Privacy Policy
Effective Date: April 22, 2026
Aplyr ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our job search automation platform (the "Service"). By using Aplyr, you consent to the practices described in this policy.
1. Information We Collect
Account Data
When you create an account, we collect your name, email address, and authentication credentials.
Profile Data
To power auto-fill and application submission, we collect personal information you provide, including your name, email address, phone number, mailing address, work history, education history, and resume content.
Gmail Data (via OAuth)
If you connect your Gmail account, we request read-only access to scan for job application-related emails. We collect email metadata only -- including subject lines, sender addresses, and dates -- for the purpose of detecting and tracking job application confirmations and status updates. We do not read or store the full body of your emails.
Job Application Tracking Data
We store information about job applications you submit through the Service, including company names, job titles, application dates, and status updates.
Usage and Analytics Data
We use Google Analytics 4 to collect pseudonymous product usage events (page views, feature interactions, signup and application milestones) tied to a randomly generated client ID. We also use Vercel Analytics and Vercel Speed Insights for cookieless page-performance telemetry. Analytics cookies are gated by your consent (see the Cookies section below and Section 8).
Geographic and Device Data
When you visit our website, we automatically collect approximate geographic information derived from HTTP headers provided by our hosting infrastructure. This includes your approximate country, city, region, and timezone. This data is stored as aggregated daily counts and is not linked to individual users or sessions.
When you sign up for our waitlist, we additionally collect and securely encrypt your IP address using industry-standard key management. This encrypted IP is stored alongside your signup record and is only accessible to authorized administrators.
Cookies
Aplyr uses a small set of first-party cookies. Cookies that are not strictly necessary only load after you consent (see Section 8).
- _geo — functional, 60-second lifetime. Carries approximate country/city from our server to the page so we can record aggregate visit counts.
- _ga, _ga_*, _gid — Google Analytics 4. Stored only after you grant analytics consent and used to distinguish anonymous visitors for product analytics.
- _consent, _consent_required — strictly necessary. Store your cookie preferences and whether your jurisdiction requires the consent banner.
- Authentication / session cookies set by Firebase Authentication while you are signed in. Strictly necessary.
We do not use advertising, retargeting, or cross-site tracking cookies.
2. How We Use Your Information
- Provide the Service: Search for jobs, track applications, and manage your job search pipeline.
- Auto-fill and submit applications: Use your profile data to automatically populate and submit job applications on your behalf through browser automation.
- AI-powered job matching: Analyze your profile and preferences using AI to recommend relevant job opportunities and tailor your resume for specific positions. AI processing is performed via third-party APIs that do not use your inputs or outputs to train their models.
- Email scanning: Detect job application confirmation emails and status updates to automatically update your application timeline.
- Service improvement: Analyze usage patterns and aggregated geographic data to improve features, fix bugs, understand our user base, and enhance the user experience.
- Communications: Send transactional emails related to your account and application activity.
3. Third-Party Service Providers
We rely on third-party service providers to operate Aplyr. Each provider processes data only as necessary to deliver their respective service. The categories of providers we use include:
- Cloud hosting and application infrastructure.
- Authentication, database, and storage providers.
- AI and machine learning APIs for job matching and resume tailoring.
- Transactional email delivery.
- Job search indexing and search functionality.
- Rate limiting, caching, and security tooling.
- Product analytics and performance telemetry (Google Analytics 4, Vercel Analytics, Vercel Speed Insights).
A current list of sub-processors, including their purpose, location, and transfer mechanism, is available on request by emailing privacy@aplyr.ai. We notify existing customers of any new sub-processor at least 30 days before that sub-processor begins processing personal data.
Open-source software used in Aplyr is subject to the respective project licenses. A full list of third-party open-source components and their licenses is available on request.
3a. Sensitive Personal Information (California)
Under the California Privacy Rights Act, the following categories of data we may collect qualify as Sensitive Personal Information ("SPI"):
- Racial or ethnic origin, religious or philosophical beliefs, union membership — only when voluntarily provided on an EEO self-identification form.
- Account credentials (passwords are hashed; OAuth tokens are encrypted with a managed KMS).
- Contents of email subject lines scanned from Gmail.
- Coarse geolocation (city/country from IP, never precise).
We do not use SPI to infer characteristics about you, and we do not sell or share SPI. California residents can submit a Limit the Use of My Sensitive Personal Information request at any time.
4. Google API Services -- Limited Use Disclosure
Aplyr's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. For full details, please see our Google API Limited Use Disclosure.
5. Data Retention
- Account and profile data is retained for as long as your account remains active.
- Upon account deletion request, all personal data is deleted within 30 days. Backups may be retained for up to 90 days before being permanently purged.
- Gmail scan data is processed in real-time. Only extracted metadata (subject, sender, date) is stored to build your application timeline. Full email content is never stored.
- Usage and analytics data may be retained in anonymized form for service improvement purposes.
6. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request that we correct inaccurate or incomplete personal data.
- Deletion: Request that we delete your personal data.
- Data portability: Request a machine-readable copy of your data.
- Opt out of automated processing: Request human review of decisions made solely by automated means.
- Withdraw consent: Revoke previously granted consent at any time, including disconnecting your Gmail account and toggling off any category of analytics or functional cookies at Settings → Security → Privacy & data.
California residents (CCPA/CPRA): You have the right to know what personal information is collected, request its deletion, opt out of the sale or sharing of personal information (Aplyr does not sell your data), limit the use of your Sensitive Personal Information, and not be discriminated against for exercising your rights. Submit requests via Do Not Sell or Share, Limit Sensitive PI, or Privacy Rights.
EU/EEA / UK residents (GDPR / UK GDPR): You have the rights described above, plus the right to restrict processing, object to processing, and lodge a complaint with your local data protection supervisory authority.
Other US states (CO, CT, DE, MD, MN, MT, NH, NJ, OR, TX, and more): You have the right to opt out of the sale, sharing, or processing of your personal data for targeted advertising. Aplyr honors the Global Privacy Control (GPC) signal as a binding opt-out in states that require it.
Submit any of these requests through our Privacy Rights page, or email privacy@aplyr.ai directly.
7. Automated Decision-Making
Aplyr uses artificial intelligence to provide job matching recommendations and resume tailoring suggestions. These features are designed to assist you, not to make decisions on your behalf. You can review, modify, and approve all AI-generated content before any job application is submitted. No application is submitted without your authorization.
8. Cookies, Tracking and Your Choices
- Essential cookies: Authentication, session, and consent-preference cookies. These load without consent because the Service cannot function without them.
- Product analytics (Google Analytics 4): Sets _ga/_gid cookies used to distinguish anonymous visitors. Google Ads signals, remarketing, and ad personalization features are disabled.
- Performance telemetry: Vercel Analytics and Vercel Speed Insights. Cookieless — used to measure page load performance.
- No advertising cookies: Aplyr does not use advertising, retargeting, or cross-site tracking cookies.
Regional consent (EEA, UK, Switzerland): Visitors from the European Economic Area, the United Kingdom, and Switzerland see a cookie banner on first visit and must opt in before any non-essential cookies are stored. We use Google Consent Mode v2 so Google Analytics suppresses storage until consent is granted.
Everyone else: Product analytics, performance telemetry, and aggregate location logging are enabled by default. You can disable any category at any time by clicking "Manage cookies" in the footer, which opens a granular preferences dialog with toggles for Necessary, Functionality, Measurement, and Marketing categories. Your preference is stored on your device; clearing browser storage will reset it.
Global Privacy Control (GPC): Aplyr automatically honors the GPC signal sent by some browsers (Brave, DuckDuckGo, Firefox with the setting enabled) as a binding opt-out. If your browser is sending GPC, we treat that as a "Reject all" for analytics and marketing categories without showing the banner.
Consent management framework: We use c15t (open-source, Apache 2.0) running in offline mode — your consent choice is stored in your browser only and is never transmitted to c15t servers.
9. Children's Privacy
Aplyr is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a user under 16, we will promptly delete that information.
10. International Data Transfers
Aplyr is based in the United States. Your data is stored and processed in the United States. If you access the Service from the European Economic Area, the United Kingdom, or Switzerland, your personal data is transferred to the United States under the European Commission's Standard Contractual Clauses (SCCs) executed with each of our subprocessors, supplemented by the UK International Data Transfer Addendum and the Swiss FADP addendum where applicable. Upon request, we will provide a copy of the relevant transfer mechanism and, for transfers to non-adequate third countries, our Transfer Impact Assessment.
11. Security
We implement industry-standard security measures to protect your data, including:
- Encryption of data at rest and in transit (TLS/SSL).
- OAuth tokens encrypted with a managed key management service before storage.
- Role-based access controls for internal systems.
- Regular security reviews and updates.
While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure.
12. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you via email at the address associated with your account. The "Effective Date" at the top of this page indicates when the policy was last revised. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.
13. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:
Aplyr
Email: privacy@aplyr.ai