1. Data Controller
The data controller for your personal data is Tiago de Jesus Santos, reachable at suport@vagaia.pt.
2. Data Collected and Purpose
VagaIA collects and processes the following personal data:
- Email address and password: required to create and authenticate your account. Passwords are stored in hashed form (bcrypt) and are never accessible in plain text.
- CV data: name, phone number, location, LinkedIn profile, professional summary, work experience, education, skills and languages. This data is provided voluntarily for the CV analysis and adaptation service.
- Job offers and analysis results: the job offer text you submit and the generated results (compatibility score, adapted CV, strengths and gaps) are stored for future reference in your account.
- Billing data: Stripe customer identifier, token transaction history and subscription plan. Payment details (card number, etc.) are handled exclusively by Stripe and never reach our servers.
- Technical data: account and analysis creation timestamps, token balance.
- Referral programme data: when you use the invite feature, we store the relationship between your account and the account of the person you invited (referrer/invitee), as well as the tokens awarded. The email address you provide to send an invite is used solely to send that email and is not stored in our systems afterwards.
3. Legal Basis for Processing
- Performance of a contract (Art. 6(1)(b) GDPR): processing of account, CV and analysis data is necessary to provide the service you requested.
- Legal obligation (Art. 6(1)(c) GDPR): billing data is processed to comply with tax and legal obligations.
- Legitimate interest (Art. 6(1)(f) GDPR): sending invite emails to non-users, at the explicit request of a registered user, is based on the legitimate interest of both parties. The email is sent once only and the recipient may ignore it without any consequence.
4. Sharing with Third Parties
Your data is shared only with the following sub-processors, strictly necessary for the service to function:
- Anthropic, Inc. (USA) — AI service: your CV text and job offer are sent to the Anthropic API to generate the compatibility analysis and adapted CV. Anthropic processes this data under its Privacy Policy and Data Processing Agreement (DPA), which includes Standard Contractual Clauses (SCCs) approved by the European Commission as a safeguard for international transfers.
- Stripe, Inc. (USA) — payment processing: to process token and subscription payments. Stripe receives your user identifier and transaction details. Stripe processes data under its Privacy Policy and uses Standard Contractual Clauses as a safeguard.
We do not sell, rent or share your data with third parties for marketing purposes.
5. International Data Transfers
Some of the sub-processors listed above are based in the United States of America, outside the European Economic Area (EEA). These transfers are carried out on the basis of Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), which ensure an adequate level of protection for your personal data.
6. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access: you can export all your data in JSON format via Profile → Account in the app.
- Right to rectification: you can correct your profile and CV data directly in the app.
- Right to erasure: you can delete your account and all associated data via Profile → Account.
- Right to data portability: you can export your data in machine-readable format (JSON) via the app.
- Right to object and restriction: you may contact us to exercise these rights.
To exercise your rights, contact us at suport@vagaia.pt. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) or any other competent supervisory authority.
7. Retention Period
- Account and CV data is retained for as long as your account is active.
- After account deletion, all data is immediately erased from our systems.
- Billing data (transaction records) may be retained for up to 10 years to comply with Portuguese tax and legal obligations.
8. Security
We adopt appropriate technical and organisational measures to protect your personal data, including: bcrypt password hashing, HTTPS-encrypted communications, JWT authentication with expiry, and restricted database access. The database is hosted on European infrastructure (Railway EU).
9. Cookies and Local Storage
VagaIA does not use cookies. The authentication token is stored in your browser's localStorage solely to keep your session active. This mechanism is not a cookie and is not subject to cookie consent rules.
10. Changes to This Policy
We may update this Privacy Policy periodically. In the event of material changes, we will notify users by email. The date of the last update is shown at the top of this page.
11. Contact
For questions about this Privacy Policy or about the processing of your data, contact us at: suport@vagaia.pt