At JobStep, we take your privacy seriously. This Privacy Policy explains how TenThirty GmbH ("JobStep," "we," "us," or "our") collects, uses, discloses, and protects your personal information when you use our AI-powered career platform.
1. Company Information
This service is operated by:
TenThirty GmbH
Guggachstrasse 6
8057 Zürich, Switzerland
Email: info@jobstep.io
UID: CHE-167.324.376
Managing Directors: Jan-Oliver Seidenfuss, Alexander Eichhorn, Max Brenner
2. Information We Collect
2.1 Information You Provide to Us
We collect information that you voluntarily provide when using JobStep:
- Account Information: Name, email address, password (encrypted), and authentication data through Firebase Authentication
- Resume and CV Content: Employment history, education, skills, work experience, achievements, and other professional information
- Application Materials: Cover letters, job descriptions, tailored resumes, and other job application documents
- Media Files: Profile photos, headshots, application videos (recorded or uploaded)
- Job Tracking Data: Job postings you're tracking, application status, notes, and application-related metadata
- Payment Information: Processed by Stripe (we do not store credit card numbers)
- Communication Data: Messages, feedback, and correspondence with our support team
2.2 Automatically Collected Information
When you use JobStep, we automatically collect certain information:
- Analytics Data: IP addresses (hashed using PBKDF2), geolocation data, user agent information, device type, browser type, and operating system
- Usage Data: Pages visited, features used, time spent on the platform, click patterns, and interaction data collected via PostHog
- Public Application Website Analytics: When you create a public application website, we track visitor IP addresses (hashed), geolocation, user agents, and engagement metrics to provide recruiter insights
- Cookies and Similar Technologies: Session cookies, authentication tokens, and analytics cookies
- Error and Performance Data: Application errors, crash reports, and performance metrics via Sentry
- Log Data: Server logs, API requests, and system events via Better Stack (Logtail)
2.3 Information from Third Parties
- OAuth Providers: If you sign in with Google or Apple, we receive your name, email address, and profile information
- Job Posting Data: We collect publicly available job postings via Exa.ai and Firecrawl to help you tailor your applications
- Marketing Attribution: TikTok Pixel and Google Ads may provide campaign performance data and conversion tracking information
3. How We Use Your Information
We use your information for the following purposes:
3.1 Core Service Delivery
- AI-Powered Resume Improvement: Process your resume content through OpenAI GPT models to provide suggestions, improvements, and optimizations
- Job-Specific Tailoring: Generate tailored resumes and cover letters based on specific job descriptions using AI
- Application Tracking: Store and organize your job applications, track application status, and provide analytics
- Public Application Websites: Generate and host personalized application landing pages with your resume, videos, and contact information
- Video Processing: Store and deliver application videos via Cloudflare R2
- Analytics Dashboard: Provide insights on recruiter engagement with your public application website
3.2 Account Management and Authentication
- Create and manage your account via Firebase Authentication
- Verify your identity and prevent unauthorized access
- Manage subscription tiers (Free vs. Premium) and feature access
- Process payments and billing through Stripe
3.3 Product Improvement and Analytics
- Analyze usage patterns to improve features and user experience via PostHog
- Monitor application performance and identify bugs via Sentry
- Conduct A/B testing and feature experimentation
- Generate aggregate statistics and insights (never sold to third parties)
3.4 Communication
- Send transactional emails (account verification, password resets, subscription updates)
- Provide customer support and respond to inquiries
- Send product updates and important service announcements (with opt-out option)
3.5 Legal and Security
- Comply with legal obligations and regulatory requirements
- Detect and prevent fraud, abuse, and security threats
- Enforce our Terms of Service and protect user rights
- Maintain audit logs for security and compliance purposes
4. Third-Party Services and Data Sharing
We work with trusted third-party service providers to deliver JobStep. Your data may be shared with:
4.1 AI and Content Processing
- OpenAI (GPT-5): Processes resume content, job descriptions, and generates tailored application materials. Data sent to OpenAI is not used to train their models per our agreement. OpenAI is based in the US. OpenAI Privacy Policy
- Exa.ai: Scrapes publicly available job postings to help tailor your applications. US-based service.
