JobbyJob.ai ("JobbyJob," "we," "us," or "our") respects your privacy. This Privacy Policy describes how we collect, use, store, and protect your personal information when you use our website, APIs, optional SDKs or browser extensions where offered, and related services (including our mobile apps that load jobbyjob.ai, admin dashboard, and features such as Resume 360, Job Center, Trending, Blog, Portfolio, Site Builder, AI Headshots, Voice Profile, Voice Trainer, Peer Matching, Adaptive Portfolio, visitor analytics, and optional Mesh CRM) (collectively, the "Service"). This document is for transparency only and does not constitute legal advice; laws vary by jurisdiction — consult a qualified attorney for advice specific to you.
1. Data controller
The data controller responsible for the processing of your personal data is:
Manito AI
United States
Contact: privacy@jobbyjob.ai
Manito AI operates the JobbyJob.ai platform and acts as the data controller for your account information, usage data, and AI-processed content. For resume and career data you upload, we may act as either a data controller or a data processor, depending on the context.
2. Information we collect
We collect the following categories of information:
- Account information — email address, name, password hash (authentication is handled by Supabase; we do not store plain-text passwords), and optional profile details.
- Resume and career data — resumes, cover letters, professional profiles, work history, skills, education, and any career-related content you upload or create through Resume 360 and related features.
- AI-generated content — content produced by AI features on your behalf, including resume rewrites, cover letters, job descriptions, site builder content, AI headshots, voice profiles, and career recommendations.
- Payment and billing data — processed by Stripe (e.g., payment method details, billing address, subscription status); we do not store full card numbers. Stripe collects device and behavioral information for fraud detection and security; see Stripe's privacy policy.
- Usage and analytics data — IP address, browser type, device information, pages visited, features used, and log data collected for security, operation, and service improvement.
- CRM and networking data — contacts, companies, and relationship data you import or create through optional Mesh (me.sh) sync, Google or Microsoft contact import, Apple or CSV import where available, and peer matching features.
- Site builder content — portfolio sites, custom domains, themes, and published content created through the Site Builder feature.
- Audit and security data — actions taken in the service (e.g., logins, data access, billing events, consent changes) stored for security, compliance, and audit purposes.
- Error and performance data — we use Sentry for error tracking and performance monitoring, which may capture anonymized or pseudonymized data related to errors.
- Corporate visitor data — IP-based company identification for portfolio visitors.
3. How we use your data
We use your information for the following purposes:
- Resume analysis and optimization — parsing, scoring, and improving your resume through AI-powered features in Resume 360.
- Job matching — identifying relevant job opportunities based on your skills, experience, and preferences.
- Career recommendations — providing personalized career advice, trending topics, and professional development suggestions.
- Site building — creating, hosting, and maintaining your portfolio website through the Site Builder feature.
- Peer matching and networking — connecting you with professionals who share similar career interests and experiences.
- CRM and contact management — organizing and enriching your professional contacts through Mesh CRM integration.
- Service operation — authentication, billing, email communications, customer support, and infrastructure maintenance.
- Security and fraud prevention — protecting accounts, detecting abuse, and maintaining the integrity of the Service.
- Legal compliance — meeting regulatory requirements and responding to lawful requests.
We do not sell your personal information.
4. AI processing
JobbyJob uses artificial intelligence to power many of its features. When you use AI-powered features (e.g., resume analysis, content generation, headshot training, voice analysis, job matching), your data may be processed by one or more AI providers:
- OpenAI — content generation, resume analysis, chat features
- Anthropic — content generation, analysis
- Google AI — content generation (via Bring Your Own Key)
- Mistral, Cohere, Perplexity — alternative AI providers (via BYOK)
- Astria — AI headshot generation and training
Bring Your Own Key (BYOK): If you provide your own API keys under Settings, we store those secrets encrypted at rest (for example in Redis/KV and, for durability, an encrypted mirror in our database) so we can apply them when you use features that call those providers. We do not store secrets in plain text. Content and prompts you send when using BYOK are transmitted to the third-party provider you chose and are governed by that provider's terms and privacy policy.
We do not use your personal content to train AI models unless we separately disclose this and you provide explicit consent. AI outputs are generated content and may not always be accurate — you are responsible for reviewing and verifying AI-generated content before use.
