Effective Date: 06/05/2026
Last Updated: 06/05/2026

Privacy Policy

1. Introduction

CareerSeeker AI (“we,” “our,” “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect your information when you use our website (https://careerseeker.ai/).

1.1 Data Controller

The data controller responsible for your personal data is:

  • Company Name: Selenthir Sp. z o.o.
  • Registered Office: Tysiąclecia 35 / 41, 41-303 Dąbrowa Górnicza, Poland
  • VAT ID (NIP): PL6292521423
  • KRS Number: 0001227518
  • Contact: [email protected]

CareerSeeker AI is a product owned and operated by Selenthir Sp. z o.o. All references to “we,” “our,” or “us” in this Privacy Policy refer to Selenthir Sp. z o.o.

2. Data We Collect

We collect minimal personal data necessary to provide and improve our services. The data we collect includes:

2.1 Cookies

We use cookies for website functionality and analytics. The following cookies are collected:

  • cookieyes-consent (1 year): Remembers user consent preferences.
  • ga* (1 year 1 month 4 days): Tracks page views via Google Analytics.
  • _ga (1 year 1 month 4 days): Tracks user sessions via Google Analytics.
  • randomly-generated (5 days): Performance-related plugin.
  • randomly-generated (5 days): Functionality-related plugin.
  • visited (1 day): Functional plugin counting visitors.
  • careerseeker_purchase_token (13 months): Authenticates your access to purchased Pro/Ultimate career quizzes.

These cookies store information anonymously and do not personally identify users.

2.2 Chatbot Conversation Data

When you interact with our AI-powered chatbot, we automatically collect and store:

  • Conversation Content: All messages you send to the chatbot and the responses provided by our AI system
  • Technical Information: Your IP address and browser/device information (user agent string)
  • Session Data: Unique conversation identifier (UUID), timestamps, message count, and response classification (FAQ or document-based)

Purpose of Collection:

We collect chatbot conversation data for the following legitimate purposes:

  • Service Improvement: Analyzing conversation patterns to enhance response accuracy and overall user experience
  • Customer Support: Enabling our support team to assist users who reference previous chatbot interactions
  • Quality Assurance: Monitoring chatbot performance, identifying issues, and ensuring service reliability
  • Security: Detecting and preventing spam, malicious usage, or system abuse

Legal Basis (GDPR): We process this data under legitimate interest (Article 6(1)(f) GDPR). We have assessed that our need to improve services and provide effective support does not override your fundamental rights and freedoms.

Data Retention:

  • Conversation logs are retained to support ongoing service improvement
  • We may implement automatic deletion of conversations older than 90 days
  • You may request immediate deletion of your conversation history at any time (see Section 7 below)

Data Security:

  • All conversation data is stored in encrypted PostgreSQL databases with SSL/TLS encryption for data transmission
  • Database access is restricted to authorized administrators using secure authentication tokens
  • Hosted on Railway.app (USA-based cloud provider) with industry-standard security measures and automated backups

Third-Party Data Storage:

International Data Transfers: If you are located outside the United States, your conversation data will be transferred to and processed in the United States where our database infrastructure is located.

Your Control:

  • Each conversation generates a unique identifier (UUID) – we recommend saving this ID if you wish to reference or manage your conversation data later
  • You may request access to, correction of, or deletion of your conversation history
  • Conversations are associated with technical identifiers (IP address, conversation UUID) rather than user accounts

2.3 Email Engagement Tracking (Pro and Ultimate Customers)

When we send transactional emails to Pro and Ultimate customers – specifically the quiz access email and the results delivery email – we include limited engagement tracking in the HTML version of the message. We collect:

  • Email opens: A small invisible image (a “tracking pixel”) loads when you open the HTML email, allowing us to record that the email was opened, along with a timestamp.
  • Link clicks: Links to your quiz or results in the email pass through a redirect that records the click and timestamp before sending you to the intended destination. Redirect targets are validated to prevent misuse.

Each tracked email contains a unique tracking identifier so opens and clicks can be associated with the specific message and, where applicable, your purchase or results record.

