Privacy Policy
Effective Date: 24 March 2026 Last Updated: 24 March 2026
1. Introduction
Inflow Studio Pty. Ltd. (ABN 13 696 426 981, ACN 696 426 981) trading as Job Refined ("we," "us," "our") is committed to protecting your privacy and handling your personal information responsibly. This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information when you use our website at https://jobrefined.ai and related services (the "Services").
This Privacy Policy complies with:
- The Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs);
- The European Union General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679); and
- Other applicable data protection laws in the jurisdictions where we operate.
By using the Services, you acknowledge that you have read and understood this Privacy Policy.
2. Who We Are
Data Controller / Entity: Inflow Studio Pty. Ltd. ABN: 13 696 426 981 | ACN: 696 426 981 Trading as: Job Refined Based in Australia Email: hello@jobrefined.ai Product Website: https://jobrefined.ai Company Website: https://www.inflowstudio.com.au
For GDPR purposes, Inflow Studio Pty. Ltd. is the data controller responsible for your personal data. Job Refined is a product operated by Inflow Studio Pty. Ltd.
3. Information We Collect
3.1. Information You Provide Directly
| Category | Data Elements | Purpose |
|---|---|---|
| Account Information | Email address, password (hashed), first name, last name | Account creation, authentication, communication |
| Profile Information | Phone number, location, LinkedIn URL, website URL, GitHub URL, avatar, job interests | Profile personalization, career coaching |
| Resume Data | Resume files (PDF, DOCX), parsed resume content (personal info, summary, skills, experience, education, certifications, languages, projects, volunteer work, awards, publications) | AI-powered resume analysis, polishing, and export |
| Job Application Data | Job title, company name, company URL, job URL, job source, salary range, work type, location, status, job description text | Application tracking, AI matching |
| Cover Letter Data | Generated cover letter content, tone/length preferences, custom emphasis, version history | Cover letter generation and export |
| Interview Data | Mock interview sessions (type, difficulty, duration, language), conversation transcripts, scoring, AI feedback | Mock interview practice and scoring |
| Career Coach Data | Chat conversations, queries, career questions | AI career coaching |
| Notes & Reminders | Application notes, reminder text, scheduled dates | Personal organization |
| Payment Information | Credit pack purchases, payment method type (last 4 digits only), transaction history, currency preference | Billing and transaction records |
| Student Verification | University email address, verification status | Student discount eligibility |
| BYOK API Keys | Third-party LLM API keys (encrypted at rest) | BYOK feature functionality |
| Support Requests | Support ticket content, category, attachments | Customer support |
3.2. Information Collected Automatically
| Category | Data Elements | Purpose |
|---|---|---|
| Session Data | Device type, IP address, user agent, session tokens | Authentication, security |
| Usage Data | AI feature usage (chain type, model used, token counts, timestamps), credit consumption | Service delivery, analytics, billing |
| Security Logs | Login attempts, failed authentication events, account lockout events | Security monitoring, fraud prevention |
| Audit Logs | Administrative actions, timestamps, IP addresses (anonymized after 90 days) | Compliance, accountability |
3.3. Information from Third Parties
| Source | Data Elements | Purpose |
|---|---|---|
| Google OAuth (if used) | Email address, name, profile photo | SSO authentication |
| Google Places API | Location data (based on your search queries) | Location autocomplete |
| Stripe | Payment confirmation, transaction status | Payment processing |
3.4. Sensitive Information
We do not intentionally collect sensitive information (such as racial or ethnic origin, political opinions, religious beliefs, health information, or sexual orientation). However, resumes you upload may incidentally contain such information. We process resume content solely for the purpose of providing AI career services and do not use any sensitive information for profiling or targeted purposes.
