Effective Date: 26/02/2026
Last Updated: 26/02/2026

Privacy Policy

1. Introduction

CareerSeeker AI (“we,” “our,” “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect your information when you use our website (https://careerseeker.ai/).

2. Data We Collect

We collect minimal personal data necessary to provide and improve our services. The data we collect includes:

2.1 Cookies

We use cookies for website functionality and analytics. The following cookies are collected:

  • cookieyes-consent (1 year): Remembers user consent preferences.
  • ga* (1 year 1 month 4 days): Tracks page views via Google Analytics.
  • _ga (1 year 1 month 4 days): Tracks user sessions via Google Analytics.
  • randomly-generated (5 days): Performance related plugin.
  • randomly-generated (5 days): Functionality related plugin.
  • visited (1 day): Functional plugin counting visitors.
  • careerseeker_purchase_token (13 months): Authenticates your access to purchased Pro/Ultimate career quizzes.

These cookies store information anonymously and do not personally identify users.

2.2 Chatbot Conversation Data

When you interact with our AI-powered chatbot, we automatically collect and store:

  • Conversation Content: All messages you send to the chatbot and the responses provided by our AI system
  • Technical Information: Your IP address and browser/device information (user agent string)
  • Session Data: Unique conversation identifier (UUID), timestamps, message count, and response classification (FAQ or document-based)

Purpose of Collection:

We collect chatbot conversation data for the following legitimate purposes:

  • Service Improvement: Analyzing conversation patterns to enhance response accuracy and overall user experience
  • Customer Support: Enabling our support team to assist users who reference previous chatbot interactions
  • Quality Assurance: Monitoring chatbot performance, identifying issues, and ensuring service reliability
  • Security: Detecting and preventing spam, malicious usage, or system abuse

Legal Basis (GDPR): We process this data under legitimate interest (Article 6(1)(f) GDPR). We have assessed that our need to improve services and provide effective support does not override your fundamental rights and freedoms.

Data Retention:

  • Conversation logs are retained to support ongoing service improvement
  • We may implement automatic deletion of conversations older than 90 days
  • You may request immediate deletion of your conversation history at any time (see Section 7 below)

Data Security:

  • All conversation data is stored in encrypted PostgreSQL databases with SSL/TLS encryption for data transmission
  • Database access is restricted to authorized administrators using secure authentication tokens
  • Hosted on Railway.app (USA-based cloud provider) with industry-standard security measures and automated backups

Third-Party Data Storage:

International Data Transfers: If you are located outside the United States, your conversation data will be transferred to and processed in the United States where our database infrastructure is located.

Your Control:

  • Each conversation generates a unique identifier (UUID) — we recommend saving this ID if you wish to reference or manage your conversation data later
  • You may request access to, correction of, or deletion of your conversation history
  • Conversations are associated with technical identifiers (IP address, conversation UUID) rather than user accounts

3. Voluntarily Submitted Information

In addition to cookies, we may collect email addresses voluntarily submitted by users through a form on our website. These email addresses are used exclusively for internal marketing purposes, such as sending updates about the project and notifications about new features.

  • Submitting an email address is entirely optional.
  • Users can unsubscribe at any time by following the unsubscribe link provided in each email or by contacting us directly.
  • We do not share email addresses with third parties.
  • Emails are stored securely and processed in accordance with GDPR guidelines.

4. Payment Information

When you purchase a Pro or Ultimate plan, we collect and process the following payment-related information:

4.1 Data Collected During Checkout

  • Email Address: Collected by Stripe during checkout to send purchase confirmation and associate with your purchase
  • Payment Method Details: Card number, expiration date, and CVC are collected and processed directly by Stripe — we never store your full card details
  • Billing Information: Name and billing address as required by your payment method
  • Purchase Token: A unique cryptographic identifier (64-character) used to verify your quiz access

4.2 Data Stored by CareerSeeker AI

We store the following in our database:

Data | Purpose | Retention
--- | --- | ---
Email address | Purchase identification, results delivery | 3 years
Plan type (Pro/Ultimate) | Access verification | 3 years
Purchase token | Quiz access authentication | 13 months
Stripe session/payment IDs | Transaction reference, customer support | 3 years
Amount and currency | Financial records, customer support | 7 years (tax compliance)
Purchase timestamp | Order history, analytics | 3 years
Quiz access status | Service delivery verification | 3 years
Results ID | Link purchase to your career report | 3 years

Legal Basis (GDPR): We process payment data under contract performance (Article 6(1)(b) GDPR) as it is necessary to fulfill your purchase, and legal obligation (Article 6(1)(c) GDPR) for tax and financial record-keeping requirements.

