Policy
  • Post the revised Privacy Policy on the Service
  • Notify you via email or through a prominent notice on the Service
  • Obtain your consent where required by applicable law

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes are posted constitutes your acceptance of the revised Privacy Policy.

14. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Career Journey

Email: sebi.secasiu@gmail.com

EU Supervisory Authority:
You have the right to lodge a complaint with your local data protection authority. You can find your local authority at: https://edpb.europa.eu/about-edpb/board/members_en

Summary: Your Data, Your Control

  • We collect only the data necessary to provide and improve the Service
  • We never sell your personal data to third parties
  • You have full control over your data with comprehensive GDPR rights
  • We implement strong security measures to protect your data
  • You can export or delete your data at any time
  • We are transparent about how we use your data

For a detailed overview of our data processing activities, please see our Data Processing Agreement.