Privacy Policy

OfferFlow ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal information when you use the OfferFlow platform and related services. We operate under applicable privacy laws including the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR) where applicable, and other regional privacy frameworks. If you have questions, contact us at privacy@offerflow.ai.

We collect the following categories of information: Account & Profile Data • Name, email address, and password (hashed — we never store plaintext passwords) • Display name, experience level, work preference, and target job roles • Professional background and career goals you provide during onboarding • Profile photo (if provided via OAuth) Job Application Data • Job titles, employer names, locations, and descriptions of jobs you track • Application statuses and status history (saved, applied, interviewing, offered, etc.) • Notes you add to applications • Follow-up dates and reminders • AI match scores and labels associated with specific jobs Resume Data • Resume files you upload (PDF or image formats) • Parsed resume content including skills, experience summary, and experience years • Resume filename and upload timestamp AI Interaction Data • Cover letters generated for specific jobs • Interview questions and your practice answers • AI feedback on practice sessions • Salary negotiation strategies generated • Confidence ratings and session metadata for interview practice Usage & Technical Data • Pages visited, features used, and interactions within the app • Browser type, device type, and operating system • IP address and approximate location (country/region level) • Session duration and activity timestamps • Error logs and performance data Payment Data • Payment is processed entirely by Stripe. We do not store credit card numbers, CVVs, or full card details. We store only your Stripe customer ID and subscription status. Demo Usage Data • If you use the public demo without an account, we collect your IP address solely to enforce daily usage limits (3 free demo credits per IP per day). This data is automatically reset after 24 hours.

We use your information for the following purposes: Providing the Service • Authenticating your identity and managing your account • Displaying your application pipeline and tracking data • Generating AI-powered features (match scores, cover letters, interview prep, negotiation strategies, resume suggestions) • Sending follow-up reminders and application notifications Improving the Service • Analyzing aggregate usage patterns to identify popular features and areas for improvement • Debugging errors and improving reliability • Developing new features based on usage trends Communications • Sending transactional emails (account verification, password reset, billing receipts) • Notifying you of important changes to the Service or these policies • Sending product updates if you opt in (you can unsubscribe at any time) Legal & Safety • Preventing fraud and enforcing our Terms of Service • Complying with legal obligations • Protecting the rights, safety, and property of OfferFlow and our users We do NOT use your data for: • Training AI models on your personal resume or cover letters • Targeted advertising • Selling your data to third parties • Sharing your application data with employers without your explicit action

OfferFlow uses OpenAI's API (GPT-4o mini) to power AI features. When you use an AI feature, relevant data is transmitted to OpenAI for processing: What is sent to OpenAI: • Job description text (for match analysis, cover letters, interview prep) • Your profile data (experience level, target roles, background, goal role) • Resume text extracted from your uploaded file • Your interview practice answers (for AI feedback) What is NOT sent to OpenAI: • Your email address or account credentials • Your full application history • Your payment information OpenAI's data handling: OpenAI does not use API inputs to train their models by default (as per their API data usage policy as of our effective date). We recommend reviewing OpenAI's privacy policy at openai.com/policies/privacy-policy for current terms. Job data: Job listings are sourced from the Adzuna API. When you search for jobs, your search query and location are sent to Adzuna. Adzuna's privacy policy governs that data. Company logos: We use logo.dev to display company logos. Employer names may be sent to logo.dev to retrieve logos.

Where your data is stored: • Account, profile, and application data is stored in Supabase (PostgreSQL), hosted on AWS infrastructure • Resume files are stored in Supabase Storage (AWS S3-backed), encrypted at rest • Our application runs on Vercel's global edge network Security measures: • All data transmission uses TLS 1.2+ encryption • Passwords are hashed using bcrypt — we never store plaintext passwords • Database access is restricted to authenticated application services • Row-Level Security (RLS) is enforced at the database level so users can only access their own data • Resume files are stored in private buckets with user-scoped access policies • We conduct periodic security reviews and monitor for unauthorized access Data retention: • Active account data is retained as long as your account exists • After account deletion, data is permanently removed within 30 days • Backups may retain data for up to 90 days after deletion • Demo rate limit data (IP addresses) is automatically deleted after 24 hours Despite our security measures, no system is completely secure. We encourage you to use a strong, unique password and enable any available security features.