4.3 Third-Party Payment Processor: Stripe

All payment transactions are processed securely by Stripe, Inc.

  • Service Provider: Stripe (https://stripe.com)
  • Location: United States (with EU data processing available)
  • Data Processed by Stripe:
    • Full card details (never seen or stored by CareerSeeker AI)
    • Billing address
    • Device information for fraud prevention
    • IP address
  • Stripe’s Privacy Policy: https://stripe.com/privacy
  • PCI DSS Compliance: Stripe is a certified PCI Level 1 Service Provider, the highest level of certification in the payments industry

Important: Your payment card details are entered directly on Stripe’s secure checkout page. CareerSeeker AI never has access to, receives, or stores your full card number, expiration date, or CVC.

4.4 Consent Management for Purchases

Before completing a purchase, you must accept:

  • Terms of Service (required)
  • Privacy Policy (required)
  • Marketing Communications (optional)

Your consent choices are logged with:

  • Consent ID (unique identifier)
  • Stripe session reference
  • Hashed IP address (SHA-256, non-reversible)
  • Timestamp
  • User agent string

This consent record is retained for 3 years for legal compliance and to demonstrate valid consent if required.

4.5 Marketing Consent (Optional)

If you opt in to marketing communications during checkout:

  • Your email will be added to our mailing list via MailerLite
  • You will receive career tips, updates, and special offers
  • You can unsubscribe at any time via the link in any email or by contacting us
  • This consent is stored separately and can be withdrawn without affecting your purchase or access to your Report

MailerLite:

5. Third-Party Services

We use the following third-party services to provide and improve our services:

Service | Purpose | Location | Privacy Policy
--- | --- | --- | ---
Google Analytics | Website traffic analysis | USA | policies.google.com/privacy
Google Cloud | Application deployment & analytics | USA | policies.google.com/privacy
OpenAI | AI career insights | USA | openai.com/policies/row-privacy-policy
Google Gemini | AI career insights | USA | support.google.com/gemini
Anthropic | AI career insights | USA | anthropic.com/legal/privacy
Stripe | Payment processing | USA/EU | stripe.com/privacy
MailerLite | Marketing emails (if opted-in) | EU (Lithuania) | mailerlite.com/legal/privacy-policy
Railway.app | Chatbot database hosting | USA | railway.app/legal/privacy

These services may collect data as described in their respective privacy policies. We have selected providers that maintain appropriate security standards and, where applicable, offer GDPR-compliant data processing.

6. Use of AI Services and Data Retention

We use third-party artificial intelligence (AI) services — including those provided by OpenAI, Google Gemini and Anthropic — to process certain user inputs (such as text, prompts, or queries) in order to deliver or enhance our services.

When data is sent for processing via API:

  • OpenAI may retain inputs and outputs for up to 30 days for the purposes of abuse monitoring and operational debugging.
  • Anthropic may retain inputs and outputs for up to 30 days for similar purposes.
  • Google Gemini may retain inputs and outputs for up to 55 days for similar purposes.

During these retention periods, OpenAI, Google and Anthropic may access the data only as necessary to ensure compliance with their respective usage policies.

After the applicable retention period, OpenAI, Google and Anthropic delete the data unless otherwise required to retain it under applicable law.

We use the resulting data internally for the analysis of AI output accuracy and to enhance our system performance.

We do not permit OpenAI, Google or Anthropic to use this data to train or improve their models, and we take reasonable steps to minimize the inclusion of personally identifiable information in any data sent for processing.

Note on Chatbot Conversation Logging: In addition to the AI provider retention periods described above, CareerSeeker AI maintains its own database of chatbot conversations for service improvement and support purposes (see Section 2.2). Our internal logging practices and your data rights regarding these logs are detailed separately in this Privacy Policy.

7. Your Rights

Under GDPR and applicable privacy laws, you have the following rights:

7.1 Right to Access (Article 15 GDPR)

You have the right to request a copy of your personal data, including your chatbot conversation history and purchase records.

