Privacy Policy

1. Introduction and Data Controller

At JobAlign, we take the protection of your personal data very seriously. This privacy policy informs you about how we collect, use, share, and protect your personal information when you use our personalized resume generation service.

Data Controller

The data controller for your personal data is:

2. Data Collected

2.1 LinkedIn Profile Information

When you connect your LinkedIn account to JobAlign, we collect the following information with your explicit consent:

• First and last name
• Email address
• Profile photo
• Professional title (headline)
• Work experience (positions, companies, dates, descriptions)
• Education and degrees
• Skills and certifications
• Languages spoken

2.2 Job Posting Data

We collect and process information related to job postings you wish to target:

• Job posting URLs
• Job description content
• Job titles and companies

2.3 Technical Data

We automatically collect certain technical information:

• IP address
• Browser type and version
• Operating system
• Pages visited and session duration
• Cookies and session identifiers

3. Legal Bases and Purposes of Processing

In accordance with Article 6 of the GDPR, each data processing operation relies on a specific legal basis:

• Performance of contract (Art. 6.1.b): Personalized resume generation, ATS optimization, LinkedIn profile synchronization, account management and payment processing
• Legitimate interest (Art. 6.1.f): Service quality improvement, AI performance analysis, platform security, fraud prevention and technical log collection
• Legal obligation (Art. 6.1.c): Retention of billing data in accordance with applicable commercial and tax law
• Consent (Art. 6.1.a): Non-essential cookies (analytics, performance), marketing communications and newsletters. You can withdraw your consent at any time

4. Artificial Intelligence Processing

JobAlign uses artificial intelligence models (provided by OpenAI) to generate and optimize your resumes. We are committed to full transparency about how this processing works.

4.1 Data Sent to AI

When generating a resume, only the data strictly necessary for content optimization is sent to the OpenAI API:

• Anonymized professional content: Job titles, periods, experience descriptions, education, skills, languages and certifications
• Target job posting: Job description to enable resume optimization

Company names are systematically replaced with anonymous identifiers ("Company 1", "Company 2", etc.) before any transmission. Real names are re-injected locally into the final resume, without ever passing through OpenAI's servers.

4.2 Data Never Sent to AI

The following data is never sent to OpenAI:

• Candidate's first and last name
• Email address and phone number
• Personal location
• Company names (anonymized before transmission)
• LinkedIn ID or LinkedIn profile URL
• Profile photo
• Authentication tokens (OAuth tokens)
• Payment data or banking information
• IP address or browsing data

4.3 OpenAI's Guarantees on Your Data

In accordance with OpenAI's API data usage policy:

• Your data sent through the API is not used to train OpenAI's models
• Data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
• OpenAI retains API data for abuse monitoring for a maximum of 30 days, then automatically deletes it
• No data is shared with third parties by OpenAI

4.4 Automated Decision-Making

AI is used as a resume writing assistance tool. It does not make any decisions with legal or significant effects on you within the meaning of Article 22 of the GDPR. The generated content is a suggestion that you are free to modify, accept or reject. You retain full control over the final resume.

5. Data Sharing and Disclosure

We never sell your personal data to third parties.

We may share your information only with the following processors, strictly for service execution:

• OpenAI (United States): AI processing for resume generation — see section 4 for detailed data scope
• LinkedIn (United States): OAuth authentication and professional profile synchronization
• Stripe (United States): Secure payment processing — JobAlign does not store any banking data
• Legal obligations: If required by law, legal proceedings, or government request

6. International Data Transfers

Some of our processors (OpenAI, LinkedIn, Stripe) are located in the United States. These data transfers outside the European Economic Area are governed by the following safeguards:

• EU-U.S. Data Privacy Framework: Our US-based processors are certified under the EU-U.S. Data Privacy Framework, recognized by the European Commission as providing an adequate level of protection (adequacy decision of July 10, 2023)
• Standard Contractual Clauses (SCCs): Standard contractual clauses approved by the European Commission are in place with each processor
• Supplementary measures: Data encryption in transit and at rest, data minimization for transfers, regular risk assessments

7. Data Retention

We retain your personal data for as long as necessary to provide our services and in accordance with legal obligations:

• Profile data: As long as your account is active
• Generated resumes: Retained for 90 days after generation, unless manually deleted
• Payment data: Retained according to legal obligations (10 years under French commercial law)
• Technical logs: Retained for a maximum of 12 months
• Data sent to OpenAI: Retained by OpenAI for a maximum of 30 days for abuse monitoring, then automatically deleted

You can request deletion of your data at any time through your account or by contacting us.

8. Data Security

We implement appropriate technical and organizational security measures to protect your data:

• SSL/TLS encryption for all data transmissions
• Encryption of sensitive data at rest
• Secure authentication via OAuth 2.0
• Restricted access to personal data (principle of least privilege)
• Intrusion monitoring and detection
• Regular backups and continuity plan

However, no method of transmission over the Internet is 100% secure. We strive to protect your data but cannot guarantee absolute security.

In the event of a personal data breach presenting a high risk to your rights and freedoms, we will inform you without undue delay in accordance with Article 34 of the GDPR, and we will notify the relevant supervisory authority within 72 hours in accordance with Article 33 of the GDPR.

9. Your Rights (GDPR)

In accordance with the General Data Protection Regulation (GDPR), you have the following rights:

• Right of access (Art. 15): Obtain a copy of your personal data
• Right to rectification (Art. 16): Correct inaccurate or incomplete data
• Right to erasure (Art. 17): Request deletion of your data
• Right to restriction (Art. 18): Restrict the processing of your data
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
• Right to object (Art. 21): Object to the processing of your data based on legitimate interest
• Right to withdraw consent: Withdraw your consent at any time, without affecting the lawfulness of prior processing

To exercise these rights, contact us at: privacy@jobalign.com. We will respond within 30 days.

You also have the right to file a complaint with the CNIL (French Data Protection Authority) or your local supervisory authority within the EEA.

10. Cookies and Similar Technologies

In accordance with the ePrivacy Directive and CNIL guidelines, we use cookies and similar technologies:

• Strictly necessary cookies: Essential for site operation (authentication, sessions, security). These cookies are exempt from consent
• Performance cookies: Anonymized analysis of site usage to improve our services. Subject to your prior consent
• Functional cookies: Remembering your preferences (language, theme). Subject to your prior consent

You can accept or decline non-essential cookies via our consent banner. You can change your preferences at any time. Declining non-essential cookies does not affect the use of core site features.

11. Third-Party Services

JobAlign integrates third-party services for its operation. Each processor is bound by contractual obligations compliant with the GDPR:

• LinkedIn (Microsoft): OAuth authentication and profile synchronization (LinkedIn Privacy Policy)
• OpenAI: AI processing for resume generation and optimization — your API data is not used to train their models (OpenAI API Data Usage Policy)
• Stripe: Secure payment processing, PCI-DSS certified (Stripe Privacy Policy)

12. Minors

The Service is intended for adults (18 years and older) in the context of their job search. We do not knowingly collect personal data from minors. Access to the Service requires a LinkedIn account, which itself requires a minimum age of 16.

13. Changes to This Policy

We may update this privacy policy periodically to reflect changes in our practices or for other operational, legal, or regulatory reasons.

In case of substantial changes, we will notify you by email or via a notification on the site. The date of the last update is indicated at the top of this page.

14. Contact Us

For any questions regarding this privacy policy or your personal data, you can contact us: