Privacy Policy

Last Updated: December 2024

1. Overview

At Idynic, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered career development platform.

[COMPANY LEGAL NAME - ⚖️ REVIEW REQUIRED] (“we”, “us”, or “our”) operates the Idynic platform and is the data controller responsible for your personal information.

Key Points:

  • We collect professional and personal data to provide our AI services
  • Your data is NOT used to train third-party AI models by default
  • We use encryption and security best practices
  • You have control over your data, including deletion rights
  • We comply with GDPR, CCPA, and other privacy regulations

2. Information We Collect

2.1 Information You Provide Directly

When you create an account or use our Service, you may provide:

  • Account Information: Name, email address, password
  • Professional Information: Resume, work history, skills, education, certifications
  • Career Stories: Narrative descriptions of your professional experiences, achievements, and projects
  • Opportunity Information: Job descriptions, company details, application materials
  • Communications: Messages sent to our support team or through the platform
  • Payment Information: Billing details (processed by Stripe - we do not store full credit card numbers)

2.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, time spent, click patterns
  • Device Information: Browser type, operating system, device identifiers, IP address
  • Log Data: Server logs, error reports, API requests
  • Cookies & Similar Technologies: See Section 5 for details

2.3 Information from Third-Party Sources

We may receive information from:

  • Social Login Providers: If you sign in via Google, LinkedIn, etc., we receive basic profile information
  • Public Sources: Publicly available professional information (LinkedIn, company websites) if you authorize us to enrich your profile
  • Analytics Providers: Aggregated usage analytics from services like Google Analytics

3. How We Use Your Information

We use your personal information for the following purposes:

3.1 To Provide the Service

  • Parse and analyze your resume to extract professional identity markers
  • Generate AI-powered career insights and recommendations
  • Match you with relevant opportunities
  • Create tailored solution profiles and application materials
  • Maintain and improve your identity graph

3.2 To Communicate with You

  • Send service-related notifications and updates
  • Respond to your inquiries and support requests
  • Send administrative messages about your account
  • Send marketing communications (only with your consent - you can opt out anytime)

3.3 To Improve and Develop the Service

  • Analyze usage patterns to understand how features are used
  • Conduct research and development for new features
  • Train and improve our internal AI models (using anonymized data)
  • Troubleshoot technical issues and bugs
  • Conduct A/B testing and experimentation

3.4 For Security and Legal Compliance

  • Detect and prevent fraud, abuse, and security incidents
  • Enforce our Terms of Service
  • Comply with legal obligations and law enforcement requests
  • Protect our rights, property, and safety, and that of our users

3.5 Legal Basis for Processing (EU/EEA Users)

Under GDPR, we process your data based on:

  • Contract Performance: To provide the Service you signed up for
  • Legitimate Interests: To improve the Service, prevent fraud, and ensure security
  • Consent: For marketing communications and optional data processing (you can withdraw consent anytime)
  • Legal Obligation: To comply with applicable laws

4. AI Processing & Third-Party Services

⚠️ Important: AI Data Processing Disclosure

4.1 Third-Party AI Providers

We use the following third-party AI services to power our features:

  • OpenAI: For natural language processing and content generation
  • Anthropic (Claude): For advanced reasoning and analysis tasks
  • [OTHER AI PROVIDERS - ⚖️ REVIEW REQUIRED]

4.2 AI Training Opt-Out

By default, your data is NOT used to train third-party AI models.

We have opted out of AI training with our providers wherever this option is available. This means:

  • OpenAI does not use your data to improve their models (we use their zero-retention API)
  • Anthropic does not train on your data
  • Your professional information remains private and confidential

4.3 Our Internal AI Models

We may use anonymized, aggregated data to improve our own AI models and Service features. This means:

  • All personally identifiable information is removed before use
  • Data is aggregated across many users to identify patterns
  • Individual users cannot be re-identified from this data
  • You can opt out of this by emailing privacy@idynic.com with subject line “Opt Out of Internal Training”

4.4 Other Third-Party Services

We also use the following service providers:

  • AWS (Amazon Web Services): Cloud hosting and data storage
  • Stripe: Payment processing
  • Google Analytics / PostHog / [ANALYTICS - ⚖️ REVIEW REQUIRED]: Usage analytics
  • SendGrid / [EMAIL PROVIDER - ⚖️ REVIEW REQUIRED]: Email delivery

All third-party services are bound by data processing agreements and are required to protect your information in accordance with applicable laws.

⚖️ REVIEW REQUIRED: Verify list of all third-party processors. Ensure Data Processing Agreements (DPAs) are in place with all vendors. Confirm GDPR Standard Contractual Clauses (SCCs) for international transfers.

