Privacy Policy

1. Information We Collect

2. How We Use Your Information

• Provide the Service: Search for jobs, track applications, and manage your job search pipeline.
• Auto-fill and submit applications: Use your profile data to automatically populate and submit job applications on your behalf through browser automation.
• AI-powered job matching: Analyze your profile and preferences using AI to recommend relevant job opportunities and tailor your resume for specific positions. AI processing is performed via third-party APIs that do not use your inputs or outputs to train their models.
• Email scanning: Detect job application confirmation emails and status updates to automatically update your application timeline.
• Service improvement: Analyze usage patterns and aggregated geographic data to improve features, fix bugs, understand our user base, and enhance the user experience.
• Communications: Send transactional emails related to your account and application activity.

3. Third-Party Service Providers

We rely on third-party service providers to operate Aplyr. Each provider processes data only as necessary to deliver their respective service. The categories of providers we use include:

• Cloud hosting and application infrastructure (Vercel; Google Cloud / Firebase; Fly.io).
• Authentication, database, and storage providers (Google Firebase Authentication, Firestore, and Cloud Storage; Amazon Web Services S3 and KMS; Google Cloud KMS).
• AI and machine learning APIs for job matching, resume parsing and tailoring, and inbox features — OpenAI and Anthropic, accessed through the Vercel AI Gateway. To deliver these features, the relevant resume and profile content you provide is transmitted to these AI providers (located in the United States) for processing. Under their commercial/API terms, OpenAI and Anthropic do not use data submitted via their APIs to train their models, and retain it only for a limited period for abuse monitoring before deletion.
• Transactional, marketing, and outbound user-composed email delivery (Resend).
• Job search indexing and search functionality (Typesense; Algolia).
• Payments and billing (Stripe).
• Rate limiting, caching, and security tooling (Upstash Redis).
• Browser-automation and submission infrastructure used to fill in and submit applications on your behalf (Fly.io browser service; residential-proxy routing via Bright Data; Browserless.io; and the CAPTCHA-solving services Anti-Captcha and CapSolver). When you authorize an automated application, your profile and application-form data, and the network path of the submission, may be processed by these providers solely to complete that submission; they do not use your data for their own purposes.
• Workflow orchestration for submissions and Autopilot runs (Inngest).
• Google Gmail API (read-only email scanning for OAuth-connected users). Our use of data from this Google API adheres to the Google API Services User Data Policy, including the Limited Use requirements (see Section 4).
• Address autocomplete (Google Places).
• Bot and abuse protection (Google reCAPTCHA Enterprise, invoked via Firebase App Check).
• Company logos, enrichment, and dashboard market data (Logo.dev; Brandfetch; Finnhub).
• Cookie-consent management (c15t, which runs locally in your browser).
• Product analytics and performance telemetry (Google Analytics 4, Vercel Analytics, Vercel Speed Insights, Sentry).

A current, itemized list of sub-processors, including their purpose, location, and transfer mechanism, is also available on request by emailing privacy@aplyr.ai. We notify existing customers of any new sub-processor at least 30 days before that sub-processor begins processing personal data.

Open-source software used in Aplyr is subject to the respective project licenses. A full list of third-party open-source components and their licenses is available on request.

3a. Sensitive Personal Information (California)

Under the California Privacy Rights Act, the following categories of data we may collect qualify as Sensitive Personal Information ("SPI"):

• Aplyr does not collect EEO or demographic data (gender, race/ethnicity, veteran status, disability status) by default. Voluntary self-identification sections on job applications are left for you to complete directly with the employer; where we submit an application on your behalf, we send a "decline to self-identify" response.
• Application-eligibility data such as work authorization, visa/sponsorship needs, citizenship status, city of birth, security clearance, and a yes/no criminal-record disclosure — collected only if you provide it, and used solely to complete the applications you direct.
• Account and third-party credentials. Your Aplyr password is managed by Firebase Authentication; credentials you provide for third-party services (for example, an employer-portal / Workday account password or a Gmail app password) and OAuth tokens are encrypted at rest with a managed key-management service (KMS).
• Contents of communications you direct us to process — the subject lines we scan to update your tracker and, only if you turn on "Store message bodies," the encrypted full body of those job-related messages.
• Approximate geolocation — we derive approximate city-level coordinates from the city/region you enter (and approximate country/region from your IP) to power location-based job matching. We do not collect street-level or real-time precise location.

We do not use SPI to infer characteristics about you, and we do not sell or share SPI. California residents can submit a Limit the Use of My Sensitive Personal Information request at any time.

4. Google API Services -- Limited Use Disclosure

Aplyr's default Gmail connection uses IMAP with a user-issued app password and does not call Google APIs. For users with administrator-granted access to the OAuth flow, Aplyr's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. The same data-handling guarantees (no advertising, no selling, no training on user data, no human review except as required for security or with user consent) apply to both connection methods. For the OAuth-specific disclosure, see our Google API Limited Use Disclosure.

