Last updated: 8 May 2026.
Who this is for
This page is for users in the EU, UK, and other GDPR-equivalent jurisdictions, plus enterprise customers’ legal and procurement teams. Most data subject requests can be completed in seconds with the self-serve buttons on your account page.
Self-serve: fastest path
- Export your data: the “Export my data” button on the account page produces a JSON file with everything we hold (profile, tracked jobs, search history, resume text, alerts).
- Delete your account: the “Delete account” button immediately and irreversibly removes all your data from our database. There is no soft-delete.
- Edit your profile: name, target salary, and notification preferences are all editable in place.
Self-serve completes in seconds. Use email-based requests only if self-serve doesn’t fit your need.
Email-based requests
For any other data subject request, email privacy@jobzyl.com with the subject line DSAR: <type of request>. Include the email address on your Jobzyl account so we can verify your identity.
We will respond within:
- 30 days for GDPR / UK GDPR requests (Art. 12(3)). Extendable by 60 days for complex requests, with notice.
- 45 days for CCPA / CPRA requests. Extendable by 45 days, with notice.
What rights you have
- Access: get a copy of your personal data.
- Rectification: correct inaccurate data.
- Erasure (“right to be forgotten”): have your data deleted.
- Restriction: pause processing while a dispute is resolved.
- Portability: receive your data in a machine-readable format (the JSON export).
- Objection: object to processing for direct marketing or based on legitimate interests.
- Withdraw consent: for processing based on consent (e.g. analytics opt-in).
- Lodge a complaint: with your supervisory authority.
Automated decision-making (Art. 22)
We use Anthropic Claude (Haiku) to produce advisory automated outputs — CV-to-JD match scoring, cover-letter drafts, interview prep, and CV-tailoring tips. None of these gate your access to features, and none are used to make legal or similarly significant decisions. If you disagree with a score or want a human to review the output, email privacy@jobzyl.com and we will manually review within 30 days. You can contest a score or output in the same email.
Data controller
Jobzyl, operated by Hammad Ahmad. Contact: privacy@jobzyl.com.
Personal data is stored on Supabase (PostgreSQL, EU region). The backend application is served from AWS App Runner (Frankfurt, eu-central-1). The static frontend is served from AWS S3 with CloudFront (origin in EU; edges global). Some processing is performed in the United States by Anthropic (AI), Sentry (error tracking), and Vercel (analytics + Web Vitals); see “International transfers” below for safeguards.
Sub-processors
- Supabase: Primary database (PostgreSQL) and authentication. EU.
- AWS App Runner: Backend application hosting (Frankfurt, eu-central-1). EU (eu-central-1).
- AWS S3 + CloudFront: Static frontend hosting (origin in eu-central-1; CloudFront edges global). EU (S3 origin EU, edges global).
- Resend: Transactional email (account verification, OTP, password reset, support replies). EU.
- Plausible: Anonymous, aggregated traffic analytics. No cookies. EU (plausible.io). Loaded only after your consent.
- PostHog: Product behaviour analytics (feature usage, funnels). Autocapture and session recording disabled; identified-only profiles. EU (eu.i.posthog.com). Loaded only after your consent.
- Anthropic: AI-powered CV scoring, cover-letter generation, interview prep, and CV-tailoring tips. Data is processed transiently; per Anthropic API terms, content is not used to train models. US.
- Sentry: Backend error tracking and performance monitoring. send_default_pii is disabled; URL paths and exception traces are captured. US.
- Vercel Analytics: Aggregated page-view counts. No cookies set. US (va.vercel-scripts.com). Loaded only after your consent.
- Vercel Speed Insights: Web Vitals (LCP, INP, CLS) for performance monitoring. No cookies set. US (vitals.vercel-insights.com). Loaded only after your consent.
International transfers
Where personal data is transferred outside the EU/UK we rely on the European Commission’s Standard Contractual Clauses (Module 2 controller-to-processor) and, for UK data, the UK International Data Transfer Addendum (IDTA). Specifically:
- Anthropic — United States. EU SCCs Module 2 + UK IDTA addendum
- Sentry — United States. EU SCCs Module 2 (verify EU-US DPF certification at sub-processor renewal)
- Vercel Analytics — United States. EU SCCs (verify EU-US DPF certification at sub-processor renewal)
- Vercel Speed Insights — United States. EU SCCs (verify EU-US DPF certification at sub-processor renewal)
We do not transfer data to any country without an adequacy decision unless an SCC- or IDTA-equivalent safeguard is in place. A current copy of the relevant agreement is available on request.
Supervisory authorities
If you believe we have not handled your data correctly, you may complain to:
- The UK Information Commissioner’s Office (ICO) at ico.org.uk.
- Your EU member state’s data protection authority. The full list is at edpb.europa.eu.
- The California Attorney General at oag.ca.gov.
Enterprise: DPA & SCCs
We provide a Data Processing Agreement (with EU SCCs and the UK IDTA) on request. Email enterprise@jobzyl.com with your company name and the deployment context, and we will return a counter-signed DPA within three business days.
Contact
Privacy questions: privacy@jobzyl.com. General support: support@jobzyl.com. Enterprise / DPA: enterprise@jobzyl.com.