← Back to home

Privacy Policy

Last updated 10 May 2026

1. Who we are

ApplyMate is operated by ApplyMate Pte Ltd, a company registered in Singapore (the “Company”, “we”, “us”). This policy explains how we handle your personal data when you use applymate.com and the ApplyMate web application (the “Service”).

We comply with Singapore’s Personal Data Protection Act 2012 (PDPA) and, for users in the European Economic Area and the United Kingdom, the General Data Protection Regulation (GDPR / UK GDPR). California residents have additional rights under the CCPA described in section 9.

Questions or requests: privacy@applymate.com.

2. What data we collect

You give us

  • Account data: name, email, password (hashed), email-verification status, notification preferences.
  • Profile data: the contents of your master CV — work history, education, skills, projects, languages, certifications, links, target roles, target locations, salary expectations.
  • Uploaded files: CV PDFs you upload for parsing, screenshots of job postings.
  • Job data: job postings you save (pasted text, URLs, screenshots, PDFs) and your application notes and statuses.
  • Generated content: resumes and cover letters produced by the AI based on your profile + a target job.

We collect automatically

  • Authentication cookies (NextAuth session token, CSRF token) — strictly necessary to keep you signed in.
  • Technical logs: IP address, user agent, request timestamps, and AI-call telemetry (token counts, latency, model used). Stored for security, debugging, and capacity planning.

We do not collect

  • Behavioural advertising profiles. We do not load third-party ad trackers.
  • Sensitive categories under GDPR Art. 9 (race, religion, health, etc.) unless you choose to include them in your CV. You control what you put in your profile.

3. How we use your data

PurposeLawful basis (GDPR)
Provide the Service: store your profile, parse jobs, generate resumes and cover letters, track applications.Performance of contract (Art. 6(1)(b))
Authenticate you and keep your account secure.Performance of contract; legitimate interest (Art. 6(1)(f))
Send transactional email (verification, password reset, billing receipts when applicable).Performance of contract
Send product updates, tips, weekly digests, marketing.Consent — opt-in via Settings → Email preferences (Art. 6(1)(a))
Detect abuse, prevent fraud, comply with legal requests.Legitimate interest; legal obligation (Art. 6(1)(c) and (f))
Improve the Service via aggregated, anonymised analysis.Legitimate interest

4. AI processing

Resume tailoring, cover letter drafting, CV parsing, job parsing, and match scoring are powered by Anthropic’s Claude models. When you trigger one of these features, we send the relevant subset of your profile and the target job posting to Anthropic’s API.

  • Anthropic processes the request to return the AI output and does not use API inputs or outputs to train its models. See Anthropic’s Commercial Terms and Privacy Policy.
  • Anthropic retains API request/response data for a short period for trust-and-safety purposes per its published policy.
  • AI outputs are produced under our “Strict Truth Mode” system prompt: the model is instructed never to invent experience, dates, employers, metrics, or skills not present in your profile or the source job.
  • AI output is generated text. It can contain errors. You are responsible for reviewing any document before sending it to a recruiter.

5. Subprocessors and international transfers

We rely on the following subprocessors. Each is bound by a data-processing agreement and appropriate safeguards (Standard Contractual Clauses where personal data leaves the EEA/UK).

SubprocessorPurposeRegion
MongoDB Atlas (MongoDB, Inc.)Primary databaseEU / US (configurable)
Vercel Inc.Application hosting and Blob storage (CV uploads, generated PDFs)US / EU (edge)
Anthropic, PBCAI inference (Claude)US
Resend (Resend Inc.)Transactional email deliveryUS / EU

We will update this list when subprocessors change. If you would like advance notice of changes, email privacy@applymate.com.

6. How long we keep your data

  • While your account is active: as long as you keep using the Service.
  • After you delete your account: your account is locked immediately and all your personal data (profile, jobs, generated documents, applications, uploaded files on Vercel Blob) is permanently erased 30 days later. The 30-day window gives you time to recover the account if you change your mind. Contact privacy@applymate.com to request immediate erasure instead.
  • Backups: encrypted database backups may retain residual copies for up to a further 30 days before they are overwritten.
  • Logs and AI telemetry: retained for up to 90 days, then deleted or aggregated.
  • Legal/tax records: when payments are processed, invoice records may be retained for up to 7 years to comply with Singaporean tax law.

7. Your rights

If you are in the EEA, UK, or Switzerland (GDPR), you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Erase your data (“right to be forgotten”).
  • Restrict or object to processing.
  • Receive your data in a portable, machine-readable format.
  • Withdraw consent at any time, where processing is based on consent.
  • Lodge a complaint with your local data-protection authority.

If you are in Singapore (PDPA), you have the right to:

  • Access the personal data we hold about you and how it has been used.
  • Request correction of inaccurate or misleading data.
  • Withdraw consent for any non-essential processing.

You can exercise most rights directly inside the app:

  • Export: Settings → Data export downloads a JSON file with your profile, jobs, generated documents, and applications.
  • Deletion: Settings → Delete account starts the 30-day erasure window.
  • Correction: edit your profile and account at any time in Settings.

For anything else, email privacy@applymate.com. We respond within 30 days.

8. Security

  • Encryption in transit (TLS) for all traffic to applymate.com.
  • Encryption at rest for the database and file storage (Atlas, Vercel Blob).
  • Passwords hashed with bcrypt; we never see your plaintext password.
  • Server-side authorization checks: no user can access another user’s data.
  • Principle of least privilege for production database access.

No system is perfectly secure. If you discover a vulnerability, please report it to security@applymate.com.

9. California residents (CCPA)

If you are a California resident, you have the right to know what personal information we collect, request deletion, request correction, and opt out of any “sale” or “sharing” of personal information. We do not sell or share personal information for cross-context behavioural advertising. To exercise CCPA rights, email privacy@applymate.com.

10. Children

ApplyMate is not directed at children. You must be at least 16 years old (or the minimum digital-consent age in your country, whichever is higher) to use the Service. We will delete any account we discover belongs to a child.

11. Changes to this policy

We will post material changes here and, where required, notify you by email. Your continued use of the Service after a change indicates acceptance.

12. Contact

ApplyMate Pte Ltd, Singapore
Email: privacy@applymate.com

PrivacyTermsCookiesDPA© 2026 ApplyMate Pte Ltd · Singapore