Privacy Policy

Last updated: May 4, 2026

1. Introduction

HintCraft Spółka z o.o. ("we", "our", or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our job landing system and related services (collectively, the "Service").

We comply with the General Data Protection Regulation (GDPR), Polish data protection laws (RODO), and other applicable privacy regulations.

Please read this policy carefully. By using the Service, you acknowledge that you have read and understood how we handle your personal data.

2. Data Controller Information

Data Controller:

HintCraft Spółka z o.o.
ul. Kazimierza Morawskiego 5/127
30-102 Kraków, Poland
VAT EU: PL6762694168
Email: contact@hintcraft.com

For data protection matters, please email us at contact@hintcraft.com with "Data Protection" or "GDPR" in the subject line.

3. What Personal Data We Collect

We collect only the personal data necessary to provide and improve the Service. The data we collect depends on how you interact with our platform.

3.1 Information You Provide Directly

Account Registration:

  • Email address (required for account creation and login)
  • Authentication credentials are managed by Auth0 (operated by Okta, Inc., USA). We do not store passwords on our servers.
  • Name (optional, for personalization)

Profile Information:

  • Professional background and experience
  • Career goals and preferences
  • Skills and qualifications
  • Interview preparation content (questions, answers, practice sessions)
  • Resume and cover letter drafts
  • Job application tracking data

Payment Information:

  • Billing name and address
  • Payment method details (processed by Stripe; we do not store full credit card numbers)
  • Transaction history and invoices
  • EU Consumer Rights Consent: For customers in EU/EEA/UK countries, we store your consent to waive the 14-day withdrawal right (as required by EU Consumer Rights Directive 2011/83/EU) per-purchase/per-license, along with the date and time consent was given. This consent is captured at checkout and is required for immediate access to digital services.

Communications:

  • Messages you send us via email or contact forms
  • Support tickets and correspondence
  • Feedback and survey responses

3.2 Information Collected Automatically

Technical Data:

  • IP address (anonymized for analytics)
  • Browser type and version
  • Device type and operating system
  • Time zone and language preferences
  • Referral source (how you found us)

Usage Data:

  • Pages visited and features used
  • Time spent on the Service
  • Click patterns and navigation paths
  • Session duration and frequency
  • Feature usage statistics

Cookies and Similar Technologies:

  • Essential cookies for authentication and functionality
  • Preference cookies for language settings
  • See our Cookie Policy for details

3.3 Information from Third-Party Services

Authentication Provider (Auth0):

  • We use Auth0 (operated by Okta, Inc., USA) to authenticate users. When you sign in, Auth0 returns basic profile information to us (name, email, and where applicable a profile picture). Passwords are managed by Auth0 and are not transmitted to or stored by us.

Payment Processor:

  • Stripe provides us with payment status, transaction IDs, and billing information necessary to manage your subscription

4. How We Use Your Personal Data

We process your personal data for the following purposes:

4.1 Service Delivery

  • Create and manage your account
  • Provide access to features based on your subscription level
  • Store and retrieve your interview preparation content
  • Process AI-powered suggestions and recommendations
  • Track your job applications and progress
  • Deliver customer support and respond to inquiries

4.2 Service Improvement

  • Analyze usage patterns to improve features and user experience
  • Identify and fix technical issues
  • Develop new features and functionality
  • Conduct research and analytics (using anonymized data)

4.3 Communication

  • Send transactional emails (account confirmations, password resets, subscription updates)
  • Notify you about important changes to our Service or policies
  • Respond to your questions and support requests
  • Send service announcements and feature updates (you can opt out of non-essential communications)

4.4 Legal and Security

  • Comply with legal obligations and court orders
  • Prevent fraud, abuse, and unauthorized access
  • Enforce our Terms of Service and Fair Use Policy
  • Protect the rights, property, and safety of HintCraft, our users, and others

4.5 Business Operations

  • Process payments and manage subscriptions
  • Generate invoices and maintain financial records
  • Conduct internal audits and quality assurance

5. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

Contractual Necessity (Art. 6(1)(b) GDPR):

  • Processing necessary to provide the Service you've subscribed to
  • Managing your account and delivering core features

Legitimate Interests (Art. 6(1)(f) GDPR):

  • Improving our Service and user experience
  • Preventing fraud and ensuring security
  • Analyzing anonymous usage statistics
  • Marketing our services (where not requiring consent)

Legal Obligation (Art. 6(1)(c) GDPR):

  • Complying with tax, accounting, and other legal requirements
  • Responding to legal requests and court orders

Consent (Art. 6(1)(a) GDPR):

  • Sending optional marketing communications (you can withdraw consent anytime)
  • Using optional cookies (if we introduce them in the future)

6. How We Share Your Data

We do NOT sell, rent, or trade your personal data to third parties for their marketing purposes.

We share your data only in the following limited circumstances:

6.1 Service Providers

We work with trusted third-party service providers ("sub-processors") who process data on our behalf. All sub-processors are bound by data processing agreements (DPAs) and are required to protect your data and use it only for specified purposes.

