Joblama

Privacy Policy

Last updated: 30 April 2026 · Version 1.2

Joblama ("we", "us", "our") is a student project built for concept validation. This Privacy Policy explains how we collect, use, and protect your personal data when you use the Joblama web application (the "Service").

1. Data Controller

The data controller responsible for your personal data is the Joblama project team. For questions or requests regarding your data, contact us at: privacy.cometworks@ik.me.

2. Data We Collect

We collect the following categories of personal data:

  • Account data: email address, full name, and authentication credentials (password hash or OAuth provider ID)
  • CV and career data: employment history, education, skills, certifications, and any other information you include in your CVs
  • Job data: job postings you save, job analyses, cover letters, and application tracking information
  • Profile data: skills you add to your profile (current, gap, and ambition tiers)
  • Usage data: anonymous page-view statistics collected by Vercel Web Analytics (see Section 6)

3. How We Use Your Data

We use your personal data to:

  • Provide and operate the Service (CV optimization, job matching, gap analysis)
  • Process your CV and career data through AI models to generate tailored CVs and analyses
  • Authenticate your identity and maintain your account
  • Improve the Service based on aggregated, anonymized usage patterns

4. Third-Party AI Processing (OpenAI)

Your CV content, employment history, skills, and career data are sent to OpenAI, L.L.C. (United States), which acts as our data processor under Article 28 GDPR, to generate AI-powered features (CV parsing, tailoring, gap analysis, cover-letter generation, translation).

4.1 Cross-Border Transfer

Because OpenAI processes data in the United States, this constitutes a transfer of your personal data outside the European Economic Area (EEA) and the United Kingdom. The transfer relies on the European Commission's Standard Contractual Clauses (Module 2 — Controller to Processor, Commission Implementing Decision (EU) 2021/914) incorporated by reference into the OpenAI Data Processing Addendum. For UK data subjects, the UK International Data Transfer Addendum (UK IDTA) also applies. You can request a copy of these safeguards from privacy.cometworks@ik.me.

4.2 Retention at OpenAI

OpenAI retains API inputs and outputs for up to 30 days for abuse-monitoring purposes, after which they are deleted. OpenAI does not use your API content to train their models. We use the OpenAI API (not ChatGPT), which provides these stricter data handling guarantees. We apply automated PII redaction to prompts before transfer where feasible.

5. Cookies and Authentication

Joblama uses essential cookies only for authentication session management, provided by Supabase Auth. These cookies are strictly necessary for the Service to function and are exempt from consent requirements under GDPR.

We do not use any marketing, advertising, or tracking cookies. No cookie consent banner is needed because we only use strictly necessary cookies.

6. Analytics

We use Vercel Web Analytics to collect anonymous page-view statistics. Vercel Analytics is cookie-free — it identifies visitors using a daily-reset hash derived from the incoming request. No personally identifiable information is collected by this service, and visitor identification resets every 24 hours.

7. Data Storage and Security

Your data is stored in a Supabase-hosted PostgreSQL database with row-level security (RLS) policies ensuring you can only access your own data. All data is encrypted in transit (TLS) and at rest.

8. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), you have the following rights:

  • Right of access (Article 15): request a copy of the personal data we hold about you
  • Right to rectification (Article 16): correct inaccurate personal data
  • Right to erasure (Article 17): request deletion of your personal data — you can delete your account from the Settings page at any time
  • Right to data portability (Article 20): receive your data in a structured, machine-readable format — available via the data export feature in Settings
  • Right to object (Article 21): object to the processing of your personal data

To exercise any of these rights, email us at privacy.cometworks@ik.me or use the self-service options in your account Settings.

9. Data Retention

We retain your personal data for as long as your account is active. If you delete your account, all associated data (profile, CVs, jobs, analyses, cover letters, and skills) is permanently deleted via cascade deletion. During the beta period, if the Service is discontinued, all user data will be deleted within 30 days of the shutdown notice.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email or an in-app notice. The "Last updated" date at the top indicates when this policy was last revised.

11. Contact

For questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at: privacy.cometworks@ik.me