Privacy Policy
Last updated: April 1, 2026
1. Overview
This Privacy Policy describes how Jobtoss ("Jobtoss," "we," "us," or "our") collects, uses, stores, and protects your information when you use the Jobtoss Chrome extension and related services (the "Service"). By installing or using Jobtoss, you agree to the practices described in this Privacy Policy. If you do not agree, please uninstall the extension and discontinue use.
Jobtoss is a Chrome extension that helps job seekers apply faster by tailoring resumes to job descriptions, generating cover letters, and auto-filling job application forms using AI.
2. Information We Collect
2.1 Account Data
When you create an account, we collect:
- Email address (for authentication and account communications)
- Name (from Google OAuth or manual entry)
2.2 Profile Data (User-Provided)
To power resume tailoring, cover letter generation, and form auto-fill, we collect the information you provide during onboarding and profile editing:
- Full name, phone number, mailing address, location, LinkedIn URL
- Work history (employers, titles, dates, descriptions)
- Education history (schools, degrees, fields of study, GPAs, graduation dates)
- Skills, tools, and competencies
- Writing samples (optional, used for voice matching in cover letter generation)
- Job preferences (target roles, locations, salary range)
- Work authorization status and language proficiency
- AI-generated voice profile analysis (derived from your writing samples, if provided)
All profile data is provided voluntarily by you. We only collect what you choose to enter.
2.3 Application Data
When you use Jobtoss to apply for jobs, we collect:
- Job posting URLs you apply to
- Company names and role titles
- ATS platform detected (Greenhouse, Lever, Ashby, LinkedIn, or other)
- Keywords matched between your resume and job descriptions
- Job description text from the posting
- AI-generated tailored resume and cover letter text
- Screening question answers (both fixed and AI-generated)
- Application notes and callback status you enter
- Timestamps of applications
2.4 Website Content Accessed by the Extension
When you use Jobtoss on a job posting page, the extension reads the job description, job title, company name, and application form fields from that page. This content is used solely to tailor your resume, generate a cover letter, and auto-fill the application form.
The extension does not access, read, or collect content from any websites other than pages where you actively invoke Jobtoss on a detected job application form. The extension does not run in the background on non-job pages, does not monitor your browsing activity, and does not collect data from any page where you are not actively using the Service.
2.5 Usage Data
To enforce subscription limits and improve the Service, we collect:
- Daily and monthly application counts
- Subscription tier and status
- AI model used per request (for cost tracking)
- Rate limit tracking (request counts per time window)
- AI token usage and cost tracking per request
3. Information We Do NOT Collect
We want to be explicit about what Jobtoss does not collect:
- Browsing history — We do not track, collect, or store your browsing history, visited URLs, or any activity on websites other than pages where you actively use Jobtoss.
- Passwords or financial information — Payments are handled entirely by Stripe. We never see, store, or process your credit card number, bank account information, or any other financial credentials.
- Content from non-job-related websites — The extension only reads page content when it detects a job application form and you actively engage with the Jobtoss popup.
- Screenshots or recordings — We do not capture screenshots, recordings, or visual representations of your screen or browsing activity.
- Keystrokes or input monitoring — We do not log keystrokes or monitor your input on any website.
- Data from other browser extensions — We do not interact with or collect data from any other extensions installed in your browser.
4. How We Use Your Information
We use the information we collect for the following purposes and no others:
| Purpose | Data Used |
|---|---|
| Resume tailoring | Work history, skills, education, job description text — sent to Anthropic's Claude AI |
| Cover letter generation | Writing samples, work history, job description — sent to Anthropic's Claude AI |
| Screening question answers | Profile data, job context — sent to Anthropic's Claude AI |
| Form auto-fill | Profile data (name, email, phone, work history, education, preferences) |
| Usage limit enforcement | Application counts, subscription tier |
| Service improvement | Aggregated, anonymized usage patterns (never individual-level data) |
| Account administration | Email address, name |
| Transactional communications | Email address (for verification, password resets, billing receipts) |
We do not use your data to train AI models. We do not sell, rent, or share your personal data with third parties for their marketing purposes. We do not use your data for advertising or ad targeting.
5. Third-Party Services
Jobtoss uses the following third-party services to operate. Each service receives only the minimum data necessary for its function:
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase (hosted on AWS) | Authentication, database, file storage | Account data, profile data, application records |
| Anthropic (Claude AI) | Resume tailoring, cover letter generation, screening answers | Work history, skills, education, job descriptions, writing samples |
| Stripe | Payment processing | Email address (for billing). Stripe handles all payment card data directly; we never see or store your card number. |
| Google | OAuth sign-in | Email, name, profile picture (via Google OAuth consent screen) |
| Cloudflare | CDN, web application firewall, DDoS protection | API traffic is routed through Cloudflare for security. No user data is stored by Cloudflare. |
| Resend | Transactional emails (verification, password resets, billing receipts) | Email address (for delivery only) |
Each third-party service has its own privacy policy governing its handling of data. We encourage you to review those policies:
- Supabase: supabase.com/privacy
- Anthropic: anthropic.com/privacy
- Stripe: stripe.com/privacy
- Google: policies.google.com/privacy
- Cloudflare: cloudflare.com/privacypolicy
- Resend: resend.com/legal/privacy-policy
We are not responsible for the privacy practices of any third-party service. Our use of third-party services does not constitute an endorsement of their data practices.
