Privacy Policy
Effective: 26 May 2026
The short version
- ✓ We collect only what we need to provide the service (account info, resume content, payment info via Stripe).
- ✓ We never sell your data.
- ✓ We share data only with vendors we use to run the product (Supabase, Anthropic, OpenAI, Stripe).
- ✓ You can export and delete your data at any time from your account settings.
- ✓ GDPR and CCPA rights are respected globally.
1. Who we are
Offersly is operated by Offersly Pte. Ltd., a company registered in Singapore. For privacy questions email [email protected]. See also our Trust & data protection page for sub-processor details and your data rights.
2. What we collect
Account data — email address, hashed password (via Supabase Auth), account creation date.
Resume content — everything you type or upload into Offersly: name, contact info, photo, summary, work history, education, skills, target role/company, application status, tags, achievement vault entries, chat messages with AI Coach, mock interview transcripts.
Payment data — handled directly by Stripe. We never see or store your card details. We do store a reference (Stripe customer ID, subscription ID) and your plan status (free / pro).
Usage data — page views, feature clicks, errors, browser/device info. Used to fix bugs and improve UX. Not used for tracking advertising.
Share-link analytics — when someone views your public share URL, we increment a counter and record a timestamp. We do not record viewer identity, location, or browser fingerprint.
Cookies — see Section 8 below.
3. How we use your data
We use your data only to:
- Provide the Service (build, save, export your resumes);
- Process AI requests on your behalf (see Section 4);
- Process payments via Stripe;
- Send transactional emails (account confirmation, password reset, billing receipts);
- Respond to your support requests;
- Detect and prevent fraud, abuse, or security issues;
- Comply with legal obligations.
We do not use your resume content to train AI models — neither ours nor any third party's.
4. Third-party providers
We share specific data with these providers solely to run the product:
- Supabase (EU-hosted PostgreSQL) — stores your account, resume content, and application data. Supabase Privacy.
- Anthropic (Claude) — receives your resume text when you invoke AI features (Tailor, Coach, Mock Interview, Translate, Cover Letter, Improve Bullet, JD Scraper, Parser). Anthropic does not train its models on content submitted through its API. Anthropic Commercial Terms · Privacy.
- OpenAI — used only for optional voice transcription (Mock Interview Speak mode, on browsers without on-device speech recognition). Audio is transcribed and discarded; not retained or used for training. OpenAI Business Terms.
- Stripe — handles all payment processing. We never see card details. Stripe Privacy.
- Cloudflare — hosting and CDN. Cloudflare Privacy.
- QuickChart.io — generates QR code images when you add a portfolio URL to your resume. The URL you paste is sent to QuickChart to render the QR code.
We do not use advertising trackers, third-party analytics that fingerprint users, marketing pixels, or data brokers.
5. Data retention
We retain personal data only for as long as it serves the purposes for which it was collected, in line with our Retention Limitation obligation (Singapore PDPA §25).
| Data type | Retention period |
|---|---|
| Active account + resume content | For the life of your account |
| Inactive accounts (no sign-in) | Warning email at 18 months · permanent deletion at 24 months (roll-out planned) |
| AI conversation history (Coach, Mock Interview) | Stored inside the parent resume — deleted with the resume (future: auto-pruned after 180 days) |
| Activity feed events | 30 days, then auto-pruned |
| Encrypted backups | 7–28 days (Supabase Point-in-Time Recovery) |
| Stripe payment + billing records | 7 years (IRAS requirement) |
| Audit logs of admin access | 2 years |
If you delete your account from /settings, your data is removed from our active database immediately and from encrypted backups within 30 days. Stripe records persist per legal requirement above.
6. Your rights
Regardless of where you live, you have the right to:
- Access — request a copy of all personal data we hold about you (JSON export).
- Correct — update inaccurate or incomplete data (you can edit most data directly from the dashboard).
- Delete — request deletion of your account and resume content.
- Port — export your resume data in machine-readable format.
- Object / restrict processing — opt out of specific uses where applicable.
- Withdraw consent — for any processing based on consent, at any time.
To exercise these rights, use the self-service flows in Settings & data, or email [email protected] from the address tied to your account. We respond within 30 calendar days.
If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority:
- Singapore residents: Personal Data Protection Commission (PDPC) — pdpc.gov.sg/complaints-and-reviews
- EU/UK residents: Your local data protection authority — list at edpb.europa.eu/about-edpb/members
- California residents: California Privacy Protection Agency — cppa.ca.gov
7. Singapore (PDPA), EU/UK (GDPR) & California (CCPA) specifics
Singapore (PDPA):
- Our lawful basis for processing is generally deemed consent under §17 (necessary for service performance), with express consent for optional features like public share links and any future marketing communications.
- We comply with all eleven PDPA obligations — see our Trust & data protection page for the full mapping.
- Our Data Protection Officer can be reached at [email protected].
- If you are not satisfied with our handling of your personal data, you may lodge a complaint with the PDPC at pdpc.gov.sg/complaints-and-reviews.
- For cross-border transfers (e.g. AI processing in the United States), we rely on Standard Contractual Clauses incorporated in our sub-processor DPAs, providing protection comparable to PDPA §26.
EU/UK (GDPR/UK-GDPR): Our lawful bases are (a) performance of contract (to provide the Service you signed up for), (b) consent (for optional features like public sharing), and (c) legitimate interests (fraud prevention, product improvement). You have the right to lodge a complaint with your local supervisory authority (see Section 6).
California (CCPA/CPRA): We do not sell personal information. We do not share personal information for cross-context behavioural advertising. California residents have the rights listed in Section 6 above plus the right to non-discrimination for exercising them.
8. Cookies
We use only essential cookies:
- Authentication cookies — set by Supabase Auth when you log in. HttpOnly, Secure, SameSite=Lax. Necessary for the Service to function.
- Preference cookies — small localStorage entries that remember your dashboard view mode, onboarding dismissal, and other UI preferences. Stay on your device; never sent to our servers.
We do not use advertising or third-party analytics cookies. There is no marketing pixel on this site.
9. Security
Data in transit is encrypted (HTTPS / TLS 1.2+). Data at rest is encrypted by Supabase (AES-256). Passwords are hashed by Supabase Auth with a bcrypt-equivalent algorithm — we never see them.
No system is 100% secure. If a breach occurs that involves personal data, we will notify affected users within 72 hours where required by law (GDPR Article 33).
10. Children
The Service is not intended for users under 16. If you believe a child has provided personal data to us, contact [email protected] and we will delete it.
11. International transfers
Your data may be transferred to and processed in countries other than your own — primarily the EU (Supabase) and US (Anthropic, OpenAI, Stripe, Cloudflare). All transfers are protected by appropriate safeguards (Standard Contractual Clauses, Data Processing Agreements, or equivalent).
12. Changes to this policy
We may update this policy. Material changes will be announced by email to registered users at least 14 days before taking effect.
13. Contact
Privacy questions, data requests, complaints:
[email protected]
Offersly Pte. Ltd., Singapore
See also our Terms of Service.