We do not sell your personal data. We share data only in these limited circumstances: Service providers (data processors): • Supabase — database and file storage • OpenAI — AI feature processing • Stripe — payment processing • Vercel — application hosting • Adzuna — job listing data • logo.dev — company logo retrieval All service providers are bound by data processing agreements and are prohibited from using your data for their own purposes. Legal requirements: We may disclose your information if required by law, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others. Business transfers: If OfferFlow is acquired, merged, or its assets are sold, your data may be transferred as part of that transaction. We will notify you via email and/or prominent notice on the Service before your data is transferred and becomes subject to a different privacy policy. With your consent: We will share your data with third parties only when you explicitly authorize it.

Depending on your location, you may have the following rights: Access: Request a copy of the personal data we hold about you. Correction: Request that we correct inaccurate or incomplete data. Deletion: Request deletion of your account and associated personal data. We will process deletion requests within 30 days. Data portability: Request your data in a machine-readable format. Opt-out of marketing: Unsubscribe from marketing emails at any time via the unsubscribe link in any email or by contacting us. Withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting prior processing. California residents (CCPA): You have the right to know what categories of personal information we collect, the right to delete your personal information, and the right to non-discrimination for exercising your rights. We do not sell personal information. EU/UK residents (GDPR): Our legal basis for processing your data is contract performance (to provide the Service), legitimate interests (security, fraud prevention, product improvement), and consent (marketing communications). You have the right to lodge a complaint with your local data protection authority. To exercise any of these rights, email us at privacy@offerflow.ai with your request. We will respond within 30 days.

We use the following types of cookies and local storage: Essential / Authentication: • Session cookies set by Supabase Auth to maintain your logged-in state • These are required for the Service to function Functional: • Local storage for UI preferences (e.g., collapsed sidebar state) Analytics: • We may use privacy-respecting analytics tools to understand aggregate usage patterns. We do not use Google Analytics or other invasive tracking tools. We do NOT use: • Third-party advertising cookies • Cross-site tracking technologies • Fingerprinting You can control cookies through your browser settings. Disabling essential cookies will prevent you from logging in.

OfferFlow is not directed at children under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected information from a child under 16, please contact us at privacy@offerflow.ai and we will promptly delete the information.

OfferFlow is based in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States, where data protection laws may differ from those in your country. For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission for international data transfers where applicable. By using the Service, you consent to the transfer of your information to the United States as described in this Privacy Policy.

As OfferFlow grows, we plan to introduce additional features that may involve new data processing: Career Growth (planned): A feature that tracks practice session history over time to generate career progression insights, skill trend analysis, and role recommendations. Practice session data (questions, answers, confidence ratings, topics) will be stored and analyzed to provide this functionality. Email Integration (planned): If we add email-based application tracking, we will request access to specific email threads (with your explicit consent) to automatically detect application status updates. We will only read emails you explicitly authorize and will never read your full inbox. Notifications (planned): We plan to add in-app and email notifications for application follow-ups, interview reminders, and offer deadlines. You will be able to control notification preferences granularly. Team/Collaborative Features (future): If we introduce team features for recruiting or career coaching, additional data sharing controls will be implemented with explicit consent. We will update this Privacy Policy before implementing any new data practices and notify you of material changes.

We may update this Privacy Policy from time to time. When we make material changes, we will: • Update the "Effective Date" at the top of this page • Send an email notification to registered users • Display a prominent notice within the app for 30 days Your continued use of the Service after the effective date of the updated policy constitutes your acceptance of the changes. For minor changes (such as clarifications or corrections that don't affect your rights), we will update the policy without separate notification.

For privacy questions, requests, or concerns: Email: privacy@offerflow.ai Website: https://offerflow.ai For data deletion or access requests, please email privacy@offerflow.ai with the subject line "Privacy Request" and include your account email address. We aim to respond to all privacy inquiries within 5 business days and complete data requests within 30 days.