Privacy

Privacy Policy

Last updated: May 24, 2026

In plain English

  • We collect what we need to run Hyrejet for you — your account, your resume, the jobs you submit, your applications, and basic usage analytics.
  • We do not sell your data, and we do not use it to train any AI model.
  • You can export or delete your data at any time from Settings.
  • EU and California users have specific legal rights — full list below.

1. Who we are

Hyrejet is operated by Cristian Selar, a sole proprietor based in Greece (“Hyrejet”, “we”, “us”). We are the data controller of the personal data described in this policy.

For any privacy-related question, request, or complaint, contact us at hyrejet@gmail.com.

2. Personal data we collect

We collect the following categories of personal data:

Account data (provided by you when you sign up)

  • Email address
  • Display name (optional)
  • Authentication identifiers. We use Supabase Auth for sign-in. If you sign in with Google, we receive your Google email, display name, and profile picture URL.
  • Encrypted password hash (only for email/password sign-in)

Career profile data (provided by you)

  • Resume content parsed from your uploaded PDF
  • Work history, education, skills, certifications, projects, accomplishments, stories, languages, volunteering, affiliations
  • Target roles, preferences, context signals, free-text notes
  • Any additional files you choose to upload

Application data (generated by your use of the Service)

  • Job descriptions you submit for tailoring
  • Tailored resumes, cover letters, screening answers, and follow-up emails generated for you
  • Application status updates (Applied, Interview, Offer, etc.)

Usage data (collected automatically)

  • Pages visited, features used, buttons clicked
  • Approximate city-level location (derived from your IP)
  • Device, browser, operating system
  • Session recordings (see Section 10)

Billing data (collected by Stripe, our payment processor)

Stripe handles your card number, billing address, and transaction history. We never see or store your full card details. We receive only your subscription tier, status, Stripe customer ID, and the last 4 digits of your card.

3. How we use your data and our legal bases (GDPR)

PurposeLegal basis
Provide the Service: parse your resume, generate tailored applications, manage your accountContract performance (Art. 6(1)(b) GDPR)
Process subscriptions and billingContract performance (Art. 6(1)(b) GDPR)
Send transactional emails (account confirmation, billing receipts, password resets)Contract performance (Art. 6(1)(b) GDPR)
Improve the Service through aggregated, anonymised analyticsLegitimate interests (Art. 6(1)(f) GDPR)
Detect fraud, abuse, and security issuesLegitimate interests + legal obligation (Art. 6(1)(f), Art. 6(1)(c) GDPR)
Comply with tax, accounting, and lawful information requestsLegal obligation (Art. 6(1)(c) GDPR)
Send marketing communicationsConsent (Art. 6(1)(a) GDPR) — only if you have opted in

4. AI processing — what we do and what we do NOT do

Hyrejet uses third-party AI services (Microsoft Azure OpenAI Service and Anthropic) to:

  • Parse and structure your uploaded resume
  • Parse job descriptions you submit
  • Generate tailored resumes, cover letters, screening answers, and follow-up emails
  • Compute match-rate analyses between your profile and a job

What we do NOT do:

  • We do not use your data to train any AI model.
  • We do not share your career profile with third parties for marketing or model training purposes.
  • We do not make automated decisions that produce legal effects or significantly affect you (Art. 22 GDPR). The AI generates content suggestions; you review and decide whether to use them. Hyrejet does not decide whether you are hired, screened, or shortlisted — that is always the employer’s decision.

Per our contracts with Microsoft Azure OpenAI Service and Anthropic, your inputs and outputs are not used to train their general-purpose models.

5. Sub-processors

We use the following sub-processors to operate the Service. Each is bound by a Data Processing Agreement (DPA) that requires GDPR-equivalent safeguards.

