JobWarp Privacy Policy
Last Updated: 28 May 2026
Version: v1.0.0
This Privacy Policy explains how JobWarp ("we", "our", "us") collects, uses, stores, transfers and protects your personal data. It applies to https://jobwarp.app, the JobWarp Chrome extension, and the backend services that power them.
We follow the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and the Spanish Organic Law 3/2018 (LOPDGDD). The supervisory authority for Spanish users is the Agencia Española de Protección de Datos (AEPD), www.aepd.es.
If anything in this policy is unclear, please contact us before using the service.
1. Introduction
JobWarp is a job-application assistant. From a posting you save in your browser, our AI agents generate a tailored cover letter, screening-question answers, a fit score and a company briefing. You can edit, regenerate or discard everything we produce.
To operate, JobWarp needs a copy of your CV, the postings you save and your edits to the generated materials. The remainder of this policy explains exactly what we collect, why we collect it, who else sees it and what control you have.
2. Information We Collect
2.1 Account Data
- Email address
- Password, stored exclusively as a salted hash via the Better Auth library — we never see, store, or log the plain-text password
- Account creation and last sign-in timestamps
- A randomly generated user identifier (user_id)
- The timestamp of your DeepSeek consent (see § 6) and any subsequent revocation
2.2 Job-Profile Data
- The CV/résumé file you upload (PDF or DOCX), kept in Cloudflare® R2
- A text-extracted version of that CV, kept encrypted in Cloudflare D1
- A free-text "background" description you write about yourself
- Job preferences (target role, location, work mode, languages)
2.3 Application Data
For each job posting you save:
- The job URL, title, company, location, work mode and posting date
- The text of the posting, held only for the brief processing window (typically 30–60 seconds). We wipe this raw text as soon as the AI pipeline finishes
- The generated materials: cover letter, screening-question answers, fit score, company briefing, salary range estimate
- Your edits to those materials
- Your private notes on the application
- The status of the application in your kanban (saved, applying, interviewing, etc.)
2.4 Technical and Usage Data
- IP address, received by Cloudflare for routing and abuse detection; we do not store it in our database
- Browser type and version, operating system
- Pages visited within the application and basic interaction events strictly necessary to operate the product
- Error reports (no personally identifying content; see § 9)
2.5 Data We Do Not Collect
- We do not collect biometric data, health data, political opinions, religious beliefs, sexual orientation, trade-union membership or any other "special category" data under Art. 9 GDPR. If you voluntarily include such information in your CV or background text, you do so at your own discretion
- We do not buy or enrich your data from third-party data brokers
- We do not run advertising trackers. The only cookies we set are strictly necessary (see § 10)
3. How We Use Your Data
| Purpose | Categories Used | Legal Basis (Art. 6 GDPR) |
|---|---|---|
| Provide the service (sign-in, store applications, generate materials) | Account, profile, application | Art. 6(1)(b) — performance of the contract you accept by signing up |
| Send transactional emails (sign-in, password reset, account notices) | Email address | Art. 6(1)(b) |
| Generate cover letters, fit scores, company briefings and salary estimates via large language models | CV text, application text, profile background | Art. 6(1)(b) and Art. 49(1)(a) for the China transfer (see § 6) |
| Detect and prevent abuse, fraud and security incidents (rate limiting, IDOR-style attempts, prompt-injection attempts) | IP, account, audit metadata | Art. 6(1)(f) — legitimate interest in keeping the service safe |
| Improve the product (aggregated, non-identifying usage analytics) | Aggregated counts and timings | Art. 6(1)(f). You may object via the contact email |
| Comply with legal obligations | As required | Art. 6(1)(c) |
We do not use your personal data to train any AI model, and our sub-processors are contractually prohibited from training on it (see § 5).
4. Automated Processing (Art. 22 GDPR)
JobWarp uses large language models to generate materials and to score how well a posting matches your profile (the "fit score"). These outputs are advisory:
- No legally significant decision is made automatically by us. We do not decide whether you are hired, contacted or screened by any employer. The decisions about whether to apply, edit, send or discard materials are always yours.
- The fit score and generated text are starting points; you can edit, ignore or delete them at any time.
You always have the right to request human review of any AI-generated output by writing to us at the address in § 14.
