Privacy Policy

Last Updated: January 4, 2026

Our Commitment: We are committed to transparency about our data practices. This policy explains how we collect, use, protect, and manage your personal information.

1. Introduction and Data Controller

1.1 About This Policy

This Privacy Policy explains how ApplyWright collects, uses, discloses, and protects your personal information when you use our recruitment platform.

1.2 Data Controller

Chainwright Ltd, a company registered in England and Wales, is the data controller responsible for your personal information. Chainwright Ltd operates ApplyWright and determines how and why your personal data is processed in connection with our Service.

1.3 Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

  • Contractual Necessity: To provide our Service as agreed in our Terms of Service
  • Legitimate Interests: To improve our Service, prevent fraud, and ensure security
  • Consent: Where you've provided explicit consent for specific processing activities
  • Legal Obligations: To comply with applicable laws and regulations

2. Information We Collect

2.1 From Job Applicants

During Application:

  • Email Address (required) - for authentication and communication
  • Name (optional) - may be provided during conversation
  • Conversation Messages - complete transcripts of all chat interactions with the AI
  • Application Materials - final compiled application text
  • Access Token - unique identifier stored in browser to access your application

Automatically Collected:

  • Timestamps - when application was created, updated, submitted
  • AI Rating - automated 1-10 score (visible to employers, not to you)
  • Token Usage - amount of AI processing consumed
  • IP Address - for rate limiting and security

2.2 From Companies

  • Company Name and Email
  • Job Specifications - complete job requirements and details
  • Subscription Plan - selected tier (Free, Starter, Growth, Enterprise)
  • Usage Tracking - token consumption per job and application

Passwordless Authentication: We do NOT collect or store passwords.

3. How We Use Your Information

3.1 AI Processing with OpenAI

Third-Party AI Processing:

We use OpenAI's API to power our AI functionality. The following data is sent to OpenAI:

  • Conversation transcripts between applicants and the AI
  • Job specifications and requirements from companies
  • Application materials for rating and summarization
  • Web-scraped job posting content (when companies provide URLs)

According to OpenAI's API terms, data submitted via their API is not used to train their models. For more details, review OpenAI's Privacy Policy.

4. AI Analysis and Processing

4.1 AI Suitability Analysis

How AI Analysis Works:

The Service uses AI to generate suitability rankings and summaries of applications to assist employers in their review process. This is advisory information only - hiring decisions are made exclusively by the employer. ApplyWright does not make hiring decisions or automatically accept/reject candidates.

4.2 Limitations of AI Analysis

AI-generated analysis may have limitations:

  • Incomplete Context - The AI may not capture all aspects of your qualifications
  • Potential Bias - Like all AI systems, outputs may reflect biases in training data
  • Interpretation Variance - The AI's understanding may differ from human interpretation

Employers conduct independent review of applications and make their own hiring decisions. The AI analysis is one input among many in their decision-making process.

5. How We Share Your Information

5.1 With Employers

When you submit an application, the company receives:

  • Your email address and name
  • Complete application materials
  • AI-generated suitability ranking and analysis
  • Full conversation history with the AI

Important: Full Transparency to Employers

Everything you discuss with the AI is visible to the employer after you submit. This includes all drafts, revisions, and conversations. Only submit your application when you're comfortable with the employer seeing the complete conversation history.

5.2 What You Control

Before submission, you have full control:

  • Your conversations and drafts remain private until you explicitly submit
  • You can abandon an application at any time without the employer seeing anything
  • You decide when an application is ready to submit
  • No information is shared with employers until you click "Submit"

5.3 Third-Party Services

  • OpenAI (required) - AI processing
  • Stripe (when implemented) - payment processing
  • Resend (planned) - email delivery

5.4 What We Don't Do

We do NOT:

  • Sell your personal information
  • Share data with advertisers for marketing
  • Use your data for unrelated commercial purposes

6. Data Retention

6.1 Retention Periods

  • Login codes: 10 minutes or until used
  • Session tokens: 7 days
  • Applications: Retained until manually deleted
  • Conversations: Retained until associated application is deleted

All data is securely hosted on Render with automated daily backups and point-in-time recovery for data protection.

