Privacy Policy

1. What Information We Collect

1.1 Information You Provide

When you create an account and use our services, you provide us with:

• Account Information: Name, email address, password, location (country/city)
• Profile Information: Career goals, job preferences, skills, experience, education
• CV/Resume Data: Work history, qualifications, achievements, references
• Application Content: Cover letters, job applications, career documents
• Payment Information: Billing details (processed securely by Stripe, we don't store full card numbers)
• Communication Data: Messages you send to our support team
• Feedback: Surveys, reviews, and other feedback you provide

1.2 Information Collected Automatically

When you use our services, we automatically collect:

• Usage Data: Features used, actions taken, time spent, pages viewed
• Device Information: Browser type, operating system, device type, screen resolution
• Log Data: IP address, access times, referring URLs, error logs
• Location Data: Approximate location based on IP address
• Cookies & Tracking: See our Cookie Policy for details

1.3 Information from Third Parties

We may receive information from:

• Payment Processors: Transaction confirmations from Stripe
• Analytics Providers: Usage analytics from Google Analytics
• Social Media: If you choose to connect social accounts (future feature)
• Job Boards: Public job listings we display to you

2. How We Use Your Information

We use your information for the following purposes:

2.1 Provide Services

• Create and manage your account
• Match you with relevant job opportunities
• Generate AI-powered CV optimizations and cover letters
• Track your job applications and provide analytics
• Process payments and manage subscriptions
• Provide customer support

2.2 Improve Our Services

• Analyze usage patterns to enhance user experience
• Train and improve our AI models (using anonymized data only)
• Fix bugs and technical issues
• Conduct research and development
• Test new features (A/B testing)

2.3 Communicate with You

• Send service updates and notifications
• Respond to your inquiries and support requests
• Send marketing communications (with your consent)
• Notify you of new features and improvements
• Send usage limit reminders and upgrade prompts

2.4 Legal and Safety

• Comply with legal obligations and court orders
• Enforce our Terms of Service
• Prevent fraud, abuse, and security threats
• Protect the rights and safety of users
• Resolve disputes

2.5 Legal Basis (GDPR)

For users in the EU/EEA, we process your data based on:

• Contract Performance: To provide the services you signed up for
• Consent: For marketing communications and optional features
• Legitimate Interests: To improve our services, prevent fraud, and ensure security
• Legal Obligations: To comply with applicable laws

3. How We Share Your Information

We do not sell your personal information. We share data only in the following circumstances:

3.1 Service Providers

We share data with trusted third-party service providers who help us operate the Service:

• Cloud Infrastructure: Secure data storage and hosting
• Payment Processing: Secure payment and billing services
• AI Services: Artificial intelligence and natural language processing
• Analytics: Usage analytics and performance monitoring
• Communication: Email and notification services

Note: All service providers are bound by strict confidentiality agreements and can only use your data to provide services to us. A complete list of processors is available upon request at privacy@xpani.com.

3.2 Family Plan Members

If you're part of a Family Plan, the plan administrator can see:

• Family member names and email addresses
• Subscription status
• Usage statistics (aggregated only)

Plan administrators cannot see your CV content, cover letters, or application details.

3.3 Legal Requirements

We may disclose your information if required by law:

• In response to court orders, subpoenas, or legal processes
• To comply with government requests
• To enforce our Terms of Service
• To protect our rights, property, or safety
• To prevent fraud or illegal activity
• To protect user safety in emergency situations

3.4 Business Transfers

If Xpani AI is acquired, merged, or sells assets, your information may be transferred to the new owner. We will notify you before your information is transferred and becomes subject to a different privacy policy.

3.5 With Your Consent

We may share your information for other purposes with your explicit consent, such as:

• Sharing your profile with employers (if you enable this feature)
• Integrating with third-party career tools (future features)
• Participating in case studies or testimonials

4. AI and Machine Learning

4.1 AI Processing

• Third-Party AI Services: We use enterprise-grade AI service providers to analyze and generate content
• Data Sent: Your CV content, job descriptions, and application text are sent to our AI providers for processing
• Provider Usage: AI providers process this data to provide responses but do not use it to train their own models or for advertising purposes
• Temporary Processing: Data is processed in real-time and not permanently stored by AI providers
• Encryption: All data transmission to AI providers is encrypted using industry-standard protocols
• Data Processing Agreements: All AI providers are bound by strict data processing agreements that limit how they can use your data

4.2 Model Training

We may use anonymized, aggregated data to improve our own AI models:

