Privacy Policy

1. Introduction

At CareerCard ("we," "us," or "our"), we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use careercard.ai and the CareerCard mobile application (collectively, the "Service"). This policy applies to users worldwide, including those protected by the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

2. Data Controller

WSM Enterprises LLC, doing business as CareerCard, is the data controller for the personal data processed through the Service. For privacy-related inquiries, contact us at: support@careercard.ai

3. Information We Collect

3.1 Personal Information You Provide

  • Name and email address (via account registration)
  • Professional history, skills, and experience
  • Resume and career-related documents
  • Goals, milestones, and career development notes
  • Internship and work experience details

3.2 Information Collected Automatically

  • Device information and browser type
  • Usage patterns and feature interaction data
  • Performance and error data, including privacy-masked session replays captured around errors (via Sentry) — see §7. Replay is opt-in and off by default; all on-screen text and images are masked
  • Analytics data (via PostHog, routed through our first-party domain)

3.3 AI-Generated Data

  • Career insights and recommendations
  • Resume optimization suggestions
  • Skills analysis and competency assessments
  • Interview preparation content

4. Lawful Basis for Processing (GDPR Art. 6)

We process your personal data under the following legal bases:

  • Contract performance (Art. 6(1)(b)) — to provide the Service, manage your account, deliver career development features, and provide AI-powered career insights (AI is a core component of the service as described in our Terms of Service)
  • Consent (Art. 6(1)(a)) — for analytics, performance monitoring, and session replay. Managed via the cookie consent banner on web and via in-app privacy settings (onboarding and Settings → Privacy) on mobile. You may withdraw consent at any time; on mobile, replay changes take effect on the next app launch
  • Legitimate interest (Art. 6(1)(f)) — for security monitoring, fraud prevention, and service improvement
  • Legal obligation (Art. 6(1)(c)) — to comply with applicable laws and regulations

5. How We Use Your Information

  • Provide and maintain the Service
  • Generate AI-powered career insights and recommendations
  • Process and optimize your resume content
  • Personalize your experience
  • Send notifications about your goals and career development
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

6. AI Processing and Data Handling

CareerCard uses artificial intelligence as a core component of the service to provide personalized career insights. We process your career data (professional history, skills, goals, and documents) through AI models to generate recommendations, optimize resumes, and provide career guidance.

AI Data Safeguards

  • Personally identifiable information (PII) is scrubbed before being sent to AI providers
  • All AI API calls are configured with store: false to prevent provider-side storage for training or evaluation
  • Prompt injection detection is active via Azure Content Safety
  • AI-generated content is clearly distinguishable from user-created content

Consent and Preference Controls

CareerCard uses two separate frameworks for managing data processing preferences:

Cookie & Tracking Preferences (Consent-based, ePrivacy)

The following categories are managed via the cookie consent banner on web and require your explicit opt-in consent under the ePrivacy Directive:

  • Analytics — usage analytics for service improvement (PostHog)
  • Functional — enhanced features and personalization
  • Performance — error reporting, performance monitoring, and privacy-masked session replay around errors (Sentry). Off by default; opt-in. (On mobile, the same Sentry diagnostics ride on the “Share Usage Analytics” setting rather than a separate Performance toggle.)

You may withdraw consent for any cookie category at any time via the cookie banner or your account privacy settings. Withdrawal of consent does not affect the lawfulness of processing performed before withdrawal (GDPR Art. 7(3)).

AI Processing (Contractual, with opt-out)

AI processing is a core component of the CareerCard service, performed under contractual necessity (GDPR Art. 6(1)(b)) as described in our Terms of Service. AI features are enabled by default when you use the service. You may opt out of AI processing at any time in your account settings or on the mobile app. Opting out will disable AI-powered features such as career suggestions, performance review generation, and resume optimization.

The AI opt-out is a contractual preference, not a withdrawal of consent. It takes effect immediately and does not affect other aspects of the service.

