Your data, your rules
Plain-English version of how we handle your information. Effective June 22, 2026.
Short version
We collect what's needed to run your job hunt — nothing more. We never sell your data. We never train AI on your content. Your Gmail OAuth has the minimum scope (gmail.send only, no inbox read). You can export or delete everything anytime. Aplyqk's use of Google user data follows the Google API Services User Data Policy, including the Limited Use requirements.
1. Who we are
Aplyqk (the "Service") is operated by Naga Jyothi Sundooru (sole proprietor), based in Bangalore, Karnataka, India (the "Operator", "we", "us"). You can reach us at support@aplyqk.com for general queries and privacy@aplyqk.com for privacy-specific requests.
This Privacy Policy describes how Aplyqk collects, uses, stores, shares, and protects information when you use https://aplyqk.com and related sub-domains.
2. Information we collect
Account information: full name, email address, hashed password (we never store plaintext), phone number (optional), country, IANA timezone, and date of account creation.
Profile information you provide: resume content (work history, education, skills, links), target roles, target locations, target company sizes, salary expectations, work authorization status, and custom branding (accent color).
Authentication data: when you sign in with Google, we receive your name, email address, and Google account ID. We do not request your contacts, calendar, Drive, or full Gmail inbox.
Gmail connector data (optional, only if you enable "Send via Aplyqk"): a Google OAuth refresh token with the limited scope https://www.googleapis.com/auth/gmail.send and read-only access to specific message threads you authorized. This token is encrypted at rest using AES-256-GCM.
Payment information: when you purchase a pass, our payment processor Razorpay collects and tokenizes your payment instrument (UPI ID, card details, netbanking, wallet). Aplyqk only stores the Razorpay order ID, payment ID, amount, currency, and status — NOT the underlying card number, CVV, or UPI PIN.
Technical information: IP address, browser type and version, operating system, device fingerprint hash, request paths visited, and timestamps. This is collected for fraud prevention, abuse detection, and aggregate analytics.
Communication metadata: when applications are sent through Aplyqk, we record the job ID, recipient employer email, send time, and message ID. We do not retain copies of the email body beyond 90 days.
3. How we use your information
To provide the Service: match you to jobs, tailor your resume per application, generate cover letters, send applications you authorize, and classify incoming reply emails.
To process payments: we transmit the minimum data required to Razorpay to create orders and verify webhooks. We do not see or store your raw payment credentials.
To communicate with you: account notifications, application reminders, billing receipts, pass-expiry warnings, and transactional product emails sent via Resend. You can opt out of non-essential emails from /dashboard/settings/notifications.
To improve and secure the Service: rate-limiting, abuse detection, error monitoring (Sentry), and aggregate usage analytics. None of this involves selling or sharing your personal data with advertisers.
To meet legal obligations: tax records (GST/income tax), responses to lawful government requests, fraud-prevention requirements, and dispute handling.
4. Google API Services User Data — Limited Use disclosure
Aplyqk's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically: (a) we use Google user data ONLY to provide or improve user-facing features of Aplyqk that are prominent in the application's UI; (b) we do NOT use Google user data to serve advertisements; (c) we do NOT transfer Google user data to third parties except as necessary to provide or improve user-facing features (e.g., generating an outbound email via the Gmail Send API), to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users; (d) we do NOT allow humans to read Google user data unless we have your explicit consent, it is necessary for security purposes, to comply with applicable law, or our use is limited to internal operations and the data has been aggregated and anonymized.
Scopes Aplyqk may request, with what each is used for:
• openid, email, profile — basic sign-in: associate your Aplyqk account with your Google identity.
• https://www.googleapis.com/auth/gmail.send — send job-application emails on your behalf, only after you click "Send via Aplyqk" on a specific application. Aplyqk does not read your inbox using this scope.
You can revoke Aplyqk's access at any time at https://myaccount.google.com/permissions. Revocation immediately disables the Gmail connector; existing sent emails remain in your Gmail Sent folder under your control.
5. AI processing of your content
Aplyqk uses Large Language Models hosted by third-party providers — Kimi (Moonshot AI), and may add Anthropic Claude, Google Gemini, or Groq in the future — to score job matches, tailor resumes, and draft application emails.
When a request requires LLM processing, the minimum necessary content (your resume snippet, the job description, the target role) is transmitted to the provider per request and the response is returned. We do not retain copies of LLM requests beyond the operational logs required for debugging (purged within 30 days).