• All personally identifiable information is removed before analysis
• Data is aggregated with data from thousands of users
• Individual CVs or applications cannot be reconstructed from anonymized data
• You can opt out of contributing to model improvement by contacting privacy@xpani.com

4.3 AI Limitations

Please remember:

• AI suggestions may contain errors or inaccuracies
• AI cannot guarantee employment outcomes
• You should always review and verify AI-generated content
• AI may reflect biases present in training data
• AI should supplement, not replace, your professional judgment

5. Data Security

We implement industry-standard security measures to protect your data:

5.1 Technical Safeguards

• Encryption: All data is encrypted in transit (TLS/SSL) and at rest (AES-256)
• Secure Hosting: Data stored on AWS servers with enterprise-grade security
• Access Controls: Strict role-based access for employees
• Password Protection: Passwords are hashed using bcrypt
• Regular Backups: Automated backups with encryption
• Security Monitoring: 24/7 monitoring for threats and anomalies

5.2 Organizational Safeguards

• Employee training on data protection
• Confidentiality agreements for all staff
• Regular security audits and assessments
• Incident response procedures
• Limited data access on need-to-know basis

5.3 Your Responsibility

Security is a shared responsibility. Please:

• Use a strong, unique password
• Enable two-factor authentication (when available)
• Keep your login credentials confidential
• Log out of shared devices
• Report suspicious activity immediately

5.4 Data Breach Notification

In the unlikely event of a data breach affecting your personal information, we will:

• Notify affected users within 72 hours
• Report to relevant authorities as required by law
• Provide details about the breach and affected data
• Offer guidance on protective measures
• Take immediate action to secure systems

6. Your Privacy Rights

You have the following rights regarding your personal data:

6.1 Access

You can request a copy of all personal data we hold about you. We will provide it in a structured, machine-readable format (JSON/CSV).

6.2 Correction

You can update your account information at any time through your account settings. For data you cannot update yourself, contact us at privacy@xpani.com.

6.3 Deletion

You can delete your account and all associated data:

• Through account settings: Settings → Delete Account
• By emailing: privacy@xpani.com
• Data deleted within 30 days from active systems
• Backup copies deleted within 90 days
• Some data retained for legal/accounting purposes (6 years)

6.4 Portability

You can export your data in machine-readable format (JSON) through account settings or by requesting it from privacy@xpani.com.

6.5 Object to Processing

You can object to certain types of processing:

• Marketing: Unsubscribe from emails via the link in any email
• Analytics: Opt out of Google Analytics via browser settings
• AI Training: Opt out by emailing privacy@xpani.com

6.6 Restrict Processing

You can request we limit how we use your data while we investigate a concern or dispute.

6.7 Withdraw Consent

Where we process data based on consent, you can withdraw consent at any time. This doesn't affect processing that occurred before withdrawal.

6.8 Lodge a Complaint

You have the right to lodge a complaint with your local data protection authority:

• EU/EEA: Your local Data Protection Authority
• South Africa: Information Regulator (POPIA)
• UK: Information Commissioner's Office (ICO)
• California: California Attorney General

7. Cookies and Tracking

We use cookies and similar technologies. For full details, see our Cookie Policy.

In summary, we use:

• Essential Cookies: Required for the service to function (login, security)
• Analytics Cookies: Google Analytics to understand usage patterns
• Preference Cookies: Remember your settings and choices

You can control cookies through your browser settings or our cookie consent banner.

8. Data Retention

We retain your data for different periods depending on the type:

9. International Data Transfers

Xpani AI is based in the United States (Wyoming). Your data may be transferred to and processed in the US and other countries where our service providers operate.

9.1 EU/EEA Users

If you're in the EU/EEA, your data is protected by:

• Standard Contractual Clauses (SCCs): EU-approved data transfer agreements
• Data Processing Agreements: With all service providers
• Adequacy Decisions: Where available (e.g., UK, Switzerland)
• Additional Safeguards: Encryption, access controls, security measures

9.2 Data Protection Officer

For EU/EEA data protection inquiries, contact our Data Protection Officer at: dpo@xpani.com

10. Children's Privacy

If you believe we have collected information from a child under 16, please contact us immediately at privacy@xpani.com and we will delete it.

Users aged 16-18 should obtain parental consent before using the service.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes:

• We'll email you at least 30 days before changes take effect
• We'll display a prominent notice on the service
• We'll update the "Last Updated" date
• Previous versions will be archived

Your continued use after changes become effective constitutes acceptance of the new policy. If you don't agree, you must stop using the service and may delete your account.

12. Contact Us

For privacy-related questions, requests, or concerns, contact us: