The Job Log
Legal & Regulatory Affairs

Privacy Policy

Effective Date: May 23, 2026 | Last Updated: May 27, 2026

The Job Log (hereinafter referred to as the “Platform,” “we,” “us,” or “our”) is committed to protecting the privacy, security, and integrity of the personal data of our users (hereinafter referred to as “you” or “User”). This Privacy Policy delineates the precise protocols and legally binding conditions governing how we collect, process, secure, utilize, and disclose information when you interact with our ATS-first resume builder, job tracker boards, and associated digital services located at thejoblog.com (the “Service”).

1. Data Controller and Architectural Segregation

Under applicable data protection legislation (including the General Data Protection Regulation “GDPR,” the California Consumer Privacy Act “CCPA,” and the Personal Data Protection Act of Singapore “PDPA”), the primary Data Controller for your account metadata, credentials, and resume records is The Job Log.

Generative AI Data Isolation (BYOK Paradigm): A core tenet of our Service architecture is the Bring Your Own Key (“BYOK”) model for artificial intelligence capabilities. When configuring and utilizing Google Gemini AI endpoints to generate, optimize, or tailor resumes:

  • You act as the direct licensee of the Google Gemini API key procured through your personal or organizational Google AI Studio account.
  • All prompt text, resumes, and career metrics dispatched for tailoring are transmitted directly via Next.js server proxies to Google Gemini Cloud API endpoints.
  • Such transmissions are governed strictly under the Google Cloud API Developer Agreement. As per Google's binding developer terms, prompts and training payloads submitted via private paid API keys are not utilized to train base generative models, ensuring complete intellectual data segregation.

2. Categories of Information We Collect

We collect only the narrowest possible subset of personal information required to construct, render, and track professional career artifacts. These categories comprise:

a. Account Access Data:

Email addresses provided during magic link or password registration, along with secure encrypted password hashes managed via our identity provider middleware.

b. Resume Profile Data:

All data entered into the structured resume editor—including names, contact details, work history, titles, certifications, educational milestones, and personal portfolios.

c. Application Board Telemetry:

Metadata, tracking states (e.g., Saved, Applied, Interviewing, Offer), company names, salary indicators, and target job descriptions tracked inside the Kanban Job Board.

d. Billing and Payment Metadata:

All direct payment operations are handled securely by our third-party merchant processor, Stripe, Inc. We never access, capture, or store primary credit card account numbers. Stripe transmits to us only secondary checkout metadata, reference IDs, and transaction completion statuses.

e. API Configuration Credentials:

The Google Gemini API key you provide is stored in securely encrypted form inside our Supabase database to enable seamless API invocation on your behalf.

3. Database Infrastructure & Security Measures

Our database infrastructure is deployed securely on Supabase (utilizing managed PostgreSQL database clusters).

Row-Level Security (RLS): The primary security mechanism protecting your career profile data is PostgreSQL Row-Level Security. Every single table in our system (including `resumes`, `jobs`, `profiles`, and `api_keys`) is governed by isolated RLS policies. These policies guarantee that database transactions are executed strictly under the authenticated user's ID (`auth.uid()`). A user is mathematically and procedurally blocked from reading, editing, or deleting any data records belonging to another account.

Encryption: Sensitive values (including stored custom API credentials) are encrypted at rest using modern industry-standard cryptographic techniques (AES-256) utilizing private server-side encryption keys before being committed to Supabase tables.

4. Legal Bases for Processing (GDPR)

Under Article 6 of the GDPR, we process your personal data under the following legitimate legal bases:

  1. Performance of a Contract: Providing the account access, resume rendering pipeline, PDF/DOCX generation, and job tracking features requested by you.
  2. Legitimate Interests: Operating a secure digital environment, optimizing user-interface workflows, preventing fraudulent registrations, and maintaining application health.
  3. Consent: When you voluntarily paste your API key, customize generative prompts, or publish public sharing links (`/r/[slug]`) to broadcast your resumes to the web.

5. Third-Party Data Transmission

We do not sell, rent, or trade your personal data. We disclose specific categories of information only to trusted subprocessors to execute critical service architecture:

| Subprocessor | Purpose | Data Disclosed |
| --- | --- | --- |
| Supabase, Inc. | Cloud Database Hosting & Authentication Middleware | Email accounts, Profile metrics, Resume text blocks, Job tables. |
| Stripe, Inc. | One-time payment gateway processing | Billing emails, Customer checkout indicators, Reference IDs. |
| Google Cloud API | Generative AI prompt processing & resume tailoring | Target job descriptions, resume bullet points, custom prompt context. |

5.1 International Data Transfers and Standard Contractual Clauses (SCCs)

Because our subprocessors, servers, and storage clusters operate globally (including deployments in the United States and other regions), your personal data may be transferred to, processed in, and stored in countries outside the European Economic Area (EEA), the United Kingdom (UK), Switzerland, or Singapore. We ensure that such transfers comply with applicable data protection laws.