5. Sub-processors
We share your personal data only with the sub-processors strictly needed to operate the service. Each one is bound by a Data Processing Agreement (DPA).
| Sub-processor | Service | Processing Location | Transfer Mechanism |
|---|---|---|---|
| Cloudflare®, Inc. | Hosting (Workers, Pages), database (D1), object storage (R2), DNS, CDN, queues | Global; primary database region configurable | EU-US Data Privacy Framework (DPF) + Standard Contractual Clauses (SCCs) |
| DeepSeek™ (Hangzhou DeepSeek Artificial Intelligence Co., Ltd.) | Generation of cover letters, Q&A answers, fit scoring, briefings (we send your CV text, the job-posting text and your profile background) | People's Republic of China | Explicit consent under Art. 49(1)(a) GDPR — see § 6 |
| Tavily™ Research, Inc. | Web search used to research companies (we send only the company name and search query; we do NOT send your CV or any user-edited content) | United States | EU-US DPF + SCCs |
| Resend™, Inc. | Transactional email delivery | United States | EU-US DPF |
The current list is available at https://jobwarp.app/sub-processors. We give at least 30 days' notice before adding a new sub-processor that processes personal data.
6. International Transfers and the DeepSeek Notice
Some of our sub-processors process data outside the European Economic Area (EEA).
6.1 Transfers to the United States
Cloudflare, Tavily and Resend are certified under the EU-US Data Privacy Framework, which the European Commission considers an adequate level of protection (Implementing Decision (EU) 2023/1795). We supplement this with SCCs where required by our DPAs.
6.2 Transfers to the People's Republic of China — DeepSeek
There is no adequacy decision between the EU and the People's Republic of China. Chinese law (notably the 2017 National Intelligence Law and the 2021 Data Security Law) allows broad governmental access to data held by Chinese companies, with no effective judicial remedy from the EU.
We rely on Article 49(1)(a) GDPR — your explicit consent for this transfer. By creating a JobWarp account and ticking the checkbox that confirms acceptance of these Terms of Service and this Privacy Policy, you provide that explicit, informed consent and acknowledge that:
- Your CV text and the text of the job postings you save will be sent to DeepSeek for processing
- DeepSeek is located in the People's Republic of China
- The Chinese legal regime does not provide protections equivalent to those of the GDPR, and your data may, in theory, be accessed by Chinese public authorities without effective judicial remedy
- You can withdraw your consent at any time through your account settings, in which case we immediately stop sending any further data to DeepSeek. Withdrawal does not by itself delete data you've already saved (use account deletion for that)
- The AI features of JobWarp depend on this transfer; without consent, the product cannot operate
We are actively evaluating EEA-based or DPF-certified alternative model providers and will update this section if and when we migrate.
7. Storage, Security and Encryption
We implement appropriate technical and organisational measures (Art. 32 GDPR), including:
- Transport security: HTTPS / TLS 1.3 on all endpoints
- At-rest encryption (infrastructure): Cloudflare® D1 and R2 encrypt all data at rest with AES-256
- Application-level encryption: sensitive columns (CV text, cover letters, screening-question answers, your notes, target salary, company briefings) are encrypted with a per-user data-encryption key ("DEK"). Each DEK is wrapped under an environment key ("KEK") that lives only as a worker secret. This enables crypto-shredding: when you delete your account we destroy your DEK, instantly making all of your encrypted data permanently unreadable, even from backups
- Raw job-posting text is wiped from our database as soon as the AI pipeline finishes (typically within 30–60 seconds). To regenerate, you re-capture the posting from the JobWarp extension; we re-encrypt the new text, run the pipeline and wipe it again
- Access control: authentication via the Better Auth library with hashed passwords; per-record ownership checks (IDOR-resistant) on every endpoint
- Rate limiting on signup, sign-in, password reset, application creation and regeneration
- Input hardening: HTML sanitisation, defanging of prompt-injection delimiters, URL-scheme allowlist (http/https only), prompt-fenced untrusted content for LLM calls
- Backups: Cloudflare's standard rolling backups, typically retained 35 days. Backups inherit the same encryption and access controls; encrypted-column data in a backup is unreadable without the DEK
No system is 100% secure. In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the AEPD within 72 hours (Art. 33) and, where the risk is high, notify you directly without undue delay (Art. 34).
