Privacy Policy

This Privacy Policy describes how Goldfish Walkers, LLC (“we,” “us,” “our”) collects, uses, and shares information when you use the INAJ service (the “Service”). It is part of, and incorporated into, our Terms of Service.

The short version: we use the information you give us to run a job-search workflow for you. We send your resume and feedback to AI providers so they can generate evaluation reports and application materials on your behalf. We do not sell your personal information to third parties, and we don’t use it to train any AI model.

1. Information we collect

Information you provide

• Account information — your name and email address, plus a password (which we store only as an Argon2id hash, never in plaintext).
• Resume content — the text of your CV / résumé, edited through the in-app editor or uploaded as a file you ask us to convert.
• Job preferences and profile — the criteria you set (compensation, role types, location, dealbreakers) and any notes you record about yourself.
• Job postings you submit — URLs and any surrounding context you ask us to evaluate.
• Feedback you write — the free-text reasons you provide when you discard a posting or ask us to proceed with one we initially deprioritized.
• Contact-form messages — any message you send us through the Service.

Information collected automatically

• Session and authentication data — a session cookie set by Flask-Login so we know you are signed in.
• Audit log — an internal record of meaningful actions you take in the Service (sign-in, sign-out, enqueueing a resume generation, submitting feedback, etc.), including timestamps and the action name. We use this for security, debugging, and rate-limit enforcement.
• IP address — recorded on certain operations (sign-up, sign-in, contact-form submission, password reset) to enforce rate limits and detect abuse.
• reCAPTCHA tokens — when you submit certain public forms, your browser sends a token to Google as part of the reCAPTCHA anti-spam check.

We do not knowingly collect information from anyone under 18, and the Service is not directed to minors. If you believe a child has provided us information, please contact us.

2. How we use information

• Operate the Service — evaluate job postings against your profile, generate tailored résumés and application materials, classify feedback, and produce the reports and PDFs you see in your dashboard.
• Communicate with you — send email verification, password resets, account notices, and the service notifications you opt into.
• Secure the Service — detect and prevent fraud, abuse, and unauthorized access; enforce rate limits.
• Maintain and improve the Service — troubleshoot, debug, measure usage, and develop new features.
• Comply with legal obligations — respond to lawful requests, enforce our agreements, and protect rights, property, and safety.

3. AI providers — how your content is processed

To generate the outputs the Service produces, we send relevant portions of Your Content to one or more AI model providers. We currently use the following providers, and the categories of data we send to each are listed below:

• Anthropic, PBC (Claude models) — resume content, job postings, profile and preferences, and free-text feedback, used to produce evaluation reports, classify feedback, and generate tailored application materials.
• Google LLC (Gemini models) — job postings and limited surrounding context for cheaper bulk evaluation. Separately, Google operates the reCAPTCHA anti-spam service used on certain public forms.
• OpenAI, L.L.C. — reserved for future features; not currently used to process Your Content. If we begin using OpenAI to process Your Content, we will update this policy before doing so.

Each AI provider processes the content we send under its own business-customer terms. We do not use Your Content to train any AI model, and the agreements we have in place with these providers prohibit them from doing so as well, except as required for short-term abuse detection on their side. We do not share Your Content with any AI provider for advertising purposes.

4. Other service providers

Beyond the AI providers above, we use a small number of service providers to operate the Service. They receive only the information they need to perform their service, under contractual confidentiality and security obligations:

• Stripe, Inc. — processes credit and debit card payments for our $49/month subscription. We do not store, see, or have access to your full card number, expiry, or CVC at any point. When you subscribe, your card data is collected by Stripe directly on stripe.com under their PCI-DSS compliance and never touches our servers. We retain only the opaque customer and subscription identifiers Stripe issues to us so that we can recognise repeat customers and reflect subscription status (active, past-due, cancelled) in your account. Refunds within our 30-day window (see Terms of Service) are issued automatically to your original payment method via Stripe.
• MailChannels — sends transactional email (sign-up verification, password reset, service notifications). Receives your email address and the message body.
• Cloudflare — provides DNS, TLS termination, and (optionally) tunneling for the public web endpoint. Receives standard request metadata.
• Hosting and storage infrastructure — the systems on which the Service runs.

5. We do not sell your personal information

We do not sell your personal information to third parties. We do not rent it, trade it, or share it with advertising networks, data brokers, or marketing partners. We do not display third-party advertising in the Service.

The only sharing of Your Content with third parties is the transmission to AI providers and other service providers described above, for the sole purpose of operating the features you asked us to perform.

6. Legal disclosures and business transfers

We may disclose information if we believe in good faith that disclosure is required by law, subpoena, or other legal process, or is reasonably necessary to (a) protect the rights, property, or safety of users, third parties, or the public, (b) detect or prevent fraud or abuse, or (c) enforce our Terms. If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred to the successor entity, subject to a privacy policy at least as protective as this one.

7. Data retention

We retain information for as long as your account is active and for a reasonable period afterward to comply with our legal obligations, resolve disputes, and enforce our agreements. Specifically:

• Account information and Your Content are retained while your account is active.
• Generated outputs (evaluation reports, tailored résumés, application history) are retained in your account so you can refer back to them.
• Audit-log records are retained for security and debugging, generally for up to 24 months.
• Backups may persist for a limited additional period after deletion before they are overwritten on the normal backup rotation.

8. Your choices and rights

You can access and edit most of your information directly in the Service (resume, profile, preferences, password, email address). You can also:

• Request deletion of your account and Your Content by emailing us or using the contact form. We will delete your data within a reasonable period, subject to retention obligations described above.
• Export the documents and reports stored in your account at any time from the dashboard.
• Withdraw consent to further processing by closing your account.
• Lodge a complaint with a data-protection authority if you believe we have not complied with applicable law.

Depending on where you live, you may have additional rights under the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA / CPRA), or similar laws — for example the right to know what personal information we hold about you, the right to correct it, and the right to non-discrimination for exercising those rights. To exercise any of these rights, contact us and we will respond within the timeframes required by law.

9. Security

We take reasonable measures to protect information from unauthorized access, alteration, disclosure, and destruction. Measures include Argon2id password hashing, TLS in transit, per-client data isolation on the server, and audit logging of privileged actions. No method of transmission or storage is 100% secure; you use the Service at your own risk.

10. Cookies and similar technologies

We use a single session cookie to keep you signed in. We do not use third-party advertising or analytics cookies. The Google reCAPTCHA widget, when displayed on certain public forms, may set its own cookies under Google’s privacy policy.

11. International users

The Service is operated from, and information is processed in, the United States. If you access the Service from outside the United States, you understand and consent to the transfer and processing of your information in the United States and other countries where our service providers operate.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will give you reasonable notice, for example by posting the updated date at the top of this page and, for changes that materially affect your rights, by emailing the address on your account. Your continued use of the Service after an update means you accept the updated policy.

13. Contact us