Privacy Policy
Who we are
ContextualIntel (“ContextualIntel”, “we”, “us”, or “our”) operates this service. The service is provided by [LEGAL_ENTITY], a limited liability company organized in Texas, United States, with its registered address at [REGISTERED_ADDRESS]. We are the controller responsible for the personal data described in this policy.
If you have any questions about this policy or how we handle your personal data, contact our privacy team at privacy@[DOMAIN].
Our data protection / privacy officer is [PRIVACY_OFFICER]. (We are in the process of appointing this contact; this placeholder will be replaced before launch.)
Scope of this policy
This policy explains what personal data we collect, why we collect it, how we use and share it, how long we keep it, and the choices and rights you have. It applies to the ContextualIntelweb application and the related services, pages, and APIs we provide (together, the “Service”).
It does not apply to third-party services that have their own privacy policies, even where we link to them or rely on them as subprocessors. Where you add information about other people to the Service, please also read Third-party contacts below.
Data we collect
We collect the following categories of personal data:
- Account & authentication data. Your email address, authentication credentials, and account identifiers, handled through our authentication and database provider (Supabase). This includes information needed to create, secure, and sign in to your account.
- Resume & profile data. The resumes, career history, skills, preferences, and other profile information you provide or upload so the Service can tailor its features for you.
- Third-party contact data you add about others. Information you choose to record about other people — for example recruiters, hiring managers, or other contacts — such as their names, employers, email addresses, and your notes about your interactions. You provide this data, and you are responsible for having a lawful basis to do so; see Third-party contacts.
- Usage & device data, including IP address. Technical data generated when you use the Service — such as your IP address, device and browser information, pages viewed, and request metadata — collected in part through our hosting and edge-delivery provider (Vercel) to operate, secure, and improve the Service.
- Billing data. If you subscribe to the paid Pro tier, payment is handled by our payment processor (Stripe). We receive billing identifiers, payment-method metadata, and transaction records; we do not store full card numbers.
- Support communications. The content of messages you send us for support, and our responses, including any data you choose to include.
- Consent evidence. When you accept our Terms of Service and this Privacy Policy at sign-up (clickwrap), we record that you accepted, which version you accepted, and when. Where enabled and disclosed, we may also retain limited technical evidence of that acceptance (such as IP address and browser user-agent) to make the acceptance provable. See How and why we use your data for the legal basis, and Retention.
How and why we use your data
We use personal data to provide and operate the Service, to power its features (including the AI features described below), to process payments for the Pro tier, to communicate with you and provide support, to keep the Service secure and prevent abuse, to meet our legal obligations, and to improve the Service.
Legal bases. Where the EU/EEA GDPR or the UK GDPR applies, we rely on the following legal bases:
- Performance of a contract — to create your account and provide the features you ask us for, including generating AI output you request.
- Legitimate interests — to secure the Service, prevent fraud and abuse, maintain records (including consent evidence), and improve our features, balanced against your rights.
- Legal obligation — to comply with applicable law, including tax, accounting, and lawful requests.
- Consent — where we ask for it, such as any future optional analytics or marketing. You can withdraw consent at any time without affecting prior processing.
Where Canadian law (PIPEDA) or Quebec's Law 25 applies, we process personal data on the basis of your consent and the other grounds those laws permit, in line with the purposes described here. Where U.S. state privacy laws apply, we process personal data to provide the Service and for the disclosed business purposes.
AI processing
Some features of the Service use a third-party large language model (LLM) provider, OpenAI, to generate output you request — for example match scoring, resume tailoring, and interview preparation. To do this, content you submit for those features — including your resumes, job descriptions, and the answers you provide — is sent to OpenAI for processing on our behalf.
Our posture on AI training and retention. We aim to use this provider on a conservative basis: we seek terms under which your content is not used to trainthe provider's models and is processed on a zero-retention basis (i.e. not retained by the provider after the request is served), beyond what is strictly necessary to deliver the feature or comply with law. [OPENAI_DATA_TERMS] — the exact data-processing terms are being finalized and will be confirmed before launch.
AI output can be inaccurate or incomplete and is not professional, career, or legal advice. We describe how OpenAI fits into our wider set of subprocessors in Subprocessors.
Subprocessors
We use a small set of third-party processors (subprocessors) to operate the Service, including Supabase, Stripe, Resend, Vercel, OpenAI, [JV_PROCESSOR_NAME], USAJOBS. They process personal data only on our instructions and under contract.
The current subprocessor list, the categories of data each one handles, and our processor obligations for the personal data you add about others are set out in our Data Processing Agreement, which is maintained from the same source of truth as this policy.