Plain-text emails are not tracked – they contain direct links and no tracking pixel. If you prefer to disable tracking, most email clients allow you to block remote images or display messages in plain text.

Purpose of Collection:

  • Service delivery verification: Confirming that purchase confirmations and results emails actually reach customers
  • Fraud prevention and dispute evidence: Maintaining a verifiable record of email delivery and engagement to defend against fraudulent chargebacks or refund disputes
  • Service quality: Identifying email deliverability issues

Legal Basis (GDPR): We process this data under legitimate interest (Article 6(1)(f) GDPR). Our legitimate interests are (a) verifying delivery of services you have paid for, and (b) protecting the business against fraudulent refund and chargeback claims. We have assessed that this limited, transactional-email-only tracking does not override your fundamental rights and freedoms, particularly because it applies only to emails you receive as a result of a purchase you made, is not used for behavioral profiling or advertising, and the data collected is minimal.

Retention: Email engagement records are retained for 3 years, consistent with our purchase record retention, to support potential refund and chargeback dispute resolution.

3. Voluntarily Submitted Information

In addition to cookies, we may collect email addresses voluntarily submitted by users through a form on our website. These email addresses are used exclusively for internal marketing purposes, such as sending updates about the project and notifications about new features.

  • Submitting an email address is entirely optional.
  • Users can unsubscribe at any time by following the unsubscribe link provided in each email or by contacting us directly.
  • We do not share email addresses with third parties.
  • Emails are stored securely and processed in accordance with GDPR guidelines.

4. Payment Information

When you purchase a Pro or Ultimate plan, we collect and process the following payment-related information:

4.1 Data Collected During Checkout

  • Email Address: Collected by Stripe during checkout to send purchase confirmation and associate with your purchase
  • Payment Method Details: Card number, expiration date, and CVC are collected and processed directly by Stripe – we never store your full card details
  • Billing Information: Name and billing address as required by your payment method
  • Purchase Token: A unique cryptographic identifier (64-character) used to verify your quiz access

4.2 Data Stored by CareerSeeker AI

We store the following in our database:

| Data | Purpose | Retention |
|---|---|---|
| Email address | Purchase identification, results delivery | 3 years |
| Plan type (Pro/Ultimate) | Access verification | 3 years |
| Purchase token | Quiz access authentication | 13 months |
| Stripe session/payment IDs | Transaction reference, customer support | 3 years |
| Amount and currency | Financial records, customer support | 7 years (tax compliance) |
| Purchase timestamp | Order history, analytics | 3 years |
| Quiz access status | Service delivery verification | 3 years |
| Results ID | Link purchase to your career report | 3 years |
| Service event logs (e.g. quiz submission, email opens/clicks, AI career expert chat activity including message length) | Service delivery verification, fraud prevention, refund/chargeback dispute evidence | 3 years |
| Pseudonymous device fingerprint | Fraud prevention, refund/chargeback dispute evidence | 3 years |

Device Fingerprint: For Pro and Ultimate customer activity, each logged event includes a non-reversible cryptographic hash derived from your IP address and browser identifier, combined with a server-side secret. This produces a pseudonymous identifier that lets us recognize repeated activity from the same device without storing your raw IP address or browser identifier in the event log. The hash cannot be reversed to recover the original values, and we use it solely for fraud prevention and to support refund and chargeback dispute resolution.

Legal Basis (GDPR): We process payment data under contract performance (Article 6(1)(b) GDPR) as it is necessary to fulfill your purchase, and legal obligation (Article 6(1)(c) GDPR) for tax and financial record-keeping requirements. Service event logs and the pseudonymous device fingerprint are processed under legitimate interest (Article 6(1)(f) GDPR) – specifically, our interests in verifying service delivery and protecting against fraudulent refund and chargeback claims, which we have assessed do not override your fundamental rights and freedoms given the limited, pseudonymous, and transactional nature of the data.

4.3 Third-Party Payment Processor: Stripe

All payment transactions are processed securely by Stripe, Inc.