Authentication:

  • Auth0 (operated by Okta, Inc., USA) - User authentication and session management. Configured with EU data residency where supported.

Payment Processing:

  • Stripe, Inc. (USA, with EU operations) - Payment processing and checkout. Stripe's privacy policy: stripe.com/privacy

AI Services:

  • Mistral AI (France, European Union) - Processing interview questions and generating AI responses. Mistral does not use your data to train their models. AI processing happens within the EU.

Analytics:

  • Mixpanel, Inc. (USA) - Product analytics. Loaded only after you grant analytics consent through our cookie banner.

Email Delivery:

  • Resend (USA, with EU sending region available) - Transactional and notification email (account confirmations, password resets, billing notifications, optional marketing).

Infrastructure:

  • Railway Corp. (USA, with EU regions used) - Application and database hosting. We use Railway's EU regions (Netherlands and/or Germany) for our application database.
  • Railway Buckets (S3-compatible object storage on Railway) - Stores user-uploaded files (such as resumes and supporting documents) within the same EU region as the application database.

A consolidated, current list of sub-processors is available on request to contact@hintcraft.com.

6.2 Legal Requirements

We may disclose your data when required by law or to:

  • Comply with legal obligations, court orders, or government requests
  • Enforce our Terms of Service or Fair Use Policy
  • Protect against fraud, security threats, or illegal activity
  • Protect the rights, property, or safety of HintCraft, our users, or the public

6.3 Business Transfers

If HintCraft is involved in a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you of any such change and your options regarding your data.

6.4 With Your Consent

We may share data with third parties if you explicitly consent to such sharing.

7. International Data Transfers

HintCraft is based in Poland (European Union). We design our stack to keep personal data within the EU wherever practical.

EU-Resident Processing:

  • Your application data (profile, application tracking, interview prep content, uploaded files) is stored within the EU on Railway infrastructure (Netherlands and/or Germany).
  • AI processing is handled by Mistral AI on servers located in France.

US-Headquartered Sub-Processors:

Some of our sub-processors are headquartered in the United States. We rely on these sub-processors only where they are necessary to deliver the Service, and only under appropriate safeguards:

  • Auth0 / Okta (authentication) - configured with EU data residency where supported.
  • Stripe (payment processing) - PCI DSS-certified, processes payment data under its own GDPR commitments.
  • Mixpanel (analytics) - loaded only after you grant analytics consent.
  • Resend (email delivery) - EU sending region available; we use it for transactional and notification email.

For these transfers, we rely on the European Commission's Standard Contractual Clauses (SCCs) or equivalent safeguards under Articles 44-49 GDPR, plus each provider's own GDPR-compliance program (DPF certification where applicable, encryption in transit and at rest, access controls).

Your Rights:

You can request the current list of sub-processors and copies of the relevant transfer mechanisms at any time by emailing contact@hintcraft.com.

8. Data Retention

We retain your personal data only as long as necessary for the purposes described in this policy or as required by law.

8.1 Active Accounts

  • Account and profile data: Retained while your account is active
  • AI prompt history and practice sessions: Retained while your account is active (you can delete anytime)
  • Usage analytics: Anonymized and aggregated data retained indefinitely for product improvement

8.2 After Subscription Expiration

When your paid subscription expires, we retain your data so that you can return to the Service without losing your work:

Up-to-3-Year Retention:

  • We retain your account data for up to 3 years after your subscription expires.
  • During this period you can sign in to view your data. Premium features are paused until you renew.
  • You can request an export of your data at any time by emailing contact@hintcraft.com (see Section 9).
  • After the 3-year window, we may delete your account and associated data. Where we are able, we will email you before doing so. If you would like guaranteed advance notice, contact us and we will record the request.

Early Deletion:

  • You may request immediate deletion of your account and data at any time by emailing contact@hintcraft.com.
  • We will action verified deletion requests within 30 days, subject to the legal-retention exceptions in Section 8.3.

8.3 Legal and Financial Records

  • Payment and invoice records: Up to 6 years (Polish tax law requirement)
  • Legal claims or disputes: Until resolved or statute of limitations expires
  • Fraud prevention records: As long as necessary to prevent repeat offenses

8.4 Anonymized Data

  • Aggregate statistics and anonymized usage data may be retained indefinitely for research and product improvement
  • This data cannot be linked back to you personally

9. Your Rights Under GDPR

As an individual in the EU/EEA, you have the following rights regarding your personal data:

9.1 Right of Access (Art. 15 GDPR)

You can request a copy of the personal data we hold about you.

9.2 Right to Rectification (Art. 16 GDPR)

You can request correction of inaccurate or incomplete personal data.

9.3 Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)

You can request deletion of your personal data in certain circumstances:

  • Data no longer necessary for the purposes collected
  • You withdraw consent (where processing is based on consent)
  • You object to processing and there are no overriding legitimate grounds
  • Data processed unlawfully

Note: We may retain certain data where legally required (e.g., financial records for tax purposes).

