Skip to main content

Privacy Policy

Effective Date: 19 May 2026  ·  Version 1.0

This Privacy Policy explains how HireGPS ("Company," "we," "us," or "our") collects, uses, shares, and protects your personal information when you use the HireGPS mobile application, website, and related services (collectively, the "Services"). Please read this Policy carefully before using our Services.

HireGPS is a pre-launch business-to-consumer (B2C) career intelligence platform. Our Services help users evaluate how their CV or résumé may be interpreted from a professional recruiter's screening perspective before submitting job applications. The platform is available as an iOS and Android mobile application and via our website at hiregps.app.

This Policy applies to all personal information we collect across our mobile applications, website, and any related products or services. It governs your use of the Services regardless of how you access them.

This Policy has been prepared with reference to the following legal frameworks:

  • EU General Data Protection Regulation (GDPR — Regulation 2016/679)
  • UK GDPR and Data Protection Act 2018
  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) amendments
  • Children's Online Privacy Protection Act (COPPA) — United States
  • Turkish Personal Data Protection Law (KVKK — Law No. 6698)
  • UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL)
  • Apple App Store Review Guidelines — Privacy Requirements
  • Google Play Developer Policy — Data Safety Requirements

Important: HireGPS does not represent any employer, staffing agency, or hiring organisation. The Services are intended as informational career guidance only and do not make employment decisions, guarantee interviews, or determine candidate eligibility for any role.

HireGPS acts as the data controller for personal information processed under this Policy. Our company formation is currently in progress; registered entity details will be published at www.hiregps.app/legal upon completion and no later than the public launch of the Services.

You can contact us regarding any privacy matter through the following channels:

For users in the EU/EEA or United Kingdom, our EU/UK representative details will be published at the address above upon finalisation of our corporate structure.

We collect information you provide directly, information generated through your use of our Services, and limited information received from third parties. The categories below describe this in full.

3.1 Information You Provide Directly

A. Account Information

  • Full name
  • Email address
  • Password (stored as a one-way cryptographic hash; never stored in plaintext or reversible form)
  • OAuth authentication identifiers (if Apple Sign-In or Google Sign-In is used)

B. CV and Career Content

  • Employment history (employer name, job title, dates of employment, location, responsibilities, achievements)
  • Education history (institution name, qualification type and level, field of study, graduation year, country)
  • Certifications and professional qualifications
  • Language skills and assessed proficiency levels
  • Technical tools, systems, and skills
  • User-supplied explanations for employment gaps
  • Relocation preferences and mobility intentions
  • Work authorisation status

C. Target Role Information

  • Target position title and seniority level
  • Target industry and job function
  • Target location and country
  • Company name and estimated company size (optional)
  • Key requirements extracted from a job posting (optional free-text input)

D. User Preferences and Settings

  • Analytics participation preference (opt-in; off by default)
  • Notification preferences

3.2 Information Collected Automatically

When you use our Services, we automatically collect:

  • Device type, operating system version, and application version
  • Application session duration and in-app feature engagement events
  • Crash reports and error diagnostic logs
  • Approximate geographic location derived from IP address (country level only)
  • API response times and analysis processing metrics

Note on 'GPS' in Our Name: HireGPS does not collect precise GPS location data, real-time location signals, or device location coordinates. The term 'GPS' in our brand name is used metaphorically to describe career navigation guidance and does not refer to geolocation technology.

3.3 Information from Third Parties

  • Subscription status, entitlement, and billing event notifications from Apple and Google, delivered via RevenueCat
  • Authentication session tokens from Apple Sign-In or Google Sign-In (where used)

Version 1.0 does not include LinkedIn import, job-board integration, or social media profile linking. We do not purchase or receive personal information from data brokers.

3.4 Information We Do Not Collect

  • Keystroke-level monitoring data
  • Precise GPS coordinates or real-time location
  • Payment card numbers, bank account details, or full financial credentials
  • Biometric identifiers
  • Government-issued ID numbers

4.1 Providing and Operating the Services

  • Parsing, structuring, and storing your CV content to enable analysis
  • Constructing recruiter persona models across 10 regions, 21 industries, 20 job functions, and 7 seniority levels
  • Running deterministic scoring across eight assessment categories to generate a 0–100 shortlist score
  • Producing a Shortlist, Hold, or Reject classification and risk inventory
  • Generating recruiter-oriented explanations and ranked improvement recommendations
  • Delivering CV rewrite suggestions and interview preparation content to Premium subscribers
  • Managing your account, subscription entitlements, and billing status

