Privacy Policy
Effective date: 13 May 2026 · Version: 1.0
1. Who we are
Crafted Candidate (“we”, “us”, or “our”) operates the website at craftedcandidate.com and the associated mobile application (collectively, the “Platform”). We are the data controller responsible for your personal data.
Contact: For any privacy-related enquiries or to exercise your rights, email us at privacy@craftedcandidate.com.
2. Data we collect and why
We collect personal data only where we have a lawful basis to do so under the UK/EU General Data Protection Regulation (“GDPR”).
| Category | Data | Lawful basis | Purpose |
|---|---|---|---|
| Account | Email, first name, last name, hashed password | Contract | Create and authenticate your account |
| Profile | Education, work experience, industry preferences, profile photo | Contract | Personalise interview preparation and resume content |
| Resumes | Full resume content, ATS scores, uploaded documents | Contract | Resume building, tailoring, and ATS analysis |
| Interview sessions | Conversation transcripts, AI feedback, scores | Contract | AI-powered mock interview practice and feedback |
| Job tracker | Job titles, companies, application dates, stages | Contract | Track job applications and interview pipeline |
| Billing | Stripe customer ID, subscription status (no raw card data) | Contract, Legal obligation | Process payments, manage subscriptions |
| Analytics | Page views, interaction events (anonymised where possible) | Consent | Understand Platform usage to improve the product |
| Waitlist | Email, optional name | Consent | Send launch updates to opted-in users |
3. AI processing disclosure
Certain features—including mock interview chat, resume tailoring, resume AI enhancement, and ATS analysis—send relevant portions of your data to one or more third-party AI providers for processing. This includes interview transcripts and resume content. Depending on the feature, different AI providers may be used; the current list of AI sub-processors is maintained in the sub-processors table in Section 4 below. Each AI provider processes your data as a data processor acting on our behalf under a Data Processing Agreement, and is contractually prohibited from using your data to train their models.
We ask for your explicit acknowledgement before you first use any AI-powered feature. You may revoke consent at any time by contacting privacy@craftedcandidate.com — however, disabling AI processing will prevent you from using AI-powered features.
4. Sub-processors
We share your data only with the following sub-processors, each bound by a Data Processing Agreement:
| Sub-processor | Role | Location | Data shared |
|---|---|---|---|
| Neon (PostgreSQL) | Database hosting | US / EU | All application data |
| AI providers (see note) | AI features | Varies | Interview transcripts, resume content |
| Stripe | Payment processing | US / EU | Email, subscription metadata |
| Resend | Transactional email | US | Your email address |
| Vercel Analytics | Web analytics | US | Anonymised page-view events (consent-gated) |
| Vercel (hosting) | Application hosting | US / EU | All request data |
AI providers note: We use one or more third-party AI providers depending on the feature (e.g. language models, speech synthesis). The specific providers in use at any given time are available on request at privacy@craftedcandidate.com. All AI providers are subject to the same sub-processor obligations described above.
For transfers to the US, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission or the UK International Data Transfer Agreement, as applicable.
5. Cookies
We use three categories of cookies. You can manage your preferences at any time via the cookie banner (shown on first visit) or by contacting us.
Strictly necessary
| Cookie | Duration | Purpose |
|---|---|---|
| auth_token | 7 days | Authenticates your session. HTTP-only — not accessible to JavaScript. |
| cookie_consent | 1 year | Stores your cookie category preferences so the banner is not shown on every visit. |
These cookies cannot be disabled — the site cannot function without them.
Analytics (consent-gated)
| Cookie / source | Duration | Purpose |
|---|---|---|
| Analytics provider cookies | Session / up to 2 years | Measure page views and feature usage to help us improve the platform. Set only if you accept analytics cookies. Current provider: Vercel Analytics (see sub-processors, Section 4). |
Marketing & targeting (consent-gated)
| Cookie / source | Duration | Purpose |
|---|---|---|
| Marketing provider cookies | Up to 2 years | Used to show relevant offers, measure campaign effectiveness, and support retargeting. Set only if you accept marketing cookies. Specific providers will be listed here as they are added. |
6. Data retention
- Account data: Retained while your account is active. Deleted within 30 days of an account deletion request.
- Interview transcripts & resumes: Retained while your account is active, then deleted with the account.
- Verification & reset tokens: Expire within 1 hour of creation and are purged automatically.
- Waitlist data: Retained until the launch campaign ends or until you unsubscribe, whichever comes first.
- Billing records: Retained for 7 years to comply with financial regulations, even after account deletion.
- Server logs: Retained for up to 30 days for security monitoring; logs do not contain passwords or full personal data.
7. Your rights
Under the GDPR, you have the following rights regarding your personal data. To exercise any of them, email privacy@craftedcandidate.com or use the self-service tools in your account settings.
Right of access (Art. 15)
Request a copy of all personal data we hold about you.
Right to rectification (Art. 16)
Correct inaccurate personal data via your profile settings or by contacting us.
Right to erasure (Art. 17)
Delete your account and all associated personal data via Settings → Account → Delete Account.
Right to data portability (Art. 20)
Download a machine-readable copy of your data via Settings → Account → Export My Data.
Right to restrict processing (Art. 18)
Request that we limit how we use your data while a dispute is resolved.
Right to object (Art. 21)
Object to processing based on legitimate interests (e.g. analytics).
Right to withdraw consent
Withdraw consent (e.g. analytics, AI processing) at any time without affecting prior lawful processing.
Right to lodge a complaint
Complain to your local data protection authority (e.g. the ICO in the UK or your EU supervisory authority).
We will respond to all verifiable requests within 30 days.
8. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Passwords hashed with bcrypt (cost factor 12) — never stored in plaintext.
- Authentication tokens stored in HTTP-only, Secure, SameSite=Lax cookies.
- All data transmitted over HTTPS/TLS.
- Database encrypted at rest by our hosting provider (Neon).
- Access to production data limited to authorised personnel.
9. Children
The Platform is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately at privacy@craftedcandidate.com.
10. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if you have an account) and update the effective date at the top of this page. Continued use of the Platform after the effective date constitutes acceptance of the updated policy.