9.4 Right to Restriction of Processing (Art. 18 GDPR)

You can request that we limit how we use your data in certain situations.

9.5 Right to Data Portability (Art. 20 GDPR)

You can request a copy of your data in a structured, machine-readable format (e.g., JSON or CSV) by emailing contact@hintcraft.com with the subject line "Data Export Request". We will respond within 30 days.

9.6 Right to Object (Art. 21 GDPR)

You can object to processing based on legitimate interests or for direct marketing purposes.

9.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw it anytime. This does not affect the lawfulness of processing before withdrawal.

9.8 Right to Lodge a Complaint

You have the right to file a complaint with your local data protection authority:

Poland (UODO):
Urząd Ochrony Danych Osobowych
ul. Stawki 2, 00-193 Warszawa
Website: uodo.gov.pl

EU Data Protection Authorities:
Find your local authority at edpb.europa.eu

9.9 How to Exercise Your Rights

To exercise any of these rights, email us at contact@hintcraft.com with the subject "Data Rights Request" and identify which right you wish to exercise. Self-service tools for export and deletion are on our product roadmap; until they ship, the email path is the primary route.

We will respond to your request within 30 days (this may be extended by up to 2 months for complex requests, in which case we will let you know).

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, or alteration.

10.1 Security Measures

Technical Security:

  • Encryption of data in transit (TLS)
  • Encryption of sensitive data at rest
  • Authentication (including password hashing) is delegated to Auth0
  • Regular security reviews and vulnerability assessments
  • Firewall protection and access controls at the infrastructure layer

Access Controls:

  • Limited employee access to personal data (need-to-know basis)
  • Multi-factor authentication for internal systems
  • Regular access reviews and logging

Organizational Measures:

  • Employee training on data protection and security
  • Data breach response plan
  • Vendor security assessments

10.2 Your Responsibility

You are responsible for:

  • Keeping your password secure and confidential
  • Not sharing account access with others
  • Logging out from shared devices
  • Reporting suspected security incidents to us immediately

10.3 Data Breach Notification

In the unlikely event of a data breach affecting your personal data, we will:

  • Notify you without undue delay (within 72 hours where required by law)
  • Inform you of the nature of the breach and potential risks
  • Explain steps we're taking to mitigate the breach
  • Advise you on protective measures you can take
  • Report the breach to relevant supervisory authorities as required

11. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately. We will delete such data promptly.

12. AI and Your Data

12.1 How We Use AI

Our Service uses artificial intelligence to:

  • Generate interview question suggestions
  • Provide feedback on your answers
  • Analyze job descriptions
  • Offer personalized recommendations

12.2 AI Data Processing

When you use AI features:

  • Your input (questions, answers, profile information relevant to the prompt) is sent to Mistral AI (servers in France, European Union).
  • Processing is done in real time to generate responses.
  • Mistral AI does not use your data to train their AI models.
  • We may retain AI request and response logs for up to 30 days for debugging, abuse-prevention, and quality assurance, after which they are deleted or aggregated. Access to these logs is restricted to engineering staff on a need-to-know basis.
  • All AI processing remains within the EU.

12.3 Your Control

  • You can request deletion of your AI interaction history by emailing contact@hintcraft.com.
  • You can choose not to use AI features and still access non-AI parts of the Service where available.
  • We do not use your data to train third-party AI models, and we will not do so without your explicit consent.

13. Marketing Communications

13.1 Types of Communications

We may send you:

Transactional Emails (cannot opt out):

  • Account confirmations and password resets
  • Subscription and billing notifications
  • Service announcements and security alerts
  • Responses to your support requests

Marketing Emails (can opt out):

  • Feature updates and tips
  • Educational content about job searching
  • Product announcements and offers

13.2 Opting Out

You can unsubscribe from marketing emails:

  • Click the "Unsubscribe" link in any marketing email
  • Update preferences in your account settings
  • Email us at contact@hintcraft.com

You will continue to receive essential transactional emails even after opting out of marketing.

14. Third-Party Links

The Service may contain links to external websites, resources, or services not operated by us (e.g., job boards, company websites).

We are not responsible for the privacy practices of third-party sites. We encourage you to review their privacy policies before providing any personal data.

15. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: What personal information we collect and how we use it
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: We do not sell personal information (nothing to opt out of)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights

To exercise CCPA rights, email us at contact@hintcraft.com with "CCPA Request" in the subject.

16. Changes to This Privacy Policy

We may update this Privacy Policy to reflect:

  • Changes in our data practices
  • New features or services
  • Legal or regulatory requirements

16.1 Notification of Changes

When we make significant changes, we will:

  • Update the "Last updated" date
  • Notify you via email or in-app notification
  • Post a prominent notice on our website
  • Request consent for material changes affecting your rights

16.2 Your Acceptance

Your continued use of the Service after changes take effect constitutes acceptance of the updated policy. If you do not agree, please stop using the Service and contact us to delete your account.