International transfers
Where your data is stored. Personal data is stored and primarily processed in the United States. If you access the Service from outside the United States, your personal data will be transferred to, and processed in, the United States.
Transfer safeguards.For transfers of personal data from the EU/EEA and Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs); for transfers from the United Kingdom, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the SCCs, together with any additional measures required.
Canada. One of our processors operates from Montreal, Canada (Quebec) and performs operations on our behalf, so some personal data is transferred to and processed in Canada under appropriate contractual safeguards, including Quebec Law 25 requirements.
Data retention
We keep personal data for as long as your account is active and as long as needed to provide the Service. When you delete your account, we delete or anonymize your personal data within a reasonable period, except where we must keep certain records to comply with law, resolve disputes, or enforce our agreements.
Some data is kept on specific cycles: billing and transaction records are retained as required for tax and accounting; consent-evidence records (including the version you accepted and, where enabled, the associated technical evidence) are retained for as long as needed to make your acceptance provable; and content sent to our AI provider is handled on the conservative basis described in AI processing.
Your rights
Depending on where you live, you have privacy rights over your personal data. We honor these rights regardless of where you are located where we reasonably can.
GDPR (EU / EEA)
If you are in the EU or EEA, you have the rights to access, rectify, erase, restrict, and object to processing of your personal data, the right to data portability, and the right to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with your local supervisory authority.
UK GDPR
If you are in the United Kingdom, you have the same core rights as under the EU GDPR, and you may lodge a complaint with the UK Information Commissioner's Office (ICO).
CCPA / CPRA (California)
If you are a California resident, you have the rights to know, access, correct, and delete your personal information, and the right not to be discriminated against for exercising your rights.
Do Not Sell or Share. We do not sell your personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA.
Global Privacy Control (GPC). We honor the Global Privacy Control signal: where your browser sends a Sec-GPC signal, we treat it as a valid request to opt out of any sale or sharing of personal information for that browser.
PIPEDA & Quebec Law 25 (Canada)
If you are in Canada, you have the right to access and correct your personal information and to withdraw consent, subject to legal and contractual limits. Under Quebec's Law 25 you also have rights concerning the de-indexing and portability of your information, and you may contact our privacy officer (named in Who we are) about how your information is handled.
How to exercise your rights (DSAR intake)
You can exercise many of your rights yourself, without contacting us, from within the app:
- Access & portability. Request a copy of your data through the in-app data export in Settings → Privacy, which uses our data-export process.
- Deletion. Delete your account and associated data using the account-deletion controls in Settings → Privacy.
You can also make a request by emailing privacy@[DOMAIN]. To protect your data, we verify your identity before acting on a request — typically by confirming control of the account email — and we respond within the timeframes required by applicable law. There is no charge for a reasonable request.
Security
We use technical and organizational measures designed to protect personal data, including encryption in transit, access controls, and reliance on reputable infrastructure providers. No method of transmission or storage is completely secure, so we cannot guarantee absolute security, but we work to protect your data and to notify you and the relevant authorities of incidents where the law requires.
Children
The Service is not directed to children, and you must be at least 18 years old to use it. We do not knowingly collect personal data from anyone under 18. If you believe a person under 18 has provided us personal data, contact privacy@[DOMAIN] and we will take appropriate steps to delete it.
Third-party contacts
The Service lets users record information about other people (such as recruiters or hiring managers). If you are someone whose personal data a user has added to the Service, we generally act as a processor of that data on the user's behalf, and the user controls it.
Your requests. If you want to access, correct, or request removal of personal data that a user has stored about you, email privacy@[DOMAIN] with enough detail for us to locate the data. We will verify your request, route it to the relevant user/controller where appropriate, and act on it — including by removing or correcting the data — as required by applicable law. We may need to ask you for information to confirm your identity, and we will not use the information you give us for this purpose for anything other than handling your request. This channel is also referenced in our Data Processing Agreement.
Changes to this policy
We may update this policy from time to time. When we do, we will update the version and effective date shown at the top of this page, and we keep the exact text of each version so prior acceptances stay provable. If the changes are material, we will provide additional notice as required by law. Your continued use of the Service after an update takes effect means you accept the updated policy.
How to contact us
For any privacy question or request, contact us at privacy@[DOMAIN], or write to [LEGAL_ENTITY] at [REGISTERED_ADDRESS].
EU representative (GDPR Art. 27). [EU_REPRESENTATIVE] — to be appointed before launch.
UK representative. [UK_REPRESENTATIVE] — to be appointed before launch.
Privacy officer. [PRIVACY_OFFICER] — to be appointed before launch.