Privacy Policy
Effective: March 15, 2026 - Version 1.2
1. Who We Are
Career Compass is a career intelligence platform operated by:
CodeTech
Wroclaw, Poland
NIP: 7631936648
Email: support@careercompass.pl
Website: https://careercompass.pl
We are the data controller responsible for your personal data. This means we determine how and why your personal data is processed.
Given the current scale of our operations, we have not appointed a Data Protection Officer under Article 37 GDPR. All data protection inquiries can be directed to support@careercompass.pl. We will appoint a DPO if our processing activities require it.
Career Compass helps EU-based IT professionals, project managers, product owners, and delivery managers understand their career strengths through resume scoring, job matching, and market intelligence.
2. What Data We Collect
We collect and process the following categories of personal data:
Providing your resume and professional information is necessary to use Career Compass's core features. If you choose not to provide this data, we cannot deliver resume scoring, job matching, or AI-generated career content. Account registration requires only an email address and password (or Google OAuth).
2.1 Identity Information
| Data | Purpose | Source |
|---|---|---|
| Full name | Account identification, CV display | Resume upload, manual entry |
| Email address | Account access, communications | Registration form, OAuth |
| Phone number | Contact information on CV | Resume extraction |
| Location (city/country) | Job matching, CV display | Resume extraction, manual entry |
| LinkedIn profile URL | Professional profile linking | Resume extraction, manual entry |
2.2 Professional Information
| Data | Purpose | Source |
|---|---|---|
| Current job title | Resume scoring, job matching | Resume extraction |
| Work history | Experience scoring, industry classification | Resume extraction |
| Years of experience | Career depth analysis | Calculated from work history |
| Companies worked for | Industry breadth scoring | Resume extraction |
| Industries | Industry diversity scoring | AI classification |
| Education history | Presentation scoring | Resume extraction |
| Professional summary | Content quality analysis | Resume extraction |
2.3 Skills and Credentials
| Data | Purpose | Source |
|---|---|---|
| Technical skills | Competencies scoring, job matching | Resume extraction, keyword matching |
| Soft skills | Competencies scoring | Resume extraction, keyword matching |
| Certifications | Competencies scoring, job matching | Resume extraction, curated matching |
| Tools and methodologies | Competencies scoring | Resume extraction, keyword matching |
| Languages | Presentation scoring | Resume extraction |
2.4 Job Search Preferences
| Data | Purpose | Source |
|---|---|---|
| Target roles | Job matching, keyword coverage | Onboarding selection |
| Work location preference | Job matching (remote/hybrid/on-site) | Settings |
| Employment type | Job matching (full-time/contract/part-time) | Settings |
| Notice period | Job matching availability | Settings |
| Job search status | Feature personalization | Onboarding selection |
2.5 Usage Data
| Data | Purpose | Source |
|---|---|---|
| Job match history | Match history feature, service improvement | Automatic logging |
| Profile score history | Progress tracking | Automatic calculation |
| Login timestamps | Security, fraud prevention | Automatic logging |
| Feature usage | Service improvement | Automatic logging |
2.6 Technical Data
| Data | Purpose | Source |
|---|---|---|
| IP address | Security, fraud prevention | Automatic collection |
| Browser type | Technical support, compatibility | Automatic collection |
| Device information | Technical support | Automatic collection |
2.7 Payment Information
| Data | Purpose | Source |
|---|---|---|
| Billing email | Payment receipts and invoicing | Stripe checkout |
| Payment method type (last 4 digits only) | Transaction identification | Stripe |
| Transaction history | Purchase records, support | Automatic logging |
| Token balance and purchase timestamps | Service delivery, usage tracking | Automatic logging |
We never store full credit card numbers. All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor.
