Privacy Policy
Last updated: 31 May 2026
This Privacy Policy explains how OEKHOST Limited ("we", "us", or "our") collects, uses, and protects your personal data when you use JobPilot (the "Service") at usejobpilot.com. We process your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are
OEKHOST Limited is a company registered in England and Wales (company number 15394512) with its registered office at 85 Great Portland Street, London, W1W 7LT. We are registered with the UK Information Commissioner's Office (ICO) as a data controller under registration number ZC147809. For privacy or data-protection questions, contact us at privacy@usejobpilot.com.
2. Personal data we collect
- Account data. Your email address, provided when you create an account.
- Resume content. The full text of any CV or resume you upload or paste. This may include your name, contact details, employment history, education, skills, and any other information you choose to include.
- Job description content. Job descriptions you paste, provide a URL for, or upload for tailoring.
- Generated content. Tailored resumes, cover letters, and other text produced by the Service in response to your inputs.
- Subscription & payment data. When you upgrade to a paid plan, payment is handled by Stripe. Stripe collects your card details directly — we do not see or store them. We store your Stripe customer ID, current plan, and generations used.
- Usage data. Token counts and approximate cost figures for each generation, used for billing-limit enforcement and operating-cost monitoring.
- Authentication cookies. A session cookie set by Supabase (our authentication provider) to keep you logged in.
3. Why we process your data, and our lawful basis
| Purpose | Lawful basis (UK GDPR Article 6) |
|---|---|
| Provide the Service (generate tailored resumes, store your applications) | Contract — Art. 6(1)(b) |
| Process subscription payments | Contract — Art. 6(1)(b) |
| Keep you logged in via cookies | Strictly necessary — PECR exemption |
| Comply with UK accounting/tax obligations | Legal obligation — Art. 6(1)(c) |
| Detect fraudulent or abusive use | Legitimate interests — Art. 6(1)(f) |
We do not use your data for advertising or profiling, and we do not sell it to third parties.
4. Special-category data
A CV may, in rare cases, include information classed as "special category" data under UK GDPR (such as health information, religious affiliation, or ethnic background). By uploading a CV containing such information, you explicitly consent to its processing solely for the purpose of providing the Service (Art. 9(2)(a)). We strongly recommend removing any special-category information from your CV before uploading if you do not want it processed.
5. Third-party processors
We share your personal data with the following processors strictly for service delivery:
| Processor | Purpose | Privacy policy |
|---|---|---|
| Stripe, Inc. (USA) | Payment processing | stripe.com/privacy |
| Supabase, Inc. (USA / EU) | Database, authentication, storage | supabase.com/privacy |
| Anthropic, PBC (USA) | AI text generation (Claude API) | anthropic.com/legal/privacy |
| Resend (USA) | Transactional email (sign-in confirmation, password reset, invites) | resend.com/legal/privacy-policy |
| Vercel, Inc. (USA) | Application hosting | vercel.com/legal/privacy-policy |
| Cloudflare, Inc. (USA) | DNS, email forwarding | cloudflare.com/privacypolicy |
Note on Anthropic. Inputs you send (your CV and job description) are processed by Anthropic's Claude API to generate the output. By default, Anthropic does not train its models on API inputs or outputs. Anthropic retains inputs and outputs for up to 30 days for abuse detection and then deletes them. See Anthropic's policy for current details.
6. International data transfers
Our processors are primarily located in the United States. When we transfer your personal data outside the UK, we rely on the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) as the legal mechanism, depending on the processor.
7. How long we keep your data
| Category | Retention |
|---|---|
| Account data (email, profile) | While your account is active, plus 30 days after deletion |
| Resume content, job descriptions, generated content | While your account is active, plus 30 days after deletion |
| Subscription / payment records | 7 years (UK tax law: Companies Act 2006, Section 388) |
| Authentication cookies | Until logout or session expiry (typically 30 days) |
| Usage logs / generation history | 90 days, then aggregated and anonymised |
8. Cookies
JobPilot uses only strictly necessary cookies: an authentication cookie set by Supabase to keep you logged in across page loads. We do not use analytics, advertising, or tracking cookies, and we do not display a cookie consent banner because no non-essential cookies are in use (per the UK Privacy and Electronic Communications Regulations).
9. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you
- Rectification of inaccurate data
- Erasure ("right to be forgotten") — we will delete your account and personal data within 30 days of a verified request
- Restriction of processing
- Data portability — receive your data in a machine-readable format
- Object to processing based on legitimate interests
- Withdraw consent at any time where processing is based on consent (e.g. for special-category data in your CV)
- Not be subject to solely automated decision-making with legal or similarly significant effects (AI-generated text does not have such effects — you decide whether and how to use it)
To exercise any of these rights, email privacy@usejobpilot.com. We will respond within 30 days. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
10. Security
We protect your data using HTTPS (TLS) encryption for all data in transit, encryption at rest for the database (managed by Supabase), role-based access controls (Supabase Row-Level Security), and email-and-password authentication where passwords are stored only as salted hashes by Supabase (our authentication provider) and never in plain text. If we become aware of a data breach affecting your personal data, we will notify you and the ICO within 72 hours as required by UK GDPR Article 33.
11. Children
JobPilot is not intended for children under 16. We do not knowingly collect personal data from anyone under 16. If you become aware that a child has provided us with personal data, please contact privacy@usejobpilot.com.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email and shown prominently on the Service. The "Last updated" date at the top reflects the most recent revision.
13. Contact
OEKHOST Limited
85 Great Portland Street
London, W1W 7LT
United Kingdom
Companies House: 15394512
Email: privacy@usejobpilot.com