Privacy Policy

Last updated: 29 March 2026

Quick summary: We collect only what we need to run the service. We do not sell your data. You can export or delete everything at any time. We use Supabase (EU-hosted by default) for storage.

1. Who We Are

Jobnest (“we”, “us”, “our”) is a job-application tracking service operated by Nish Patel (“Controller” under GDPR). Questions about this policy can be directed to our contact page.

2. Data We Collect

We collect information in three ways: data you provide directly, data generated automatically as you use the service, and data from third-party sign-in providers (Google, GitHub).

| Category | Data | Purpose |
|---|---|---|
| Account | Email address, display name, hashed password or OAuth sub | Authentication and account management |
| Profile | "About Me" context text, notification preferences | Personalises NESTAi AI responses |
| Job applications | Company, position, status, dates, salary, location, notes, job URL | Core service: tracking your job search |
| Documents | Resume and cover-letter files (PDF, DOCX, TXT, MD, PNG, JPEG) | Stored in Supabase Storage scoped to your user ID |
| Interviews & contacts | Interview dates, types, notes; contact names and emails | Core service features |
| AI conversations | Chat messages sent to NESTAi, file attachments | Generating AI responses; persisted for chat history |
| Security | IP address on account-deletion requests and OTP events | Fraud prevention and rate limiting |
| Cookies | Session token (sb-*-auth-token), remember-me flag (sb_rm) | Keeping you signed in — see Cookie Policy |
| Usage | Pages visited, error events, approximate latency | Service reliability and debugging only |

We do not collect precise location data, device fingerprints, browsing history outside Jobnest, or any special-category data (health, biometric, political, racial, etc.).

3. Legal Basis for Processing (GDPR)

For users in the EEA, UK, and Switzerland we rely on the following legal bases:

  • Contract (Art. 6(1)(b)): Processing necessary to provide the service you signed up for — authentication, storing your applications, generating AI responses.
  • Legitimate interests (Art. 6(1)(f)): Security monitoring, rate limiting, debugging, and service reliability.
  • Consent (Art. 6(1)(a)): Optional features such as notification emails and the NESTAi “About Me” context. Withdrawable at any time in Profile settings.
  • Legal obligation (Art. 6(1)(c)): Retaining deletion records and IP logs where required by applicable law.

4. How We Use Your Data

  • Provide and maintain the Jobnest service
  • Authenticate you and keep your session secure
  • Power NESTAi AI features using your job-search context
  • Send transactional emails: OTP codes, password resets, account-deletion warnings
  • Detect and prevent fraud, abuse, and unauthorised access
  • Debug errors and improve service reliability
  • Comply with legal obligations

We do not use your data for advertising, profiling for third-party purposes, or any automated decision-making that produces legal effects.

5. Third-Party Services (Sub-processors)

We share data with a small set of trusted processors only to the extent needed to run the service:

| Sub-processor | Role | Details |
|---|---|---|
| Supabase | Database, file storage, authentication | EU region by default; SOC 2 Type II; DPA available |
| Groq AI | NESTAi AI inference (llama-3.3-70b) | Messages sent for inference; not retained for model training |
| Vercel | Hosting, Edge network, serverless functions | SOC 2 Type II; global CDN |
| SMTP provider | Transactional email delivery (OTP, password reset) | Processes email addresses only |
| Stripe (future) | Payment processing for Pro plan | PCI-DSS Level 1; Stripe processes card data directly |

We do not sell, rent, or trade your personal data with any third party. We do not use Google Analytics, Meta Pixel, or any other advertising or behavioural tracking service.

6. Data Storage & Residency

Your data is stored on Supabase infrastructure. Supabase projects are created in the region selected at project creation — typically EU West (Ireland, eu-west-1). Vercel serverless functions run globally but do not persist your data between requests.

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). PostgreSQL Row-Level Security (RLS) policies ensure you can only read and write your own rows.

7. Data Retention

  • Active accounts: Data is kept for as long as your account is active.
  • Account deletion: When you request deletion, your account enters a 30-day grace period. You can reactivate during this window. After 30 days, all personal data (applications, documents, interviews, contacts, AI history, salary records) is permanently purged by an automated cron job.
  • Security logs: IP addresses recorded on deletion requests and OTP events are retained for 90 days, then deleted.
  • Supabase backups: Automated point-in-time backups are retained for 7 days (free plan) or 30 days (Pro). Backups are subject to the same purge pipeline after restoration.

8. Your Rights

Under GDPR (EEA/UK) and similar laws you have the right to:

  • Access (Art. 15): Request a copy of all personal data we hold about you.
  • Rectification (Art. 16): Correct inaccurate data via your Profile page.
  • Erasure (Art. 17 — “right to be forgotten”): Delete your account from Profile → Danger Zone. All data is purged after the 30-day grace period.
  • Data portability (Art. 20): Export your job-search data as CSV/JSON from the Applications page export button.
  • Restriction (Art. 18): Request that we limit processing while a dispute is resolved.
  • Objection (Art. 21): Object to processing based on legitimate interests.
  • Withdraw consent: Toggle optional features off in Profile → Notifications at any time, without affecting prior lawful processing.

To exercise any right, use our contact page. We will respond within 30 days (GDPR Art. 12). If you believe we have breached data protection law, you have the right to lodge a complaint with your national supervisory authority (e.g., ICO in the UK, DPC in Ireland).

9. Cookies & Local Storage

We use only essential cookies — no tracking, analytics, or advertising cookies. See our full Cookie Policy for a cookie-by-cookie breakdown. Your cookie consent choice is stored in localStorage under the key jobnest_cookie_consent.

10. Children

Jobnest is not directed at anyone under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that a minor has registered, we will delete their account immediately. See Section 2 of our Terms of Use for the age requirement.

11. Security Measures

  • TLS 1.2+ on all data in transit
  • AES-256 encryption at rest via Supabase
  • PostgreSQL Row-Level Security — per-user data isolation
  • OTP-gated account deletion and password changes
  • IP-level and per-email rate limiting on sensitive endpoints
  • Dual-layer OTP rate limiting (10/min per IP, 3/min per email)
  • Secure, HttpOnly session cookies with SameSite=Lax
  • File-type validation (MIME + magic-byte check) on document uploads
  • Content-Disposition: attachment forced on all document downloads (prevents stored XSS)

No system is 100% secure. If you discover a security vulnerability, please report it responsibly via our contact page before public disclosure.

12. International Transfers

Your data may be processed by Vercel's global edge network outside the EEA. Vercel provides Standard Contractual Clauses (SCCs) as a transfer mechanism. Supabase stores data in your selected region (EU by default). Groq AI processes inference requests in the US — only the message content you send is transferred and not stored long-term.

13. California Privacy Rights (CCPA / CPRA)

California residents have the following rights:

  • Right to know: The categories and specific pieces of personal information we collect (see Section 2).
  • Right to delete: Request deletion via Profile → Danger Zone.
  • Right to correct: Update inaccurate information via your Profile page.
  • Right to opt-out of sale: We do not sell personal information. No opt-out mechanism is required, but you may contact us to confirm.
  • Right to non-discrimination: Exercising your rights will not result in different or lesser service.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by updating the “Last updated” date at the top of this page. For significant changes we will send an email notification to registered users at least 14 days in advance. Continued use after the effective date constitutes acceptance.

15. Contact & Data Requests

For privacy-related questions, data access requests, or complaints, please use our contact page. We aim to respond within 30 days. For urgent security disclosures, please include “Security” in your message subject.
