Privacy Policy
This Privacy Policy explains how Career Workbench (“we”, “us”, “our”) collects, uses, and protects your personal data when you use the Career Workbench web application (the “Service”). We are committed to complying with the EU General Data Protection Regulation (GDPR) and Polish data protection law.
1. Who we are
The data controller is Career Workbench, operated as a student thesis project based in Poland. You can contact us about any privacy matter at goncuegemen@gmail.com.
2. What data we collect
- Account data: email address, full name (optional), and a Google account identifier if you sign in with Google. If you create a password-based account, we store a hashed version of your password (never the plaintext).
- Content data: the resumes, job descriptions, cover letters, interview answers, career preferences, and any other content you upload or generate while using the Service. This content is stored with your account so you can revisit past runs.
- Technical data: IP address, browser type, device information, and error diagnostics collected automatically when something goes wrong in the app (via Sentry).
- Cookies and similar storage: strictly necessary authentication cookies and a local preference that remembers your cookie-consent choice. See the Cookie Policy for details.
3. How we use your data and legal basis
- Providing the Service (Art. 6(1)(b) GDPR — contract): creating your account, letting you sign in, running the AI tools you request, and storing your results so you can return to them.
- Security and bot protection (Art. 6(1)(f) GDPR — legitimate interest): preventing abuse and automated attacks through Google reCAPTCHA.
- Error monitoring (Art. 6(1)(f) GDPR — legitimate interest): understanding and fixing crashes and bugs via Sentry.
- Transactional email (Art. 6(1)(b) GDPR — contract): sending password-reset emails through Resend.
- Advertising (Art. 6(1)(a) GDPR — consent): if we enable Google AdSense in the future, it will only load after you accept cookies. It is not active today.
4. AI processing of your content
To generate resume analyses, job matches, cover letters, interview feedback, and similar outputs, we send the content you provide (such as your resume text and the job description) to Google Vertex AI (Gemini). Google processes this content on our behalf as a sub-processor. You should not upload information you do not want to send to Google’s AI service. Please do not include highly sensitive data such as national IDs, health data, or payment information in your inputs.
5. Who we share data with (sub-processors)
We use the following third-party providers to run the Service:
- Google Cloud (Vertex AI / Gemini) — AI processing of your content.
- Google (OAuth) — optional sign-in with your Google account.
- Google reCAPTCHA — bot protection on sensitive forms.
- Google AdSense — advertising (only if enabled in the future and only with your consent).
- Sentry — error monitoring.
- Resend — transactional email (password resets).
- Railway — application hosting and managed PostgreSQL database.
We do not sell your personal data and we do not share it with third parties for their own marketing purposes.
6. International transfers
Some of our sub-processors (notably Google and Sentry) process data in the United States or other countries outside the European Economic Area. Where this happens, transfers are protected by the European Commission’s Standard Contractual Clauses and, where applicable, supplementary measures required under GDPR.
7. How long we keep data
- Account data is kept for as long as your account exists. If you delete your account, we delete your profile and associated tool runs.
- Content data (tool runs) is kept until you delete it or until you delete your account.
- Error logs in Sentry are retained according to Sentry’s default retention policy (currently up to 90 days for most events).
8. Your rights under GDPR
You have the right to:
- access the personal data we hold about you;
- request correction of inaccurate data;
- request deletion of your data (“right to be forgotten”);
- request restriction of, or object to, certain processing;
- request a portable copy of your data;
- withdraw consent at any time (for example, by declining or resetting cookies);
- lodge a complaint with your local data protection authority. In Poland this is the President of the Personal Data Protection Office (UODO), uodo.gov.pl.
To exercise any of these rights, email us at goncuegemen@gmail.com. We will respond within one month.
9. Security
We use HTTPS for all traffic, store passwords only as bcrypt hashes, keep authentication tokens in HttpOnly cookies, and rely on Railway’s managed infrastructure for database security. No system is perfectly secure, so please use a strong, unique password.
10. Children
The Service is not intended for children under 16. If you are under 16, please do not use the Service or provide us with any personal data.
11. Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page shows when it was last changed. Material changes will be announced in the app or by email.