  • How to Exercise: Email [email protected] with your conversation ID (UUID), purchase email, or IP address and date/time range
  • Delivery Format: We will provide your data in JSON or CSV format
  • Response Time: Within 30 days of your request

7.2 Right to Rectification (Article 16 GDPR)

You have the right to request correction of inaccurate personal data in your conversations or purchase records.

  • How to Exercise: Contact [email protected] with the conversation ID or purchase email and specific corrections needed

7.3 Right to Erasure / “Right to be Forgotten” (Article 17 GDPR)

You have the right to request permanent deletion of your personal data, including conversation data and purchase records.

  • How to Exercise: Email [email protected] with your conversation ID, purchase email, or IP address and date range
  • Processing Time: Data will be deleted within 30 days of identity verification
  • Exceptions: We may retain certain financial records as required by tax law (typically 7 years for transaction amounts)

7.4 Right to Restriction of Processing (Article 18 GDPR)

You have the right to request that we limit how we use your personal data in certain circumstances.

7.5 Right to Data Portability (Article 20 GDPR)

You have the right to receive your personal data in a machine-readable format to transfer to another service.

7.6 Right to Object (Article 21 GDPR)

You have the right to object to our processing of your personal data based on legitimate interest.

  • How to Exercise: Contact [email protected] with your objection
  • Effect: We will stop processing unless we can demonstrate compelling legitimate grounds

7.7 Right to Withdraw Consent

Where we process data based on your consent (such as marketing communications), you have the right to withdraw consent at any time.

  • Marketing Emails: Click the unsubscribe link in any email, or contact us
  • Effect: Withdrawal does not affect the lawfulness of processing before withdrawal

7.8 Right to Lodge a Complaint

You have the right to file a complaint with your data protection authority if you believe your rights have been violated.

7.9 Payment Data Requests

To request access to or deletion of your purchase data:

  • Contact: [email protected]
  • Include: Your purchase email address and approximate purchase date
  • Note: We may retain certain financial records as required by tax law (typically 7 years for transaction amounts)
  • Stripe: You can also contact Stripe directly at https://stripe.com/privacy-center to request deletion of your payment data from their systems

Important: Deleting your purchase data will not affect your access to already-generated career reports, as these are stored separately using anonymous identifiers.

7.10 How to Submit Data Requests

Contact: [email protected]

Please Include in Your Request:

  • Your conversation ID (UUID) if you saved it, OR
  • Your purchase email address, OR
  • Your IP address and the approximate date/time of your conversation(s) or purchase
  • A brief description of your conversation topics or purchase (to help us locate your data)
  • The specific action you’re requesting (access, deletion, correction, etc.)

Response Time: We will respond within 30 days (or 60 days for complex requests, with advance notice).

Verification: To protect your privacy, we may request additional identifying information before fulfilling your request.

No Fee: Exercising your rights is free, except in cases of excessive or manifestly unfounded requests.

8. Data Security

We implement appropriate technical and organizational security measures to protect your data, including:

8.1 General Security Measures

  • Encryption: All conversation and purchase data is stored in encrypted databases
  • Secure Transmission: SSL/TLS encryption for all data in transit
  • Access Controls: Database access restricted to authorized administrators via secure authentication tokens
  • Infrastructure Security: Hosting on providers with industry-standard security practices and automated backups
  • Monitoring: Regular monitoring for unauthorized access attempts and security threats

8.2 Payment Security Measures

  • No Card Storage: We never store, process, or have access to your full credit card details — all card data is handled directly by Stripe
  • PCI Compliance: Payment processing is handled by Stripe, a PCI Level 1 certified service provider (the highest level of certification)
  • Tokenization: Purchase access uses cryptographically secure tokens (32 bytes random, 64-character hex)
  • Secure Cookies: Purchase tokens stored in HttpOnly, Secure cookies (not accessible to JavaScript)
  • Webhook Verification: All Stripe payment notifications verified with cryptographic signatures to prevent fraud

While we implement robust security measures, please note that no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but commit to using industry-standard practices to protect your information.

9. Updates to this Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Any changes will be posted on this page with an updated effective date.

For material changes that significantly affect how we process your personal data, we will provide prominent notice (such as a banner on our website) before the changes take effect.

10. Contact Us

For any privacy-related questions, contact us at [email protected].