GDPR & Data Requests

This page is for users in the EU, UK, and other GDPR-equivalent jurisdictions, plus enterprise customers' legal and procurement teams. Most data subject requests can be completed in seconds with the self-serve buttons on your account page.

• Export your data: the "Export my data" button on the account page produces a JSON file with everything we hold (profile, tracked jobs, search history, resume text, alerts).
• Delete your account: the "Delete account" button immediately and irreversibly removes all your data from our database. There is no soft-delete.
• Edit your profile: name, target salary, and notification preferences are all editable in place.

Self-serve completes in seconds. Use email-based requests only if self-serve doesn't fit your need.

For any other data subject request, email privacy@jobzyl.com with the subject line DSAR: <type of request>. Include the email address on your Jobzyl account so we can verify your identity.

We will respond within:

• 30 days for GDPR / UK GDPR requests (Art. 12(3)). Extendable by 60 days for complex requests, with notice.
• 45 days for CCPA / CPRA requests. Extendable by 45 days, with notice.

• Access — get a copy of your personal data.
• Rectification — correct inaccurate data.
• Erasure ("right to be forgotten") — have your data deleted.
• Restriction — pause processing while a dispute is resolved.
• Portability — receive your data in a machine-readable format (the JSON export).
• Objection — object to processing for direct marketing or based on legitimate interests.
• Withdraw consent — for processing based on consent (e.g. analytics opt-in).
• Lodge a complaint — with your supervisory authority.

Jobzyl — operated by Hammad Ahmad. Contact: privacy@jobzyl.com.

Personal data is stored on Supabase (PostgreSQL, EU region). The web application is served from AWS App Runner (Frankfurt, eu-central-1). No data leaves the EU except as needed for outbound email delivery (Resend, EU-hosted) and optional Plausible analytics (EU-hosted).

• Supabase — database and authentication. EU.
• AWS — application hosting. EU (Frankfurt).
• Resend — transactional email (verification, OTP, support replies). EU.
• Anthropic — AI-powered CV scoring. United States; data is processed transiently and not used to train models, per the Anthropic API terms.
• Plausible — privacy-first analytics. EU. Loaded only after consent.

Where data is transferred outside the EU/UK (currently only to Anthropic for transient CV scoring), we rely on the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum. We do not transfer data to any country without an adequacy decision unless an SCC-equivalent safeguard is in place.

If you believe we have not handled your data correctly, you may complain to:

• Your EU member state's data protection authority. The list is at edpb.europa.eu.
• The UK Information Commissioner's Office at ico.org.uk.
• The California Attorney General at oag.ca.gov.

We provide a Data Processing Agreement (with EU SCCs and the UK IDTA) on request. Email enterprise@jobzyl.com with your company name and the deployment context, and we will return a counter-signed DPA within three business days.