Aplyqk has commercial agreements with these providers that prohibit training models on customer content. We never share your resume or job data outside these per-request inference calls.
6. Sharing of information
We share data with the following sub-processors strictly to provide the Service: Razorpay (payment processing, India), Resend (transactional email delivery), Moonshot AI / future LLM providers (inference only, per-request, no retention), Hetzner Online GmbH (server hosting, Falkenstein, Germany), Sentry (error monitoring), and GitHub (source code hosting, not user data).
We do NOT sell your personal information to anyone. We do NOT share it with advertisers. We do NOT trade it with data brokers.
We may disclose information when required by law, valid court order, or to defend our legal rights — and we will notify you unless prohibited from doing so.
7. Where your data is stored
Primary database (Postgres) and application servers are hosted on Hetzner Online GmbH infrastructure in Falkenstein, Germany. Backups are encrypted and retained for 30 days within the same provider.
All data at rest is encrypted using AES-256. All data in transit uses TLS 1.2 or higher. OAuth refresh tokens and other secrets are additionally encrypted at the application layer using AES-256-GCM with keys held only by the running service (never in source control).
If you are based outside Germany, your data is transferred to and processed in Germany. We rely on Standard Contractual Clauses where applicable.
8. Data retention
Active accounts: data is retained for as long as your account is active.
Inactive accounts (no login for 12 months): we send a warning email, then delete the account if you don't reactivate within 30 days.
Cancelled or deleted accounts: data is retained for 7 days in a soft-deleted state to allow reactivation, then permanently purged.
Email sending records: 90 days. Operational logs: 30 days. Payment records: 8 years (tax compliance requirement in India).
Backups: 30 days.
9. Your rights
Right to access: you can view all your stored data on /dashboard/settings.
Right to export: contact privacy@aplyqk.com to receive a machine-readable copy of your data within 30 days.
Right to correction: you can edit profile and resume data directly in the dashboard.
Right to deletion: delete your account from /dashboard/settings/danger-zone. The deletion is permanent and takes effect within 7 days.
Right to revoke Google access: visit https://myaccount.google.com/permissions and remove Aplyqk.
Right to opt out of non-essential emails: from /dashboard/settings/notifications.
If you are an EU/EEA resident, you also have the right to restrict processing, object to processing, and lodge a complaint with your local Data Protection Authority. We respond to verifiable requests within 30 days.
If you are a California resident under CCPA, you have the right to know, delete, and not be discriminated against for exercising your rights. We do not sell personal information.
If you are an Indian resident under the Digital Personal Data Protection Act, 2023, you have the right to access, correct, complete, update, and erase your personal data. You may also nominate another person to exercise these rights on your behalf.
10. Cookies and tracking
We use only first-party cookies required for authentication and session management (the `aplyqk_session` cookie that pairs with your JWT). These are essential — without them, you cannot stay logged in.
We do not currently use third-party analytics, advertising trackers, retargeting pixels, or session-replay tools. If we adopt any in future we will update this policy and obtain consent where required.
11. Security
Passwords are hashed using bcrypt with a per-password salt. We do not have access to your plaintext password and cannot recover it — only reset it.
JWT access tokens expire within ~30 minutes; refresh tokens expire within 30 days. Compromised tokens can be revoked from /dashboard/settings.
We monitor for unusual sign-in patterns, brute-force attempts, and credential-stuffing using rate limits and abuse heuristics.
Despite our best efforts, no internet transmission or electronic storage is 100% secure. If we ever experience a personal-data breach, we will notify affected users within 72 hours of confirmation, as required by applicable law.
12. Children
Aplyqk is not directed at individuals under 18. We do not knowingly collect data from minors. If you become aware that a minor has provided personal data, contact privacy@aplyqk.com and we will delete the account.
13. Changes to this policy
We may update this Privacy Policy as the Service evolves. Material changes will be announced via in-app notice and email to all active users at least 14 days before the changes take effect. The "Last updated" date at the bottom of this page indicates the most recent revision.
14. Contact
Privacy questions, data-export or deletion requests, or any concern about this policy: privacy@aplyqk.com.
General support: support@aplyqk.com.
Postal: Naga Jyothi Sundooru, Bangalore, Karnataka, India. (For a precise address, contact support — we share it on request to verified parties.)
Owner & Data Protection Officer: Naga Jyothi Sundooru.
We respond to all verified privacy requests within 30 days.
Effective date: June 22, 2026
Last updated: June 22, 2026