Privacy policy
Effective date: [DATE TO BE SET ON PUBLICATION]
Last updated: 27 May 2026
This Privacy Policy explains how GhostBreakers (the "Service", "we", "us", or "our"), operated by [Company Legal Name, registered in [Jurisdiction] under company number [REG. NO.], with registered office at [Address]] (the "Controller"), collects, uses, shares, and protects personal data about you ("you", "User") when you visit ghostbreakers.ai, create an account, upload information, purchase tokens, or instruct our automated job-application bot ("Bot") to act on your behalf.
We have written this policy to be both legally precise and humanly readable. If anything is unclear, contact us at privacy@ghostbreakers.ai before you continue using the Service.
Plain-English summary (not a substitute for the rest of this policy). You give us a profile and CV. We use it to fill in public job-application forms on your behalf, using only the data you provide. We never log in to job-portal accounts on your behalf. We share data with the categories of third-party processors listed in section 5 — including cloud-hosting, payment-processing, AI/LLM inference, browser-automation, file-storage, and email-delivery providers — strictly to deliver the Service. We keep your data for as long as your account is active and delete it on request, subject to the legal-retention exceptions in section 8. You have the full set of GDPR rights, exercisable at privacy@ghostbreakers.ai.
1 Who this policy applies to
This policy applies to visitors to ghostbreakers.ai and any subdomain operated by us; registered users of the Service, including users in trial, beta, and paid tiers; and individuals who contact us by email, support form, or social channels.
It does not apply to third-party websites the Bot interacts with on your behalf (for example, employer career pages and applicant-tracking systems) — those sites are operated by independent controllers, and their privacy notices govern any data they collect from your application submission. It also does not apply to operator-only internal tooling, which is not exposed to end users and processes only operator-authenticated traffic.
2 The data we collect
We collect the categories of personal data set out in this section. We collect only what is necessary to deliver the Service.
2.1 Data you provide directly
Account data — email address; password hash (if you sign in with email and password) or federated-sign-in subject ID; display name. Used to authenticate you and secure your account.
Profile data — first and last name; phone number; postal address; nationality; work-authorisation status; languages; education; work history; skills. Used to populate application forms on your behalf.
CV or résumé — uploaded PDF or DOCX file, attached to your applications.
Cover-letter content — free-text or AI-generated drafts you accept, attached to your applications.
STAR stories — up to three behavioural answers you write or co-write with our chat assistant ("Sven"), used to pre-fill applicant-tracking-system open-ended questions.
Job-search criteria — target roles, geographies, salary expectations, contract type, remote preferences. Used to select listings the Bot may apply to.
Conversation history — messages exchanged with Sven and Sven's responses, used to operate the conversational flow and to debug issues.
Payment metadata — payment-processor checkout-session IDs, token-pack purchases, invoice history. Used to process purchases and comply with tax law.
2.2 Data we generate about your activity
Token balance and ledger — tokens purchased, spent, refunded.
Application logs — job-listing URL, employer, role title, timestamp, success or failure, redacted form payload.
Bot-run telemetry — run ID, duration, exit reason, and screenshots of the rendered application page (kept for 30 days for debugging; see section 8).
Notifications — in-app and email notifications addressed to you, including delivery status.
Application-form events — field-fill events, CAPTCHA challenges encountered, applicant-tracking system detected.
Issue reports — reports you submit about a failed or incorrect application.
2.3 Data we collect automatically
Device and connection — IP address; user-agent; approximate geolocation derived from IP; referring URL.
Cookies and similar technologies — session cookies (essential); analytics cookies (only with consent — see section 6).
Server logs — HTTP request metadata and error stack traces.
2.4 Special-category data
We do not ask you for special-category data within the meaning of Article 9 GDPR: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data used to uniquely identify a person, health data, and data concerning sex life or sexual orientation. A CV you upload may nevertheless contain such information incidentally (for example, a photograph may reveal ethnicity, or a volunteer role may reveal religion). To the extent your CV contains such data, you provide explicit consent (Article 9(2)(a) GDPR) for us to process it solely for the purpose of submitting it as part of your application.
