Privacy Policy

1. Introduction

This Privacy Policy explains how CareerTrackr ("we", "us", or "our") collects, uses, discloses, and protects your personal data in accordance with the Personal Data Protection Act 2012 ("PDPA") of Singapore.

By using our service, you consent to the collection, use, and disclosure of your personal data as described in this Privacy Policy.

2. Data We Collect

We collect the following types of personal data:

• Account Information: Name, email address, password (encrypted)
• Application Data: Company names, position titles, job descriptions, application dates, interview details, notes
• CV Files: CV documents you upload (PDF, DOCX format)
• Usage Data: Login timestamps, IP addresses, browser type, activity logs
• Feedback: Messages and feedback you submit through our feedback system

3. How We Use Your Data

We use your personal data for the following purposes:

• Service Provision: To provide and maintain the job application tracking service
• Authentication: To verify your identity and secure your account
• Data Storage: To store your job applications, CVs, and related information
• Communication: To send important service notifications and respond to inquiries
• Security: To detect and prevent fraud, abuse, and security incidents
• Compliance: To comply with legal obligations and enforce our terms of service
• Service Improvement: To analyze usage patterns and improve our service

4. Data Retention

We retain your personal data for as long as your account is active or as needed to provide you services. The default retention period is 3 years from your last login. After this period, we may delete your account and associated data unless you request otherwise.

You may request deletion of your account at any time through the Data Rights portal. Account deletion requests are subject to a 30-day grace period during which you may cancel the deletion.

5. Your Rights Under PDPA

Under the PDPA, you have the following rights:

• Right to Access: Request a copy of all personal data we hold about you
• Right to Correction: Request correction of inaccurate or incomplete personal data
• Right to Deletion: Request deletion of your account and all associated data
• Right to Data Portability: Receive your personal data in a structured, machine-readable format (JSON)
• Right to Withdraw Consent: Withdraw your consent for data processing (may affect service availability)
• Right to Object: Object to processing of your personal data for certain purposes

To exercise these rights, please visit the Data Rights portal or contact our Data Protection Officer (see Section 12).

6. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

• Encryption: Passwords are hashed using bcrypt; data in transit uses HTTPS/TLS
• Access Control: Role-based access control (admin/user roles)
• Audit Logging: All security events and data access are logged
• Rate Limiting: Protection against brute force attacks (5 attempts per 15 minutes)
• Account Lockout: Automatic lockout after repeated failed login attempts (30-minute lockout)
• Session Management: Secure session tokens with 30-day expiry
• File Validation: CV uploads are validated for file type and size (max 5MB)

7. Third-Party Services

We use the following third-party services to provide our service:

• Vercel (Hosting & Database): Application hosting and PostgreSQL database - Privacy Policy
• Vercel Blob (File Storage): CV file storage - Privacy Policy
• Resend (Email Service): Transactional emails (password resets, notifications) - Privacy Policy

These third-party services are GDPR/PDPA compliant and process data only as instructed by us. Data is primarily stored in Singapore or Asia-Pacific regions where available.

8. Data Transfers

Your personal data is stored on servers located in the Asia-Pacific region (primarily Singapore). In limited cases, data may be transferred to other regions where our service providers operate, subject to appropriate safeguards and compliance with PDPA transfer requirements.

9. Data Breach Notification

In the event of a data breach that affects your personal data, we will notify you within 72 hours of becoming aware of the breach, in accordance with PDPA requirements. The notification will include:

• Nature of the breach and types of data affected
• Likely consequences of the breach
• Measures taken to address the breach and mitigate harm
• Recommended actions you should take to protect yourself

We will also notify the Personal Data Protection Commission (PDPC) of Singapore if required by law.

10. Cookies and Tracking

We use essential cookies for authentication and session management. We do not use advertising or third-party tracking cookies. Session cookies expire after 30 days or when you log out.

11. Children's Privacy

Our service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us to request deletion.

12. Data Protection Officer Contact

For privacy-related inquiries, data access requests, or complaints, please contact our Data Protection Officer:

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will notify you by email or through a prominent notice in the application. Your continued use of the service after such notification constitutes acceptance of the updated Privacy Policy.

Previous versions of this Privacy Policy will be archived and available upon request.

14. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of Singapore. Any disputes arising from this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Singapore.

15. Consent

By using our service, you consent to the collection, use, and disclosure of your personal data as described in this Privacy Policy. You may withdraw your consent at any time, but this may affect your ability to use certain features of the service.