4. How We Use Your Information
4.1. Legal Bases for Processing (GDPR)
| Purpose | Legal Basis |
|---|---|
| Providing the Services (resume parsing, AI polish, cover letter generation, application tracking) | Contract performance (Art. 6(1)(b)) — necessary to deliver the services you requested |
| Processing payments and managing credits | Contract performance (Art. 6(1)(b)) |
| Account security, fraud prevention, rate limiting | Legitimate interests (Art. 6(1)(f)) — security of our systems and users |
| Sending transactional emails (verification, password reset, reminders) | Contract performance (Art. 6(1)(b)) |
| AI usage analytics and service improvement | Consent (Art. 6(1)(a)) — you may opt out via Settings |
| Complying with legal obligations (tax records, law enforcement requests) | Legal obligation (Art. 6(1)(c)) |
| Data retention and automated cleanup | Legitimate interests (Art. 6(1)(f)) — storage limitation principle |
| Student verification | Contract performance (Art. 6(1)(b)) — to provide student pricing |
4.2. Australian Privacy Principles
Under the Australian Privacy Act, we collect and use your personal information in accordance with the Australian Privacy Principles (APPs), including:
- APP 3 (Collection): We only collect information that is reasonably necessary for our functions.
- APP 5 (Notification): This Privacy Policy serves as our notification of collection.
- APP 6 (Use or Disclosure): We only use information for the purpose it was collected, or a directly related purpose you would reasonably expect.
- APP 11 (Security): We take reasonable steps to protect your information from misuse, interference, loss, and unauthorized access.
5. AI Data Processing
5.1. How AI Features Use Your Data
When you use AI-powered features, portions of your data are sent to third-party LLM providers for processing:
| AI Feature | Data Sent to LLM | LLM Provider |
|---|---|---|
| Job Description Parsing | Job description text | OpenRouter → OpenAI (GPT-4o-mini) |
| Resume Parsing | Resume text content | OpenRouter → OpenAI (GPT-4o-mini) |
| Resume Polish | Resume text + parsed job description | OpenRouter → OpenAI (GPT-4o) |
| Cover Letter Generation | Resume + job description + your instructions | OpenRouter → OpenAI (GPT-4o) |
| Mock Interviews | Job description + conversation context | OpenRouter → Google (Gemini Flash) |
| Career Coach | Conversation context + your queries | OpenRouter → Google (Gemini Flash) |
| Rejection Learning | Rejection feedback text | OpenRouter → OpenAI (GPT-4o-mini) |
5.2. PII Protection Before LLM Processing
Before any data is sent to an LLM provider, we apply PII tokenization:
- Full recursive tokenization (for sensitive operations like Resume Polish and Cover Letter): Names, email addresses, phone numbers, social security numbers, credit card numbers, and API key patterns are replaced with deterministic tokens.
- Light tokenization (for lower-risk operations like JD Parsing): Names, emails, and phone numbers are replaced with tokens.
- After the LLM response is received, tokens are reversed to restore your original information.
5.3. Zero-Data-Retention (ZDR)
We enforce Zero-Data-Retention on all AI API calls routed through OpenRouter:
- Account-level: Our OpenRouter organization account has ZDR enabled.
- Per-request: Every API call includes a
provider.zdr: trueparameter, instructing the LLM provider not to store, log, or use your data for model training.
Limitations:
- For BYOK users connecting directly to OpenAI (not via OpenRouter), ZDR enforcement depends on OpenAI's API data usage policy (API data is not used for training by default as of March 2023).
- We cannot guarantee ZDR enforcement for direct third-party provider connections.
5.4. AI Consent
You may opt out of AI data processing at any time through your account Settings. Opting out will disable AI-powered features, but you may still use manual features (resume editing, application tracking, notes).
6. Data Sharing and Disclosure
6.1. Third-Party Service Providers
We share your data with the following categories of third-party service providers, solely for the purposes of providing the Services:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe | Payment processing | Payment details, email, transaction data | United States |
| OpenRouter | LLM API gateway | Tokenized content (PII removed) for AI features | United States |
| OpenAI | LLM processing | Tokenized content (via OpenRouter) | United States |
| LLM processing (Gemini), OAuth, Places API | Tokenized content, auth data, location queries | United States | |
| Anthropic | LLM processing (BYOK only) | Tokenized content (via OpenRouter) | United States |
| Amazon Web Services (AWS) | File storage (S3) | Uploaded files (resumes, exports) | Region configurable |
| Resend | Transactional email | Email address, email content | United States |
| Vercel | Frontend hosting | Frontend assets (no user data stored) | Global CDN |
| Railway | Backend hosting | All backend data (encrypted in transit) | United States |
| Cloudflare | DNS, CDN, DDoS protection | Traffic metadata, IP addresses | Global |
| Qdrant | Vector database (for career memory) | Vectorized career insights (no raw PII) | Configurable |
6.2. Cross-Border Data Transfers
Your data may be transferred to and processed in countries outside Australia, including the United States. In accordance with APP 8 (Cross-border disclosure) of the Australian Privacy Act and Chapter V of the GDPR, we ensure that:
- (a) Third-party providers maintain adequate data protection standards;
- (b) Appropriate safeguards are in place (such as Standard Contractual Clauses for EU data subjects); and
- (c) You are informed of the countries where your data may be processed (as listed in Section 6.1 above).
