Privacy Policy
Effective date: April 9, 2026
Last updated: April 9, 2026
1. Introduction and Who We Are
Aplico ("Aplico," "we," "us," or "our") operates an AI-powered resume tailoring service at aplico.io. We are committed to being transparent about how we collect, use, and protect your personal information.
By creating an account or using Aplico, you acknowledge that you have read and understood this Privacy Policy.
Privacy contact: privacy@aplico.io
2. Information We Collect
We collect only what we need to provide the service.
Account information
- Email address — used to create your account, authenticate you, and send transactional emails (account confirmation, password reset).
- Password — stored as a one-way cryptographic hash by Supabase; we never see or store your plain-text password.
- Google profile (if you sign in with Google) — your Google-provided email address and OAuth token, handled entirely by Supabase's OAuth integration.
Resume and job content
- Master resume — the text or file (PDF/DOCX) you submit to be tailored. We extract the text content and store it for your session and dashboard.
- Job posting content — the text you paste or the URL you provide (we fetch and store the content of the page).
- Interview answers — responses you give to the gap-filling questions during generation. These are stored with your resume record.
- Generated resume — the tailored resume we produce for you, stored as a PDF and Word file in your dashboard.
Payment information
We use Stripe to process payments. Stripe collects and stores your payment card details — we never see or store full card numbers. We receive and store only: a Stripe Customer ID, payment confirmation status, and the number of credits purchased.
Technical and usage data
- IP address — used for rate limiting and security.
- Error and diagnostic data — sent to Sentry when application errors occur; may include the URL you were visiting, error stack traces, and a random session identifier.
- Browser and device type — basic metadata included in error reports.
What we do not collect
- We do not run advertising trackers or use third-party analytics tools (e.g., Google Analytics).
- We do not sell your data to any third party.
- We do not collect data about you from external sources.
3. How We Use Your Information
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| Email, password | Account management and authentication | Contract performance — Art. 6(1)(b) |
| Resume and job content | Generate your tailored resume | Contract performance — Art. 6(1)(b) |
| Interview answers | Incorporate context into resume generation | Contract performance — Art. 6(1)(b) |
| Generated resume | Save to your dashboard for download | Contract performance — Art. 6(1)(b) |
| Credit balance | Track purchased credits | Contract performance — Art. 6(1)(b) |
| Stripe payment info | Process payment, provide receipt, comply with financial regulations | Contract + Legal obligation — Art. 6(1)(b) and (c) |
| IP address | Security, rate limiting, fraud prevention | Legitimate interest — Art. 6(1)(f) |
| Error logs | Diagnose bugs and improve service reliability | Legitimate interest — Art. 6(1)(f) |
4. How Long We Keep Your Data
| Data | Retention period |
|---|---|
| Account data (email) | Until you delete your account |
| Resume and job posting content | Until you delete the individual resume or close your account |
| Interview answers | Retained with the associated resume; deleted when you delete the resume or account |
| Generated resume files (PDF/DOCX) | Until you delete the resume or close your account |
| Payment transaction records | 7 years from the transaction date — required by financial regulations in most jurisdictions |
| Error and diagnostic logs | 90 days, then automatically purged by Sentry |
5. Third Parties We Share Data With
We do not sell your data. We share data only with the service providers necessary to operate Aplico:
Supabase (US / EU)
Provides our database, user authentication, and file storage. Stores your account data, resume content, and generated files. Supabase processes data under Standard Contractual Clauses for EU transfers.
Anthropic (US)
Provides the Claude AI model that generates your tailored resume. Your resume text, job posting content, and interview answers are sent to Anthropic's API. Anthropic's API usage policy states that it does not train models on API input/output data by default. See Anthropic's Privacy Policy at anthropic.com/privacy.
Stripe (US)
Processes all payments. Stripe receives your payment card details — we never see or store them. By completing a purchase, you also accept Stripe's privacy policy at stripe.com/privacy.
Amazon Web Services (S3) (US)
Stores uploaded and generated document files (PDF, DOCX).
Sentry (US)
Receives error reports and diagnostic data to help us detect and fix bugs. See sentry.io/privacy.
Vercel (US)
Hosts the frontend web application.
Railway (US)
Hosts the backend API server.
All third-party providers are contractually bound to process your data only as necessary to deliver their services to us and to maintain appropriate security measures.
6. International Data Transfers
Our service providers are primarily located in the United States. If you are in the EU/EEA, UK, or another jurisdiction that restricts international data transfers, your data may be transferred to the US. We rely on:
- Standard Contractual Clauses (SCCs) — used by Supabase and other providers for EU data transfers.
- EU-US Data Privacy Framework participation — where applicable for our US-based providers.
7. Your Rights
EU / EEA residents (GDPR)
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — request deletion of your personal data ("right to be forgotten").
- Restriction — ask us to limit how we process your data.
- Portability — receive your personal data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interest.
- Lodge a complaint — with your local data protection authority (DPA). A list of EU DPAs is at edpb.europa.eu.
California residents (CCPA / CPRA)
- Know — what personal information we collect, why we collect it, and who we share it with.
- Delete — request deletion of your personal information.
- Correct — request correction of inaccurate information.
- Opt out of sale — we do not sell personal information; this right is satisfied by default.
- Non-discrimination — we will not treat you differently for exercising your rights.
All users
- You can delete individual resumes from your dashboard at any time.
- You can request account deletion by emailing privacy@aplico.io. We will process your request within 30 days.
- You can request a copy of your data by contacting us.
To exercise any of your rights, contact us at privacy@aplico.io. We will respond within 30 days. We may need to verify your identity before processing your request.
8. Cookies and Tracking
We use only strictly necessary cookies:
- Authentication session cookies — set by Supabase to keep you logged in across pages. These are essential for the service to function and cannot be disabled.
We do not use advertising cookies, analytics cookies, or any third-party tracking scripts. We do not use Google Analytics, Meta Pixel, or similar tools.
9. Security
We implement industry-standard security measures:
- Passwords are hashed using bcrypt (managed by Supabase — we never see plain-text passwords).
- All data is transmitted over HTTPS / TLS.
- Access to production systems is restricted by role.
- Supabase Row Level Security (RLS) ensures users can only access their own data at the database level.
No system is perfectly secure. If we become aware of a data breach that affects your personal data, we will notify you as required by applicable law (within 72 hours of discovery for GDPR purposes).
10. Children's Privacy
Aplico is not directed at individuals under 16 years of age. We do not knowingly collect personal information from anyone under 16. If you believe we have inadvertently collected such information, please contact us at privacy@aplico.io and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Sending an email to your registered email address, and
- Displaying a notice in the application.
The "Effective date" at the top reflects the most recent revision. Continued use of Aplico after the effective date of the updated policy constitutes acceptance of the changes.
12. Contact Us
For privacy-related questions, data requests, or concerns, contact us at:
privacy@aplico.io