Swiffit believes in transparency, privacy, and your right to control your data.

1. What We Collect

We collect only the information necessary to provide and improve the Service:

• Account information: Email address, name, and avatar (from Google OAuth if used).
• Resume data: The files you upload and the text we extract from them. This data is used solely to provide the enhancement service.
• Job descriptions: URLs and text you provide for matching and tailoring.
• Usage data: Enhancement counts, feature usage, and anonymous analytics to improve the product.
• Payment information: Processed entirely by Stripe. We never see or store your full card number, CVC, or billing address.
• Device data: Browser type, operating system, and IP address collected automatically for security and abuse prevention.

2. How We Use Your Data

• To parse, analyze, and enhance your resume against job descriptions.
• To generate ATS compatibility scores and recruiter heatmaps.
• To generate downloadable PDF and DOCX documents.
• To manage your account and subscription.
• To send transactional emails (password resets, receipts, subscription updates).
• To detect and prevent fraud, abuse, and security incidents.
• To improve the Service through aggregated, anonymized usage analytics.

Legal basis (GDPR Article 6)

For EU and EEA users, we process your personal data under the following legal bases under Article 6 of the GDPR:

• Contract (Art. 6(1)(b)): Processing necessary to deliver the Service you signed up for — account management, resume parsing and enhancement, subscription billing, transactional email.
• Legitimate interest (Art. 6(1)(f)): Fraud and abuse prevention, security monitoring, and aggregated, anonymized product analytics used to improve the Service. Where we rely on legitimate interest, we have balanced our interest against your rights.
• Consent (Art. 6(1)(a)): Non-essential analytics cookies (PostHog) and error reporting (Sentry). You can accept or decline in the cookie banner and change your preference at any time.
• Legal obligation (Art. 6(1)(c)): Retention of billing records and responses to lawful requests from public authorities where required.

3. AI Processing

We use Anthropic's Claude API to process your resume and job descriptions. Key facts about our AI processing:

• No model training: Anthropic does not use API inputs to train their models. Your data is processed and discarded.
• No data retention: Your resume content is not retained by Anthropic after processing is complete.
• No fabrication: Our AI enhances the presentation of your existing experience — it never invents credentials, skills, or qualifications.
• Confidence flagging: Changes the AI is less certain about are flagged with a “Verify” label so you can review them.

See Anthropic's Privacy Policy for more details on their data handling practices.

4. Data Storage & Security

Your data is stored securely using industry-standard protections:

• Encryption: All data is encrypted at rest (AES-256) and in transit (TLS 1.3).
• Infrastructure: Hosted on Supabase (AWS) with row-level security (RLS) ensuring only you can access your own data.
• File storage: Uploaded files are stored in encrypted cloud storage with per-user isolation.
• Access control: Internal access to user data is restricted, logged, and requires multi-factor authentication.

5. Data Sharing

We do not sell, rent, or share your personal data with third parties for marketing purposes. Period.

We share data only with the following service providers, solely to operate the Service:

• Anthropic — AI processing (resume enhancement, scoring, diagnostics).
• Stripe — Payment processing and subscription management.
• Supabase — Database hosting, authentication, and file storage.
• PostHog — Anonymous product analytics (no personal data is sent).

We may also disclose data if required by law, court order, or to protect the safety and security of the Service or its users.

6. Cookies

We use essential cookies for authentication sessions and remembering your preferences (theme, dismissed banners). Optional analytics cookies are only set if you accept them in the cookie banner. We do not use advertising cookies, retargeting pixels, or social media trackers.

7. Your Rights

You have the following rights regarding your personal data:

• Access: View all your data in the app at any time.
• Portability: Export a structured JSON copy of your account data from Settings, and download your enhanced resumes in PDF or DOCX format.
• Correction: Update your profile information at any time.
• Deletion: Delete your account and all associated data from Settings. This is permanent and irreversible.
• Objection: Object to specific data processing activities.
• Restriction: Request that we limit how we use your data.

If you are in the EU/EEA, these rights include those granted under the General Data Protection Regulation (GDPR). If you are in California, you have additional rights under the CCPA. For any data requests, contact us at hello@swiff.it. We will respond within 30 days.

8. Children's Privacy

Swiffit is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 16, we will delete it promptly.

9. Data Retention

We retain your data for as long as your account is active. When you delete your account, we delete your personal data from our production systems immediately. This includes your profile, uploaded resumes, enhancement history, cover letters, application tracker, reminders, notifications, usage events, and tool history. Backups that contain your data are overwritten on our standard rolling 30-day backup rotation, after which no copy of your personal data remains. Anonymized, aggregated analytics that cannot be linked back to you may be retained indefinitely.

10. International Transfers

Your data may be processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place for any international data transfers, including standard contractual clauses where required by applicable law.

11. Changes to This Policy

We may update this policy from time to time. Significant changes will be communicated via email or in-app notification at least 30 days before they take effect. Continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or how we handle your data, please contact us:

• Email: hello@swiff.it
• Contact page: swiff.it/contact

Data Protection Officer

For data-protection inquiries, including GDPR data-subject requests (access, portability, erasure, rectification, objection, restriction), reach our Data Protection Officer at privacy@swiff.it. Please include the email address on your Swiffit account so we can verify your identity. We respond within 30 days as required by GDPR Article 12(3).

EU representative

Swiffit is based in the United States and does not currently maintain an establishment in the EU. We serve EU users directly and respond to data-protection inquiries through the DPO email above. If you are an EU data subject and prefer to contact a supervisory authority, you may contact the data protection authority in your EU member state; a directory is maintained by the European Data Protection Board.

Breach notification

If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay and, where feasible, within 72 hours of becoming aware, as required by GDPR Articles 33 and 34. Notifications will include the nature of the breach, the approximate categories and number of data subjects and records affected, likely consequences, and the measures we have taken or propose to take in response. Where the breach is unlikely to result in such risk, we will still log it internally for audit purposes and notify supervisory authorities as required by law.