5. Cookies & Tracking Technologies

We use cookies and similar tracking technologies to provide and improve our Service. You can control cookie preferences through our cookie banner and browser settings.

5.1 Types of Cookies We Use

Essential Cookies (Always Active)

Required for the Service to function. These cannot be disabled without breaking core functionality.

  • Authentication tokens (keeps you logged in)
  • Session management
  • Security and fraud prevention
  • Load balancing

Functional Cookies (Optional)

Enable enhanced features and personalization.

  • User preferences (theme, language, display settings)
  • Remember your choices
  • Personalized content recommendations

Analytics Cookies (Optional)

Help us understand how you use the Service.

  • Google Analytics (anonymized IP)
  • Usage statistics and heatmaps
  • Performance monitoring
  • A/B testing and feature experiments

Marketing Cookies (Optional)

Used to show relevant ads and measure campaign effectiveness.

  • Retargeting pixels
  • Conversion tracking
  • Social media integrations

5.2 Managing Cookie Preferences

You can control cookies through:

  • Cookie Banner: Adjust preferences when you first visit the site
  • Account Settings: Manage cookie preferences in your account dashboard
  • Browser Settings: Most browsers allow you to block or delete cookies
  • Do Not Track: We honor Do Not Track signals where technically feasible

5.3 Other Tracking Technologies

  • Local Storage: Used to save your preferences and cache data for performance
  • Web Beacons: Small transparent images in emails to track open rates (you can disable image loading)
  • Fingerprinting: We do NOT use browser fingerprinting or device fingerprinting techniques

⚖️ REVIEW REQUIRED: Ensure cookie policy complies with ePrivacy Directive, GDPR, CCPA, and other applicable laws. Verify cookie categorization is accurate. Confirm “essential cookies” are truly necessary for service function.

6. Data Sharing & Disclosure

We do not sell, trade, or rent your personal information to third parties.

We may share your information in the following circumstances:

6.1 With Your Consent

  • When you explicitly authorize us to share your profile or application materials
  • When you use sharing features (e.g., sharing a solution profile link with a recruiter)
  • When you integrate with third-party services (LinkedIn, job boards, etc.)

6.2 With Service Providers

We share data with third-party vendors who perform services on our behalf, under strict confidentiality obligations:

  • Cloud hosting (AWS)
  • Payment processing (Stripe)
  • AI services (OpenAI, Anthropic)
  • Email delivery (SendGrid or similar)
  • Analytics (Google Analytics or similar)
  • Customer support tools

6.3 For Legal Reasons

We may disclose information when required by law or to:

  • Comply with legal process (subpoenas, court orders)
  • Respond to lawful requests from public authorities
  • Protect our rights, property, or safety
  • Prevent fraud, abuse, or security threats
  • Investigate violations of our Terms of Service

6.4 Business Transfers

If we are involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a different privacy policy.

6.5 Aggregated & Anonymized Data

We may share aggregated, anonymized data that cannot be used to identify you individually for:

  • Industry research and benchmarking
  • Marketing and promotional purposes
  • Product development and improvement

7. Data Security

We implement industry-standard security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.

7.1 Technical Safeguards

  • Encryption in Transit: TLS/SSL encryption for all data transmitted over the internet
  • Encryption at Rest: AES-256 encryption for data stored in databases and file systems
  • Access Controls: Role-based access controls (RBAC) and principle of least privilege
  • Authentication: Multi-factor authentication (MFA) for sensitive operations
  • Logging & Monitoring: Security event logging and anomaly detection
  • Firewalls & Intrusion Detection: Network security controls and threat monitoring

7.2 Organizational Safeguards

  • Employee Training: Regular security and privacy training for all staff
  • Background Checks: Screening for employees with access to sensitive data
  • Confidentiality Agreements: All employees sign NDAs
  • Incident Response Plan: Defined procedures for security incidents and data breaches
  • Regular Audits: Periodic security assessments and penetration testing

7.3 Data Breach Notification

In the event of a data breach that affects your personal information, we will:

  • Notify affected users without undue delay (within 72 hours for GDPR compliance)
  • Provide details about the breach and potential impact
  • Describe steps we are taking to address the breach
  • Recommend actions you can take to protect yourself
  • Notify supervisory authorities as required by law (e.g., ICO for UK, CNIL for France)

7.4 Limitations

While we use reasonable security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your information.

You are responsible for:

  • Keeping your password confidential
  • Not sharing your account with others
  • Logging out of shared devices
  • Reporting suspicious activity immediately

8. Data Retention

⚖️ REVIEW REQUIRED: Specific retention periods

We retain your personal information only as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, and resolve disputes.

8.1 Retention Periods by Data Type

Active Account Data

Retention: While your account is active

Includes: Profile information, career data, identity graph, application materials, usage history

Closed Account Data

Retention: 30 days after account closure (for recovery)

After 30 days, all personal data is permanently deleted, except as noted below

Financial Records

Retention: [X YEARS - ⚖️ REVIEW REQUIRED]

Includes: Payment history, invoices, tax records (required for legal and accounting purposes)

Legal/Compliance Records

Retention: [X YEARS - ⚖️ REVIEW REQUIRED]

Includes: Records related to legal claims, investigations, regulatory requirements

Anonymized Analytics

Retention: Indefinitely

Aggregated, anonymized data that cannot be linked back to you individually may be retained for research and improvement

Backup Copies

Retention: Up to 90 days

Backup systems may retain data for disaster recovery purposes; backups are securely deleted after 90 days

8.2 Data Deletion

When you delete your account or request data deletion:

  • Your personal data is marked for deletion and removed from active systems within 30 days
  • Backup copies are automatically purged within 90 days of the deletion request
  • We may retain minimal information (email, user ID) in a suppression list to prevent accidental re-creation of your account
  • Anonymized, aggregated data derived from your information may be retained indefinitely

⚖️ REVIEW REQUIRED: Retention periods must comply with applicable laws (GDPR, tax laws, financial regulations, statute of limitations for legal claims). Specific retention periods should be determined based on jurisdiction and business needs.

9. Your Privacy Rights

You have the following rights regarding your personal information (specific rights may vary based on your location):

Right to Access

Request a copy of the personal information we hold about you. We will provide this within 30 days in a commonly used format.

Right to Correction

Request correction of inaccurate or incomplete personal information. You can also update most information directly in your account settings.

Right to Deletion

Request deletion of your personal information, subject to certain legal exceptions (e.g., financial records we're required to retain).

Right to Data Portability

Request your data in a structured, machine-readable format (JSON, CSV) that can be transferred to another service.

Right to Object

Object to processing of your personal information based on legitimate interests or for direct marketing purposes.

Right to Restrict Processing

Request that we limit how we use your data while you contest accuracy or object to processing.

Right to Withdraw Consent

Withdraw consent for processing based on consent (e.g., marketing emails) at any time without affecting prior lawful processing.

Right to Opt-Out of Sale/Sharing

Opt out of the “sale” or “sharing” of your personal information for targeted advertising (CCPA/CPRA). Note: We do not currently sell personal information.

How to Exercise Your Rights

To exercise any of these rights:

  • Account Settings: Update most information directly in your account
  • Email: Send requests to privacy@idynic.com
  • Subject Line: Clearly state your request (e.g., “Data Access Request”, “Deletion Request”)
  • Verification: We may ask for identity verification to prevent fraud

We will respond to your request within 30 days.

10. GDPR Rights (EU/EEA Users)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) and equivalent laws.

10.1 Data Controller

[COMPANY LEGAL NAME - ⚖️ REVIEW REQUIRED] is the data controller responsible for your personal information.

10.2 Legal Basis for Processing

We process your data under the following legal bases:

  • Contract (GDPR Art. 6(1)(b)): To provide the Service you signed up for
  • Legitimate Interests (GDPR Art. 6(1)(f)): To improve the Service, prevent fraud, ensure security
  • Consent (GDPR Art. 6(1)(a)): For marketing communications and optional features (you can withdraw consent anytime)
  • Legal Obligation (GDPR Art. 6(1)(c)): To comply with tax, financial, and other legal requirements

10.3 Right to Lodge a Complaint

You have the right to lodge a complaint with your local supervisory authority if you believe we have violated GDPR:

  • UK: Information Commissioner's Office (ICO) - ico.org.uk
  • Ireland: Data Protection Commission (DPC) - dataprotection.ie
  • Germany: Your state's Datenschutzbehörde
  • Other EU countries: See EDPB member list

10.4 Data Protection Officer

⚖️ REVIEW REQUIRED: If required by GDPR, we have appointed a Data Protection Officer (DPO). You can contact our DPO at: dpo@idynic.com

Note: A DPO is required if you engage in large-scale processing of special categories of data or systematic monitoring of individuals. Determine if this applies.

11. CCPA Rights (California Users)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

11.1 Your CCPA Rights

  • Right to Know: Request details about the personal information we collect, use, and disclose
  • Right to Access: Request a copy of your personal information
  • Right to Deletion: Request deletion of your personal information
  • Right to Correction: Request correction of inaccurate information (CPRA)
  • Right to Opt-Out: Opt out of sale or sharing of personal information for targeted advertising
  • Right to Limit Use: Limit use of sensitive personal information (CPRA)
  • Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

11.2 Categories of Personal Information Collected

We collect the following categories of personal information:

  • Identifiers (name, email, IP address)
  • Professional information (resume, work history, skills)
  • Commercial information (subscription, payment history)
  • Internet activity (usage data, browsing behavior)
  • Inferences drawn from the above (career interests, skill assessments, opportunity matches)

11.3 Do Not Sell or Share My Personal Information

We do not sell your personal information and have not sold personal information in the past 12 months.

Under CCPA, “sharing” includes disclosing personal information for cross-context behavioral advertising. We do not currently engage in this practice.

11.4 Exercising CCPA Rights

To exercise your CCPA rights:

  • Email: privacy@idynic.com
  • Subject: “CCPA Request - [Right you're exercising]”
  • We will verify your identity before processing
  • We will respond within 45 days (extendable by 45 days if necessary)

11.5 Authorized Agents

You may designate an authorized agent to make CCPA requests on your behalf. The agent must provide written authorization or a power of attorney.

12. Children's Privacy

⚖️ REVIEW REQUIRED: Age restrictions and COPPA compliance

Our Service is not intended for individuals under the age of [18 / 16 / 13 - ⚖️ SPECIFY].

We do not knowingly collect personal information from children under [AGE]. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@idynic.com.

If we learn that we have collected personal information from a child under [AGE] without parental consent, we will delete that information as quickly as possible.

COPPA Compliance (U.S.)

If our Service is directed to children under 13 in the United States, we comply with the Children's Online Privacy Protection Act (COPPA) by:

  • Obtaining verifiable parental consent before collecting data
  • Providing parents with notice of our information practices
  • Allowing parents to review, delete, or refuse further collection of data
  • Not conditioning participation on disclosure of more data than necessary

Current Policy: Our Service is NOT currently directed to children under 13, and we do not knowingly collect their information.

⚖️ REVIEW REQUIRED: Determine appropriate minimum age (varies by jurisdiction: 13 in U.S. under COPPA, 16 in EU under GDPR for consent, 18 for employment-related services). Implement age verification if necessary.

13. International Data Transfers

⚖️ REVIEW REQUIRED: Data transfer mechanisms

Your personal information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that are different from the laws of your country.

13.1 Where We Store Data

We primarily store and process data in:

  • United States: [AWS REGIONS - ⚖️ REVIEW REQUIRED]
  • Europe: [AWS EU REGIONS - ⚖️ IF APPLICABLE]

13.2 Safeguards for International Transfers (EU/EEA)

If you are in the EU/EEA and your data is transferred outside the EEA, we use the following safeguards:

  • Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with third-party processors
  • Adequacy Decisions: We transfer data to countries recognized by the European Commission as providing adequate protection (e.g., UK, Switzerland, Japan)
  • Data Processing Agreements: All processors sign DPAs committing to GDPR-level protection

13.3 Third-Party Processors

Our key third-party processors and their locations:

  • AWS (Amazon Web Services): U.S. (covered by SCCs)
  • Stripe: U.S. (covered by SCCs)
  • OpenAI: U.S. (covered by SCCs)
  • Anthropic: U.S. (covered by SCCs)

⚖️ REVIEW REQUIRED: Verify that all international data transfers are covered by appropriate safeguards (SCCs, adequacy decisions, or other approved mechanisms). Ensure DPAs with third-party processors include required transfer provisions. Consider impact of Schrems II decision on U.S. transfers.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by:

  • Updating the “Last Updated” date at the top of this page
  • Sending you an email notification (to the address associated with your account)
  • Displaying a prominent notice on the Service or in your account dashboard
  • For significant changes affecting your rights, we may require you to affirmatively accept the new policy

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

For non-material changes (typos, clarifications, additional examples), we may update this policy without notice, but the “Last Updated” date will always reflect the most recent version.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Privacy Team

Email: privacy@idynic.com

Response Time: Within 30 days

Data Protection Officer (if applicable)

Email: dpo@idynic.com

⚖️ REVIEW REQUIRED: Required if engaging in large-scale GDPR processing

Mailing Address

[COMPANY LEGAL NAME - ⚖️ REVIEW REQUIRED]
[STREET ADDRESS - ⚖️ REVIEW REQUIRED]
[CITY, STATE ZIP - ⚖️ REVIEW REQUIRED]
[COUNTRY - ⚖️ REVIEW REQUIRED]

Important: This document contains sections marked “⚖️ REVIEW REQUIRED” which must be reviewed and customized by qualified legal counsel before use. This Privacy Policy is provided as a template and should not be relied upon without professional legal review, particularly for GDPR, CCPA, and international compliance.