6.3. When We May Disclose Your Data
We may disclose your personal information:
- (a) With your consent — when you have given explicit consent to share specific information;
- (b) For legal compliance — when required by law, regulation, legal process, or governmental request;
- (c) For safety and security — to protect the rights, property, or safety of Inflow Studio Pty. Ltd., our users, or the public;
- (d) In a business transfer — in connection with a merger, acquisition, reorganization, or sale of assets, in which case your data may be transferred to the successor entity; and
- (e) Aggregated or de-identified data — we may share aggregated, anonymized data that cannot reasonably identify you for analytics and reporting purposes.
6.4. What We Do NOT Do
We do not:
- Sell your personal information to any third party;
- Use your data for targeted advertising;
- Share your resume or application data with employers or recruiters without your explicit consent;
- Allow LLM providers to train their models on your data (ZDR enforced); or
- Share your data with data brokers.
7. Data Retention
We retain your data only for as long as necessary to fulfil the purposes described in this Privacy Policy, or as required by law.
| Data Type | Retention Period | Action After Retention |
|---|---|---|
| Active user account data | Duration of account | Deleted upon account deletion |
| Expired sessions | Immediately after expiry | Deleted automatically |
| Expired/used verification tokens | 48 hours after expiry | Deleted automatically |
| Audit log IP addresses | 90 days | Anonymized (set to NULL) |
| AI usage logs | 365 days | Deleted automatically |
| JD parse failure logs | 90 days | Deleted automatically |
| In-app notifications (read) | 90 days | Deleted automatically |
| Payment and billing records | 7 years | Anonymized (PII removed, financial records retained for tax/legal compliance) |
| Deleted user accounts | 30-day grace period | Permanently hard-deleted (all user data) |
| Inactive user accounts | 730 days (2 years) of inactivity | Warning emails sent at 30 and 10 days before deletion; then soft-deleted with 30-day grace period |
| Consent records | Duration of account + 30-day grace | Retained as part of deletion audit trail |
All retention jobs run automatically every 24 hours. For full technical details, see our internal Data Retention Policy.
8. Data Security
We implement the following security measures to protect your personal information:
8.1. Encryption
- In transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS.
- At rest: Sensitive data fields (phone number, LinkedIn URL, location, website URL, GitHub URL) are encrypted in the database. BYOK API keys are encrypted using AES-256-GCM.
- Passwords: Stored as bcrypt hashes with a cost factor of 12. We never store plaintext passwords.
8.2. Authentication & Access Control
- JWT tokens using RS256 (asymmetric) signing with 15-minute access token expiry.
- Refresh token rotation with 7-day expiry, stored as SHA-256 hashes.
- Optional TOTP-based two-factor authentication.
- Tiered account lockout after repeated failed login attempts.
- Rate limiting on all endpoints (5 auth attempts per 15 minutes, 200 AI requests per hour per user, 100 requests per minute per IP).
8.3. Application Security
- Security headers: HSTS, CSP, Referrer-Policy, Permissions-Policy.
- PII redaction in application logs (API keys, emails, phone numbers masked).
- Parameterized database queries (no raw SQL injection vectors).
- Input validation using Pydantic models.
- File upload limits: 10 MB maximum, with type validation.
- Request body limits: 1 MB (JSON), 15 MB (multipart).
8.4. Infrastructure Security
- Cloudflare DDoS protection and CDN.
- Railway managed hosting with encrypted connections.
- AWS S3 with appropriate access controls for file storage.
- Regular dependency updates and vulnerability scanning.
8.5. Data Breach Response
In the event of a personal data breach, we will:
- (a) Assess the breach and its potential impact;
- (b) Notify the Office of the Australian Information Commissioner (OAIC) within 30 days if the breach is likely to result in serious harm (Notifiable Data Breaches scheme);
- (c) Notify affected individuals as soon as practicable;
- (d) For EU data subjects, notify the relevant supervisory authority within 72 hours as required by GDPR Article 33; and
- (e) Take steps to contain and remediate the breach.
