we use one cookie. that's it.

a strictly-necessary session cookie keeps you logged in. no analytics, no ad pixels, no third-party trackers. cookie policy →

JobVault/back

/privacy policy

your data, your rules.

last updated: february 2026 · governed by UK GDPR & PECR

the short version

  • we only store what you type in. no tracking pixels, no ad cookies, no data brokers.
  • your vault is accessible only to you, secured with a JWT cookie. we never sell it.
  • the Chrome extension reads your vault from your account on your command — credentials never leave your browser.
  • you can export everything as JSON / Markdown / .docx at any time.
  • delete your account from Settings — wiped permanently within 14 days (grace period for accidental clicks).

1. who's the data controller

[JobVault Ltd / Sole Trader — REPLACE WITH LEGAL ENTITY], registered in England & Wales (company number [PLACEHOLDER]), is the data controller for the personal data described in this policy. ICO registration number: [PLACEHOLDER]. Contact our Data Protection lead at privacy@jobvault.co.uk.

2. what we collect & lawful basis

datapurposelawful basis (UK GDPR Art. 6)
Account info (email, bcrypt password hash, name)Authenticate you and provide the serviceContract (6(1)(b))
Vault contents (work history, education, refs, docs, applications)Store and display back to you, enable autofillContract (6(1)(b))
AI analyses (culture scores, cover letter critiques, tailored CVs)Generate the personalised guidance you asked forContract (6(1)(b)) — disclosed on first use
Special-category data (UK diversity questionnaire: ethnicity, gender, disability, etc.) — only if you fill it inHelp you complete the diversity sections employers ask forExplicit consent (9(2)(a)) — you opt in
Payment info (Stripe customer ID, subscription status)Bill Premium / Unlimited subscribersContract (6(1)(b)) + Legal obligation (HMRC records)
Transactional emails (password reset, doc-expiry, deletion notice)Run the service safelyContract (6(1)(b))
Marketing emails (only if you opt in)Tell you about new featuresConsent (6(1)(a)) — opt-in at signup, toggle in Settings

What we do NOT collect: tracking pixels, Google Analytics, Mixpanel, Hotjar, Facebook/TikTok pixels, browser fingerprints, ad-network cookies, or anything resembling targeted advertising.

3. the chrome extension

The JobVault Chrome extension is a thin client that reads your vault from jobvault.co.uk and uses it to autofill job application forms on the active tab.

  • What it accesses: the URL and form fields of the active tab when you press “autofill this page” or “scan this job ad”. Nothing is read in the background.
  • What it sends to us: when you press “scan this job ad”, the visible text of that page is POSTed to /api/culture/analyze. The raw page text is not retained — only the resulting score and red-flag list.
  • What it sends elsewhere: nothing. The extension makes requests only to jobvault.co.uk — never to third parties.
  • Local storage: the extension caches your vault JSON in chrome.storage.local. Cleared when you click “disconnect” in the popup.

4. sub-processors

We use these trusted providers to run JobVault. We've signed data-processing agreements with each.

providerroledata location
Anthropic (Claude)Powers Vault Coach (CV Tailor, Cover Letter Checker, Interview Prep) + Culture Barometer. Doesn't train on API data.US (DPA + SCCs)
StripeProcesses subscription payments. We never see your card number.EU/UK
ResendDelivers password resets, doc-expiry reminders, monthly check-ins.EU
MongoDB AtlasHosts the vault database. Encrypted at rest (AES-256).EU (Frankfurt region)
CloudflareCDN + DDoS protection + WAF on jobvault.co.uk.Global edge (UK PoPs prioritised)
EmergentApplication hosting + secure object storage for uploaded documents.EU/UK

5. data retention

  • Active accounts: we keep your data for as long as your account is open.
  • Account deletion: when you delete your account, we mark it for permanent erasure. A 14-day grace window lets you change your mind by logging back in. After that everything is wiped within 30 days.
  • Payment records: Stripe retains payment history for 7 years for HMRC / tax compliance. Even after account deletion, we're legally required to keep transaction IDs for that period.
  • Backups: encrypted database backups roll over every 30 days. Deleted data persists in backups for up to 30 days before being overwritten.
  • AI provider logs: Anthropic retains API call metadata for up to 30 days for abuse monitoring, then deletes.
  • Email logs: Resend retains delivery logs for 30 days.
  • Inactive accounts: if an account hasn't logged in for 24 months, we'll email you a heads-up before scheduling deletion.

6. your UK GDPR rights

You have the right to:

  • Access all your data — Settings → Export, or call GET /api/export/profile.
  • Rectify any field directly in the app.
  • Delete your account from Settings (right to erasure).
  • Portability — export as JSON, Markdown, .docx, or LinkedIn-ready plain text.
  • Restrict / object to processing — email privacy@jobvault.co.uk.
  • Withdraw consent at any time (marketing toggle in Settings, AI consent reset, special-category withdrawal).
  • Not be subject to automated decision-making — our AI features are advisory; we don't make consequential decisions about you without human review.
  • Complain to the UK ICO if you think we've mishandled your data: ico.org.uk/make-a-complaint.

We respond to data requests within 30 days of receiving them.

7. how we keep it safe

  • Passwords are bcrypt-hashed (cost factor 12). We can't see them.
  • All traffic is HTTPS-only with HSTS.
  • Auth cookies are HttpOnly, Secure, SameSite=None.
  • Database encrypted at rest (MongoDB Atlas AES-256).
  • Rate-limiting on login + register to defeat credential stuffing.
  • Documents stored in encrypted object storage with signed-URL access only.

If we suffer a personal data breach that's likely to risk your rights, we'll notify the ICO within 72 hours and email you without undue delay.

8. international transfers

Most of your data stays in the UK / EU. When we send data to Anthropic (US), we rely on the UK Addendum to the EU Standard Contractual Clauses for the transfer. All other sub-processors host your data in the UK or EU.

9. children

JobVault is for users aged 16+. We don't knowingly collect data from under-16s. If we discover an account belongs to someone under 16, we'll delete it.

10. changes to this policy

If we make material changes (e.g. new sub-processor, new data category), we'll email you at least 14 days before the change takes effect. The “last updated” date at the top always reflects the most recent change.

11. contact

Privacy questions, data requests, or just want to chat — privacy@jobvault.co.uk. We reply within 5 working days; data requests within 30 days.

See also our Terms of Service and Cookie Policy.