Sub-processorPurposeLocation
Supabase Inc.Database, authentication, file storageUSA
Vercel Inc.Hosting, edge network, serverless computeUSA
Stripe, Inc.Payment processingUSA + Ireland
Microsoft Corporation (Azure OpenAI Service)AI model inferenceEU + USA regions
Anthropic, PBCAI model inference (fallback provider)USA
Mixpanel, Inc.Product analytics (EU data residency)EU (Ireland)
Microsoft Corporation (Clarity)Session recordings + heatmapsUSA
Google LLC (Gmail)Receiving support and legal email at our contact addressUSA

We do not sell or rent your personal data to anyone.

6. International data transfers

Several of our sub-processors are located outside the European Economic Area (mainly in the USA). When personal data is transferred outside the EEA, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • EU–US Data Privacy Framework where the sub-processor is certified (e.g. Microsoft, Stripe, Vercel)
  • Additional contractual + technical safeguards

You can request a copy of the transfer safeguards in place by emailing hyrejet@gmail.com.

7. Data retention

Data categoryRetention period
Account, career profile, applicationsLifetime of your account, plus 30 days in backups
Billing records10 years (Greek and EU tax law requirement)
Analytics events24 months, then anonymised or deleted
Session recordings (Microsoft Clarity)30 days
Support email correspondence24 months after the last interaction

You can delete your account at any time from Settings → Delete account. Deletion cascades through every table that holds your data; backups expire within 30 days.

8. Your rights

Under GDPR / UK GDPR (EEA + UK residents)

  • Access — request a copy of the personal data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Erasure (“right to be forgotten”) — request deletion of your data
  • Restriction of processing — limit how we use your data
  • Data portability — receive your data in a machine-readable format
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — where processing relies on consent
  • Lodge a complaint with your local supervisory authority. In Greece, this is the Hellenic Data Protection Authority (dpa.gr).

Under CCPA / CPRA (California residents)

  • Right to know what personal information we collect, use, and share
  • Right to delete your personal information
  • Right to correct inaccurate personal information
  • Right to opt out of sale or sharing — we do not sell or share personal information, so there is nothing to opt out of
  • Right to non-discrimination for exercising your rights
  • Right to limit use of sensitive personal information

To exercise any of these rights, email hyrejet@gmail.com with a description of your request. We will respond within 30 days (GDPR) or 45 days (CCPA), as required by law. We may ask you to verify your identity before processing your request.

9. Cookies and tracking

Hyrejet uses a small number of cookies:

  • Essential cookies — required for authentication (Supabase auth session) and to remember your preferences. These cannot be disabled.
  • Analytics cookies — Mixpanel, used to understand how the Service is used in aggregate. You can disable these in your browser settings or via an ad blocker.
  • Session recording cookies — Microsoft Clarity, described in Section 10.

We do not use cookies for advertising or for selling your data to third parties.

10. Session recordings (Microsoft Clarity)

We use Microsoft Clarity to record user sessions on the Service. Clarity captures clicks, mouse movements, scrolls, and DOM mutations. Sensitive fields are masked — Clarity does not record:

  • Your full resume text
  • Generated cover letters, screening answers, or follow-up emails
  • Job description content
  • Passwords or payment information

Recordings are stored by Microsoft for 30 days and used solely for product improvement. For more detail, see Microsoft’s privacy statement.

11. Security

We use industry-standard security practices:

  • TLS encryption for all data in transit
  • Encryption at rest for database and file storage (provided by Supabase)
  • Row-level security policies that isolate each user’s data
  • OAuth-based authentication (Google) and password hashing (when using email sign-in)
  • Regular security updates for all dependencies

No system is 100% secure. If you believe your account has been compromised, contact hyrejet@gmail.com immediately.

12. Children’s privacy

The Service is not directed at, and we do not knowingly collect personal data from, individuals under 16 years of age. If you believe a child has provided us with personal data, please contact us and we will delete it.

13. Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent revision. For material changes, we will notify you by email or via a prominent in-app notice at least 30 days before the change takes effect.

14. Contact

For any questions, requests, or complaints about this Privacy Policy or our handling of your personal data:

If you are not satisfied with our response, you have the right to lodge a complaint with the Hellenic Data Protection Authority or with your local EU supervisory authority.