4.2 Improving the Services

  • Diagnosing and resolving technical issues through crash reports and error logs
  • Monitoring platform performance, availability, and latency
  • Conducting anonymised and aggregated analysis of feature usage to inform product development (where you have opted in)

4.3 Communications

  • Sending transactional messages (account verification, subscription confirmations, security alerts)
  • Providing customer support responses
  • Sending service-related notices and Policy updates

4.4 Legal Compliance and Security

  • Detecting, investigating, and preventing fraudulent accounts and abuse
  • Complying with applicable legal obligations and responding to lawful requests
  • Enforcing our Terms of Service and protecting our rights

4.5 Purposes for Which We Will Never Use Your Information

The following restrictions are absolute and may not be overridden by internal policy change or commercial arrangement.

  • Selling, licensing, or renting your personal information to any third party
  • Using your CV content to train, fine-tune, or improve any AI or machine-learning model for general purposes
  • Sharing your profile with employers, recruiters, staffing agencies, or hiring platforms without your explicit consent
  • Commercial behavioural advertising or third-party ad targeting
  • Using any protected characteristic — including race, ethnicity, national origin, gender, age, religion, disability, pregnancy, family status, or sexual orientation — as a scoring signal, input variable, or output factor

For users in the European Economic Area and the United Kingdom, we process personal information on the following legal bases:

Performance of a Contract (Article 6(1)(b) GDPR)

We process information necessary to provide the Services you have requested, including:

  • Account creation and authentication
  • CV parsing, storage, and analysis processing
  • Score generation, risk identification, and explanation delivery
  • CV rewrite and interview preparation services (Premium)
  • Subscription management and premium access enforcement

Legitimate Interests (Article 6(1)(f) GDPR)

We process information for our legitimate interests, where those interests are not overridden by your rights:

  • Fraud detection and abuse prevention
  • Platform security monitoring and incident response
  • Ensuring consistency and accuracy of analysis outputs
  • Application stability and performance monitoring

Consent (Article 6(1)(a) GDPR)

We rely on your consent for:

  • Anonymised usage analytics (where you have opted in via the analytics toggle in Account settings)
  • Marketing communications (obtained separately at the point of collection)

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

Legal Obligation (Article 6(1)(c) GDPR)

We process information to comply with legal obligations, including:

  • Tax and financial record retention requirements
  • Responding to binding requests from competent authorities

5.1 Automated Decision-Making Disclosure

HireGPS applies deterministic, rules-based logic to produce your shortlist score and classification. While AI language models are used for limited parsing and explanation-generation tasks, the core scoring arithmetic, risk-trigger evaluation, and classification decision are produced by deterministic rule functions — not by opaque AI inference.

Under GDPR Article 22, you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. The HireGPS score and classification are provided for informational and self-improvement purposes only. They do not constitute employment decisions, are not shared with employers, and have no binding legal or contractual effect. No employment eligibility determination is made by our platform.

You may request a review of any analysis output, correct input data via the Parsing Review screen, and delete your analysis records at any time.

6.1 How AI Is Used

HireGPS uses third-party AI model providers for specific, bounded language-processing functions. AI is used only for:

  • CV parsing and extraction of structured fields from uploaded documents
  • Quality classification of achievement language (e.g., strong, adequate, weak, or unanchored)
  • Grammar and vague-language detection
  • Natural language rendering of recruiter-risk explanations from structured templates
  • CV rewrite suggestions within the faithfulness constraints described below

6.2 How AI Is Not Used

  • AI does not determine the scoring weights, scoring thresholds, or classification thresholds
  • AI does not trigger or suppress recruiter-risk flags
  • AI does not make or influence employment eligibility decisions
  • AI does not generate facts, credentials, or employment claims that are not present in your source content

6.3 Rewrite Faithfulness Commitment

Our CV rewrite functionality operates under a strict faithfulness principle. The system is designed and instructed not to introduce:

  • Metrics, figures, or quantitative claims not present in your source CV or confirmed by you
  • Responsibilities, outcomes, or achievements not stated or user-confirmed
  • Certifications, qualifications, or credentials not stated
  • Dates, durations, or timeframes not stated or inferrable with certainty
  • Projects, promotions, title changes, or scope claims not present in source content

You remain solely responsible for reviewing and approving all rewritten content before any external use, including job applications.

6.4 AI Vendors and Training Restrictions

We intend to engage AI and infrastructure vendors that provide contractual commitments or platform-level controls designed to restrict the use of submitted customer content for generalised AI model training. Planned safeguards include data processing agreements (DPAs), enterprise processing configurations, and restricted-retention settings where available from our vendors.