You can ask us to redact specific information from your stored profile at any time.
2.5 Children
The Service is not directed at, and we do not knowingly collect personal data from, persons under the age of 16. If you believe a minor has provided us data, contact privacy@ghostbreakers.ai and we will delete it.
3 How we use your data, and our legal basis
We process your personal data on the following legal bases (Article 6 GDPR, and Article 9 where special-category data is involved):
To create and operate your account — performance of a contract (Art. 6(1)(b)).
To submit job applications on your behalf at your express instruction — performance of a contract (Art. 6(1)(b)); for any special-category data inside your CV, explicit consent (Art. 9(2)(a)).
To process token purchases and issue invoices — performance of a contract and compliance with tax obligations (Art. 6(1)(b) and (c)).
To operate the Sven conversational assistant — performance of a contract (Art. 6(1)(b)).
To detect and prevent abuse, fraud, and automated misuse of the Bot — legitimate interests (Art. 6(1)(f)) in protecting the Service, our infrastructure, and third-party recipients of applications.
To send transactional emails (run summaries, billing receipts) — performance of a contract (Art. 6(1)(b)).
To send product or marketing emails — consent (Art. 6(1)(a)), revocable at any time.
To analyse aggregate usage to improve the Service — legitimate interests (Art. 6(1)(f)); data is aggregated and not used to make decisions about you individually.
To comply with legal obligations and respond to lawful requests — legal obligation (Art. 6(1)(c)).
3.1 Automated decision-making
Our Bot performs automated processing when it decides whether a given job listing is a match for your criteria, whether a given application form is fillable, and whether to submit it. This automation is the Service you contracted us to deliver.
We do not use automated decision-making that produces legal or similarly significant effects about you within the meaning of Article 22 GDPR. The Bot does not screen candidates, score résumés, or make hiring decisions; those happen entirely on the receiving employer's side, outside our control.
4 How the Bot acts on your behalf
When you authorise a run, the Bot reads your stored profile, CV, cover letter, and STAR stories and selects job listings that match the criteria you set. For each listing it opens the public application page in a managed browser operated through our headless-browser-automation provider and fills the form fields with the data from your profile, in the same way you would yourself. If a CAPTCHA challenge blocks submission, the Bot passes only that challenge payload to our CAPTCHA-handling provider, and does so only where this is lawful and the listing publisher has not contractually forbidden automated form completion. It then submits the form.
The Bot never logs in. Listings that require authentication, account creation, or account-linked third-party login are detected and skipped. We do not capture or store credentials for third-party sites on your behalf.
Your data is transmitted to the receiving employer's application system as if you had submitted the form manually. From the moment the form is submitted, the employer (and any applicant-tracking-system provider they use) becomes an independent data controller of the data you submitted, and their privacy notice governs.
5 Who we share data with
We share personal data only with the categories of recipients below, and only for the purposes described.
5.1 Categories of sub-processors
To deliver the Service, we engage sub-processors in the following categories. We disclose categories, rather than vendor names, in this public policy in order to protect the technical confidentiality of the Service. The detailed, vendor-level list is available on request, as described in section 5.2.
Cloud-application hosting — runs our backend services, worker queues, and scheduled jobs. Typically located in the EU and/or USA, depending on region. Transfers are covered by Standard Contractual Clauses (SCCs); EU region preferred where available.
Managed database — stores structured account, profile, and application-log data. Located in the EU; processing governed by the provider's Data Processing Agreement.
Cloud object storage — stores CVs and uploaded documents. Located in the EU or on a global edge network. Transfers covered by SCCs; encryption at rest.
AI / large-language-model inference — powers the Sven conversational assistant and AI-assisted drafting (cover letters, STAR stories). Typically located in the USA, with EU routing where available. Transfers covered by SCCs; API content is not used by the provider to train its models.
