Privacy
Privacy Policy
Last updated: May 24, 2026
In plain English
- We collect what we need to run Hyrejet for you — your account, your resume, the jobs you submit, your applications, and basic usage analytics.
- We do not sell your data, and we do not use it to train any AI model.
- You can export or delete your data at any time from Settings.
- EU and California users have specific legal rights — full list below.
1. Who we are
Hyrejet is operated by Cristian Selar, a sole proprietor based in Greece (“Hyrejet”, “we”, “us”). We are the data controller of the personal data described in this policy.
For any privacy-related question, request, or complaint, contact us at hyrejet@gmail.com.
2. Personal data we collect
We collect the following categories of personal data:
Account data (provided by you when you sign up)
- Email address
- Display name (optional)
- Authentication identifiers. We use Supabase Auth for sign-in. If you sign in with Google, we receive your Google email, display name, and profile picture URL.
- Encrypted password hash (only for email/password sign-in)
Career profile data (provided by you)
- Resume content parsed from your uploaded PDF
- Work history, education, skills, certifications, projects, accomplishments, stories, languages, volunteering, affiliations
- Target roles, preferences, context signals, free-text notes
- Any additional files you choose to upload
Application data (generated by your use of the Service)
- Job descriptions you submit for tailoring
- Tailored resumes, cover letters, screening answers, and follow-up emails generated for you
- Application status updates (Applied, Interview, Offer, etc.)
Usage data (collected automatically)
- Pages visited, features used, buttons clicked
- Approximate city-level location (derived from your IP)
- Device, browser, operating system
- Session recordings (see Section 10)
Billing data (collected by Stripe, our payment processor)
Stripe handles your card number, billing address, and transaction history. We never see or store your full card details. We receive only your subscription tier, status, Stripe customer ID, and the last 4 digits of your card.
3. How we use your data and our legal bases (GDPR)
| Purpose | Legal basis |
|---|---|
| Provide the Service: parse your resume, generate tailored applications, manage your account | Contract performance (Art. 6(1)(b) GDPR) |
| Process subscriptions and billing | Contract performance (Art. 6(1)(b) GDPR) |
| Send transactional emails (account confirmation, billing receipts, password resets) | Contract performance (Art. 6(1)(b) GDPR) |
| Improve the Service through aggregated, anonymised analytics | Legitimate interests (Art. 6(1)(f) GDPR) |
| Detect fraud, abuse, and security issues | Legitimate interests + legal obligation (Art. 6(1)(f), Art. 6(1)(c) GDPR) |
| Comply with tax, accounting, and lawful information requests | Legal obligation (Art. 6(1)(c) GDPR) |
| Send marketing communications | Consent (Art. 6(1)(a) GDPR) — only if you have opted in |
4. AI processing — what we do and what we do NOT do
Hyrejet uses third-party AI services (Microsoft Azure OpenAI Service and Anthropic) to:
- Parse and structure your uploaded resume
- Parse job descriptions you submit
- Generate tailored resumes, cover letters, screening answers, and follow-up emails
- Compute match-rate analyses between your profile and a job
What we do NOT do:
- We do not use your data to train any AI model.
- We do not share your career profile with third parties for marketing or model training purposes.
- We do not make automated decisions that produce legal effects or significantly affect you (Art. 22 GDPR). The AI generates content suggestions; you review and decide whether to use them. Hyrejet does not decide whether you are hired, screened, or shortlisted — that is always the employer’s decision.
Per our contracts with Microsoft Azure OpenAI Service and Anthropic, your inputs and outputs are not used to train their general-purpose models.
5. Sub-processors
We use the following sub-processors to operate the Service. Each is bound by a Data Processing Agreement (DPA) that requires GDPR-equivalent safeguards.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage | USA |
| Vercel Inc. | Hosting, edge network, serverless compute | USA |
| Stripe, Inc. | Payment processing | USA + Ireland |
| Microsoft Corporation (Azure OpenAI Service) | AI model inference | EU + USA regions |
| Anthropic, PBC | AI model inference (fallback provider) | USA |
| Mixpanel, Inc. | Product analytics (EU data residency) | EU (Ireland) |
| Microsoft Corporation (Clarity) | Session recordings + heatmaps | USA |
| Google LLC (Gmail) | Receiving support and legal email at our contact address | USA |
We do not sell or rent your personal data to anyone.
6. International data transfers
Several of our sub-processors are located outside the European Economic Area (mainly in the USA). When personal data is transferred outside the EEA, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- EU–US Data Privacy Framework where the sub-processor is certified (e.g. Microsoft, Stripe, Vercel)
- Additional contractual + technical safeguards
You can request a copy of the transfer safeguards in place by emailing hyrejet@gmail.com.
7. Data retention
| Data category | Retention period |
|---|---|
| Account, career profile, applications | Lifetime of your account, plus 30 days in backups |
| Billing records | 10 years (Greek and EU tax law requirement) |
| Analytics events | 24 months, then anonymised or deleted |
| Session recordings (Microsoft Clarity) | 30 days |
| Support email correspondence | 24 months after the last interaction |
You can delete your account at any time from Settings → Delete account. Deletion cascades through every table that holds your data; backups expire within 30 days.
8. Your rights
Under GDPR / UK GDPR (EEA + UK residents)
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure (“right to be forgotten”) — request deletion of your data
- Restriction of processing — limit how we use your data
- Data portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — where processing relies on consent
- Lodge a complaint with your local supervisory authority. In Greece, this is the Hellenic Data Protection Authority (dpa.gr).
Under CCPA / CPRA (California residents)
- Right to know what personal information we collect, use, and share
- Right to delete your personal information
- Right to correct inaccurate personal information
- Right to opt out of sale or sharing — we do not sell or share personal information, so there is nothing to opt out of
- Right to non-discrimination for exercising your rights
- Right to limit use of sensitive personal information
To exercise any of these rights, email hyrejet@gmail.com with a description of your request. We will respond within 30 days (GDPR) or 45 days (CCPA), as required by law. We may ask you to verify your identity before processing your request.
9. Cookies and tracking
Hyrejet uses a small number of cookies:
- Essential cookies — required for authentication (Supabase auth session) and to remember your preferences. These cannot be disabled.
- Analytics cookies — Mixpanel, used to understand how the Service is used in aggregate. You can disable these in your browser settings or via an ad blocker.
- Session recording cookies — Microsoft Clarity, described in Section 10.
We do not use cookies for advertising or for selling your data to third parties.
10. Session recordings (Microsoft Clarity)
We use Microsoft Clarity to record user sessions on the Service. Clarity captures clicks, mouse movements, scrolls, and DOM mutations. Sensitive fields are masked — Clarity does not record:
- Your full resume text
- Generated cover letters, screening answers, or follow-up emails
- Job description content
- Passwords or payment information
Recordings are stored by Microsoft for 30 days and used solely for product improvement. For more detail, see Microsoft’s privacy statement.
11. Security
We use industry-standard security practices:
- TLS encryption for all data in transit
- Encryption at rest for database and file storage (provided by Supabase)
- Row-level security policies that isolate each user’s data
- OAuth-based authentication (Google) and password hashing (when using email sign-in)
- Regular security updates for all dependencies
No system is 100% secure. If you believe your account has been compromised, contact hyrejet@gmail.com immediately.
12. Children’s privacy
The Service is not directed at, and we do not knowingly collect personal data from, individuals under 16 years of age. If you believe a child has provided us with personal data, please contact us and we will delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent revision. For material changes, we will notify you by email or via a prominent in-app notice at least 30 days before the change takes effect.
14. Contact
For any questions, requests, or complaints about this Privacy Policy or our handling of your personal data:
- Email: hyrejet@gmail.com
- Data controller: Cristian Selar, sole proprietor, Greece
If you are not satisfied with our response, you have the right to lodge a complaint with the Hellenic Data Protection Authority or with your local EU supervisory authority.