We use Anthropic's Claude API for all AI-powered CV analysis. Anthropic processes this data as a data processor on our behalf, bound by a Data Processing Addendum (DPA) incorporated into their Commercial Terms of Service. The current DPA can be reviewed at https://www.anthropic.com/legal/dpa.

We will publish our subprocessor list at www.hiregps.app/subprocessors. Material changes to AI processing arrangements will be communicated in accordance with Section 14 of this Policy.

7.1 Service Providers (Data Processors)

We share personal information with trusted third-party service providers who process it on our behalf, solely for the purposes described in this Policy and under binding data processing agreements:

  • Cloud infrastructure providers (server hosting, managed database services, object storage)
  • AI API providers (CV text parsing and content generation; restricted to transactional processing only — no training use)
  • RevenueCat (cross-platform subscription entitlement management and webhook delivery)
  • Apple Inc. and Google LLC (app store billing infrastructure and transaction processing)
  • Crash reporting and application performance monitoring tools
  • Customer support ticketing platforms

7.2 Legal Disclosure

We may disclose your information where required by law, including in response to:

  • Court orders, subpoenas, or other binding legal process
  • Requests from competent regulatory or law enforcement authorities
  • Situations involving an imminent risk to the safety of any person
  • Protection or enforcement of our legal rights

7.3 Business Transfers

If HireGPS is involved in a merger, acquisition, asset sale, or similar corporate transaction, your personal information may be transferred as part of that transaction. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.

7.4 What We Do Not Share

We do not share your personal information with:

  • Employers, recruitment firms, staffing agencies, or corporate hiring teams
  • Advertising networks, data brokers, or third-party marketers
  • Job boards, applicant tracking system providers, or employment databases
  • Any party that would use your data to evaluate you as a job candidate without your explicit consent

HireGPS operates as a global service. Where personal information is transferred from the EU/EEA, United Kingdom, or other jurisdictions with cross-border transfer restrictions to countries not recognised as providing an adequate level of data protection, we will ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreements (IDTA) for transfers from the UK
  • Adequacy decisions where applicable to the recipient country
  • Binding Corporate Rules or other equivalent mechanisms where available

For users in Turkey, data transfers are conducted in accordance with Article 9 of the KVKK and relevant guidance from the Personal Data Protection Authority (KVKK Authority). A list of countries to which data is transferred will be made available upon request.

We retain your personal information only for as long as necessary for the purposes described in this Policy, or as required by applicable law. Our current retention standards are as follows:

Account and Profile Data

Retained while your account is active. Following account deletion, core account data is targeted for deletion within a reasonable period in accordance with our deletion workflows, subject to any applicable legal retention obligations.

CV Files and Structured Content

Retained while your account is active. Following an account deletion request, CV files and associated structured data are targeted for deletion within 24 hours. Backup and archive deletion timelines may extend beyond this window; legal counsel guidance on appropriate disclosure wording is ongoing.

Analysis Records and Audit Trails

Retained for approximately two years from the date of generation, then deleted.

Session and Activity Logs

Retained for approximately 90 days, then deleted.

Subscription and Transaction Records

Retained for up to seven years as required by applicable tax and financial record-keeping obligations.

Anonymised and Aggregated Analytics

Retained indefinitely in non-personally-identifiable aggregated form.

Note: Our deletion automation workflows are under active development and are expected to continue evolving prior to launch. The timelines above represent our current operational targets and implementation intent.

We implement reasonable technical and organisational measures designed to protect your personal information against unauthorised access, disclosure, alteration, or destruction.

10.1 Technical Safeguards

  • Encrypted cloud storage with server-side encryption (AES-256 or equivalent) at the database layer
  • Keys managed via cloud-provider Key Management Service (KMS)
  • Encryption in transit using TLS 1.3 minimum
  • Certificate pinning enforced in the mobile application
  • Passwords stored exclusively as one-way cryptographic hashes
  • JSON Web Tokens (JWTs) for authentication with 24-hour expiry and 7-day refresh windows
  • Account lockout after five consecutive failed login attempts (30-minute lockout period)
  • CV files are not stored locally on your device following upload
  • Analysis results cached in OS-provided encrypted storage containers on device

10.2 Organisational Safeguards

  • Access to personal data limited to personnel who require it to perform their role
  • Data processing agreements in place with all subprocessors
  • Internal authorisation controls and access review procedures
  • Defined incident response and breach notification procedures

No method of transmission over the internet, and no method of electronic storage, is completely secure. While we use commercially reasonable means to protect your information, we cannot guarantee absolute security.

