Privacy

ApplyTrue is a Canadian job-application assistant that helps you turn your resume into tailored cover letters and CVs. We’re pre-incorporation; once we’re a registered Canadian entity, this notice will be updated with our legal name and mailing address. Until then, reach us at privacy@applytrue.com.

• Account: your email address and authentication metadata (sign-in time, device fingerprint, MFA factor).
• Resume content: the text you paste or the file you upload, plus the structured resume our parser extracts from it. This is the most sensitive data we hold.
• Generated content: cover letters, CVs, and suggestions you create using our tools.
• Usage telemetry: a small set of allow-listed events (sign-ins, MFA challenges, resume parses, generation attempts) so we can measure reliability. We do not log resume contents into telemetry.
• Cookies: a session cookie issued by our authentication provider (Supabase) and a per-device cookie used to recognise your browser for new-device confirmation. No advertising cookies; no third-party trackers.

• To run the service: parse your resume, generate cover letters and CVs, store your drafts, and let you sign back in.
• To keep the service safe: rate limits, MFA challenges, new-device confirmations, malware scanning of uploads.
• To diagnose failures and measure reliability via the telemetry events listed above.

• Supabase (Canada, ca-central-1) — hosts our database, authentication, and file storage. Your resume bytes and account data live here at rest.
• LLM provider — we send your resume text and (later) job descriptions to a large-language-model service to extract structure and draft cover letters. Before sending, we strip obvious identifiers (long digit runs, SIN/SSN-shaped numbers, credit-card-shaped numbers) with a regex pass. The provider does not retain prompts for training under our contract.
• Resend — sends transactional email (sign-up confirmation, password reset, MFA recovery).

Creating an account is your consent to the data uses above. Uploading a resume requires a separate, explicit checkbox so the AI-processing step is visible at the moment it happens, not buried in this document. You can withdraw consent at any time by deleting your account; once a full subject-access flow ships you’ll also be able to export or delete individual resumes without closing your account.

Drafts you don’t confirm are swept by a retention job after 30 days. Confirmed resumes, cover letters, and CVs stay until you delete them or close your account. Authentication telemetry is retained for 90 days for security investigation.

Resume bytes are encrypted at rest (Supabase storage and Postgres). Row-level-security policies make it impossible for one user’s session to read another user’s resume. Sign-in requires email confirmation; you can enable a second factor (TOTP or recovery codes). Production deploys go through a security review before merge.

You can request a copy of your data, ask us to correct it, or ask us to delete it by emailing privacy@applytrue.com. Once the in-app subject-access surface ships you’ll be able to do this without contacting us. If you’re in a jurisdiction with stronger rights (EU GDPR, UK GDPR), those rights apply on top of PIPEDA.

We’ll update the “Last updated” date at the top of this page when this notice changes. Material changes (new processors, new categories of data) will also be flagged in-product before they take effect.