Privacy Policy
Effective date: June 14, 2025 · Last updated: June 14, 2025
This Privacy Policy explains how PivotPoint ("we", "us", or "our"), accessible at http://localhost:3000, collects, uses, stores, and discloses information when you use our Service. It is written to comply with applicable privacy laws including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and India's Digital Personal Data Protection Act (DPDPA) 2023.
By using the Service you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
1.1 Information you provide
- Google account information — when you sign in with Google OAuth 2.0 we receive your name, email address, and profile picture from Google.
- Résumé content — text extracted from the PDF or document you upload in order to perform the analysis.
1.2 Information collected automatically
- Usage data — pages visited, features used, timestamps, and browser type, collected via standard server logs and (if applicable) analytics.
- Local storage — your analysis history and selected journey entry are stored in your browser's localStorage. This data never leaves your device unless you explicitly request a new analysis.
1.3 Information we do NOT collect
- We do not collect payment information (the Service is currently free).
- We do not collect sensitive personal data such as biometrics, health records, or government ID numbers.
- We do not build advertising profiles or sell your data.
2. How We Use Your Information
We use the information we collect to:
- Authenticate you and manage your account session.
- Send your résumé text to OpenAI to generate your skill-gap analysis, roadmap, and pivot résumé.
- Display personalised results in the app.
- Improve the reliability and quality of the Service (aggregated, anonymised usage data only).
- Respond to your support requests.
- Comply with legal obligations.
We process your data on the following legal bases (GDPR Art. 6):
- Contract — to deliver the Service you requested.
- Legitimate interest — to improve and secure the Service.
- Consent — where you have given explicit consent (e.g. optional analytics).
- Legal obligation — when required by law.
3. AI Processing and OpenAI
To generate your analysis, we transmit the text content of your résumé and your chosen target role to OpenAI's API. OpenAI processes this data on our behalf as a data processor. We have enabled OpenAI's zero data retention option where available, meaning OpenAI does not store your inputs to train its models.
Please review OpenAI's Privacy Policy and their Usage Policies for details on how they handle API data.
4. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data. We may share data only in the following limited circumstances:
- Service providers — OpenAI (AI analysis), Google (authentication), and our hosting provider, each bound by appropriate data-processing agreements.
- Legal compliance — if required by law, court order, or government authority.
- Business transfer — in the event of a merger or acquisition, your data may be transferred. We will notify you before your data becomes subject to a different privacy policy.
- With your consent — for any other purpose with your explicit agreement.
5. Data Retention
- Account data (name, email) is retained for as long as your account is active. You may delete your account at any time (see Section 7).
- Analysis history is stored locally in your browser and is not retained on our servers beyond what is needed to serve the response.
- Server logs are retained for up to 90 days for security and debugging purposes.
6. Cookies and Local Storage
We use:
- Session cookies — set by NextAuth.js to maintain your authenticated session. These expire when you sign out or close your browser.
- localStorage — to persist your journey history on your device. No third party can access this data.
We do not use third-party advertising cookies. If we add analytics in future, we will update this policy and seek your consent where required by GDPR Art. 7 or equivalent law.
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure ("right to be forgotten") — ask us to delete your account and associated data.
- Restriction — ask us to restrict processing of your data.
- Portability — receive your data in a machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
California residents (CCPA/CPRA): you have the right to know, delete, and opt out of the sale of personal information. We do not sell personal information.
Indian residents (DPDPA 2023): you have the right to access, correct, and erase your personal data and to nominate a person to exercise these rights on your behalf.
To exercise any of these rights, email us at privacy@fynzz.com. We will respond within 30 days (or sooner as required by law).
8. Data Security
We implement industry-standard technical and organisational measures to protect your data, including TLS/HTTPS encryption in transit and access controls on our infrastructure. However, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by GDPR Art. 33.
9. Children's Privacy
The Service is not directed at children under 13. We do not knowingly collect personal data from children under 13 in accordance with the Children's Online Privacy Protection Act (COPPA). If you believe a child under 13 has provided us personal data, please contact us and we will delete it promptly.
10. International Data Transfers
Your data may be processed in countries outside your own (for example, OpenAI's servers are located in the United States). Where we transfer data internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) for transfers out of the EU/EEA.
11. Links to Third-Party Sites
The Service may contain links to third-party websites (e.g. course providers in your roadmap). We are not responsible for their privacy practices. We encourage you to review their privacy policies before providing any personal data.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:
PivotPoint
Email: privacy@fynzz.com
Website: http://localhost:3000
If you are in the EU/EEA and believe we have not addressed your concern, you have the right to lodge a complaint with your local data protection authority. You may also review our Terms of Service.