7. Sub-Processors and Third-Party Services

We use the following third-party services to operate CareerCard. Each processes data only as necessary for its stated purpose:

Service | Purpose | Data Processed
OpenAI | AI model inference | Career data (PII-scrubbed), prompts, embeddings
Portkey | AI gateway and routing | AI requests (pass-through, not stored)
Azure Content Safety | Prompt injection detection | AI prompts (analyzed, not stored)
Convex | Backend database and functions | All application data
WorkOS | Authentication and user management | Email, name, auth credentials, MFA status
Stripe | Payment processing | Billing information, subscription status
Cloudflare (R2 & Workers) | File storage, web hosting, CDN | Uploaded documents, web traffic
Sentry | Error monitoring & crash diagnosis | Error reports, device info (PII-scrubbed); opt-in session replays with all text & images masked. Email masked and IP not stored. 90-day retention.
PostHog | Product analytics | Usage events, feature interactions (anonymized)
Resend | Transactional email | Email address, email content
Expo Push | Mobile push notifications | Push tokens, notification content

8. Data Retention

  • User content (career cards, notes, documents) — retained until you delete your account
  • Error reports & session replays (Sentry) — retained for 90 days, then automatically deleted
  • Audit logs — retained for 90 days, then automatically deleted
  • Notifications — retained for 90 days, then archived and deleted
  • Consent records — retained indefinitely as required for GDPR compliance
  • AI processing logs — contain metadata only (no user content); retained for compliance

When you delete your account, all personal data is cascade-deleted across all tables. Consent audit logs and data subject request records are retained for regulatory compliance.

9. Data Storage and Security

  • All data encrypted in transit (TLS 1.2+) and at rest
  • Authentication via WorkOS with multi-factor authentication (MFA) support
  • Content Security Policy with per-request cryptographic nonces
  • Rate limiting and account lockout protection against brute-force attacks
  • Automated dependency vulnerability scanning
  • Regular security assessments

10. Your Rights

Under GDPR and other applicable data protection laws, you have the right to:

  • Access (Art. 15) — request a copy of your personal data
  • Rectification (Art. 16) — correct inaccurate personal data
  • Erasure (Art. 17) — request deletion of your personal data
  • Portability (Art. 20) — receive your data in a machine-readable format
  • Restriction (Art. 18) — restrict processing of your data
  • Object (Art. 21) — object to processing based on legitimate interest (e.g., security monitoring, service improvement)
  • Withdraw consent (Art. 7(3)) — withdraw consent for analytics, functional, and performance tracking at any time via the cookie banner or privacy settings. This applies to consent-based processing categories only
  • AI opt-out — disable AI processing at any time via your account settings. This is a contractual preference (see Section 6), not a consent withdrawal or Art. 21 objection

Automated decision-making (Art. 22): CareerCard's AI features are assistive tools that generate suggestions and drafts for your review. No decision with legal or similarly significant effect is made solely by automated means. All AI outputs are advisory and require your review before use.

California residents (CCPA): You have the right to know what personal information is collected, request deletion, and opt out of the sale of personal information. We do not sell your personal information.

To exercise any of these rights, use the in-app settings or contact us at support@careercard.ai. We will respond within 30 days (or sooner if required by law).

11. Cookies and Tracking

We use the following types of cookies and tracking technologies:

  • Essential cookies — required for authentication and session management
  • Analytics — PostHog analytics (routed through our first-party domain at /ph to avoid third-party cookie issues)
  • Error reporting — Sentry session replay (with consent)

You can manage analytics and error reporting consent through the in-app privacy settings. Essential cookies cannot be disabled as they are required for the Service to function.

12. International Data Transfers

Your data may be processed in the United States and other countries where our sub-processors operate. For transfers from the EU/EEA, we rely on Standard Contractual Clauses (SCCs) or adequacy decisions as appropriate. Our sub-processors maintain their own data transfer mechanisms as required by applicable law.

13. Children's Privacy

You must be 13 years of age or older to use CareerCard. We ask for self-attestation at signup and do not knowingly collect personal information from anyone under 13. If you believe a user under 13 has created an account, email support@careercard.ai and we will delete it.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the date below. For significant changes, we may also notify you via email or in-app notification.

15. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us:

If you are in the EU and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.

Last updated: June 2026

May 2026 — Clarified that performance/error monitoring includes opt-in, privacy-masked session replay (Sentry) on web and mobile, with a 90-day retention period. No change to default settings; session replay remains off unless you enable it.