  • Service Provider: Stripe (https://stripe.com)
  • Location: United States (with EU data processing available)
  • Data Processed by Stripe:
    • Full card details (never seen or stored by CareerSeeker AI)
    • Billing address
    • Device information for fraud prevention
    • IP address
  • Stripe’s Privacy Policy: https://stripe.com/privacy
  • PCI DSS Compliance: Stripe is a certified PCI Level 1 Service Provider – the highest level of certification in the payments industry

Important: Your payment card details are entered directly on Stripe’s secure checkout page. CareerSeeker AI never has access to, receives, or stores your full card number, expiration date, or CVC.

4.4 Consent Management for Purchases

Before completing a purchase, you must accept:

  • Terms of Service (required)
  • Privacy Policy (required)
  • Marketing Communications (optional)

Your consent choices are logged with:

  • Consent ID (unique identifier)
  • Stripe session reference
  • Hashed IP address (SHA-256, non-reversible)
  • Timestamp
  • User agent string

This consent record is retained for 3 years for legal compliance and to demonstrate valid consent if required.

4.5 Marketing Consent (Optional)

If you opt in to marketing communications during checkout:

  • Your email will be added to our mailing list via MailerLite
  • You will receive career tips, updates, and special offers
  • You can unsubscribe at any time via the link in any email or by contacting us
  • This consent is stored separately and can be withdrawn without affecting your purchase or access to your Report

MailerLite:

5. Third-Party Services

We use the following third-party services to provide and improve our services:

| Service | Purpose | Location | Privacy Policy |
|---|---|---|---|
| Google Analytics | Website traffic analysis | USA | policies.google.com/privacy |
| OpenAI | AI career insights | USA | openai.com/policies/row-privacy-policy |
| Google Gemini | AI career insights | USA | support.google.com/gemini |
| Anthropic | AI career insights | USA | anthropic.com/legal/privacy |
| Stripe | Payment processing | USA/EU | stripe.com/privacy |
| MailerLite | Marketing emails (if opted-in) | EU (Lithuania) | mailerlite.com/legal/privacy-policy |
| Railway.app | Chatbot database hosting | USA | railway.app/legal/privacy |

These services may collect data as described in their respective privacy policies. We have selected providers that maintain appropriate security standards and, where applicable, offer GDPR-compliant data processing.

6. Use of AI Services and Data Retention

We use third-party artificial intelligence (AI) services – including those provided by OpenAI, Google Gemini and Anthropic – to process certain user inputs (such as text, prompts, or queries) in order to deliver or enhance our services.

When data is sent for processing via API:

  • OpenAI may retain inputs and outputs for up to 30 days for the purposes of abuse monitoring and operational debugging.
  • Anthropic may retain inputs and outputs for up to 30 days for similar purposes.
  • Google Gemini may retain inputs and outputs for up to 55 days for similar purposes.

During these retention periods, OpenAI, Google and Anthropic may access the data only as necessary to ensure compliance with their respective usage policies.

After the applicable retention period, OpenAI, Google and Anthropic delete the data unless otherwise required to retain it under applicable law.

We use the resulting data internally for the analysis of AI output accuracy and to enhance our system performance.

We do not permit OpenAI, Google or Anthropic to use this data to train or improve their models, and we take reasonable steps to minimize the inclusion of personally identifiable information in any data sent for processing.

Note on Chatbot Conversation Logging: In addition to the AI provider retention periods described above, CareerSeeker AI maintains its own database of chatbot conversations for service improvement and support purposes (see Section 2.2). Our internal logging practices and your data rights regarding these logs are detailed separately in this Privacy Policy.

7. Your Rights

Under GDPR and applicable privacy laws, you have the following rights:

7.1 Right to Access (Article 15 GDPR)

You have the right to request a copy of your personal data, including your chatbot conversation history and purchase records.

  • How to Exercise: Email [email protected] with your conversation ID (UUID), purchase email, or IP address and date/time range
  • Delivery Format: We will provide your data in JSON or CSV format
  • Response Time: Within 30 days of your request

7.2 Right to Rectification (Article 16 GDPR)

You have the right to request correction of inaccurate personal data in your conversations or purchase records.