Headless-browser automation — opens public application pages and executes the Bot's fill-and-submit flow. Typically located in the EU or USA. Transfers covered by SCCs.
CAPTCHA-handling provider — handles CAPTCHA challenges encountered on application forms. Typically located in the EU or USA. Transfers covered by SCCs; only the specific challenge payload is transmitted.
Payment processor — processes token purchases, issues invoices, manages tax. Located in the EU. Intra-EU processing; SCCs for any onward transfer.
Transactional email delivery — sends run summaries, billing receipts, and account notifications. Typically located in the EU or USA. Transfers covered by SCCs.
Job-listing data provider — supplies the pool of job listings the Bot may apply to. We send your search criteria; we receive listings. Typically located in the EU or USA. Provider Data Processing Agreement in place; only your search criteria are transmitted.
Authentication, identity, and address-autocomplete providers — optional federated sign-in (OAuth 2.0 / OpenID Connect with an external identity provider) and address autocomplete. Located in the EU.
5.2 Detailed sub-processor list
A current, vendor-level list of our sub-processors is maintained internally. It is available on request to privacy@ghostbreakers.ai to any registered user, for the purpose of exercising your data-protection rights or evaluating the safeguards in place, and in the same manner to competent supervisory authorities, business customers, and counsel acting on behalf of a registered user.
We treat the detailed list as commercially confidential. By requesting it you agree to use it solely for the purpose of evaluating our processing activities and not to redistribute it. This does not affect any right you have to be informed of recipient categories or transfer safeguards, which are set out fully in section 5.1.
We will give at least 30 days' notice to registered users before adding a new sub-processor that materially affects how your personal data is processed, so that you can object or close your account before the change takes effect. Where you have subscribed to sub-processor change notifications, those notices will be delivered by email.
5.3 Recipients of your applications
When the Bot submits an application on your behalf, the recipient employer (and any applicant-tracking system the employer uses) receives the personal data you included in the application. These recipients are independent controllers. Their handling of your data is governed by their own privacy notices, which we cannot vary.
5.4 Legal disclosures
We may disclose personal data when we are required to do so by law, when responding to lawful requests from public authorities (including for national-security or law-enforcement purposes), when necessary to protect the rights, property, or safety of GhostBreakers, our users, or others, or in connection with a corporate transaction (merger, acquisition, asset sale) — in which case we will give you advance notice and an opportunity to delete your account before any transfer.
5.5 We do not sell your personal data
We do not, and will not, sell your personal data to third parties. We do not share your personal data with advertisers, data brokers, or analytics firms beyond the strictly limited, consent-based analytics described in section 6.
6 Cookies and similar technologies
We use the following cookies:
Essential — authentication session, CSRF protection, and checkout state with our payment processor. Strictly necessary; no consent required.
Functional — remember UI preferences such as theme and language. Used only with your consent.
Analytics — aggregate, IP-truncated usage statistics. Used only with your consent.
Marketing — not currently used; would require consent if enabled in future.
You can manage non-essential cookies via the cookie banner shown on first visit, and at any time via ghostbreakers.ai/cookies.
7 International data transfers
Some of our sub-processors are established outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we rely on adequacy decisions issued by the European Commission, where one applies (for example, the EU–US Data Privacy Framework for participating US providers); Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), supplemented by technical and organisational measures such as encryption in transit and at rest, access controls, and logging; or your explicit consent for occasional, specific transfers where neither of the above applies.
You can request a copy of the SCCs in place for any specific transfer by emailing privacy@ghostbreakers.ai.
8 How long we keep your data
Account data — for as long as your account is active; deleted within 30 days of account closure.
Profile, CV, cover letters, STAR stories — for as long as your account is active; deleted within 30 days of account closure or on your erasure request.
Application logs (employer name, listing URL, outcome) — 24 months from submission, then anonymised for aggregate analytics.