- Firecrawl: Extracts job posting content from employer websites. US-based service.
4.2 Infrastructure and Storage
- Cloudflare R2: Stores your uploaded files (resumes, videos, images) with encryption at rest. Cloudflare operates globally with data centers in Europe. Cloudflare Privacy Policy
- PostgreSQL: Database hosted on European servers (Railway/AWS EU regions) storing structured data
- Redis: Caching layer for performance optimization
4.3 Authentication and Payments
- Firebase Authentication: Manages user authentication, including OAuth (Google, Apple). Google service with global infrastructure. Firebase Privacy Policy
- Stripe: Processes payments and manages subscriptions. PCI DSS Level 1 certified. We do not store credit card information. Stripe Privacy Policy
4.4 Analytics and Monitoring
- PostHog: Product analytics platform tracking user behavior and feature usage. IP addresses are hashed before storage. US-based with EU hosting options. PostHog Privacy Policy
- Sentry: Error tracking and performance monitoring. May receive stack traces and error context. US-based service. Sentry Privacy Policy
- Better Stack (Logtail): Log management and monitoring. EU-based service.
4.5 Marketing and Attribution
- TikTok Pixel & Events API: Tracks conversions and ad performance for TikTok campaigns. We may share hashed personal data (email address, phone number if provided) with TikTok for conversion attribution and audience matching via their Events API. TikTok Privacy Policy
- Meta (Facebook) Conversions API: We may share hashed personal data (email address, phone number if provided) with Meta for conversion tracking and ad attribution. Meta Privacy Policy
- Google Ads: Conversion tracking for Google advertising campaigns. Google Privacy Policy
4.6 Other Services
4.7 Legal Disclosure
We may disclose your information if required by law, court order, or government request, or to protect our rights, property, or safety.
5. Data Storage and Security
5.1 Where We Store Your Data
- Primary Data Storage: PostgreSQL databases hosted in EU West regions (Ireland and Frankfurt) via Railway and AWS
- File Storage: Cloudflare R2 with global distribution, including EU regions
- Encryption: All data transmitted over HTTPS (TLS 1.3). Files stored with encryption at rest. Sensitive tokens encrypted using Fernet encryption
- Authentication: Firebase JWT tokens for secure session management
5.2 Security Measures
- Industry-standard encryption for data in transit and at rest
- IP address hashing using PBKDF2 for analytics data
- Two-factor authentication (2FA) available for user accounts
- Regular security audits and vulnerability assessments
- Access controls and role-based permissions
- Automated monitoring and alerting via Sentry and Better Stack
While we implement robust security measures, no system is 100% secure. We cannot guarantee absolute security of your data.
6. International Data Transfers
JobStep is operated from Switzerland, and your data is primarily stored in EU regions. However, some of our third-party service providers are based in the United States and other countries outside the European Economic Area (EEA).
When we transfer your data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Service providers certified under relevant data protection frameworks
- Encryption and pseudonymization of data before transfer
- Contractual commitments requiring equivalent protection levels
US-based services we use include: OpenAI, PostHog, Sentry, Exa.ai, and Firecrawl. We have evaluated these providers' security practices and data protection measures.
7. Your Privacy Rights
Depending on your location, you have various rights regarding your personal data:
7.1 GDPR Rights (European Economic Area)
- Right of Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Restrict Processing: Limit how we use your data
- Right to Data Portability: Export your data in a machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent for data processing at any time
- Right to Lodge a Complaint: File a complaint with your local data protection authority
7.2 CCPA Rights (California Residents)
- Right to know what personal information is collected
- Right to know if personal information is sold or disclosed
- Right to opt out of the sale of personal information (Note: We do not sell personal information)
- Right to request deletion of personal information
- Right to non-discrimination for exercising CCPA rights
7.3 Swiss Data Protection Rights
As a Swiss company, we comply with the Swiss Federal Data Protection Act (FADP), which provides rights similar to GDPR.
