Data Protection & Privacy Compliance

Last Updated: January 13, 2026

Overview

This Data Protection & Privacy Compliance policy explains how JobsFlow AI protects your personal data and complies with applicable data protection laws. This policy applies alongside our Privacy Policy and is tailored to different jurisdictions.

Data Protection in India

Applicable Law

JobsFlow AI complies with the Digital Personal Data Protection Act, 2023 (DPDP Act), which governs data protection in India. The DPDP Act is India's comprehensive privacy legislation.

DPDP Act, 2023 Overview

The DPDP Act provides a framework for processing personal data with individual rights. Key provisions include:

  • Lawful Processing: Data must be processed fairly, lawfully, and transparently
  • Purpose Limitation: Data collected only for specified purposes
  • Data Minimization: Only necessary data is collected
  • Storage Limitation: Data retained only as long as needed
  • Accountability: Your right to know who processes your data

Your Rights Under DPDP Act

Under the DPDP Act, you have specific rights regarding your personal data:

  • Right to Access: You can request confirmation about whether we process your personal data and access that data
  • Right to Correction: You can request correction of inaccurate or incomplete personal data
  • Right to Erasure: You can request deletion of your personal data
  • Right to Grievance Redressal: You can file complaints with the Central Consumer Protection Authority (CCPA)

Data Collection Practices

We collect personal data for the following purposes in India:

  • Account Management: To provide and manage your JobsFlow AI account
  • Job Application Automation: To automate job applications on job portals on your behalf
  • Resume Processing: To parse and optimize your resume for better job matching
  • Analytics and Improvement: To analyze usage patterns and improve our services

Indian Data Protection Authority

Data protection in India is overseen by:

  • Central Consumer Protection Authority (CCPA): The national data protection authority
  • State Consumer Protection Authorities: State-level regulators in each state
  • Contact: Available through respective state government websites

GDPR (European Union)

When GDPR Applies

GDPR applies if you are:

  • Located in the European Union (EU) when using our service
  • An EU citizen, regardless of location
  • Using our service from the EU

Note: If you are not an EU resident, your data is still protected by the DPDP Act, 2023 (India's primary data protection law).

GDPR Principles

GDPR is based on several core principles that guide our data processing for EU residents:

  • Lawfulness: We process your data fairly, lawfully, and transparently
  • Purpose Limitation: We collect data only for specified, legitimate purposes
  • Data Minimization: We collect only data necessary for our services
  • Accuracy: We keep your data accurate and up to date
  • Storage Limitation: We retain data only as long as necessary
  • Integrity and Confidentiality: We ensure data security and confidentiality

Your GDPR Rights

As an EU resident, you have specific GDPR rights regarding your personal data. These rights are explained in detail:

  • Right to Access: Obtain a copy of all personal data we hold about you
  • Right to Rectification: Request modification of inaccurate or incomplete personal data
  • Right to Erasure: Request permanent deletion of your personal data from our systems
  • Right to Restriction: Request restriction of processing of your personal data
  • Right to Portability: Receive your data in a structured, commonly used electronic format
  • Right to Object: Object to our processing of your personal data based on your particular situation

Data Transfers

Your data may be transferred outside the European Union for processing or storage. We ensure:

  • India is recognized as having adequate data protection laws
  • All transfers are encrypted using HTTPS/TLS protocols
  • Standard contractual clauses with third parties ensure GDPR-compliant data handling
  • Compliance with GDPR Chapter V on data transfers

EU Data Protection Authority

For EU residents, the relevant data protection authority is:

  • Your Country's DPA: The Data Protection Authority in your EU member state
  • Contact: You have the right to lodge complaints with your national DPA

Supervisory Authority

If you believe our processing of your data infringes GDPR, you have the right to:

  • Lodge a complaint with the supervisory authority in your country
  • Seek judicial remedy against us in a competent court
  • Contact us first at support@jobsflowai.com

EU-Specific Compliance Measures

We implement several measures to ensure GDPR compliance:

  • Data Protection Impact Assessments: We assess the impact of our data processing on your privacy
  • Data Protection by Design and Default: We incorporate privacy features into our platform by design
  • Record Keeping: We maintain records of our GDPR compliance activities
  • Cooperation with Authorities: We cooperate with supervisory authorities on requests

USA Privacy (California)

When California Privacy Applies

For residents of California, United States, our privacy practices are governed by:

  • The California Consumer Privacy Act (CCPA) of 2018
  • The California Privacy Rights Act (CPRA) of 2020
  • Other applicable state and federal privacy laws

Note: If you are not a California resident, your primary data protection is governed by the DPDP Act, 2023 (India) or GDPR (EU).