8. Retention
We keep personal data only as long as necessary for the purposes set out above.
| Data | Retention |
|---|---|
| Account (email, hashed password) | While the account exists. On deletion the database record is crypto-shredded and hard-deleted immediately; CV files in storage are cleared within 30 days |
| Job profiles, CV files | While the profile exists. Crypto-shredded on profile deletion; underlying objects in R2 cleared within 30 days |
| Application records (title, company, generated materials, your notes, your edits) | While the application record exists |
| Raw text of saved job postings | Wiped after the AI pipeline completes (typically within 60 seconds of saving) |
| Audit/security logs | 12 months, then aggregated or deleted |
| Backups | Cloudflare's standard rolling backups, typically 35 days |
9. Your Rights Under the GDPR
You have the following rights regarding your personal data. We respond to any request within one month (extendable by two further months for complex requests, with notice).
- Right of access (Art. 15). Receive a copy of the personal data we hold about you. JobWarp provides a one-click JSON export from your account settings, exercising your right to data portability (Art. 20) at the same time
- Right to rectification (Art. 16). Have inaccurate or incomplete data corrected
- Right to erasure / "right to be forgotten" (Art. 17). Delete your account. We immediately crypto-shred your DEK and remove the user row, cascading the delete across all related tables; CV files in storage are cleared within 30 days
- Right to restrict processing (Art. 18)
- Right to data portability (Art. 20). Receive your data in a machine-readable format (JSON)
- Right to object (Art. 21) to processing based on legitimate interest (§ 3)
- Right not to be subject to automated decision-making (Art. 22). See § 4
- Right to withdraw consent. Where processing is based on consent (including the DeepSeek transfer described in § 6), you can withdraw at any time from your account settings. Withdrawal does not affect the lawfulness of processing before withdrawal
- Right to lodge a complaint with the supervisory authority. In Spain, the AEPD (www.aepd.es). If you reside in another EU/EEA Member State, you may also complain to your national authority
To exercise any right, write to the contact email in § 14. We may ask for proof of identity to prevent fraudulent requests.
10. Cookies and Similar Technologies
We use only strictly necessary cookies and browser storage. Specifically:
| Name | Purpose | Type | Duration |
|---|---|---|---|
| auth.session_token (HttpOnly, Secure, SameSite=Lax) | Keeps you signed in | First-party, strictly necessary | Up to 30 days |
| auth.csrf_token | CSRF protection | First-party, strictly necessary | Session |
| Local storage entries (jw.*) | UI preferences (kanban state, dismissed banners) | First-party, strictly necessary | Until you clear browser storage |
We do not use cookies for advertising, profiling or third-party tracking. Because we use only strictly necessary cookies, no consent banner is required under Spanish ePrivacy rules (LSSI Art. 22.2). If we ever add non-essential cookies, we will request your explicit consent first.
11. The JobWarp Google Chrome™ Extension
The extension is what reads job postings from the page you're on. It has the minimum permissions needed:
- storage — to remember your sign-in bearer for the API
- activeTab — to read the page only when you click the JobWarp action
- scripting — to render the panel inside the page
The extension does not track your browsing, scrape pages in the background, or send anything to any server other than the JobWarp API. The bearer token it stores can be revoked at any time by signing out of the web app.
12. Children's Data
JobWarp is not directed to children under 14, the age of digital consent in Spain under LOPDGDD Art. 7. We do not knowingly process personal data of children under 14. If you believe a child has provided us with personal data, please contact us and we will delete it.
13. Changes to This Policy
We notify you of material changes by email and by a banner inside the application at least 30 days before the change takes effect. The "Last Updated" date at the top of this document always reflects the current version. Previous versions are available on request.
14. Contact
Privacy questions, data-subject requests and complaints can be sent to:
- Data controller: Jesús Bosch Ayguadé
- Email: [email protected]
- Postal address: Carrer Benet Cortada 43, 08174 Sant Cugat del Vallès, Spain
JobWarp is currently run by an individual (no incorporated legal entity). If an operating company is created later, we will publish its registered name and tax identifier here and notify users in advance.