6.2 Data Deletion

Your data is deleted when:

  • A company deletes a specific job (all associated applications are removed)
  • A company deletes their account (all their jobs and applications are removed)
  • You request deletion of your data (contact support - see Your Rights section)

7. Data Security

7.1 Security Measures

We implement multiple layers of security to protect your data:

  • Passwordless authentication - No password storage vulnerabilities
  • Cryptographically secure random codes - For login authentication
  • Encrypted sessions - JWT tokens with HTTP-only cookies
  • SSL/TLS encryption - Enforced for database connections in production
  • Security headers - Content Security Policy and other protective headers
  • Rate limiting - Protection against brute force and abuse
  • CORS protection - Restricted cross-origin requests
  • Secure hosting - Render platform with DDoS protection and automated backups

7.2 Data Protection

While we implement industry-standard security practices, no system is completely invulnerable. We continuously monitor and improve our security measures to protect your data.

8. Your Privacy Rights

8.1 Rights Under Data Protection Laws

Depending on your location, you may have:

  • Right to Access - Request a copy of your data
  • Right to Rectification - Correct inaccurate data
  • Right to Erasure - Request deletion ("Right to be Forgotten")
  • Right to Data Portability - Receive data in machine-readable format
  • Right to Object - Object to processing of your personal data

8.2 GDPR (European Users)

  • Right to restrict processing under certain circumstances
  • Right to lodge a complaint with your data protection authority

8.3 CCPA (California Users)

  • Right to Know what information we collect and share
  • Right to Delete (with certain exceptions)
  • Right to Opt-Out of sale (we don't sell data)
  • Right to Non-Discrimination

8.4 How to Exercise Your Rights

To exercise any of your privacy rights, contact us through the support options available on our platform. Include your name, email address, and the specific right you wish to exercise.

We will respond within 30 days (GDPR) or 45 days (CCPA) of receiving your verified request.

8.5 Processing Your Requests

  • Data export: Contact support to receive your data in machine-readable format
  • Data deletion: Contact support to request deletion of your information
  • Processing time: Up to 30 days depending on request complexity

9. Children's Privacy

The Service is not intended for children under 16 (or under 13 in the US). We do not knowingly collect data from children.

10. International Data Transfers

Your data may be processed in the United States and other locations via:

  • Our servers ([specify location])
  • OpenAI servers (United States and other locations)
  • Third-party service providers

We use Standard Contractual Clauses (SCCs) and other safeguards for international transfers.

11. Cookies and Tracking

11.1 Essential Cookies

  • auth_token - Company authentication (7 days)
  • applicant_auth_token - Applicant portal (7 days)

11.2 Browser Local Storage

We store application access tokens in localStorage (format: app_{job_slug}). You can clear this through browser settings.

11.3 No Third-Party Tracking

We do NOT use Google Analytics, advertising cookies, or social media tracking.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes via email or prominent notice.

13. Data Breach Notification

In the event of a data breach that affects your personal information, we will:

  • Notify affected users within 72 hours of becoming aware of the breach
  • Describe the nature of the breach and data affected
  • Explain the measures we're taking to address the breach
  • Provide guidance on steps you can take to protect yourself
  • Notify relevant supervisory authorities as required by law

14. Contact Us

14.1 Privacy Inquiries

For privacy-related questions or to exercise your data rights, contact us through the support options available on our platform.

Response Time: We aim to respond within 5 business days for general inquiries and within 30 days for formal privacy rights requests.

14.2 Data Protection Officer

For data protection concerns specifically, you may contact our data protection representative through the same support channels.

15. Supervisory Authority

If you are in the EEA, UK, or Switzerland, you may lodge a complaint with your local data protection authority: