1. Data Controller Information
CandyTrack ("we," "us," "our") acts as the data controller for personal data processed through the CandyTrack service (available at candytrack.app).
CandyTrack is operated by an individual developer. For any questions regarding data protection, please contact us at: contact@candytrack.app.
This Privacy Policy applies to all users of the Service worldwide and is designed to comply with the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Brazilian Lei Geral de Protecao de Dados (LGPD), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and other applicable international data protection laws.
2. Types of Data Collected
2.1 Personal Data
When you create an account and use CandyTrack, we collect:
- Account data: name, email address, profile picture (if provided via Google OAuth)
- Application data: company names, job titles, application statuses, dates, notes, and any other information you enter regarding your job applications
- Contact data: names, email addresses, phone numbers, and other contact information for professional contacts you add
- CV data: documents and their content that you upload to the Service
- AI analysis data: results generated by AI analysis of your documents and applications
- Payment data: billing information processed through Stripe (we do not store credit card numbers)
- Preference data: language preferences, notification settings, and other user preferences
2.2 Usage Data
We automatically collect:
- IP address and approximate geographic location
- Browser type and version
- Device type and operating system
- Pages visited, features used, and actions taken within the Service
- Date and time of access
- Referring URL
2.3 Cookies and Similar Technologies
We use essential cookies for authentication and session management, as well as functional cookies for user preferences. We do not use advertising or tracking cookies. See Section 9 for our full Cookie Policy.
3. Legal Basis for Processing (GDPR Article 6)
We process your personal data based on the following legal grounds under GDPR Article 6(1):
- Performance of a contract (Art. 6(1)(b)): Processing necessary to provide the Service, manage your account, process subscriptions, and deliver the features you use
- Consent (Art. 6(1)(a)): Processing your data through AI analysis features when you explicitly choose to use them; sending optional marketing communications
- Legitimate interest (Art. 6(1)(f)): Improving and securing the Service, analyzing usage patterns to enhance features, preventing fraud and abuse, responding to support requests
- Legal obligation (Art. 6(1)(c)): Processing required to comply with applicable laws, such as tax and accounting requirements for paid subscriptions
Where we rely on legitimate interest, we have conducted a balancing test to ensure your fundamental rights and freedoms are not overridden. You have the right to object to processing based on legitimate interest at any time.
4. How Data Is Used
We use your personal data for the following purposes:
- Service delivery: Providing, maintaining, and improving CandyTrack features
- Account management: Creating and managing your user account, authenticating your identity
- AI analysis: Processing your documents and application data to generate insights and recommendations (only when you use AI features)
- Payment processing: Managing Pro plan subscriptions, processing payments, and handling invoices
- Communications: Sending transactional emails (account verification, password reset, subscription confirmations), notifications about your applications, and service updates
- Security: Detecting and preventing fraud, unauthorized access, and other malicious activities
- Analytics: Understanding how the Service is used to improve features and user experience (using aggregated, anonymized data where possible)
- Legal compliance: Complying with applicable laws, regulations, and legal processes
We do not sell your personal data to any third party. We do not use your data for automated decision-making that produces legal effects or similarly significant effects on you, beyond the AI analysis features you voluntarily use.
6. International Data Transfers
Your personal data may be transferred to and processed in countries outside your country of residence, including the United States, where some of our third-party service providers are located.
For transfers of personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses as the primary mechanism for international data transfers
- EU-U.S. Data Privacy Framework: Where applicable, we rely on service providers that are certified under the EU-U.S. Data Privacy Framework
- Supplementary measures: We implement additional technical and organizational measures, such as encryption in transit and at rest, to ensure an adequate level of protection
For users in Brazil (LGPD): International transfers are conducted under appropriate safeguards as required by the LGPD, including standard contractual clauses and adherence to data protection principles.
For users in Canada (PIPEDA): Your data may be processed outside Canada. We ensure that any international transfer is subject to comparable levels of protection through contractual and organizational safeguards.
You may request a copy of the relevant transfer mechanisms by contacting us at the address provided in Section 14.
7. Data Retention Periods
We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law:
- Active account data: Retained for the duration of your account's existence
- Application and contact data: Retained as long as your account is active
- CV/Resume files: Retained as long as your account is active; deleted within 30 days of account deletion
- AI analysis results: Retained as long as the related application data exists in your account
- Payment records: Retained for up to 10 years after the transaction, as required by applicable tax and accounting laws
- Usage logs and analytics: Retained for up to 12 months, then aggregated and anonymized
- Deleted account data: Permanently deleted within 30 days of account deletion, except where retention is legally required
When data is no longer needed, it is securely deleted or irreversibly anonymized.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
8.1 Rights under GDPR (EU/EEA residents)
- Right of access (Art. 15): Request a copy of your personal data
- Right to rectification (Art. 16): Request correction of inaccurate data
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
- Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format
- Right to restriction (Art. 18): Request restriction of processing under certain circumstances
- Right to object (Art. 21): Object to processing based on legitimate interest, including profiling
- Right to withdraw consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent
- Right to lodge a complaint: File a complaint with your local data protection supervisory authority
8.2 Rights under CCPA (California residents)
- Right to know: Request disclosure of the categories and specific pieces of personal information collected
- Right to delete: Request deletion of personal information
- Right to opt-out: Opt out of the sale of personal information (note: we do not sell personal data)
- Right to non-discrimination: Exercise your rights without receiving discriminatory treatment
8.3 Rights under LGPD (Brazilian residents)
- Confirmation of the existence of processing
- Access to your data
- Correction of incomplete, inaccurate, or outdated data
- Anonymization, blocking, or deletion of unnecessary or excessive data
- Data portability
- Information about sharing with third parties
- Revocation of consent
8.4 Rights under PIPEDA (Canadian residents)
- Access to your personal information held by us
- Request correction of inaccurate information
- Withdraw consent (subject to legal or contractual restrictions)
- File a complaint with the Office of the Privacy Commissioner of Canada
To exercise any of these rights, please contact us at contact@candytrack.app. We will respond to your request within 30 days (or such shorter period as required by applicable law). We may request identity verification before processing your request.
10. Children's Privacy
CandyTrack is not directed to children under the age of 16. We do not knowingly collect personal data from children under 16. If we discover that we have inadvertently collected personal data from a child under 16, we will take immediate steps to delete that data.
If you are a parent or guardian and believe that your child under 16 has provided personal data to CandyTrack, please contact us at contact@candytrack.app so that we can take appropriate action.
11. Data Security Measures
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS/SSL (HTTPS)
- Encryption at rest: Data stored in our database is encrypted at rest
- Authentication security: Secure password hashing, OAuth 2.0 for third-party authentication, and session management
- Access controls: Strict access controls to production databases and infrastructure
- Infrastructure security: Hosted on Vercel and Supabase, both of which maintain robust security programs and compliance certifications
- Regular updates: Dependencies and infrastructure are regularly updated to address known vulnerabilities
- Data minimization: We collect only the data necessary for the functioning of the Service
- Error monitoring: Sentry is used to quickly detect and fix technical issues, with IP address anonymization
While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority: Within 72 hours of becoming aware of the breach, as required by GDPR Article 33
- Notify affected users: Without undue delay when the breach is likely to result in a high risk to your rights and freedoms, as required by GDPR Article 34
- Document the breach: Maintain records of all data breaches, including their effects and the remedial actions taken
The notification will include a description of the nature of the breach, the categories and approximate number of affected individuals, the likely consequences, and the measures taken or proposed to address the breach.
For users in California, Brazil, Canada, and other jurisdictions with breach notification laws, we will comply with the specific notification requirements of your jurisdiction.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons.
For material changes, we will provide notice by:
- Sending an email to the address associated with your account
- Displaying a prominent notice within the Service
- Updating the "Last updated" date at the top of this policy
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy. Where required by law, we will obtain your consent before implementing material changes that affect how your data is processed.
14. Contact and Data Protection Inquiries
For any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
- Service: CandyTrack
- Website: candytrack.app
- Email: contact@candytrack.app
As CandyTrack is operated by an individual developer, the operator serves as the point of contact for all data protection matters, fulfilling the responsibilities equivalent to a Data Protection Officer (DPO).
If you believe that we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection supervisory authority:
- EU: Your national Data Protection Authority (list available at https://edpb.europa.eu/)
- France: Commission Nationale de l'Informatique et des Libertes (CNIL) - www.cnil.fr
- California: Office of the California Attorney General
- Brazil: Autoridade Nacional de Protecao de Dados (ANPD)
- Canada: Office of the Privacy Commissioner of Canada