5. Legal basis for processing (GDPR)
Where the GDPR or UK GDPR applies, we process personal data on the following bases:
- Contract — performance of our agreement with you, including account management, billing, and delivery of core service features.
- Consent — where you have given consent (e.g., optional analytics, marketing communications, personalization). You may withdraw consent at any time via your Privacy Center or Settings.
- Legitimate interests — security, fraud prevention, service improvement, error monitoring, and compliance, where balanced against your rights. You have the right to object to processing based on legitimate interests.
- Legal obligation — where processing is necessary to comply with applicable laws or regulations.
6. Data storage and security
Your data is stored using the following infrastructure:
- Supabase (PostgreSQL) — primary database for account data, resumes, career profiles, CRM contacts, and application data.
- Redis (Upstash) — Redis-compatible storage used for caching, session data, consent audit trails, encrypted BYOK key material, and real-time feature state (via KV_REST_API_* or UPSTASH_REDIS_*).
- Vercel Blob — file storage for uploads such as resume files, headshot images, and portfolio assets.
We implement the following security measures to protect your data:
- Encryption at rest — all personally identifiable information (PII), including resume data, contact details, CRM records, and support tickets, is encrypted using AES-256-GCM encryption via our field-level encryption system.
- Encryption in transit — all data transmitted between your browser and our servers is protected by HTTPS/TLS.
- CSRF protection — cross-site request forgery prevention on all state-changing operations.
- Rate limiting — API rate limiting to prevent abuse and protect service availability.
- Audit logging — comprehensive logging of security-sensitive actions (logins, data access, consent changes, billing events) for compliance and incident response.
- Access controls — role-based access controls and secure authentication via Supabase Auth.
We cannot guarantee absolute security and are not liable for unauthorized access beyond our reasonable control.
7. Third-party services
We use the following categories of third-party services to operate the Service. They process data on our behalf under agreements that require them to protect your data. Their own privacy policies and terms govern their handling of your data:
- Stripe — payment processing, subscription management, and fraud detection. See Stripe's privacy policy.
- Sentry — error tracking and performance monitoring. May capture anonymized data related to application errors.
- Google Analytics — website usage analytics (when enabled and consented to). See Google's privacy policy.
- Microsoft Clarity — session recordings, heatmaps, and behavioral analytics for understanding user experience (see Section 8).
- Supabase — authentication, PostgreSQL database, and optional storage.
- Vercel — hosting, serverless functions, Vercel Blob storage, and optional Vercel Analytics.
- Resend — transactional and application emails (including authentication emails sent via Supabase SMTP).
- Datadog — when enabled, application logs and performance monitoring (APM); may include pseudonymous technical data. See Datadog's privacy policy.
- AI providers — OpenAI, Anthropic, Google AI, Mistral, Cohere, Perplexity (for AI features), and Astria (for AI headshot generation). See Section 4.
- Mesh (me.sh) — professional data enrichment for CRM features (strictly BYOK — each user provides their own API key).
We may add or change processors as needed; material changes will be reflected in this policy.
8. Analytics and session recording
Microsoft Clarity: We use Microsoft Clarity to understand how you interact with our website through behavioral analytics. This includes:
- Session recordings — visual replays of your website interactions with automatic masking of passwords, credit card numbers, and other sensitive data
- Heatmaps — aggregated visualization of where users click, scroll, and move their mouse on our pages
- Frustration detection — identification of areas where users experience difficulty (rage clicks, dead clicks, excessive scrolling)
- Conversion funnels — analysis of user journey completion rates
AI-powered feedback analysis: When you submit feedback through our feedback widget, we use AI to analyze sentiment, categorize issues, and prioritize improvements. Critical feedback may trigger immediate alerts to our team for faster resolution.
Consent and control: You can control your analytics preferences through our consent banner with three tracking levels:
- Minimal — only essential cookies and anonymous analytics
- Basic — anonymous analytics with enhanced insights
- Full — complete analytics with personalization features
Session recordings are automatically deleted after 30 days. You can opt out of analytics at any time through our consent preferences or your Privacy Center.
9. Cookies and similar technologies
We use cookies and similar technologies for the following purposes:
- Essential cookies — required for authentication, session management, CSRF protection, and core service functionality. These cannot be disabled.