7.4 How to Exercise Your Rights
To exercise any of these rights, please contact us at info@jobstep.io. We will respond within 30 days. You may also manage some settings directly in your account dashboard.
8. Data Retention
We retain your personal data for as long as necessary to provide our services and comply with legal obligations:
- Active Accounts: Data retained while your account is active
- Deleted Accounts: Most data deleted within 30 days of account deletion. Some data retained in backups for up to 90 days for security and legal compliance
- Analytics Data: Aggregated and anonymized analytics retained for up to 2 years
- Payment Records: Retained for 7 years to comply with tax and accounting regulations
- Legal Hold: Data may be retained longer if required by law or for legal proceedings
You can request deletion of your data at any time by contacting info@jobstep.io or deleting your account in the dashboard.
9. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to provide and improve our services:
9.1 Essential Cookies
- Authentication cookies (Firebase session tokens)
- Security cookies (CSRF protection)
- Load balancing cookies
9.2 Analytics Cookies
- PostHog analytics cookies (can be opted out)
- Usage tracking and feature engagement
9.3 Marketing Cookies
- TikTok Pixel (for ad attribution)
- Google Ads conversion tracking
You can control cookies through your browser settings. Note that disabling essential cookies may affect functionality.
10. Public Application Websites
JobStep allows you to create public application websites to share with potential employers. Please be aware:
- Public Information: Content on your public application website is visible to anyone with the link
- Visitor Tracking: We track visitors to your public website (IP addresses hashed, geolocation, user agents) to provide you with recruiter engagement analytics
- Control: You control what information is included on your public website and can disable it at any time
- Search Engines: Public websites may be indexed by search engines unless you disable this feature
11. AI and Automated Decision-Making
We use AI (OpenAI GPT models) to provide resume improvements, suggestions, and tailored content. Important notes:
- No Automated Decisions: We do not make automated decisions that significantly affect you without human oversight
- AI as a Tool: AI suggestions are recommendations only. You review and control all final content
- Training Data: Your data is not used to train OpenAI's models per our agreement
- Human Review: You can always edit or reject AI-generated content
12. Children's Privacy
JobStep is not intended for users under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly. If you believe we have collected information from a child, please contact us at info@jobstep.io.
13. Do Not Track Signals
Some browsers support "Do Not Track" (DNT) signals. We currently do not respond to DNT signals as there is no industry standard for how to interpret them. We may revisit this as standards evolve.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Effective Date" at the top of this policy
- Notify you via email (if you have an account)
- Display a prominent notice in the application
- Provide a summary of significant changes
Your continued use of JobStep after changes indicates acceptance of the updated policy. If you do not agree with changes, you may delete your account.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: info@jobstep.io
Mail:
TenThirty GmbH
Data Protection Officer
Guggachstrasse 6
8057 Zürich, Switzerland
Data Protection Authority:
If you are in the EU/EEA and believe we have not addressed your concerns, you may lodge a complaint with your local supervisory authority or the Swiss Federal Data Protection and Information Commissioner (FDPIC).
16. Legal Basis for Processing (GDPR)
For users in the European Economic Area, we process your data based on the following legal grounds:
- Contract Performance: Processing necessary to provide JobStep services you requested
- Consent: Where you have given explicit consent (e.g., marketing communications, analytics)
- Legitimate Interests: For fraud prevention, security, and product improvement where not overridden by your rights
- Legal Obligation: To comply with laws, regulations, and legal processes
17. California Privacy Rights (CCPA Details)
Categories of Personal Information Collected
- Identifiers (name, email, IP address)
- Professional information (resume content, work history)
- Internet activity (usage data, analytics)
- Geolocation data
- Audio/visual information (videos, photos)
Business Purposes for Collection
- Providing career optimization services
- Product improvement and analytics
- Security and fraud prevention
- Customer support
Sale of Personal Information
We do not sell your personal information to third parties. We share data with service providers only as necessary to deliver our services.