9. Your Rights
9.1. Rights Under GDPR (EU/EEA Users)
If you are located in the European Economic Area, you have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Access (Art. 15) | Request a copy of your personal data | Settings → Data Export, or email us |
| Rectification (Art. 16) | Correct inaccurate personal data | Edit your profile in Settings |
| Erasure (Art. 17) | Request deletion of your personal data | Settings → Delete Account, or email us |
| Restriction (Art. 18) | Restrict processing of your data | Email us |
| Data Portability (Art. 20) | Receive your data in a machine-readable format (JSON/ZIP) | Settings → Data Export |
| Objection (Art. 21) | Object to processing based on legitimate interests | Email us |
| Withdraw Consent (Art. 7(3)) | Withdraw consent for optional processing (analytics, AI) | Settings → Privacy toggles |
| Automated Decisions (Art. 22) | Not be subject to solely automated decision-making | N/A — our AI assists but does not make decisions about you |
9.2. Rights Under Australian Privacy Act
If you are located in Australia, you have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Access (APP 12) | Request access to your personal information | Settings → Data Export, or email us |
| Correction (APP 13) | Request correction of inaccurate information | Edit your profile, or email us |
| Anonymity (APP 2) | Option to deal with us anonymously where practicable | Note: an account with email is required for core services |
| Complaint (APP 1) | Lodge a complaint about our handling of your information | Email us or contact the OAIC |
9.3. How to Exercise Your Rights
- Self-service: Many rights can be exercised directly through your account Settings page.
- Email: Contact us at hello@jobrefined.ai with the subject line "Privacy Rights Request."
- Response time: We will respond to all requests within 30 days (or 72 hours for GDPR-related urgent requests).
- Verification: We may need to verify your identity before processing your request.
9.4. Complaints
If you are unsatisfied with our response to your privacy concerns:
- Australia: You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
- EU/EEA: You may lodge a complaint with your local supervisory authority.
10. Cookies and Tracking
10.1. Essential Cookies
We use essential cookies and local storage to:
- Maintain your authentication session;
- Store your language and currency preferences; and
- Ensure the security and functionality of the Services.
These cookies are strictly necessary for the Services to function and cannot be disabled.
10.2. Analytics
We offer optional analytics tracking that you may enable or disable through your account Settings. When enabled, we collect usage patterns to improve the Services. We do not use third-party advertising trackers or sell tracking data.
10.3. No Third-Party Advertising
We do not display advertisements on the Services and do not share your data with advertising networks.
11. Children's Privacy
The Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information promptly. If you believe a child under 16 has provided us with personal information, please contact us at hello@jobrefined.ai.
12. Career Memory (Mem0)
12.1. What Is Career Memory?
Job Refined uses a persistent memory system (powered by Mem0 and Qdrant) to build a long-term understanding of your career profile across sessions. This includes:
- Career insights derived from resume analysis;
- Interview performance patterns;
- Strengths and areas for improvement identified over time; and
- Preferences and goals you've shared with the AI Career Coach.
12.2. How Career Memory Data Is Stored
Career memory data is stored as vectorized representations (embeddings) rather than raw text. These embeddings are:
- Associated with your user ID;
- Used solely to personalize AI features for you; and
- Deleted when you delete your account.
12.3. Your Control Over Career Memory
You may:
- View your career memory through the Career Coach interface;
- Request deletion of specific memories; and
- Delete all career memory by deleting your account.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- (a) Posting the updated Privacy Policy on the Website with a revised "Last Updated" date;
- (b) Sending an email notification to your registered email address; and
- (c) Where required, requesting your renewed consent.
Material changes will take effect 30 days after notification. Your continued use of the Services after the effective date constitutes acceptance of the updated Privacy Policy.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
- Email: hello@jobrefined.ai
- Website: https://jobrefined.ai
- Subject Line: "Privacy Inquiry"
For complaints about our handling of your personal information, you may also contact:
- Office of the Australian Information Commissioner (OAIC) Website: https://www.oaic.gov.au Phone: 1300 363 992
This Privacy Policy was last updated on 24 March 2026.