6. Data Storage and Security
We take the security of your data seriously and implement the following measures:
- Row Level Security (RLS): All database queries are enforced through Supabase's Row Level Security policies, ensuring that users can only access their own data.
- Server-side AI processing: All AI calls are routed through server-side Edge Functions. API keys never appear in the extension code or on your device.
- Authentication: JWT tokens with 60-minute expiry. Sessions are refreshed automatically.
- File storage: Generated documents (tailored resumes, cover letters) are stored using signed URLs with 1-hour expiry. Files are encrypted at rest.
- Encryption in transit: All data transmitted between your browser, our servers, and third-party services is encrypted using TLS.
- Encryption at rest: All stored data is encrypted at rest on Supabase (AWS infrastructure).
No system is perfectly secure. While we use commercially reasonable security measures, we cannot guarantee absolute security. You acknowledge that you provide your data at your own risk and that we are not responsible for circumvention of any privacy settings or security measures we have in place.
7. Data Retention
- Account and profile data: Retained while your account is active. Deleted upon account deletion.
- Application records: Retained while your account is active. Deleted upon account deletion.
- Generated documents (tailored resumes, cover letters): Retained while your account is active. Deleted upon account deletion.
- Usage logs: Retained for up to 90 days for debugging and abuse prevention, then automatically purged.
When you delete your account, all associated data — including your profile, application history, and generated documents — is permanently deleted and cannot be recovered.
8. Your Rights
You have the following rights regarding your data:
- Access: View all your data at any time within the extension's settings pages (Profile Editor and Application Log).
- Export: Export your application history as a CSV file from the extension.
- Correction: Edit your profile data at any time in the extension.
- Deletion: Delete your account and all associated data via the extension settings or by contacting support@jobtoss.io. Deletion is permanent and irreversible.
To exercise any of these rights, use the controls within the extension or contact us at support@jobtoss.io.
9. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: You may request details about the categories and specific pieces of personal information we collect about you, the sources from which it was collected, the purposes for which it is used, and the third parties with whom it is shared.
- Right to Delete: You may request deletion of your personal information. Use the delete account feature in the extension or contact support@jobtoss.io.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale: Jobtoss does not sell your personal information. We do not share personal information for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information: We only use sensitive personal information (such as work authorization status) for the purposes of providing the Service as described in this Privacy Policy.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
To exercise these rights, contact support@jobtoss.io with your request. We will verify your identity and respond within 45 days as required by law.
Categories of Personal Information Collected (CCPA Disclosure)
| CCPA Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email, phone, address | Yes |
| Professional or employment-related information | Work history, skills, education | Yes |
| Internet or network activity | Pages visited within ATS platforms when using Jobtoss | Yes (limited) |
| Geolocation data | City/state from user-entered location | Yes (user-provided only) |
| Commercial information | Subscription tier, payment history | Yes |
| Inferences | AI-generated voice profile, keyword match scores | Yes |
We do not collect: Protected classification characteristics, biometric information, sensory data, financial account numbers, or Social Security numbers.
10. Chrome Extension Permissions
Jobtoss requests only the permissions necessary for its core functionality:
| Permission | Why We Need It |
|---|---|
| activeTab | Read job descriptions and form fields from the current tab when you invoke Jobtoss |
| storage | Store your session, preferences, and cached data locally in your browser |
| unlimitedStorage | Store master profiles and application history beyond the default 10MB storage quota |
| scripting | Detect ATS platforms and fill application form fields on job pages |
| tabs | Check which tab is active for ATS detection when you open the popup |
| identity | Enable Google OAuth sign-in |
| alarms | Keep the service worker alive for session refresh and run periodic sync tasks |
11. Host Permissions
We request access only to the following specific domains, which correspond to the ATS platforms Jobtoss supports:
- boards.greenhouse.io — Greenhouse job applications
- job-boards.greenhouse.io — Greenhouse embedded job boards
- jobs.lever.co — Lever job applications
- jobs.ashbyhq.com — Ashby job applications
- www.linkedin.com/jobs — LinkedIn job postings and Easy Apply
The extension does not request broad host permissions (such as access to "all websites"). It only activates on the domains listed above and on pages where its universal detection system identifies a job application form that you choose to interact with.
12. Chrome Web Store Compliance
Jobtoss's use of information received from Google APIs adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements. Specifically:
- We only request permissions necessary for the extension's stated functionality.
- We do not sell user data to third parties.
- We do not use or transfer user data for purposes unrelated to the extension's core functionality (resume tailoring, cover letter generation, and form auto-fill).
- We do not use or transfer user data to determine creditworthiness or for lending purposes.
13. Children's Privacy
Jobtoss is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have collected personal information from a person under 18, we will take immediate steps to delete such information. If you believe a minor has provided us with personal information, please contact us at support@jobtoss.io.
14. International Users
Jobtoss is operated from the United States. If you access the Service from outside the United States, you understand and consent to the transfer of your personal information to and processing of it in the United States, where data protection laws may differ from those in your jurisdiction.
15. Third-Party Websites and Platforms
When you use Jobtoss on a third-party website (such as Greenhouse, Lever, Ashby, or LinkedIn), your interactions with that website are governed by that website's own privacy policy and terms of service. Jobtoss is not responsible for the privacy practices, data collection, or data handling of any third-party website or platform. We encourage you to review the privacy policies of any third-party websites you use in connection with the Service.
16. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the extension's update notes and, where applicable, by email to the address associated with your account. Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the updated policy.
17. Contact
For privacy questions, data requests, or to exercise your rights under this policy:
Email: support@jobtoss.io