Privacy Policy
Last updated: 17 May 2026
1. Who We Are (Data Controller)
AppliTrackr is operated by LazyByte – Wojciech Rygorowicz, a sole trader registered in Poland under the Central Registration and Information on Business (CEIDG).
LazyByte – Wojciech Rygorowicz
ul. Strzelecka 2/5, 48-200 Prudnik
woj. opolskie, Poland
NIP: 7551941162 · REGON: 524940097
Electronic delivery: AE:PL-44263-70091-VCRWI-28
For privacy-related enquiries, please use the in-app feedback form or send correspondence to the registered address above.
2. What Personal Data We Collect
2.1 Account data
- Email address — used for authentication, password resets, and transactional notifications.
- Full name — used to personalise your dashboard experience.
2.2 CV and job-search data
Data you voluntarily enter into the application:
- CV personal information: name, job title, email address, phone number, location, website URL, professional summary, profile photo.
- CV sections: work experience (employer, role, dates, description), education (institution, degree, field, dates), skills, languages, certifications, projects.
- Job applications: company name, position, application status, salary range, application date, job URL, recruiter contact flag, notes.
- Vault documents: files you upload (cover letters, certificates, and other documents in PDF, PNG, or JPG format).
- Dashboard notes: personal text notes you create in the dashboard.
All content data is entered by you voluntarily. You control what information you include and can delete it at any time.
2.3 Payment data
If you subscribe to AppliTrackr Premium, payments are processed by Stripe, Inc. We store only:
- Stripe customer ID and subscription ID
- Payment status and amount
- Subscription period dates
Card details and full payment credentials are processed directly by Stripe and are never stored by us. Stripe is PCI DSS compliant. For details, see Stripe's Privacy Policy.
2.4 Usage analytics
We use PostHog to collect anonymised usage events (e.g. pages visited, features used, buttons clicked). This data helps us understand how the product is used and improve it. PostHog is hosted on EU infrastructure (eu.posthog.com).
2.5 Technical / session data
We use authentication session tokens managed by Supabase Auth, which are stored as HTTP-only cookies in your browser. These are required for the service to function.
3. Legal Basis for Processing (GDPR Art. 6)
| Data category | Legal basis |
|---|---|
| Account data (email, name), CV data, job application data, vault files, dashboard notes | Art. 6(1)(b) — performance of a contract (providing the service you requested) |
| Payment records (Stripe IDs, amount, status) | Art. 6(1)(c) — legal obligation (Polish accounting regulations require retention for 5 years) |
| Usage analytics (PostHog events) | Art. 6(1)(f) — legitimate interest in improving the service and understanding how it is used |
4. Who We Share Your Data With
We do not sell your personal data. We use the following third-party processors to operate the service:
| Processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database hosting and file storage (CV avatars, vault documents) | EU / US¹ |
| Stripe, Inc. | Payment processing and subscription management | US¹ |
| PostHog, Inc. | Usage analytics | EU (eu.posthog.com) |
| Vercel, Inc. | Application hosting and edge delivery | US¹ |
¹ Transfer to the United States is covered by Standard Contractual Clauses (SCCs) as adopted by the European Commission.
5. How Long We Keep Your Data
- Account and content data (CVs, job applications, vault files, notes): retained for the duration of your account. When you delete your account (Settings → Danger Zone), all associated data is permanently deleted from our systems within 30 days.
- Payment records: retained for 5 years from the transaction date to comply with Polish accounting regulations (Ustawa z dnia 29 września 1994 r. o rachunkowości).
- Usage analytics: event-level data is retained by PostHog for up to 2 years. Aggregated statistics may be retained indefinitely.
- Session tokens: expire automatically; cleared on logout.
6. Your Rights Under GDPR
As a data subject within the European Economic Area, you have the following rights:
- Right of access (Art. 15) — request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — delete your account and all associated data. This is available directly in the app: Settings → Danger Zone → Delete my account. For data that cannot be self-deleted (e.g. payment records retained for legal compliance), submit a written request.
- Right to restriction of processing (Art. 18) — request that we limit processing of your data in certain circumstances.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interest (analytics). This will not affect processing required to perform the contract.
To exercise any of the above rights, please contact us via the in-app feedback form or by post to the address in Section 1. We will respond within 30 days.
You also have the right to lodge a complaint with the Polish data protection supervisory authority:
Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa, Poland
uodo.gov.pl
7. Cookies
AppliTrackr uses the following cookies:
- Essential session cookies — issued by Supabase Auth to maintain your login session. These are strictly necessary for the service to function and cannot be disabled without logging out.
- Analytics cookies — set by PostHog to track usage events. You may opt out of analytics tracking by contacting us via the in-app feedback form.
We do not use advertising cookies, retargeting cookies, or any third-party tracking for commercial purposes.
8. Security
We take reasonable technical and organisational measures to protect your data, including:
- All data is transmitted over HTTPS (TLS encryption).
- Database access is protected by Row-Level Security (RLS) — each user can only access their own data, enforced at the database layer.
- File storage is access-controlled by user identity.
- Passwords are never stored — authentication is managed by Supabase Auth using industry-standard hashing.
- Payment data is handled exclusively by Stripe (PCI DSS Level 1 certified).
No system is 100% secure. If you believe your account has been compromised, please contact us immediately.
9. Children
AppliTrackr is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will reflect any changes. For material changes, we will notify you via the email address associated with your account. Continued use of the service after the effective date of a change constitutes acceptance of the updated policy.
11. Contact
For any privacy-related questions or to exercise your rights:
- In-app: use the feedback form available in the dashboard.
- By post: LazyByte – Wojciech Rygorowicz, ul. Strzelecka 2/5, 48-200 Prudnik, Poland.
- Electronic delivery address: AE:PL-44263-70091-VCRWI-28 (eDO Post / e-Doręczenia).