Privacy Policy

Last updated: November 15, 2024

1. Introduction

HintCraft Spółka z o.o. ("we", "our", or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our job landing system and related services (collectively, the "Service").

We comply with the General Data Protection Regulation (GDPR), Polish data protection laws (RODO), and other applicable privacy regulations.

Please read this policy carefully. By using the Service, you acknowledge that you have read and understood how we handle your personal data.

2. Data Controller Information

Data Controller:

HintCraft Spółka z o.o.
ul. Kazimierza Morawskiego 5/127
30-102 Kraków, Poland
VAT EU: PL6762694168
Email: contact@hintcraft.com

For data protection matters, please email us at contact@hintcraft.com with "Data Protection" or "GDPR" in the subject line.

3. What Personal Data We Collect

We collect only the personal data necessary to provide and improve the Service. The data we collect depends on how you interact with our platform.

3.1 Information You Provide Directly

Account Registration:

  • Email address (required for account creation and login)
  • Password (stored only as a secure hash, never in plain text; see Section 10)
  • Name (optional, for personalization)

Profile Information:

  • Professional background and experience
  • Career goals and preferences
  • Skills and qualifications
  • Interview preparation content (questions, answers, practice sessions)
  • Resume and cover letter drafts
  • Job application tracking data

Payment Information:

  • Billing name and address
  • Payment method details (processed by Stripe; we do not store full credit card numbers)
  • Transaction history and invoices
  • EU Consumer Rights Consent: For customers in EU/EEA/UK countries, we store your consent to waive the 14-day withdrawal right (as required by EU Consumer Rights Directive 2011/83/EU) per-purchase/per-license, along with the date and time consent was given. This consent is required for immediate access to digital services.

Communications:

  • Messages you send us via email or contact forms
  • Support tickets and correspondence
  • Feedback and survey responses

3.2 Information Collected Automatically

Technical Data:

  • IP address (anonymized for analytics)
  • Browser type and version
  • Device type and operating system
  • Time zone and language preferences
  • Referral source (how you found us)

Usage Data:

  • Pages visited and features used
  • Time spent on the Service
  • Click patterns and navigation paths
  • Session duration and frequency
  • Feature usage statistics

Cookies and Similar Technologies:

  • Essential cookies for authentication and functionality
  • Preference cookies for language settings
  • See our Cookie Policy for details

3.3 Information from Third-Party Services

Authentication Providers:

  • If you sign in using OAuth (Google, LinkedIn, etc.), we receive basic profile information they provide (name, email, profile picture)

Payment Processor:

  • Stripe provides us with payment status, transaction IDs, and billing information necessary to manage your subscription

4. How We Use Your Personal Data

We process your personal data for the following purposes:

4.1 Service Delivery

  • Create and manage your account
  • Provide access to features based on your subscription level
  • Store and retrieve your interview preparation content
  • Process AI-powered suggestions and recommendations
  • Track your job applications and progress
  • Deliver customer support and respond to inquiries

4.2 Service Improvement

  • Analyze usage patterns to improve features and user experience
  • Identify and fix technical issues
  • Develop new features and functionality
  • Conduct research and analytics (using anonymized data)

4.3 Communication

  • Send transactional emails (account confirmations, password resets, subscription updates)
  • Notify you about important changes to our Service or policies
  • Respond to your questions and support requests
  • Send service announcements and feature updates (you can opt out of non-essential communications)

4.4 Legal and Security

  • Comply with legal obligations and court orders
  • Prevent fraud, abuse, and unauthorized access
  • Enforce our Terms of Service and Fair Use Policy
  • Protect the rights, property, and safety of HintCraft, our users, and others

4.5 Business Operations

  • Process payments and manage subscriptions
  • Generate invoices and maintain financial records
  • Conduct internal audits and quality assurance

5. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

Contractual Necessity (Art. 6(1)(b) GDPR):

  • Processing necessary to provide the Service you've subscribed to
  • Managing your account and delivering core features

Legitimate Interests (Art. 6(1)(f) GDPR):

  • Improving our Service and user experience
  • Preventing fraud and ensuring security
  • Analyzing anonymous usage statistics
  • Marketing our services (where not requiring consent)

Legal Obligation (Art. 6(1)(c) GDPR):

  • Complying with tax, accounting, and other legal requirements
  • Responding to legal requests and court orders

Consent (Art. 6(1)(a) GDPR):

  • Sending optional marketing communications (you can withdraw consent anytime)
  • Using optional cookies (if we introduce them in the future)

6. How We Share Your Data

We do NOT sell, rent, or trade your personal data to third parties for their marketing purposes.

