Legal

Privacy Policy

Last updated: 14 May 2026 · Version v1.1

1. Who we are

The Next Job (thenextjob.app) is the data controller responsible for your personal data. If you have any questions about this policy or how we handle your data, contact us at hello@thenextjob.app.

2. What data we collect and why

We only collect data necessary for the service we provide (data minimisation, GDPR Art. 5(1)(c)). The data we collect depends on how you use the service.

Account and identity data

| Data | Purpose | Legal basis |
| --- | --- | --- |
| Email address | Account creation, transactional notifications (order status, billing, account management) | Performance of contract (Art. 6(1)(b)) |
| Name and profile picture | Sourced from your OAuth provider (Google or GitHub) for display in the dashboard | Performance of contract (Art. 6(1)(b)) |
| OAuth tokens | Used internally by NextAuth to maintain your session; never exposed or shared | Performance of contract (Art. 6(1)(b)) |
| Language and country preference | To deliver the interface in your preferred language and region | Performance of contract (Art. 6(1)(b)) |
| Marketing consent flag + timestamp | To send product updates and founder communications – only if you opt in | Explicit consent (Art. 6(1)(a)) |

Job application data (core service)

| Data | Purpose | Legal basis |
| --- | --- | --- |
| Your CV / résumé (uploaded file) | Parsed and stored securely so the AI pipeline can tailor it to each role you apply for. Your original is never modified. | Performance of contract (Art. 6(1)(b)) |
| Job descriptions you paste | Analysed to identify keywords, required skills, seniority, and role-specific priorities | Performance of contract (Art. 6(1)(b)) |
| AI-generated content (tailored CVs, cover letters, gap analysis, interview prep) | Generated per application and stored so you can access, compare, and download your results | Performance of contract (Art. 6(1)(b)) |
| Target role, company name, job location | Stored per order to organise your application history | Performance of contract (Art. 6(1)(b)) |

Billing data

| Data | Purpose | Legal basis |
| --- | --- | --- |
| Stripe customer ID and subscription metadata | To manage your subscription, process payments, and handle billing events | Performance of contract (Art. 6(1)(b)) |
| Withdrawal waiver consent (EU only) | For subscribers who waive the 14-day right of withdrawal under EU Directive 2011/83/EU to access the service immediately; recorded with anonymised IP and timestamp | Legal obligation (Art. 6(1)(c)) |

Usage and error data

| Data | Purpose | Legal basis |
| --- | --- | --- |
| Page views and custom events (Vercel Analytics – cookieless) | To understand how the service is used. No cookies are set; Vercel uses a privacy-preserving hashed fingerprint that is not linked to your account. | Legitimate interest (Art. 6(1)(f)) – improving the service |
| Error reports and session recordings (Sentry) | To diagnose crashes and bugs. 5% of sessions and 100% of sessions where an error occurs are recorded. Recordings are stored on Sentry's EU infrastructure and automatically expire. | Legitimate interest (Art. 6(1)(f)) – maintaining service reliability |

3. AI processing – how your CV and job description data is used

When you submit a job application through The Next Job, your CV content and the job description you paste are sent to Anthropic (maker of Claude AI) via their API to generate your tailored CV, cover letter, gap analysis, and interview preparation. This is the core function of the service.

Anthropic processes this data as a data processor acting on our instructions. They do not use your data to train their models. Their Data Processing Agreement and privacy commitments are available at anthropic.com/legal/privacy.

Your CV may contain sensitive personal data (name, address, employment history). By using the service you consent to this data being processed by Anthropic solely for the purpose of generating your application materials.

4. What we do not collect

  • We do not use tracking cookies or advertising pixels.
  • We do not collect your IP address for profiling (IP is anonymised before being stored in consent records – last octet zeroed for IPv4, truncated to /64 for IPv6).
  • We do not share or sell your data to third parties for marketing purposes.
  • We do not use your CV or job description data to train any AI model.

5. How long we keep your data

| Data | Retention period |
| --- | --- |
| Account data (email, name, preferences) | Until you delete your account, then immediately anonymised |
| CV file and generated documents | Until you delete your account; hard-deleted from storage within 30 days of account deletion request |
| Order history and job descriptions | Until you delete your account; associated user link removed within 30 days of deletion request |
| Billing records (Stripe) | 7 years minimum for tax and accounting compliance |
| Waitlist email and marketing consent | Until you unsubscribe, or 12 months after public launch – whichever comes first |
| Consent records (withdrawal waiver, marketing consent) | Retained as evidence for the duration required by the applicable legal obligation |
| Sentry error recordings | Automatically expire per Sentry's data retention policy (typically 30–90 days) |

When you request account deletion, your personal data is immediately anonymised (name, email, and profile picture removed; active sessions revoked). Your CV file and generated documents are permanently deleted from storage within 30 days. You will receive a confirmation email when deletion is complete.

You can request deletion at any time from your account settings or by emailing hello@thenextjob.app.

6. Your rights under GDPR

If you are based in the European Economic Area (EEA) or the United Kingdom, you have the following rights:

  • Access – request a copy of the personal data we hold about you. Use the “Download your data” button in your account settings for an immediate JSON export.
  • Rectification – ask us to correct inaccurate data.
  • Erasure – delete your account from settings, or email us. See Section 5 for timelines.
  • Restriction – ask us to stop processing your data temporarily.
  • Portability – receive your data in a structured, machine-readable format (available via the data export feature).
  • Objection – object to processing based on legitimate interests (analytics, error monitoring).
  • Withdraw consent – for marketing emails, click unsubscribe in any email or contact us directly. For AI processing of your CV data, you can stop using the core service at any time and request deletion of your data.

To exercise any of these rights, email hello@thenextjob.app. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority (in Portugal: CNPD).

7. Third-party processors

We use the following sub-processors to deliver the service. Each operates under a Data Processing Agreement (DPA) or equivalent legal mechanism and processes your data only on our documented instructions.

| Vendor | Purpose | Data processed | Data location |
| --- | --- | --- | --- |
| Supabase (AWS) | Primary database – stores account, subscription, order, and consent data | All account and application data | EU (Frankfurt, AWS eu-central-1) |
| Railway | API and background worker hosting – runs the FastAPI backend and Celery tasks | All API request data | EU region |
| Cloudflare R2 | File storage – stores your uploaded CV and AI-generated DOCX/PDF documents | CV files and generated documents | EU region |
| Anthropic | AI processing – generates tailored CVs, cover letters, gap analysis, and interview prep from your CV and job description | CV content and job descriptions | USA (processed under DPA / SCCs) |
| Stripe | Payment processing and subscription management | Billing and payment metadata (no full card numbers stored by us) | USA (processed under EU SCCs) |
| Resend | Transactional email – sends order notifications, billing emails, and account management emails | Email address and email content | EU-compliant (AWS) |
| Vercel | Frontend hosting and edge functions for the Next.js web application | Page view data (cookieless, privacy-preserving) | EU Edge Network |
| Sentry | Error monitoring and session replay for debugging crashes and bugs | Error data, anonymised session recordings (5% of sessions; 100% on error) | EU (ingest.de.sentry.io) |
| Google | OAuth authentication provider (sign in with Google) | OAuth tokens and basic profile (email, name, picture) | Google Privacy Policy applies |
| GitHub | OAuth authentication provider (sign in with GitHub) | OAuth tokens and basic profile (email, name, picture) | GitHub Privacy Policy applies |

8. International transfers

Some sub-processors (Anthropic, Stripe) are based in the United States. Data transfers to these processors are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring adequate protection for data transferred outside the EEA. All other processors operate within the EU or on EU-region infrastructure.

9. Security

We implement appropriate technical and organisational measures to protect your data, including encrypted connections (TLS), access controls, row-level security on our database, and short-lived authentication tokens. Your uploaded CV is stored in an isolated, access-controlled bucket and is never publicly accessible.

No method of transmission over the internet is 100% secure. If you believe your data has been compromised, contact us immediately at hello@thenextjob.app.

10. Cookies

We use only essential cookies required for the service to function:

  • Session cookie – set by NextAuth to maintain your login session. Required for authentication. Expires when you sign out or after 30 days of inactivity.
  • Language preference cookie – stores your chosen language. Expires after 1 year.

We do not use advertising cookies, third-party tracking cookies, or analytics cookies. Vercel Analytics is cookieless and does not set any cookies.

11. Changes to this policy

We may update this policy as the service evolves. When we make material changes, we will notify registered users by email and update the version number and date at the top of this page. Continued use of the service after changes constitutes acceptance of the updated policy.

12. Contact

For any privacy-related questions or to exercise your rights:

The Next Job
Email: hello@thenextjob.app