Privacy Policy
Last updated: 21 June 2026
1. Who we are
Autoply (“we”, “our”, “us”) operates the website at autoply.tech and the Chrome Extension “Autoply — Apply to Jobs in One Click” (Chrome Web Store ID: ljdpkdmflbimiklokjldkjbgbjccadmf). We are the data controller for personal data collected through these services.
Contact: privacy@autoply.tech
2. What we collect
Website and dashboard (autoply.tech)
- Account data: email address, full name (when provided). Used to create and maintain your account.
- CV content: the text and file you upload. Stored in Supabase Storage, encrypted at rest. Used solely to generate tailored applications.
- Job preferences: target titles, locations, salary expectations — stored in your profile. Used to filter and rank job matches.
- Application records: which jobs you saved, their status, and outcomes. Used to power your dashboard.
- Gmail OAuth token: a refresh token scoped to read-only Gmail access when you connect Gmail. We never store your Gmail password. Stored encrypted. Used only to detect recruiter replies.
- BYOK API key: if you provide your own AI provider key, it is stored encrypted and never logged or forwarded anywhere except the AI provider you specified.
- Payment data: handled entirely by Stripe. We store only your Stripe customer ID and a record of credits purchased — never card details.
Chrome Extension (on-device storage only)
- Autoply session and refresh tokens: stored in
chrome.storage.localon your device. Used to authenticate your requests to autoply.tech and to silently renew your session. Never transmitted to any third party. - Your email address: stored in
chrome.storage.localsolely to display which account is connected in the extension popup. Never transmitted to any third party beyond the initial authentication with Supabase. - Extension preferences: your settings (daily save limit, per-site toggles, working hours) stored in
chrome.storage.local. Never transmitted externally. - Daily usage counter: a daily count of jobs saved, broken down by source (e.g. LinkedIn), stored in
chrome.storage.local. Used solely to display rate-limit warnings to you in the extension popup. Resets each day. Never transmitted externally. - Saved job URL list: to avoid showing the “Save” button twice on the same listing, the extension stores a small list of saved job keys in
chrome.storage.local. Contains only job page identifiers — no personal data. Automatically trimmed to the 200 most recent entries. Never transmitted externally.
3. Legal basis for processing (GDPR)
For users in the UK or EU, we process your personal data on the following legal bases:
- Contract performance (Article 6(1)(b)): processing your CV, job preferences, application records, and session token is necessary to deliver the service you signed up for.
- Legitimate interests (Article 6(1)(f)): aggregated, anonymised usage statistics to improve the service — never linked back to individual users.
- Consent (Article 6(1)(a)): connecting your Gmail account. You can revoke this at any time from your dashboard settings.
4. How we use your data
- To queue and track job applications saved through the extension or dashboard.
- To tailor your CV and cover letter using AI (your data is sent to whichever AI provider you configure — Anthropic, OpenAI, Google, or Mistral).
- To detect recruiter replies in your Gmail inbox and surface them in your dashboard (only when Gmail is connected).
- To send you transactional emails (save confirmations, recruiter reply alerts) via Resend.
- To compute platform-level statistics (anonymised and aggregated — never individual).
5. What we never do
- We never sell your data to third parties.
- We never read Gmail emails that are not from known recruiter domains or job-related senders.
- We never store your Gmail password.
- We never use your CV or applications to train AI models.
- We never share individual application data with employers, recruiters, or any other party.
6. Chrome Extension — full disclosure
The Autoply Chrome Extension (ID: ljdpkdmflbimiklokjldkjbgbjccadmf) complies with the Chrome Web Store Developer Program Policies. The following is a complete description of all data the extension collects, uses, and transmits.
Data collected and transmitted externally
The only data the extension transmits outside your device is job listing content, sent to autoply.tech when you click “Save with Autoply”:
- Job title, company name, location, salary (where present on the page), and job description text — read from the job board page you are viewing at the moment you click the button.
- Transmitted over HTTPS to autoply.tech. Stored in your Autoply account database. Not shared with any other third party.
Data stored locally only (never transmitted)
- Autoply session and refresh tokens — kept in
chrome.storage.local; used only to authenticate save requests to autoply.tech and to silently renew expired sessions. - Your email address — kept in
chrome.storage.local; used only to display which account is connected in the extension popup. Never transmitted externally. - Extension preferences — kept in
chrome.storage.local; used only to control local extension behaviour. - Daily usage counter — kept in
chrome.storage.local; used only to display rate-limit warnings to you inside the extension popup. Resets each calendar day. - Saved job URL list — kept in
chrome.storage.local; used only to prevent showing the “Save” button twice on already-saved listings.
Permissions used
storage— to read and write the items above inchrome.storage.local.- Host permissions for
autoply.techandukzdupixodmnvnbjwvbz.supabase.co— to authenticate your session and transmit saved job data to your account. - Content scripts on LinkedIn, Indeed, Reed, Totaljobs, CV-Library, Greenhouse, Lever, and Workable — to inject the “Save with Autoply” button on job listing pages only.
What the extension does not do
The extension does not read browser cookies, monitor general browsing history, read emails, interact with any page outside the supported job board URLs, transmit data in the background, or collect any data passively — it acts only when you click the “Save with Autoply” button.
7. Third-party services and data shared
- Supabase (EU region) — database and file storage. Receives: account data, CV content, job preferences, application records, encrypted session tokens.
- Stripe (US) — payment processing. Receives: email address, billing details you enter during checkout. Governed by Stripe's own privacy policy.
- Resend (US) — transactional email. Receives: your email address and email content (e.g. “a recruiter replied”).
- Railway (US) — server-side automation workers. Processes: job data and application logic on our behalf; does not have independent access to your personal data.
- Anthropic / OpenAI / Google / Mistral — AI providers. Receives: your CV content and job description text when generating tailored applications. Only the provider you have configured (via BYOK or Autoply's hosted AI) receives this data.
- Google (Gmail API) — only when you connect Gmail. Receives: OAuth token to read emails from your inbox. Governed by Google's privacy policy. You can disconnect at any time.
8. International data transfers
Our primary database (Supabase) is hosted in the EU. Some third-party processors (Stripe, Resend, Railway) are based in the United States. Where data is transferred outside the UK/EU, we rely on Standard Contractual Clauses or equivalent mechanisms as required by UK GDPR and GDPR. For questions about international transfers, email privacy@autoply.tech.
9. Security
- All data in transit is protected by TLS/HTTPS.
- CVs and API keys are encrypted at rest in Supabase Storage.
- Authentication tokens are stored in
chrome.storage.local(not in web-accessible storage). - We do not log or transmit your BYOK API key except directly to the AI provider you specified.
10. Data retention
Your data is retained for as long as your account is active. You can delete your account at any time from Settings → Delete Account. All associated personal data is permanently deleted within 30 days. On-device extension data (session and refresh tokens, email address, preferences, usage counters) can be cleared at any time from the extension's Settings page using “Clear cached data”.
11. Your rights (GDPR / UK GDPR)
If you are based in the UK or EU, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion of your data (“right to be forgotten”).
- Export your data in a portable format.
- Withdraw consent (e.g. Gmail connection) at any time.
- Lodge a complaint with the UK Information Commissioner's Office (ICO) or your local supervisory authority.
Email privacy@autoply.tech and we will respond within 30 days.
12. Changes to this policy
If we make material changes to this privacy policy, we will update the “Last updated” date at the top of this page and notify active users by email at least 7 days before the changes take effect. Continued use of Autoply after that date constitutes acceptance of the updated policy.
13. Contact
Privacy questions: privacy@autoply.tech
General enquiries: hello@autoply.tech