We share your data only in the following limited circumstances:

6.1 Service Providers

We work with trusted third-party service providers who process data on our behalf:

Authentication:

  • Auth.js - Secure user authentication and session management

Payment Processing:

  • Stripe - Payment processing and subscription management
  • Stripe's privacy policy: stripe.com/privacy

AI Services:

  • TogetherAI - Processing interview questions and generating AI responses (servers located in the United States)
  • TogetherAI does not use your data to train their models

Analytics:

  • Plausible Analytics - Privacy-friendly, anonymous website analytics (no personal data collected)

Infrastructure:

  • Railway - Database and application hosting (servers located in the European Union: Netherlands and Germany)

All service providers are bound by data processing agreements (DPAs) and are required to protect your data and use it only for specified purposes.

6.2 Legal Requirements

We may disclose your data when required by law or to:

  • Comply with legal obligations, court orders, or government requests
  • Enforce our Terms of Service or Fair Use Policy
  • Protect against fraud, security threats, or illegal activity
  • Protect the rights, property, or safety of HintCraft, our users, or the public

6.3 Business Transfers

If HintCraft is involved in a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you of any such change and your options regarding your data.

6.4 With Your Consent

We may share data with third parties if you explicitly consent to such sharing.

7. International Data Transfers

HintCraft is based in Poland (European Union). Your core account data and application data are stored within the EU (Netherlands and Germany via Railway).

However, when you use AI features, your prompts and responses are processed by TogetherAI, which operates servers in the United States. This means AI-related data is temporarily transferred outside the EU for processing.

When we transfer data internationally, we ensure adequate protection through:

Standard Contractual Clauses (SCCs):

  • EU-approved contract terms that require recipients to protect data according to EU standards

Data Processing Agreements (DPAs):

  • Written agreements with service providers specifying data protection obligations

Adequacy Decisions:

  • Transfers to countries recognized by the EU Commission as providing adequate protection

EU/EEA Hosting Preference:

  • Your core data (account, profile, application tracking) is stored exclusively in the EU (Netherlands and Germany)
  • Only AI processing temporarily uses US-based servers (TogetherAI)
  • We choose EU-based infrastructure wherever possible to minimize international transfers

8. Data Retention

We retain your personal data only as long as necessary for the purposes described in this policy or as required by law.

8.1 Active Accounts

  • Account and profile data: Retained while your account is active
  • AI prompt history and practice sessions: Retained while your account is active (you can delete anytime)
  • Usage analytics: Anonymized and aggregated data retained indefinitely for product improvement

8.2 After Subscription Expiration

When your paid subscription expires, we retain your data according to our retention policy:

2-Year Retention Period:

  • We store your account data for 2 years after your subscription expires
  • This allows you to return and continue using the Service without losing your work
  • You can access and export your data during this period
  • You receive premium feature access if you renew

30-Day Notice Before Deletion:

  • 30 days before the 2-year period ends, we email you a notification
  • You can purchase a minimum 1-month subscription to keep your data and extend retention for another 2 years
  • You can export your data through account settings
  • If you take no action, your account and data are permanently deleted

Early Deletion:

  • You can request immediate account deletion anytime by contacting us or using account settings
  • We process deletion requests within 30 days

8.3 Legal and Financial Records

  • Payment and invoice records: Up to 6 years (Polish tax law requirement)
  • Legal claims or disputes: Until resolved or statute of limitations expires
  • Fraud prevention records: As long as necessary to prevent repeat offenses

8.4 Anonymized Data

  • Aggregate statistics and anonymized usage data may be retained indefinitely for research and product improvement
  • This data cannot be linked back to you personally

9. Your Rights Under GDPR

As an individual in the EU/EEA, you have the following rights regarding your personal data:

9.1 Right of Access (Art. 15 GDPR)

You can request a copy of the personal data we hold about you.

9.2 Right to Rectification (Art. 16 GDPR)

You can request correction of inaccurate or incomplete personal data.

9.3 Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)

You can request deletion of your personal data in certain circumstances:

  • Data no longer necessary for the purposes collected
  • You withdraw consent (where processing is based on consent)
  • You object to processing and there are no overriding legitimate grounds
  • Data processed unlawfully

Note: We may retain certain data where legally required (e.g., financial records for tax purposes).

9.4 Right to Restriction of Processing (Art. 18 GDPR)

You can request that we limit how we use your data in certain situations.

9.5 Right to Data Portability (Art. 20 GDPR)

You can request a copy of your data in a structured, machine-readable format (e.g., JSON, CSV) and transfer it to another service.

9.6 Right to Object (Art. 21 GDPR)

You can object to processing based on legitimate interests or for direct marketing purposes.

9.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw it anytime. This does not affect the lawfulness of processing before withdrawal.

9.8 Right to Lodge a Complaint

You have the right to file a complaint with your local data protection authority:

Poland (UODO):
Urząd Ochrony Danych Osobowych
ul. Stawki 2, 00-193 Warszawa
Website: uodo.gov.pl

EU Data Protection Authorities:
Find your local authority at edpb.europa.eu

9.9 How to Exercise Your Rights

To exercise any of these rights, contact us at:

  • Email: contact@hintcraft.com (subject: "Data Rights Request")
  • Account Settings: Use the data export or deletion tools

We will respond to your request within 30 days (may be extended by 2 months for complex requests).

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, or alteration.

10.1 Security Measures

Technical Security:

  • Encryption of data in transit (TLS/SSL)
  • Encryption of sensitive data at rest
  • Secure password hashing (bcrypt or similar)
  • Regular security audits and vulnerability assessments
  • Firewall protection and intrusion detection systems

Access Controls:

  • Limited employee access to personal data (need-to-know basis)
  • Multi-factor authentication for internal systems
  • Regular access reviews and logging

Organizational Measures:

  • Employee training on data protection and security
  • Data breach response plan
  • Vendor security assessments

10.2 Your Responsibility

You are responsible for:

  • Keeping your password secure and confidential
  • Not sharing account access with others
  • Logging out from shared devices
  • Reporting suspected security incidents to us immediately

10.3 Data Breach Notification

In the unlikely event of a data breach affecting your personal data, we will:

  • Notify you without undue delay (within 72 hours where required by law)
  • Inform you of the nature of the breach and potential risks
  • Explain steps we're taking to mitigate the breach
  • Advise you on protective measures you can take
  • Report the breach to relevant supervisory authorities as required

11. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately. We will delete such data promptly.

12. AI and Your Data

12.1 How We Use AI

Our Service uses artificial intelligence to:

  • Generate interview question suggestions
  • Provide feedback on your answers
  • Analyze job descriptions
  • Offer personalized recommendations

12.2 AI Data Processing

When you use AI features:

  • Your input (questions, answers, profile information) is sent to TogetherAI (servers in the United States)
  • Processing is done in real-time to generate responses
  • TogetherAI does not use your data to train their AI models
  • AI interactions may be temporarily logged for quality assurance and debugging
  • Data transfers to the US are protected by Standard Contractual Clauses (SCCs)

12.3 Your Control

  • You can delete your AI interaction history anytime through account settings
  • You can choose not to use AI features and still access core functionality
  • We do not use your data to train third-party AI models without explicit consent

13. Marketing Communications

13.1 Types of Communications

We may send you:

Transactional Emails (cannot opt out):

  • Account confirmations and password resets
  • Subscription and billing notifications
  • Service announcements and security alerts
  • Responses to your support requests

Marketing Emails (can opt out):

  • Feature updates and tips
  • Educational content about job searching
  • Product announcements and offers

13.2 Opting Out

You can unsubscribe from marketing emails:

  • Click the "Unsubscribe" link in any marketing email
  • Update preferences in your account settings
  • Email us at contact@hintcraft.com

You will continue to receive essential transactional emails even after opting out of marketing.

14. Third-Party Links

The Service may contain links to external websites, resources, or services not operated by us (e.g., job boards, company websites).

We are not responsible for the privacy practices of third-party sites. We encourage you to review their privacy policies before providing any personal data.

15. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: What personal information we collect and how we use it
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: We do not sell personal information (nothing to opt out of)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights

To exercise CCPA rights, email us at contact@hintcraft.com with "CCPA Request" in the subject line.

16. Changes to This Privacy Policy

We may update this Privacy Policy to reflect:

  • Changes in our data practices
  • New features or services
  • Legal or regulatory requirements

16.1 Notification of Changes

When we make significant changes, we will:

  • Update the "Last updated" date
  • Notify you via email or in-app notification
  • Post a prominent notice on our website
  • Request consent for material changes affecting your rights

16.2 Your Acceptance

Your continued use of the Service after changes take effect constitutes acceptance of the updated policy. If you do not agree, please stop using the Service and contact us to delete your account.

17. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data:

Email: contact@hintcraft.com
Subject Line: Use "Privacy", "GDPR", or "Data Protection" for faster routing
Mail: HintCraft Spółka z o.o., ul. Kazimierza Morawskiego 5/127, 30-102 Kraków, Poland

We aim to respond to all inquiries within 30 days.

18. Additional Resources

Summary: We collect only the data necessary to provide our job landing system. We do not sell your data. You have full control over your information and can access, export, or delete it anytime. We use strong security measures and comply with GDPR and other privacy laws.