Privacy Policy

This Privacy Policy describes how Buzz2Remote ("we", "us") collects, uses, shares, and protects information about you when you use the Service. We act as the data controller for personal data we collect about you directly. By using the Service, you consent to the practices described here.

Account & profile data

• Identity: name, email address, password hash, profile photo.
• Profile: job title, bio, skills, work experience, education, location, languages.
• CV / resume: uploaded files and extracted text content.
• Preferences: target roles, salary expectations, remote/location filters.

Activity data

• Application history: jobs viewed, liked, dismissed, applied to, click timestamps.
• AI-tool usage: when you run CV review, career diagnosis, coaching chats, top-matches generation.
• Interaction logs: page views, feature usage, search queries (de-identified after 90 days).

Technical data

• IP address, browser type, device type, operating system, approximate location (derived from IP).
• Session cookies for authentication; preference cookies; no third-party advertising cookies.

Third-party sign-in data

• If you sign in with Google or LinkedIn, we receive your name, email, profile photo, and (for LinkedIn imports) work-experience data you explicitly authorize. We do not receive your password.

• Service delivery: matching you with jobs, generating AI insights, tracking applications.
• Personalization: ranking matches against your profile, surfacing relevant employers.
• Communications: account notifications, job alerts (opt-in), product updates.
• Service improvement: aggregated analytics, fraud prevention, debugging.
• Legal compliance: tax records, responding to lawful requests.

We do not sell your personal data. We do not use your data for third-party advertising or behavioral targeting.

For users in the EEA, UK, and Switzerland, our legal bases for processing are:

• Contract: to provide the Service you signed up for (account, matching, applications).
• Consent: for marketing emails, optional features (e.g., LinkedIn import). You may withdraw consent anytime.
• Legitimate interest: to operate, secure, and improve the Service.
• Legal obligation: tax, accounting, and lawful-request compliance.

AI features (CV review, career diagnosis, LinkedIn optimizer, AI coaching, top matches, match scoring) are powered by Groq Inc. running open-weight Llama models. When you use these features:

• The relevant portion of your profile (e.g., CV text, job description, chat message) is sent to Groq for inference.
• Groq processes the request and returns a response. Per Groq's policy, prompts and outputs are not used to train models.
• We store the AI output linked to your account so you can review it later (e.g., diagnosis results, chat history).
• You can delete AI-generated content at any time from your settings.

AI output is generated probabilistically and may contain inaccuracies. Treat it as informational only — see the Terms of Service for full AI disclaimers.

We share your data only with essential service providers under contractual data-protection obligations:

• Neon — PostgreSQL database hosting (your profile, applications, AI history).
• Vercel — application hosting and edge delivery.
• Groq — AI inference (see Section 5).
• Stripe — payment processing for Pro subscriptions (we never see your card details).
• Mailgun — transactional email delivery (welcome, password reset, alerts).
• Google & LinkedIn — OAuth sign-in (if you choose to use them).

Additionally, when you click Applyon a job, you are redirected to the employer's applicant-tracking system (Greenhouse, Lever, Ashby, etc.). Data you submit on those sites is governed by their privacy policies — we are not involved.

• Active accounts: we retain your data while your account is active.
• Deleted accounts: we delete your profile, CV, and AI history within 30 days, except where retention is required by law (e.g., tax records for 5–10 years).
• Inactive accounts: if you don't sign in for 24 months, we send a reactivation email; if there's no response within 30 days, the account is deleted.
• Application logs: de-identified after 90 days; aggregated analytics kept indefinitely.
• Email logs: kept for 1 year for deliverability debugging.

We protect your data with:

• Encryption in transit: all traffic over HTTPS/TLS 1.3.
• Encryption at rest: database and file storage are encrypted.
• Password hashing: bcrypt with strong salting (we never store plaintext passwords).
• Access controls: least-privilege internal access, audit logs, MFA for staff.
• Apply-URL hardening: destination ATS URLs are accessed only via a server-side auth-gated redirect — they never reach client-side JavaScript or analytics.

No system is perfectly secure. Report suspected vulnerabilities to security@buzz2remote.com.

Depending on your jurisdiction (GDPR, CCPA, etc.), you may have the following rights:

• Access: request a copy of your data.
• Rectification: correct inaccurate data (or do it yourself in profile settings).
• Erasure: delete your account and associated data.
• Restriction: limit how we process your data.
• Portability: export your profile and CV in a machine-readable format.
• Objection: opt out of marketing emails, legitimate-interest processing.
• Withdraw consent: revoke consent for optional features at any time.
• Lodge a complaint: contact your local data-protection authority.

Exercise these rights from your account settings or email privacy@buzz2remote.com. We respond within 30 days.

We use a minimal cookie set:

• Strictly necessary: session cookies (authentication), CSRF protection.
• Preferences: remembering your filter settings, theme.
• No third-party advertising or behavioral-tracking cookies.

You can clear cookies through your browser, but doing so will sign you out.

Our infrastructure spans multiple regions. Your data may be processed in the United States (Vercel, Neon, Groq) and the European Union. Transfers from the EEA, UK, or Switzerland rely on Standard Contractual Clauses approved by the European Commission.

Buzz2Remote is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with data, contact us at privacy@buzz2remote.com and we will delete it.

We may update this Privacy Policy from time to time. Material changes will be announced via email or in-app notification at least 14 days before they take effect. The "Last updated" date at the top reflects the current version. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

For privacy questions, data-rights requests, or to reach our Data Protection Officer:

• Email: privacy@buzz2remote.com
• General contact: hello@buzz2remote.com
• Security: security@buzz2remote.com

See also our Terms of Service and contact page.