- Analytics cookies — used by Google Analytics and Microsoft Clarity to understand usage patterns (only with your consent).
- Preference cookies — store your consent choices, theme preferences, and personalization settings.
You can control optional cookies through our consent banner or your browser settings. Disabling essential cookies may prevent some features from working correctly.
10. Data retention
We retain your personal data as follows:
- Active account data — retained for as long as your account is active and you continue to use the Service.
- Account closure — when you close your account or request deletion, we delete your personal data, including resumes, career profiles, CRM contacts, AI-generated content, and site builder data. Deletion is processed promptly in accordance with applicable law.
- Legal and compliance retention — we may retain certain data (e.g., audit logs, billing records, backup copies) for longer periods where required for legal, regulatory, tax, security, or backup purposes.
- Session recordings — automatically deleted after 30 days.
- Error and performance logs — retained per Sentry's standard retention policies.
You can request deletion of your data at any time through our Privacy Center (Right to be Forgotten) or by contacting us.
11. Your rights (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction with similar data protection laws, you have the following rights:
- Right of access (Article 15) — request a copy of all personal data we process about you.
- Right to rectification (Article 16) — request correction of inaccurate or incomplete personal data.
- Right to erasure (Article 17) — request deletion of your personal data ("right to be forgotten").
- Right to restrict processing (Article 18) — request limitation of how we process your data.
- Right to data portability (Article 20) — receive your data in a structured, commonly used, machine-readable format.
- Right to object (Article 21) — object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent (Article 7) — withdraw consent at any time where processing is consent-based.
You can exercise these rights through our Privacy Center, which provides self-service tools for data export, rectification, access reports, processing restrictions, consent management, and account deletion. You can also contact us at privacy@jobbyjob.ai. We will respond within the timeframes required by applicable law (typically 30 days). You also have the right to lodge a complaint with a supervisory authority.
12. California and other U.S. state rights (CCPA / CPRA)
If you are a California resident or reside in another U.S. state with applicable privacy legislation, you may have the following rights:
- Right to know — know what personal information we collect, use, disclose, and sell (we do not sell personal information).
- Right to delete — request deletion of your personal information.
- Right to correct — request correction of inaccurate personal information.
- Right to opt out of sale / sharing — we do not sell your personal information for money. We use service providers (Section 7) for business purposes such as hosting, security, and optional analytics. You may opt out of optional analytics via our consent banner and Privacy Center and may contact us for other CPRA requests.
- Right to limit use of sensitive information — limit how we use sensitive personal information.
- Right to non-discrimination — we will not discriminate against you for exercising your privacy rights.
To exercise these rights, contact us at privacy@jobbyjob.ai or use the Privacy Center. We may verify your identity before fulfilling requests.
13. International transfers
Our service and processors may store or process data in the United States or other countries. By using the Service, you acknowledge that your data may be transferred to and processed in those locations. Where required by law (e.g., GDPR), we implement appropriate safeguards such as standard contractual clauses (SCCs) or other approved transfer mechanisms.
14. Sensitive and special-category data
We do not ask you to provide sensitive categories of data (e.g., health, race, religion, political opinions). Please do not submit such data unless necessary for a feature you use; we will treat it in accordance with this policy and applicable law but do not assume any heightened obligations unless required.
15. Children's privacy
JobbyJob.ai is not directed at children under 13 (or under 16 in the EEA/UK). We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us at privacy@jobbyjob.ai and we will promptly delete it.
16. Automated processing
We use automated systems (including AI) to operate the Service, analyze resumes, match jobs, generate content, prevent fraud, and improve functionality. We do not use automated decision-making that produces legal effects or similarly significantly affects you without human oversight, unless we disclose it separately or as required by law. You have the right to request human review of any automated processing decision.
17. Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised policy on this page and update the "Last updated" date. For material changes, we will notify you by email or in-app notification before the changes take effect. Continued use of the Service after changes constitutes acceptance of the updated policy.
18. Contact
For privacy questions, data protection inquiries, or to exercise any of your rights described in this policy, you can reach us through:
For a Data Processing Addendum (DPA), security questionnaires, SOC 2, or other compliance inquiries, please use the same channels.