Privacy Policy
Data we collect from candidates
Account email, bcrypt-hashed password, saved jobs, job-alert preferences (keyword, category, location, frequency), email-opt-in preference, candidate profile (name, phone, location, experience level, resume URL), and application history including name, email, phone, resume URL, and cover note submitted through AxoCareers.
Email verification
When you create an account, we send a verification email containing a single-use, expiring token link. The token itself is stored only as a SHA-256 hash. We require a verified email before employers can post jobs. Verification is optional for candidate features at this time.
Job alerts and marketing emails
Job-alert digest emails, saved-job expiry reminders, and other marketing emails are only sent when you have explicitly opted in (emailOptIn = trueon your candidate profile). Each such email includes a signed unsubscribe link. Clicking that link or using the /unsubscribe form sets your preference to opted out immediately — no confirmation required for one-click links from emails; the manual form sends a confirmation email first to prevent third-party abuse.
Transactional emails
Account creation, email verification, password reset, payment confirmation, job submission / approval / rejection, and applicant-received notifications are sent regardless of marketing opt-in because they relate to actions you have taken on AxoCareers.
Email event logging
Every email send attempt (success or failure) is logged internally in anEmailEvent table containing: recipient email, campaign name, send timestamp, provider message ID (if sent via Resend), and event type (sent / failed). This is used for delivery monitoring and job-alert deduplication. We do not track opens or clicks beyond what the email provider exposes.
Data we collect from employers
Account email, bcrypt-hashed password, company name/profile, job posting content, billing/payment metadata, application click counts, and (for internal-apply jobs) a list of submitted applications.
Password security
Passwords are hashed with bcrypt (12 rounds) before storage. We never store or log plaintext passwords. Password reset uses a single-use, 1-hour expiring token sent to your account email. Failed login attempts are tracked per account and IP address — repeated failures cause a temporary 15-minute lockout to prevent credential stuffing.
Application click tracking
When you click "Apply" on any listing, we record the click (job, timestamp, referrer, user agent, and a hashed visitor identifier — see IP hashing below). For sponsored listings, this records estimated CPC revenue. This tracking happens regardless of login status.
IP hashing
We do not store raw IP addresses. Click tracking and failed-login tracking store an HMAC-SHA256 hash of your IP address, which cannot be reversed back to your original IP. Hashes are used only to detect duplicate/abusive clicks and credential stuffing — never shared with partners or advertisers.
Security and rate-limiting logs
We use Upstash Redis for rate limiting. Redis stores sliding-window counters keyed on hashed IPs — no personal data. Rate-limit hits and suspicious click activity are logged for abuse detection. If Sentry is configured, server-side errors are reported to Sentry; Sentry's data processing terms apply in that case.
Third-party service providers
- Stripe — processes all payments. Full card details are handled by Stripe only; AxoCareers stores only Stripe's customer and session IDs.
- Resend — delivers transactional and marketing emails. Processes recipient email addresses and message content.
- Upstash — provides Redis for rate limiting. Stores hashed IP counters with short TTLs. No personal data is stored in Upstash beyond what the rate-limit counters require.
- Hosting provider — Vercel (or your chosen host) receives all request logs as part of normal web hosting. Request logs typically contain IP addresses and paths; Vercel's privacy policy applies.
- Database provider — Neon / Supabase / Railway / AWS RDS (depending on deployment) stores all application data. Provider's security and privacy terms apply.
- Sentry — error monitoring, if configured. Error events may include request metadata and stack traces; Sentry's data processing terms apply.
USAJobs and other public / partner data sources
Some job listings are imported from USAJobs.gov and other approved partner feeds. We preserve and display the original source attribution and apply URL. We do not sell or share applicant data with these sources.
Cookies
We use an HTTP-only, signed JWT session cookie for authentication. See our Cookie Policy.
Data retention
Account data is retained while your account is active. Click-tracking records, email events, failed-login attempts, and rate-limit counters have short TTLs or are pruned periodically. On a verified deletion request (see below), we delete or anonymize your personal data, except where legally required to retain it (e.g. payment records for tax purposes).
Data deletion and export requests
Submit a request at /data-request. We will send a confirmation link to the email you provide. The request is only activated after you click that link — this prevents someone else from filing a deletion request for your account. Once confirmed, we aim to process requests within 30 days.
Marketing opt-out
Use the signed unsubscribe link in any marketing/alert email, or visit /unsubscribe. Manual unsubscribe via the form sends a confirmation link first. This does not affect transactional emails.
Contact
Questions about this policy or your data? Visit /contact.