5. Data Retention

• Account and profile data is retained for as long as your account remains active.
• Upon account deletion request, all personal data is deleted within 30 days. Backups may be retained for up to 90 days before being permanently purged. As a narrow exception for fraud and abuse prevention, we retain a one-way, irreversible cryptographic hash of your email address (from which your email cannot be recovered) to enforce one free trial per person; this contains no readable personal data and is kept on the basis of our legitimate interest in preventing abuse.
• Gmail scan data:each new message detected via IMAP (default) or the Google OAuth read-only scope (admin-granted users) is classified shortly after arrival. By default we retain only the classification result and extracted fields (company, role, status, dates). If you opt in to "Store message bodies" in Settings, the encrypted message body is also retained and is deleted when you turn the setting off, disconnect Gmail, or delete your account.
• Gmail credentials: the encrypted app password (IMAP users) or OAuth tokens (OAuth users) are retained only while your Gmail is connected. Disconnecting from Settings deletes the credential immediately. We do not retain credentials after disconnect.
• Usage and analytics data may be retained in anonymized form for service improvement purposes.

6. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request that we correct inaccurate or incomplete personal data.
• Deletion: Request that we delete your personal data.
• Data portability: Request a machine-readable copy of your data.
• Opt out of automated processing: Request human review of decisions made solely by automated means.
• Withdraw consent: Revoke previously granted consent at any time. Disconnect your Gmail account or toggle Store message bodies from Settings → Integrations, and manage analytics or functional cookies from Settings → Security.

Submit any of these requests through our Privacy Rights page, or email privacy@aplyr.ai directly.

7. Automated Decision-Making

Aplyr uses artificial intelligence to power several features: matching and scoring jobs against your profile and preferences; tailoring your resume and drafting cover letters for specific roles; filling in application forms; and — when Gmail is connected — classifying incoming messages into categories such as recruiter outreach, interview, offer, or rejection. For plans that include Smart Inbox, we also send the subject and body of detected job-related emails to a third-party large language model to generate a short summary and extract key details, which we store on the corresponding email record so you can see them inside Aplyr.

If you turn on Autopilot, you authorize Aplyr to select matching jobs and submit applications to third-party employers on your behalf. Autopilot offers a Review Queue mode, where each application waits for you to approve it before it is sent, and a Fully Automated mode, where applications matching your saved criteria are submitted automatically without asking you to review each one individually. In Fully Automated mode there is no separate, per-application confirmation — your authorization is given once when you enable and configure Autopilot, and you remain responsible for the applications submitted under your account (see our Terms of Service). You can pause or disable Autopilot, switch modes, lower your daily limit, review and edit all AI-generated content, and see every submitted application at any time in Settings. Where applicable, you have the right to obtain human intervention, express your point of view, and contest the processing (Article 22 GDPR) by contacting privacy@aplyr.ai.

8. Cookies, Tracking and Your Choices

• Essential cookies: Authentication, session, and consent- preference cookies. These load without consent because the Service cannot function without them.
• Product analytics (Google Analytics 4): Sets _ga / _gid cookies used to distinguish anonymous visitors. Google Ads signals, remarketing, and ad personalization features are disabled.
• Performance telemetry: Vercel Analytics and Vercel Speed Insights. Cookieless — used to measure page load performance.
• No advertising cookies: Aplyr does not use advertising, retargeting, or cross-site tracking cookies.

9. Children's Privacy

Aplyr is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a user under 16, we will promptly delete that information.

10. International Data Transfers

Aplyr is based in the United States. Your data is stored and processed in the United States. If you access the Service from the European Economic Area, the United Kingdom, or Switzerland, your personal data is transferred to the United States in reliance on appropriate transfer safeguards — principally the European Commission's Standard Contractual Clauses (SCCs), supplemented by the UK International Data Transfer Addendum and the Swiss FADP addendum where applicable, and/or a sub-processor's certification under the EU–US Data Privacy Framework. Upon request, we can provide further information about the transfer mechanism we rely on for a given sub-processor.

11. Security

We implement industry-standard security measures to protect your data, including:

• Encryption of data at rest and in transit (TLS/SSL).
• Gmail credentials — both app passwords (IMAP users) and OAuth tokens (OAuth users) — encrypted with a managed key management service before storage. Decryption happens in-memory only at the moment of use.
• Optionally-stored email message bodies encrypted with a managed key management service (AES-256-GCM) before storage.
• Role-based access controls for internal systems.
• Regular security reviews and updates.

While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure.

12. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you via email at the address associated with your account. The "Effective Date" at the top of this page indicates when the policy was last revised. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.

13. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:

Aplyr
Email: privacy@aplyr.ai