California Consumer Privacy Act (CCPA) Rights

The CCPA grants California residents specific rights regarding their personal information:

  • Right to Know: Access specific pieces of personal information we collect about you
  • Right to Delete: Request deletion of your personal information from our systems
  • Right to Opt Out: Opt out of the sale of your personal information
  • Right to Non-Discrimination: Not receive discriminatory treatment for exercising your privacy rights

California Privacy Rights Act (CPRA) Rights

The CPRA provides additional rights for California residents:

  • Right to Correction: Request correction of inaccurate personal information
  • Right to Limit Use: Limit the use of your sensitive personal information
  • Right to Data Portability: Receive your personal information in a portable format for transfer to other services
  • Right to Opt-In Consent: Opt in to the sale of your personal information

No Sale of Personal Information

JobsFlow AI does not sell your personal information to third parties for their own marketing purposes.

We may share your information with third-party service providers (such as Stripe, SendGrid, Supabase) only as necessary to provide our services. All third-party providers are bound by their own privacy policies.

California-Specific Contact Information

For CCPA or CPRA-related inquiries, California residents can contact:

  • California Attorney General: The California Department of Justice Office of the Attorney General
  • California Privacy Protection Agency (CPPA): The California Privacy Protection Agency (CPPA)

Contact for California Privacy Inquiries

For California-specific privacy concerns, please contact us:

  • Email: support@jobsflowai.com (include "California Privacy" in subject line)
  • Response Time: Within 15 business days

Data We Process

Personal Information

We collect and process the following categories of personal information:

  • Identity Data: Name, email address, phone number
  • Profile Data: Education, work experience, skills, resume/CV
  • Account Credentials: Encrypted login details for job portals
  • Application Data: Job applications submitted, timestamps, status
  • Usage Data: Feature usage, page views, session data
  • Technical Data: IP address, device information, browser type, operating system
  • Payment Data: Payment information (processed by Stripe or Razorpay; we store no credit card details)

Processing Purposes

We process your personal data for the following purposes:

  • Account Management: Create and manage your JobsFlow AI account
  • Service Delivery: Provide job application automation services
  • Communication: Send transactional emails, service notifications, and support messages
  • Analytics: Analyze usage patterns to improve our services (if analytics enabled)
  • Security: Prevent fraud, protect platform and user data, ensure compliance
  • Legal Compliance: Meet legal obligations for data protection across jurisdictions
  • Customer Support: Respond to user inquiries and provide assistance

Data Sharing & Third Parties

We may share your personal data with trusted third-party service providers:

  • Database & Infrastructure: Supabase for database and authentication services
  • Payment Processing: Stripe and Razorpay for payment processing
  • Email Delivery: SendGrid for email notifications and communications
  • Job Portals: Access to job portals (Naukri.com, LinkedIn) only when authorized by you

Note: All third-party providers have signed data processing agreements ensuring GDPR-compliant data handling.

International Transfers

Your data may be transferred internationally for processing or storage. We ensure:

  • India has adequacy decisions under GDPR for transfers from India
  • All transfers are encrypted using HTTPS/TLS protocols
  • Standard contractual clauses with third parties ensure GDPR-compliant data handling
  • Compliance with GDPR Chapter V on data transfers

Your Rights Across Jurisdictions

Your data protection rights depend on your location:

  • India Residents: Access, correction, erasure, and grievance redressal rights under the DPDP Act, 2023
  • EU Residents: Access, rectification, erasure, restriction, portability, and objection rights under GDPR
  • California Residents: Right to know, right to delete, right to opt-out, non-discrimination, correction, limiting, and portability rights under CCPA/CPRA
  • Other Regions: Rights under applicable local data protection laws

Data Retention

Retention Principles

We retain your personal data only as long as necessary for the purposes outlined in this policy. This includes:

  • Deleting data when it's no longer needed: We will delete your data when it's no longer required for the purposes it was collected
  • Anonymizing or aggregating data for long-term analysis: We may anonymize or aggregate your data for analytics and improvement purposes after personal identifiers are removed
  • Complying with legal requirements: We may retain certain data (like payment records) for legal compliance regardless of account status
  • Automating deletion of inactive accounts: Accounts inactive for 2 years may be automatically deleted with all associated data
  • Providing you control over your data: You can request deletion of your data at any time through your account settings or by contacting support@jobsflowai.com

Specific Retention Periods

We retain different categories of data for different periods:

Data Category | Retention Period | Deletion Trigger
Account Information | Until account deletion or 2 years of inactivity | Account deletion, 2 years inactivity
Application History | 2 years after last activity or account deletion | Account deletion, 2 years inactivity
Support Communications | 1 year or until issue resolution or account deletion | Account deletion, 1 year resolution
Usage Analytics | Anonymized after 2 years (no identifiers) | Manual deletion, account deletion, 2 years anonymization
Security Logs | 1 year for security and fraud prevention | Manual deletion, 1 year security retention
Payment Records | 7 years for tax and financial compliance | Account deletion, legal requirement, 7 years