2.8 AI-Generated Content
| Data | Purpose | Source |
|---|---|---|
| Cover letters | Career application support | AI generation from profile + job match |
| Elevator pitches | Networking preparation | AI generation from profile + job match |
| Interview prep questions | Interview preparation | AI generation from profile + job match |
| Professional summaries | Profile enhancement | AI generation from profile data |
| Polished achievements | Achievement improvement | AI generation from user input |
| Score history snapshots | Progress tracking over time | Automatic calculation |
3. How We Collect Your Data
We collect data through the following methods:
3.1 Direct Collection
- Registration forms: When you create an account using email/password
- Resume upload: When you upload your CV in PDF format
- Manual entry: When you edit or add information to your profile
- Settings updates: When you configure your job preferences
3.2 Automated Collection
- AI extraction: We use artificial intelligence to extract structured data from your uploaded resume
- Keyword matching: We identify skills, certifications, and tools using curated dictionaries
- Industry classification: We classify your work experience into industry categories using AI analysis
- Usage logging: We automatically record your interactions with the platform for security and service improvement
3.3 Third-Party Collection
- Google OAuth: If you sign up or log in with Google, we receive your name and email address from Google
- Job posting analysis: When you analyze a job posting URL, we extract information from that public job listing
4. Legal Basis for Processing
Under GDPR, we must have a valid legal basis to process your personal data. We rely on the following bases:
4.1 Contract Performance (Article 6(1)(b) GDPR)
We process data necessary to provide our services to you:
- Account creation and management
- Resume storage and display
- AI-powered resume extraction and analysis
- Resume scoring using the Three Pillars Model
- Job matching against external job postings
- AI-generated career content (cover letters, elevator pitches, interview prep)
- Storing and displaying extracted professional information
4.2 Consent (Article 6(1)(a) GDPR)
We process certain data only with your explicit consent:
- Analytics cookies (Google Analytics 4, via CookieYes consent banner)
- Marketing communications (when applicable)
You can withdraw consent at any time. For cookies, use the CookieYes preference center (cookie icon in footer). For marketing, use the one-click unsubscribe link. Withdrawal does not affect the lawfulness of processing before withdrawal. Note: Core service features operate under the Contract Performance basis, not consent.
4.3 Legitimate Interest (Article 6(1)(f) GDPR)
We process some data based on our legitimate business interests, balanced against your rights:
| Processing Activity | Legitimate Interest |
|---|---|
| Job match history storage | Providing match history feature, avoiding duplicate analysis |
| Usage analytics (aggregated) | Service improvement, feature development |
| Security logging | Fraud prevention, account security |
4.4 Legal Obligation (Article 6(1)(c) GDPR)
We process some data to comply with legal requirements:
- Account deletion audit records (GDPR compliance documentation)
- Responding to lawful data access requests
Summary: Data Processing Legal Basis
| Data Category | Legal Basis | Purpose |
|---|---|---|
| Resume PDF file | Contract Performance | Storage, extraction, scoring |
| Personal identity info | Contract Performance | Account management |
| Work history & skills | Contract Performance | Scoring, matching |
| AI-generated content | Contract Performance | Career content generation |
| Analytics cookies | Consent | Website usage analytics |
| Job match results | Legitimate Interest | History feature, analytics |
| Login activity | Legitimate Interest | Security, fraud prevention |
| Account deletion audit | Legal Obligation | GDPR compliance |
5. How We Use Your Data
5.1 Resume Scoring
We analyze your resume using our Three Pillars Model:
- Experience Pillar: Evaluates career depth, industry breadth, and achievement impact
- Competencies Pillar: Assesses certifications, technical skills, soft skills, and tools
- Presentation Pillar: Reviews contact completeness, content structure, data quality, and language proficiency
This scoring helps you understand your CV's strengths and areas for improvement.
5.2 Job Matching
When you submit a job posting URL, we:
- Extract job requirements from the posting
- Compare your profile against job requirements
- Calculate a match score across Role Fit, Skills Fit, and Preferences Fit
- Identify skill gaps and provide actionable insights
5.3 Keyword Coverage Analysis
We analyze how well your resume keywords align with expected keywords for your target roles, helping you optimize your CV for specific career paths.