For transfers of personal data originating from the EEA, UK, or Switzerland to countries that do not possess an adequacy decision from the European Commission, we rely on appropriate legal transfer mechanisms, including the Standard Contractual Clauses (SCCs) approved by the European Commission (in conjunction with the UK International Data Transfer Addendum where applicable), to guarantee that your personal data receives a level of protection equivalent to that guaranteed under the GDPR and applicable local statutes.

6. User Rights (GDPR & CCPA compliance)

Regardless of your geographical residence, the Platform extends comprehensive, modern rights to manage your digital footprint:

  • Right of Access & Portability: You have the right to request a copy of all personal records and resume documents housed within our databases.
  • Right of Rectification: You maintain complete edit access to alter, update, or correct all resume text and account properties directly via the Workspace interface.
  • Right to Erasure (“Right to be Forgotten”): You may request the absolute deletion of your user account. Account deletion triggers a cascading deletion of your linked database records (including resumes, jobs, keys, and profile metadata), executing complete database eradication.
  • Right to Restrict AI Processing: You may at any moment revoke, delete, or modify your stored Google Gemini API key, completely arresting the generative AI processing pipeline.

To invoke any statutory rights, please submit an explicit request to our administrative panel at privacy@thejoblog.com.

7. Cookie Disclosure & Analytical Exemption

Under the EU ePrivacy Directive, the Singapore PDPA, and similar global privacy frameworks, websites are mandated to obtain active consent before deploying tracking or marketing cookies.

The Platform does not engage in advertising, remarketing, or third-party analytical tracking. We do not utilize Google Analytics, Meta Pixels, or equivalent tracking cookies. We only employ cookies that are classified as strictly necessary for service functionality:

  • Session Authentication: Cookies set by our Supabase middleware solely to authenticate your login sessions and secure database Row-Level Security transactions.
  • Merchant Security: Cookies set by Stripe to process checkout flows securely and prevent transaction fraud.

Because these cookies are strictly essential to provision the Service requested by you, they are legally exempt from cookie consent banner mandates, allowing us to maintain a clean user interface without compromising compliance.

8. Data Retention

We retain your personal data and career documents strictly for as long as your account remains active or as necessary to fulfill the operational business purposes outlined in this Privacy Policy:

  • Active Accounts: Profile information, resume databases, and job track records are retained indefinitely while your account remains active, facilitating ongoing access to your career dashboard.
  • Account Deletion: Upon receiving an explicit request for account erasure, we immediately flag your account for deletion. All associated database records (including resumes, jobs, keys, and profiles) are permanently deleted and purged from our primary database clusters within thirty (30) days, except to the extent that retention is required to satisfy statutory financial audits.
  • API Keys: Encrypted Google Gemini API keys are permanently deleted and purged from our live database rows immediately upon your deletion request in your Workspace Settings, or upon account termination.
  • Stripe Billing Records: Stripe transaction reference tokens and payment metadata are retained for a minimum of seven (7) years to comply with statutory corporate, financial, and tax auditing rules in Singapore.

9. Children's Data Protection Disclaimer

Our Service is strictly directed to and intended for individuals who possess full legal capacity to enter into binding agreements. The Platform does not knowingly collect, compile, or process personal data from children under the age of thirteen (13) (or sixteen (16) under specific statutory thresholds in the EU).

If we discover or are notified that we have inadvertently collected personal data from a child under the relevant statutory age limit without verified parental or guardian consent, we will take immediate, cascading steps to delete and purge such records from our databases. If you believe or suspect that we have inadvertently captured children's data, please contact our privacy desk at privacy@thejoblog.com.

10. Revisions and Contact Information

We reserve the right to revise, amend, or restructure this Privacy Policy in response to regulatory shifts, architectural changes, or subprocessor updates. We will notify you of any material changes by updating the last revised date at the top of this page.

For all legal, regulatory, or privacy inquiries, please contact us at:

The Job Log Legal & Regulatory Affairs
Email: privacy@thejoblog.com
Subject: Privacy Inquiries