  • How to Exercise: Contact [email protected] with the conversation ID or purchase email and specific corrections needed

7.3 Right to Erasure / “Right to be Forgotten” (Article 17 GDPR)

You have the right to request permanent deletion of your personal data, including conversation data and purchase records.

  • How to Exercise: Email [email protected] with your conversation ID, purchase email, or IP address and date range
  • Processing Time: Data will be deleted within 30 days of identity verification
  • Exceptions: We may retain certain financial records as required by tax law (typically 7 years for transaction amounts)

7.4 Right to Restriction of Processing (Article 18 GDPR)

You have the right to request that we limit how we use your personal data in certain circumstances.

7.5 Right to Data Portability (Article 20 GDPR)

You have the right to receive your personal data in a machine-readable format to transfer to another service.

7.6 Right to Object (Article 21 GDPR)

You have the right to object to our processing of your personal data based on legitimate interest.

  • How to Exercise: Contact [email protected] with your objection
  • Effect: We will stop processing unless we can demonstrate compelling legitimate grounds

7.7 Right to Withdraw Consent

Where we process data based on your consent (such as marketing communications), you have the right to withdraw consent at any time.

  • Marketing Emails: Click the unsubscribe link in any email, or contact us
  • Effect: Withdrawal does not affect the lawfulness of processing before withdrawal

7.8 Right to Lodge a Complaint

You have the right to file a complaint with your data protection authority if you believe your rights have been violated.

7.9 Payment Data Requests

To request access to or deletion of your purchase data:

  • Contact: [email protected]
  • Include: Your purchase email address and approximate purchase date
  • Note: We may retain certain financial records as required by tax law (typically 7 years for transaction amounts)
  • Stripe: You can also contact Stripe directly at https://stripe.com/privacy-center to request deletion of your payment data from their systems

Important: Deleting your purchase data will not affect your access to already-generated career reports, as these are stored separately using anonymous identifiers.

7.10 How to Submit Data Requests

Contact: [email protected]

Please Include in Your Request:

  • Your conversation ID (UUID) if you saved it, OR
  • Your purchase email address, OR
  • Your IP address and the approximate date/time of your conversation(s) or purchase
  • A brief description of your conversation topics or purchase (to help us locate your data)
  • The specific action you’re requesting (access, deletion, correction, etc.)

Response Time: We will respond within 30 days (or 60 days for complex requests, with advance notice).

Verification: To protect your privacy, we may request additional identifying information before fulfilling your request.

No Fee: Exercising your rights is free, except in cases of excessive or manifestly unfounded requests.

8. Data Security

We implement appropriate technical and organizational security measures to protect your data, including:

8.1 General Security Measures

  • Encryption: All conversation and purchase data is stored in encrypted databases
  • Secure Transmission: SSL/TLS encryption for all data in transit
  • Access Controls: Database access restricted to authorized administrators via secure authentication tokens
  • Infrastructure Security: Hosting on providers with industry-standard security practices and automated backups
  • Monitoring: Regular monitoring for unauthorized access attempts and security threats

8.2 Payment Security Measures

  • No Card Storage: We never store, process, or have access to your full credit card details – all card data is handled directly by Stripe
  • PCI Compliance: Payment processing is handled by Stripe, a PCI Level 1 certified service provider (the highest level of certification)
  • Tokenization: Purchase access uses cryptographically secure tokens (32 bytes random, 64-character hex)
  • Secure Cookies: Purchase tokens stored in HttpOnly, Secure cookies (not accessible to JavaScript)
  • Webhook Verification: All Stripe payment notifications verified with cryptographic signatures to prevent fraud

While we implement robust security measures, please note that no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but commit to using industry-standard practices to protect your information.

9. Updates to this Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Any changes will be posted on this page with an updated effective date.

For material changes that significantly affect how we process your personal data, we will provide prominent notice (such as a banner on our website) before the changes take effect.

10. Contact Us

For any privacy-related questions, contact us at [email protected].