5.4 Account Management
We use your data to:
- Create and maintain your account
- Authenticate your identity
- Send important service communications
- Respond to your support requests
5.5 Service Improvement
We use aggregated, anonymized data to:
- Improve our scoring algorithms
- Develop new features
- Understand market trends in skills and certifications
5.6 Automated Profiling
Career Compass performs automated profiling under Art. 4(4) GDPR through the following mechanisms:
- Resume scoring: The Three Pillars Model (Experience, Competencies, Presentation) produces a 0-100 score for each pillar
- Job matching: Weighted comparison across Role Fit (35%), Skills Fit (35%), and Preferences Fit (30%)
These scores are informational only and do not result in any employment decisions. No decisions producing "legal effects or similarly significant effects" under Art. 22 GDPR are made based on this profiling.
You can review the scoring methodology on the platform. If you have concerns about any automated assessment, contact support@careercompass.pl for human review.
6. Data Sharing and Third Parties
6.1 Service Providers (Data Processors)
We share data with the following third-party processors who help us operate our platform:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database hosting, authentication, file storage | All user data, resume files | EU (Paris) |
| Anthropic (Claude API) | AI-powered resume extraction and analysis | Resume text content (identity data redacted before transmission) | USA* |
| OpenAI | Job description extraction and classification | Job posting URLs and content | USA* |
| Tavily | Job posting content extraction (fallback) | Job posting URLs | USA* |
| Vercel | Application hosting | Technical/usage data | EU (Paris) |
| Stripe | Payment processing | Billing email, payment method info, transaction data | USA* |
| Landing.ai | PDF document parsing (resume extraction) | Resume PDF content | EU |
| Resend | Transactional emails (verification, notifications) | Email address | USA* |
| Langfuse | LLM prompt management and observability | AI processing metadata, job data | EU (Germany) |
| CookieYes | Cookie consent management | Cookie preferences, anonymized consent records | EU |
| Google Analytics | Website usage analytics | Anonymized usage data (only after consent) | USA* |
| ScrapingBee | Job posting content extraction (fallback for select platforms) | Job posting URLs (no user PII) | EU |
*For US-based processors, we rely on Standard Contractual Clauses (SCCs) and their additional safeguards. See Section 10 for details.
6.2 What We Do NOT Do
We never:
- Sell your personal data to third parties
- Share your resume with recruiters without your explicit consent
- Use your data for advertising or marketing by third parties
- Share your data with other users of the platform
6.3 Legal Requirements
We may disclose your data if required by law, court order, or government request, or to protect our legal rights.
7. Data Retention
We retain your data only as long as necessary for the purposes described in this policy.
7.1 Retention Periods
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data | Until account deletion | Service provision |
| Resume file | Until account deletion | Deleted immediately with account |
| Extracted profile data | Until account deletion | Service provision |
| Job match history | Until user deletes or account deletion | User feature |
| Login activity logs | 90 days rolling | Security monitoring |
| Account deletion audit | 3 years from deletion | Legal compliance |
7.2 After Account Deletion
When you delete your account:
- Immediate: All personal data, including resume files, is deleted
- Retained for 3 years: Anonymized audit record (SHA-256 hash of email only, no plain text) for GDPR compliance documentation
8. Your Rights Under GDPR
As an EU resident, you have the following rights regarding your personal data:
8.1 Right of Access (Article 15)
You can request a copy of all personal data we hold about you.
How to exercise: Email support@careercompass.pl with subject "Data Access Request"
8.2 Right to Rectification (Article 16)
You can correct inaccurate or incomplete personal data.
How to exercise: Edit your profile directly in the platform, or contact us for assistance.
8.3 Right to Erasure / "Right to be Forgotten" (Article 17)
You can request deletion of your personal data.
How to exercise: Use the "Delete Account" function in Settings, or email us.
8.4 Right to Data Portability (Article 20)
You can request a copy of all your data in a structured, machine-readable format (JSON/ZIP). This includes:
- Profile information and preferences
- Identity data (name, contact details)
- Extracted skills, certifications, and work history
- Job match results and history
- Cover letters, elevator pitches, and interview preparations
- Original uploaded resume file
How to exercise: Email support@careercompass.pl with subject "Data Export Request". We will fulfill your request within 30 days.
8.5 Right to Restriction of Processing (Article 18)
You can request we limit how we use your data in certain circumstances.
How to exercise: Contact us explaining the specific restriction you're requesting.
8.6 Right to Object (Article 21)
You can object to processing based on legitimate interests.
How to exercise: Contact us with your objection. We will stop processing unless we have compelling legitimate grounds.
8.7 Right to Withdraw Consent (Article 7)
Where processing is based on consent, you can withdraw it at any time through these specific channels:
- Cookie consent: Use the CookieYes preference center (cookie icon in the footer) to change your cookie preferences at any time
- Marketing communications: Use the one-click unsubscribe link in any marketing email (when applicable)
Core service features (resume scoring, job matching, AI content) operate under the Contract Performance basis (Art. 6.1.b), not consent. These features are part of the service you signed up for.
Withdrawal does not affect the lawfulness of processing before withdrawal.
8.8 Right to Lodge a Complaint
You have the right to complain to a supervisory authority. In Poland, this is:
Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2
00-193 Warszawa
Website: https://uodo.gov.pl
Email: kancelaria@uodo.gov.pl
Response Timeline
We will respond to all rights requests within 30 days. If a request is complex, we may extend this by an additional 60 days, but we will inform you of any extension within the initial 30-day period.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
9.1 Technical Measures
- Encryption in transit: All data transmitted using TLS 1.3
- Encryption at rest: Database and file storage encrypted
- Secure authentication: Password hashing, OAuth 2.0 support
- Access controls: Role-based access, principle of least privilege
9.2 Organizational Measures
- Data minimization: We only collect data necessary for our services
- Access limitation: Only authorized personnel can access personal data
- Incident response: Procedures for detecting and responding to data breaches
9.3 Data Breach Notification
In the event of a data breach that poses a risk to your rights:
- We will notify the supervisory authority within 72 hours
- We will notify affected users without undue delay if the breach poses a high risk
- We will document all breaches and remediation actions
10. International Data Transfers
Your data is primarily stored in the European Union (Supabase EU - Paris).
When we transfer data to processors outside the EU (specifically to the USA for AI processing), we rely on:
10.1 EU-US Data Privacy Framework (DPF)
Stripe and Google are certified under the EU-US Data Privacy Framework. Vercel participates in the DPF. These certifications provide an adequate level of data protection for transfers to the United States.
10.2 Additional Safeguards for AI Processors
- Anthropic and OpenAI process data transiently with no long-term storage
- Only professional data is shared (resume content, job descriptions)
- No sensitive personal data categories are sent to AI processors
10.3 EU Data Storage
Supabase stores all persistent user data in the EU (Paris region). Langfuse (LLM observability) is hosted in the EU (Germany).
10.4 AI Processing Specifics
When your resume is processed by AI services:
- Identity data (name, email, phone number, LinkedIn URL) is extracted locally on our servers using pattern matching - no AI is involved in processing your personal identifiers
- Identity data is stripped from the resume text before it is sent to AI providers. Only professional content (skills, experience, education) reaches AI services
- Processing is transient (not stored by the AI provider beyond the request)
- Results are immediately returned and stored in our EU database
12. Children's Privacy
Career Compass is designed for professionals and is not intended for anyone under 18 years of age.
We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately at support@careercompass.pl, and we will delete such data.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes:
13.1 Notification Process
- Minor changes: Updated policy posted on this page with a new "Last Updated" date
- Material changes: Email notification to registered users at least 14 days before changes take effect
13.2 Continued Use
Your continued use of Career Compass after changes take effect constitutes acceptance of the updated policy. If you do not agree with changes, you may delete your account.
14. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:
Email: support@careercompass.pl
General Inquiries: hello@careercompass.pl
Company Information:
CodeTech
NIP: 7631936648
Wroclaw, Poland
We aim to respond to all inquiries within 5 business days, and to formal rights requests within 30 days.
This Privacy Policy was drafted in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and applies to users of Career Compass in the European Union.