Security Measures

Data Encryption

We implement industry-standard encryption to protect your data:

  • Encryption at Rest: AES-256 encryption for stored data, including credentials
  • Encryption in Transit: HTTPS/TLS encryption for all data transferred over networks
  • Database Encryption: Encrypted database storage through Supabase

Access Control

We implement access controls to protect your account and data:

  • Secure Authentication: Password-based authentication with optional multi-factor authentication (2FA)
  • Session Management: Secure session tokens with reasonable expiration times
  • Role-Based Access: Access controls for internal systems and support staff
  • Account Recovery: Options to recover account access
  • Activity Monitoring: Detection of suspicious login attempts and account activity

Audits and Penetration Testing

We conduct regular security audits and penetration testing to identify and address vulnerabilities:

  • Regular Security Audits: Annual or bi-annual reviews of our security practices and data processing
  • Penetration Testing: Third-party penetration testing to identify vulnerabilities before they can be exploited
  • Vulnerability Scanning: Ongoing monitoring for security vulnerabilities in our systems and dependencies
  • Security Best Practices: Implementation of security best practices and industry standards (OWASP)

Incident Response

In the event of a security breach or data incident:

  • Notification: We will notify affected users within 72 hours of becoming aware of a breach
  • Assessment: We will investigate and assess the impact of the breach
  • Remediation: We will take steps to mitigate harm and prevent future incidents
  • Reporting: We will report to relevant authorities if required by law

How to Exercise Your Data Protection Rights

Submit a Request

To exercise any of your data protection rights, please contact us:

  • Email: support@jobsflowai.com for all inquiries
  • Include Details: Specify your request clearly and provide sufficient information to identify your account

Response Timeline

We will respond to your request within:

  • DPDP Act Requests: Within 30 days (India)
  • GDPR Requests: Within 30 days (EU)
  • CCPA/CPRA Requests: Within 15 business days (California)
  • Other Requests: Within 30 days or as required by applicable law

Verification Process

We may need to verify your identity before processing certain requests to protect your privacy and prevent unauthorized access:

  • Identity Verification: Request additional information to confirm your identity
  • Request Context: Context about your request (account number, recent activity)
  • Secure Communication: We will only discuss your request with verified account holders

No Fee for Rights Requests

Exercising your data protection rights is free of charge. We will not impose fees for:

  • Data access requests
  • Data correction requests
  • Data erasure requests

We may charge reasonable fees for additional copies if you request them excessively (beyond the first free copy).

Your Control Over Your Data

You can exercise control over your personal data through:

  • Account Settings: Manage your preferences, control analytics tracking, and delete your account with all data
  • Privacy Dashboard: Review which data is collected, how it's used, and access or correct it
  • Opt-Out Controls: Disable cookies in your browser settings, opt out of analytics tracking
  • Export Data: Download your personal data in a portable format (JSON, CSV) for transfer to other services
  • Request Deletion: Request permanent deletion of your personal data and account at any time

Account Deletion

When you delete your JobsFlow AI account:

  • Immediate Effect: Your account and all associated personal data will be permanently deleted within 24 hours of your request
  • No Recovery: Account deletion is irreversible. Once deleted, we cannot restore your data
  • Third-Party Data: We will notify third-party services to delete your data from their systems
  • Legal Requirements: We may retain certain data (like payment records) for legal compliance for required periods even after account deletion
  • Continued Use: You may not be able to use our services after account deletion

Supervisory Authorities

India Data Protection Authority

Data protection in India is overseen by:

  • Central Consumer Protection Authority (CCPA): The national data protection authority
  • State Consumer Protection Authorities: State-level regulators in each state
  • Contact: Available through respective state government websites
  • CCPA Website: https://ccpa.gov.in

EU Data Protection Authority

For EU residents, the relevant data protection authority is:

  • Your Country's DPA: The Data Protection Authority in your EU member state
  • Contact: You have the right to lodge complaints with your national DPA

California Privacy Authorities

For California residents, the relevant privacy authorities are:

  • California Attorney General: The California Department of Justice Office of the Attorney General
  • California Privacy Protection Agency (CPPA): The California Privacy Protection Agency (CPPA)
  • Contact Information: Available through respective state government websites

Right to Lodge Complaint

If you believe our processing of your data infringes your rights, you have the right to:

  • India Residents: Lodge a complaint with the Central Consumer Protection Authority (CCPA)
  • EU Residents: Lodge a complaint with your national Data Protection Authority
  • California Residents: Lodge a complaint with the California Privacy Protection Agency (CPPA)
  • Seek Judicial Remedy: Pursue available legal remedies in a competent court
  • Contact Us First: Contact us first at support@jobsflowai.com

Contact Information

General Inquiries

  • Email: support@jobsflowai.com
  • Response Time: Within 72 business hours
  • Website: https://jobsflowai.com
  • Contact Form: Contact Us