Privacy Policy

Last updated 4 May 2026

The legal version

wathafak ("we", "us", "our") is a CV-tailoring and application-tracking service operated by the wathafak team. This Privacy Policy describes how we collect, use, store, and disclose Personal Data when you use our website and services (the "Service"). It applies to data of users in the European Economic Area, the United Kingdom, the Kingdom of Saudi Arabia, and elsewhere. By using the Service you confirm you have read this Policy. For questions, contact privacy@wathafak.com.

What it actually means

We help you tailor CVs to job postings. This page explains what data we hold, why, and how to get rid of it. Each section gives the formal wording first, followed by the plain-English version.

1. Who we are

The data controller is the wathafak team. Where required by law, an EU representative and a KSA local representative will be designated and listed on this page once appointed. Contact for all data-protection matters: privacy@wathafak.com.

We're a small team running wathafak. Email privacy@wathafak.com for anything privacy-related.

2. What we collect

(a) Account identifiers: email address and authentication identifier issued by the sign-in provider.
(b) CV Content: documents you upload (PDF, DOCX) or text you paste, the extracted plain text, and the structured representation we generate from them. CVs frequently contain Personal Data including name, contact details, employment history, education, and may contain Special Category data such as nationality, gender, or photographs.
(c) Job Descriptions: text or URLs you submit, and the structured fields we extract.
(d) Application records: tailored CV variants, cover letters, match scores, status, notes, follow-up timestamps.
(e) Service logs: per-request identifiers, model name, latency, and error context retained for security and audit.
(f) Product analytics: page views and event identifiers via PostHog, stored only with your explicit consent.

Your email, your CV file and the text inside it, the job postings you give us, and what you do with them. Plus boring server logs so we can debug. Analytics tracking only fires if you say yes to the cookie banner.

3. How we use it

We process Personal Data on the lawful bases of (i) performance of a contract (operating the Service you requested), (ii) legitimate interest (security, fraud prevention, product improvement at aggregate level), and (iii) consent (optional analytics cookies). Specifically: rendering and persisting your CV; sending CV and JD content to AI sub-processors to generate tailored variants, match scores, gap analyses, and cover letters; tracking application status; producing exports; sending operational emails (e.g. password recovery). We do not engage in automated decision-making producing legal effects.

We use your data to run the product: read your CV, read the job posting, tailor a version, write a cover letter, export the docs, track applications. We don't run black-box decisions on you.

4. AI sub-processors

CV Content and Job Descriptions are transmitted to large language model providers (currently Anthropic, OpenAI, and OpenRouter, collectively the "AI Sub-processors") via authenticated API calls solely to generate the tailored output you requested. We have agreements in place that prohibit training on your content where supported by the provider; where a provider does not offer that guarantee, we do not send your content to that provider. We retain a request identifier and model name for audit. We do not transmit Personal Data outside the scope of fulfilling a specific user request.

Your CV and JD go to AI providers (Anthropic, OpenAI, OpenRouter) so they can generate the output. They're contractually blocked from training on your stuff. We log a request ID so we can trace problems.

5. Sharing and disclosure

We do not sell, rent, or trade Personal Data. We share data only with: (i) the AI Sub-processors listed in Section 4, (ii) infrastructure sub-processors who host or transmit data (cloud storage, database, email delivery, error monitoring), (iii) the authentication provider (Ory) for sign-in flows, (iv) competent authorities when legally compelled by valid order under applicable law, and (v) successors in the event of a merger or acquisition, subject to equivalent privacy protections. We never share your data with advertisers or data brokers.

We don't sell your data. The only people who see it are the AI providers, our hosting providers, the auth provider, and lawyers if a court orders us to.

6. Retention

Account data and content remain in your account until deletion. Upon deletion of an individual record (CV, job, application), the record is removed from active databases immediately and purged from backups within thirty (30) days. Upon account deletion, all associated content is removed within thirty (30) days, except where retention is required by law (e.g., financial records related to billing, retained for the statutory period). Server logs are retained for ninety (90) days for security and debugging, after which they are deleted or fully anonymised. Aggregated, non-identifying analytics may be retained indefinitely.

Your stuff stays until you delete it. Deleting an item removes it within 30 days, including from backups. Deleting your whole account removes everything within 30 days. Server logs go after 90 days.

7. Your rights

You have the right to access, rectify, erase, restrict processing, object to processing, and request portability of your Personal Data. EU/UK residents may lodge a complaint with their supervisory authority (in the EU, the Data Protection Authority of your member state; in the UK, the ICO). KSA residents may contact the Saudi Data and Artificial Intelligence Authority (SDAIA). You may exercise these rights from in-app settings or by emailing privacy@wathafak.com. We respond within thirty (30) days. There is no charge for reasonable requests.

You can see, fix, export, or delete your data — from settings or by emailing us. EU/UK/KSA folks can also complain to their data regulator if we mess up. We reply within 30 days, free.

8. Security

We employ industry-standard technical and organisational measures including encryption in transit (TLS 1.2+ exclusively), encryption at rest for stored files, network isolation of databases and object storage from the public internet, role-based access for our team, audit logging of administrative actions, malware scanning on uploaded files, and authenticated download proxies. Authentication and session management are delegated to Ory Kratos. We do not process payment card data; payment processing, where applicable, is delegated to a PCI-DSS compliant provider.

We use HTTPS, encrypt files at rest, scan uploads for malware, lock down the database, and let Ory handle logins. Cards are never on our servers — payment runs through a PCI-compliant processor.

9. Cookies and tracking

We use strictly necessary cookies (authentication session, CSRF token, language preference) without prior consent under the legitimate-interest basis. Optional analytics cookies (PostHog) are set only after explicit consent through the cookie banner; consent may be withdrawn at any time. We do not use third-party advertising cookies, cross-site tracking pixels, or remarketing tags. The full cookie inventory is available on request.

Strictly-needed cookies (login, language) load right away. Analytics cookies wait for you to click 'allow' in the banner. No ad trackers, ever.

10. International transfers

Data may be transferred to and processed in jurisdictions outside the EEA, UK, or KSA, including the United States, where AI Sub-processors and certain infrastructure providers operate. Such transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission and equivalent UK and KSA mechanisms where required, alongside supplementary measures including encryption and access controls. A list of sub-processors and their processing locations is available on request.

Some of our suppliers (the AI providers, our hosting) are in the US. We use the standard EU/UK contractual safeguards plus encryption to keep that legit. Email us if you want the full sub-processor list.

11. Children

The Service is not directed to or intended for individuals under the age of sixteen (16). We do not knowingly collect Personal Data from children. If we discover that we have collected Personal Data from a child, we will delete it promptly. If you are a parent or guardian and believe your child has provided us data, contact privacy@wathafak.com.

wathafak is for grown-ups looking for jobs. We don't want kids' data. If we somehow ended up with some, we'll delete it.

12. Changes to this Policy

Material changes will be communicated in-app and to the email associated with your account at least fourteen (14) days before they take effect. Non-material changes (typographical fixes, clarification of existing meaning) take effect immediately and are reflected by the "Last updated" date. Continued use of the Service after the effective date constitutes acceptance.

We give 14 days' notice for any meaningful change. Small fixes go in immediately. The 'Last updated' date at the top is always current.

13. Contact

Data Protection Contact: privacy@wathafak.com. For complaints we have not resolved, EU residents may contact their national supervisory authority, UK residents may contact the Information Commissioner's Office (ico.org.uk), and KSA residents may contact the Saudi Data and Artificial Intelligence Authority (sdaia.gov.sa).

Email privacy@wathafak.com. If we don't fix it, you can complain to your country's data regulator.