Bot-run screenshots and debug captures — 30 days, then deleted.
Sven conversation history — 12 months from last message, then deleted or anonymised.
Payment and invoice records — 7 years (statutory tax-retention period in [Jurisdiction]).
Server access logs — 90 days.
Backups — 30 days rolling. Once data has been deleted from active systems under the periods above, it is purged from backups within a further 30 days.
We may retain personal data for longer than the periods above where required by law, or where reasonably necessary to establish, exercise, or defend legal claims.
9 Your rights
If you are in the EEA, the United Kingdom, or Switzerland, you have the following rights in respect of your personal data:
Right of access (Art. 15 GDPR) — obtain a copy of the personal data we hold about you.
Right to rectification (Art. 16) — have inaccurate or incomplete data corrected.
Right to erasure (Art. 17) — have your personal data deleted, subject to the exceptions in Art. 17(3).
Right to restriction (Art. 18) — have processing of your data restricted in defined circumstances.
Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format, or have it transmitted to another controller where technically feasible.
Right to object (Art. 21) — object to processing based on legitimate interests, including profiling.
Right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Art. 22). See section 3.1.
Right to withdraw consent at any time, where processing is based on consent, without affecting the lawfulness of processing before withdrawal.
Right to lodge a complaint with your local supervisory authority. For the EU/EEA, see edpb.europa.eu; for the UK, the Information Commissioner's Office at ico.org.uk. Our lead supervisory authority is [Lead SA — e.g. ANSPDCP (Romania)].
To exercise any of these rights, email privacy@ghostbreakers.ai. We respond within one month of receiving a verifiable request (extendable by up to two further months for complex or numerous requests, in which case we will tell you within the first month, per Art. 12(3) GDPR).
We do not charge a fee for exercising your rights, except where a request is manifestly unfounded or excessive (in which case we may charge a reasonable administrative fee or refuse the request, per Art. 12(5) GDPR).
10 Security
We protect your personal data with technical and organisational measures that include:
TLS 1.2 or higher for all network traffic to and from the Service.
Encryption at rest for uploaded documents and for the production database.
Per-user encryption of sensitive credential material (such as email-alias inbox secrets).
Role-based access control for staff, applying the principle of least privilege.
Mandatory two-factor authentication for staff accounts that can access production systems.
Centralised logging and anomaly detection on production infrastructure.
Periodic backups, tested restoration, and documented incident-response procedures.
Isolation of operator-only internal tooling from customer-facing code by an enforced repository-level boundary.
No system is perfectly secure. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of it, and notify affected users without undue delay where the risk is high (Art. 33 and 34 GDPR).
11 Data Protection Officer and contact
You can contact our Data Protection Officer at dpo@ghostbreakers.ai.
For all other privacy enquiries: privacy@ghostbreakers.ai.
Postal address: [Company Legal Name], [Address], [Country].
EU representative (where applicable, per Art. 27 GDPR): [Name, address, contact].
UK representative (where applicable, per UK GDPR Art. 27): [Name, address, contact].
12 Changes to this policy
We will update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top, maintain prior versions at ghostbreakers.ai/legal/privacy/history, and — for material changes (such as a new category of processing, a new sub-processor in a non-adequate country, or a change in legal basis) — notify you by email and, where required, request your renewed consent before the change takes effect.
Continued use of the Service after a non-material update constitutes acceptance of the updated policy.
13 Specific notices
13.1 California residents (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act. These largely mirror the GDPR rights above and include the right to know, the right to delete, the right to correct, the right to limit use of sensitive personal information, and the right to opt out of sale or sharing of personal information. We do not sell or share personal information within the meaning of the CCPA/CPRA.
To exercise CCPA/CPRA rights, email privacy@ghostbreakers.ai.
13.2 Users outside the EEA, UK, and California
We extend the substantive protections of this Privacy Policy to all users worldwide. Local mandatory law may grant you additional rights; contact us if you wish to invoke them.