Last updated: April 12, 2026
Privacy Policy
Talnt.Fit is committed to protecting your privacy. This policy explains what information we collect, how we use it, and the choices you have. By using Talnt.Fit you agree to the practices described here and to our Terms of Service.
1. Information We Collect
Account information
When you create an account we collect your name, email address, and authentication credentials (or OAuth tokens if you sign in via LinkedIn or Google). For LinkedIn sign-in we receive your public profile name, email, and profile photo only — we do not access your LinkedIn connections, messages, or feed.
Resume and profile data
You may upload a resume (PDF or DOCX) and fill in your professional profile — work history, education, skills, certifications, and job preferences. This data is stored securely and used solely to power AI job matching for you.
AI-generated career content
When you use AI features, we store the outputs in your account so you can access them later. This includes: cover letters, LinkedIn outreach messages, salary negotiation scripts, STAR story drafts, follow-up email drafts, LinkedIn profile optimisation suggestions, and resume translations. These are tied to your account and treated as personal data under this policy.
Financial and compensation data
If you enter your current salary, offer details (base salary, bonus, equity), or use the offer comparison calculator, that financial information is stored in your account. This is treated as sensitive personal data and is never shared with third parties beyond what is necessary to deliver the feature (see Section 5).
Job search and application activity
We record the searches you run, jobs you view and save, application statuses, notes, and timeline entries in your tracker. We also perform automated HTTP checks on job posting URLs you have applied to (liveness checks) to detect when postings go offline — this involves making a request to the external employer URL on your behalf.
Job alert preferences
If you create job alerts, we store your saved search criteria and send you email notifications (via Resend) when new matching jobs are found. You can delete alerts or unsubscribe at any time.
Usage and technical data
We collect standard server logs (IP address, browser, pages visited, timestamps) and aggregate usage metrics (feature adoption, error rates). We do not use third-party analytics trackers on authenticated pages.
Payment information
Payments are processed by Stripe. We never see or store your card number. We receive a Stripe customer ID, plan status, subscription period, and billing email.
2. How We Use Your Information
- To authenticate you and maintain your session
- To power AI job matching, ranking, resume tailoring, and all career tools — your profile data is sent to OpenRouter (Claude AI) under our API key; see Section 5
- To send transactional emails: verification codes, job search results, job alert digests, and resume analysis notifications
- To perform liveness checks on job postings you are tracking
- To enforce usage limits and manage your subscription via Stripe
- To debug errors, improve reliability, and develop new features
- To comply with legal obligations
We do not sell your data, use it for advertising, share it with third parties for their own marketing, or use it to train AI models.
3. Legal Basis for Processing
We rely on the following legal bases to process your personal data:
- Contract performance — processing necessary to provide the service you have signed up for
- Legitimate interests — security logging, error monitoring, and feature improvement, where these interests are not overridden by your rights
- Legal obligation — where we are required by law to retain or disclose data
- Consent — for optional features such as job alert emails, where you explicitly enable them
Talnt.Fit operates primarily under Canadian privacy law (PIPEDA / provincial equivalents). If you are located in the European Economic Area or UK, the GDPR also applies and you have additional rights under Section 7. If you are a California resident, the CCPA applies; see Section 8.
4. Data Retention
Your account and profile data is retained for as long as your account is active. Job search results and AI rankings are kept for 90 days, after which they are automatically purged. Uploaded resume files are stored in Cloudflare R2 and deleted when you remove them from your account or close your account. AI-generated career content (cover letters, STAR stories, negotiation scripts, etc.) is retained until you delete it or close your account. Financial data (salary, offer details) is deleted immediately when you remove the relevant application. You may request deletion of all your data at any time by contacting us (see Section 11).
5. Third-Party Services (Sub-processors)
We use the following sub-processors to deliver the service. All are bound by contractual data protection obligations. Most are US-based; see Section 9 for international transfer details.
| Service | Purpose | Data shared |
|---|---|---|
| OpenRouter / Anthropic | AI job matching, resume analysis, career tools | Resume text, job description, profile summary, financial context (salary, offers) where you use those features |
| Stripe | Payment processing and subscription management | Name, email, billing address |
| Cloudflare R2 | Resume file storage | Uploaded resume files |
| Resend | Transactional and alert emails | Email address, OTP codes, job alert content |
| Upstash Redis | Background job queues and rate limiting | Job IDs, processing state, anonymised rate-limit keys |
| Hetzner Cloud | Application hosting (VPS) | All application data processed on-server |
| RapidAPI / JSearch | Job search data (primary source) | Search keywords, location, filters |
| Adzuna | Job search data (secondary source) | Search keywords, location, filters |
| Sentry | Error and performance monitoring | Stack traces, anonymised session context |
| Google / LinkedIn OAuth | Social sign-in (optional) | OAuth tokens; name, email, photo from the provider you choose |
AI API calls to OpenRouter are made under our API key. Your data is not used to train any AI model. OpenRouter's data processing is governed by their Privacy Policy.
6. Cookies
We use a single session cookie set by NextAuth.js to maintain your login state. The cookie is HTTP-only (not accessible to JavaScript), scoped to this domain, and marked Secure in production. We do not use third-party advertising or tracking cookies. You can clear cookies in your browser at any time; this will sign you out.
7. Your Rights
You have the right to:
- Access — request a copy of all personal data we hold about you
- Correction — update incorrect profile information directly in the app, or ask us to correct it
- Deletion — delete your account and all associated data; we will comply within 30 days
- Portability — export your profile data in JSON format (coming soon)
- Restriction — ask us to pause processing while a dispute is resolved
- Objection — object to processing based on legitimate interests
- Opt-out of emails — unsubscribe from job alerts and non-essential notifications at any time via account settings or the unsubscribe link in any email
To exercise any of these rights, contact us or email privacy@talnt.fit. We will respond within 30 days. If you are in the EEA or UK and are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.
8. California Residents (CCPA)
If you are a California resident, you have the right to know what personal information we collect, to delete it, and to opt out of its sale. We do not sell personal information. To submit a verifiable consumer request, contact us at privacy@talnt.fit. We will not discriminate against you for exercising your CCPA rights.
9. International Data Transfers
Talnt.Fit is headquartered in Canada. Our sub-processors (including OpenRouter, Stripe, Cloudflare, Resend, Upstash, and Sentry) are primarily based in the United States. By using the service, you acknowledge that your data may be transferred to and processed in the US or other jurisdictions with different privacy laws than your own. Where required, we rely on Standard Contractual Clauses or other approved transfer mechanisms under GDPR.
10. Data Security
All data is transmitted over HTTPS/TLS. Passwords are hashed with bcrypt (never stored in plain text). Session cookies are HTTP-only and Secure. Database access is restricted to application credentials with least-privilege roles. Uploaded files are stored in a private Cloudflare R2 bucket accessible only via signed URLs. We perform regular security reviews and dependency audits.
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and relevant authorities within 72 hours of becoming aware, as required by applicable law.
11. Children's Privacy
Talnt.Fit is not directed at individuals under 16 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
12. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by posting a notice in the app or emailing your registered address at least 14 days before the change takes effect. The “Last updated” date at the top of this page always reflects the most recent revision. Continued use after changes constitutes acceptance.
13. Contact
Questions about this policy? Contact us or email privacy@talnt.fit.