11.1 Rights Available to All Users

  • Right to Access: Request a copy of the personal information we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Deletion: Delete your account and all associated data via Account > Delete Account
  • Right to Data Portability: Export your data in a structured, machine-readable format via Account > Export My Data
  • Right to Withdraw Consent: Withdraw consent for consent-based processing at any time via Account > Privacy & Data Controls

11.2 EU / EEA and UK Users (GDPR / UK GDPR)

  • Right to Object: Object to processing based on legitimate interests
  • Right to Restriction: Request restriction of processing in certain circumstances
  • Right Not to be Subject to Automated Decision-Making: As described in Section 5.1, our Services do not make legally significant automated decisions
  • Right to Lodge a Complaint: Contact your local supervisory authority (e.g., ICO in the UK, your national DPA in the EU)

11.3 California Residents (CCPA / CPRA)

  • Right to Know: Know what personal information we collect, use, disclose, and share
  • Right to Delete: Request deletion of your personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioural advertising
  • Right to Limit Use of Sensitive Personal Information: Request that we limit use of sensitive personal information to disclosed purposes
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights

HireGPS does not sell personal information. We do not share personal information for cross-context behavioural advertising as defined under CPRA. Accordingly, no 'Do Not Sell or Share' opt-out mechanism is required under current operations; however, all CCPA/CPRA deletion and access rights are fully supported.

11.4 Turkish Users (KVKK)

  • All rights under Article 11 of KVKK No. 6698 apply in full
  • Right to apply to the Personal Data Protection Authority (KVKK Kurumu) to lodge a complaint

11.5 How to Exercise Your Rights

To exercise any of the rights described above, please contact us at support@hiregps.app or use the in-app tools in Account > Privacy & Data Controls. We will respond to verified requests within 30 days (or the shorter period required by applicable law). We may need to verify your identity before processing your request.

HireGPS is an individual career development platform. Our Services are available to users aged 16 and above. We do not knowingly provide the Services to children under the age of 13.

12.1 Users Aged 13–15

Users between the ages of 13 and 15 should not use the Services without verifiable parental or guardian consent. We do not proactively verify age during registration in version 1.0; however, we will act promptly upon becoming aware that a user under 16 is using the platform without appropriate consent.

12.2 COPPA Compliance (United States)

We do not knowingly collect personal information from children under the age of 13 in the United States without verifiable parental consent as required by the Children's Online Privacy Protection Act (COPPA). If we become aware that we have collected personal information from a child under 13 without verifiable parental consent, we will take reasonable steps to delete that information promptly.

12.3 Parental Contact

Parents or legal guardians who believe their child under 13 has provided personal information to us without consent may contact us at support@hiregps.app to request review, correction, or deletion.

Our mobile application does not use browser cookies. Our website uses strictly necessary cookies only — for session management and security token handling — without which the Services cannot function correctly.

We do not deploy social media tracking pixels, third-party retargeting cookies, or behavioural advertising trackers on our website or application. Where third-party analytics tools are used, they are configured to operate in anonymised, aggregated mode only.

14.1 Apple App Store (iOS)

The iOS application has been developed in accordance with Apple's App Store Review Guidelines and Apple's Privacy Policy requirements. App Privacy information (data types collected, linked to you, not linked to you, and used to track you) is disclosed on the App Store product page in the 'App Privacy' section.

  • Subscriptions are managed through Apple In-App Purchase (StoreKit 2)
  • Manage or cancel your subscription via Settings > [Your Apple ID] > Subscriptions
  • Refund requests for Apple purchases are subject to Apple's refund policy

14.2 Google Play (Android)

The Android application has been developed in accordance with Google Play Developer Policy and Data Safety requirements. Data safety information is disclosed in the Google Play Store Data Safety section.

  • Subscriptions are managed through Google Play Billing Library (v5+)
  • Manage or cancel your subscription via Google Play app > Account > Subscriptions

We may update this Policy periodically. When we make changes, we will notify you through:

  • An in-app notification at next launch
  • An email to your registered address
  • An updated version date at the top of this Policy

For material changes, we will provide at least 30 days' prior notice. Your continued use of the Services after the effective date of a revised Policy constitutes your acceptance of that revision, to the extent permitted by applicable law.

For any questions, requests, or concerns relating to this Policy or the processing of your personal information: