Privacy Policy — Mirrai Careers

Last Updated: June 10, 2026

Controller: MirrAi Chat LTD (“Mirrai”, “we”, “us”, “our”), UK company No. 16403306, 71–75 Shelton Street, London, WC2H 9JQ, UK. Contact: contact@mirrai.careers. This Policy applies to mirrai.careers and all features of the Mirrai Careers service.

1. Scope

This notice explains what personal data we collect, how we use and share it, how long we keep it, and your rights when using Mirrai Careers — including the resume builder, job matching, cover letter generator, application tracker, career test and Career Plan, and our blog.

2. Data We Collect

2.1 You provide

  • Account data: email address and password (stored as a secure hash by our authentication provider), or — if you sign in with Google — your name, email, and profile picture as shared by Google.
  • Resume data: resume files you upload (PDF) and the information extracted from them or entered manually — name, contact details (email, phone, location, LinkedIn, website), work history, education, skills, and achievements. Also the tailored resume variants, cover letters, and edits you create in the Service.
  • Job search data: job descriptions you paste for analysis or matching, and job application records you keep in the application tracker (company, role, status, notes).
  • Career test responses submitted via our embedded Tally.so questionnaire (career goals, background, skills, preferences, etc.). We copy your responses from Tally into our storage to prepare and deliver your Career Plan.
  • Purchase info processed by Stripe (we receive transaction and subscription metadata — not full card numbers/CVV).
  • Communications: support requests, feedback, and survey answers you send us.

2.2 Collected automatically

  • Technical logs: IP address, device/browser, timestamps, error diagnostics — for security and troubleshooting.
  • Service usage records: counts of AI feature usage (for enforcing plan limits, see our Fair Use Policy) and email delivery logs (whether our emails to you were sent).
  • Cookies/SDKs/tags:
    • Strictly necessary (authentication, security, load balancing).
    • Analytics/marketing (subject to consent) via Google Tag Manager, which may load Google Analytics 4, PostHog, and (if enabled) advertising tags. Non-essential tags are not loaded until you opt in through our Osano consent banner; you can change your choices at any time.

2.3 Derived data

  • AI-generated content and scores: parsed resume structure, match scores, generated resume text, cover letters, and Career Plan content created from your inputs.
  • Text embeddings: numeric representations of resume bullet points, used internally for deduplication and matching.

3. How We Use Your Data & Legal Bases (UK GDPR)

  • Provide and operate the Service (Contract): maintain your account; parse your resume; generate tailored resumes, cover letters, match analyses, and Career Plans using AI (see Section 4); render and store PDF exports; process payments and subscriptions; send transactional/service emails (welcome, payment confirmations, billing issues, trial reminders).
  • Security, fraud prevention, service improvement (Legitimate interests): protect the Service, enforce usage limits, debug, and improve using aggregated or de-identified insights. You may object at any time.
  • Marketing emails (Consent / Legitimate interests): onboarding tips and product updates, based on the choice you made at signup. Every marketing email contains an unsubscribe link, and you can opt out at any time; transactional emails are sent regardless because they are part of the Service.
  • Analytics & marketing tags (Consent): load GA4/PostHog and similar tags only after consent via Osano (you can change choices anytime).
  • Legal obligations: accounting/tax records, handling lawful requests.

4. AI Processing (Gemini / LLM)

To provide AI features, we transmit relevant parts of your data — resume content, job descriptions, and career test responses — to Google Gemini via API. Google processes this data as our service provider under data processing and security terms; under the Gemini API terms applicable to paid usage, data submitted via the API is not used to train Google’s models. AI outputs may be inaccurate or incomplete (see our Terms); always review them before use.

We do not use your data to make automated decisions that produce legal or similarly significant effects about you. Match scores and analyses are informational tools for your own use — we are not involved in any employer’s hiring decisions.

5. Sharing Your Data (Processors Only)

We share data only as needed with service providers acting on our instructions under data processing agreements:

  • Supabase — database, authentication, and file storage (uploaded resumes, PDF exports);
  • Google Cloud — application infrastructure and the Gemini AI API;
  • Stripe — payments and subscription billing;
  • Resend — transactional and marketing email delivery;
  • Tally.so — career test questionnaire forms;
  • Cloudflare — hosting, security, and CDN;
  • PostHog — product analytics (after consent);
  • Google Tag Manager / Google Analytics 4 — web analytics (after consent).

We do not sell your personal data and do not “share” it for cross-context behavioural advertising. We may disclose data if required by law or to protect our rights, and in connection with a business transfer (merger, acquisition), in which case this Policy would continue to apply.

6. International Transfers

Some providers may process data outside the UK/EEA (e.g., in the US). Where transfers occur, we use appropriate safeguards: the UK IDTA or EU SCCs, or — where available — recipients certified under the EU-US Data Privacy Framework and the UK-US Data Bridge (UK Extension to the DPF).

7. Retention

  • Account and resume data (profiles, uploaded files, variants, cover letters, applications, Career Plans): retained while your account is active. When you delete your account from settings, your resume data, uploaded files, and exports are deleted. You can also request deletion by email.
  • AI usage and technical logs: typically up to ~90 days for security, troubleshooting, and limit enforcement.
  • Email delivery logs: retained for deliverability and to honour unsubscribe choices.
  • Analytics data: retained per GA4/PostHog retention settings (e.g., 14–25 months) and your consent choices.
  • Payment records: kept as required by law (accounting/tax).

8. Your Rights

Depending on your location, you can access, rectify, erase, or port your data, restrict or object to its processing, and withdraw consent (where applicable). The fastest way to delete your data is the account deletion option in your account settings; for other requests, email us and we aim to respond within 30 days. You can complain to the ICO (UK) or your local supervisory authority.

California (CCPA/CPRA)

If you are a California resident, you may have additional rights (know, delete, correct, limit sensitive data, non-discrimination). We do not sell personal information and do not “share” it for cross-context behavioural advertising. (If this changes, we will update this notice and honour opt-out rights.)

9. Your Responsibilities

Keep your account credentials secure and your contact email accessible. Only upload resume or other content that you have the right to provide — do not upload other people’s personal data without authority. The quality of AI output depends on the accuracy and completeness of your inputs.

10. Security

We apply reasonable technical and organisational measures: TLS encryption in transit, encryption at rest provided by our infrastructure providers, row-level access controls so each user can only access their own data, restricted admin access, and monitoring. No method is 100% secure; contact us if you suspect an issue.

11. Children’s Privacy

Mirrai Careers is for users 18+. We do not knowingly collect data from minors; if we learn of such data, we will delete it.

12. Third-Party Sites

Our forms, checkout, sign-in, or links may point to third-party pages (e.g., Tally, Stripe, Google). Their privacy practices apply there; please review their notices.

13. Changes

We may update this Policy; the “Last Updated” date reflects the effective date. Material changes will be communicated by reasonable means (e.g., email or in-app notice). Continued use after updates means you accept the revised Policy.