Privacy Policy
Last updated : 20 April 2026
1. Who we are
BWD Consulting is a French simplified joint-stock company (SASU) registered under SIREN number 103 470 100, with registered office at 19 Rue Elsa Triolet, 91160 Saulx-les-Chartreux.
We operate the JobZen.io platform, accessible at https://jobzen.io, providing job matching, personalized alerts, and career coaching services.
Contact: privacy@jobzen.io
2. Data we collect
a) Identification and contact data
- Email address
- First and last name (optional)
b) Professional data (candidates)
- CV/Resume (PDF format)
- Skills and technologies extracted from CV
- Work experience
- Education and training
- Salary expectations
- Preferred location and remote work preferences
- Contract types sought
c) Preference and behavioral data
- Job alert criteria configured
- Matching score threshold
- Feedback on received alerts (relevant / not relevant)
- History of job applications submitted and actions taken
d) Technical data
- IP address (automatically collected)
- Browser type and operating system
- Authentication logs (login, logout, account creation)
- Session identifier (managed by Supabase Auth, not stored in JobZen.io databases)
e) Payment data (premium subscribers)
- Payments are processed exclusively by Stripe, Inc. — we never store your payment card details. Only a Stripe transaction identifier is retained.
3. Purposes of processing
| Purpose | Legal basis |
|---|---|
| Providing matching and alert services | Contract performance |
| CV profile extraction and analysis | Contract performance |
| CV coaching and interview preparation (paid plans) | Contract performance |
| Service improvement | Legitimate interest |
| Sending transactional emails (confirmations, alerts) | Contract performance |
| Fraud prevention and security | Legitimate interest + Legal obligation |
| Billing and accounting | Legal obligation |
| Responding to data subject requests | Legal obligation |
4. CV and automated processing
Important notice: As part of providing the matching and coaching service, your CV and professional data are processed by automated systems, including language processing models provided by third-party data processors (see section 6).
This automated processing enables:
- Structured extraction of skills, experience, and preferences
- Calculation of a match score against job listings
- Generation of personalized coaching suggestions
You have the right not to be subject to a decision based solely on automated processing. To exercise this right or request human intervention, contact privacy@jobzen.io.
5. Data retention
| Category | Retention period |
|---|---|
| Account data | Until explicit account deletion |
| CV file | CV file automatically deleted if not updated for 12 months (account remains active) |
| Authentication and security logs | 365 days (legal basis: legitimate security interest, Art. 6.1.f) |
| Document access logs | Duration of account — deleted on account closure |
| Billing data | 10 years (legal accounting obligation) |
| Data after account deletion | Deleted within 30 days, except billing data |
After account deletion, your personally identifiable data is permanently erased within 30 days. Authentication and security logs may be retained for up to 365 days from the date they were recorded for platform security purposes under Art. 6.1.f GDPR, without allowing reconstruction of your user profile.
6. Sub-processors and data transfers
| Sub-processor | Role | Location |
|---|---|---|
| Supabase, Inc. | Authentication and database | EU (AWS Frankfurt) |
| Hostinger, UAB | Server hosting | EU (Lithuania) |
| Anthropic, PBC | LLM processing (matching, coaching) | United States |
| Mistral AI | Alternative LLM processing | France (EU) |
| Resend, Inc. | Transactional email delivery | United States |
| Stripe, Inc. | Payment processing | United States |
| Sentry, Inc. | Error monitoring | United States |
Transfers outside the EU: Some sub-processors (Anthropic, Resend, Stripe, Sentry) are established in the United States. These transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, pursuant to Article 46 of the GDPR.
Note on LLM processing: Your CV and professional data may be transmitted to language processing models for matching and coaching features. This data is processed in transit and is not used to train the sub-processors' models.
Complete and up-to-date list of sub-processors: The detailed list is maintained at https://jobzen.io/legal/sub-processors and updated without modifying this document.
7. Your rights
Under the General Data Protection Regulation (GDPR), you have the following rights:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object
- Right to withdraw consent at any time
How to exercise your rights:
- Via the "Delete my account" button in Settings (deletion scheduled, effective within 30 days — cancellable during that period)
- Export your data as JSON: via "Download my data" in Settings (candidates and recruiters)
- By email to privacy@jobzen.io (response within 30 days)
Right to lodge a complaint: You have the right to lodge a complaint with the CNIL (French data protection authority): https://www.cnil.fr
8. Cookies
JobZen.io uses strictly necessary cookies for service functionality (session, authentication). We do not use advertising cookies or third-party tracking for targeting purposes. Analytics, if enabled, are GDPR-compliant and cookieless.
9. Security
We implement appropriate technical and organizational measures including TLS 1.3 encryption in transit, encrypted storage of sensitive data, role-based access control, administrator access logging, and daily encrypted backups.
10. API Partners — third-party CV processing
JobZen.io provides an API allowing partner companies (recruiters, HR platforms) to use our profile analysis services. In this context:
- CVs and professional data transmitted via the partner API belong to your partner's candidates and are not stored on our servers. Raw content is processed in memory and not persisted.
- JobZen.io acts as a data processor (Art. 28 GDPR) on behalf of the partner, who remains the data controller with respect to their own candidates.
- Only usage metadata (timestamp, operation type, data volume processed) is retained for billing purposes, for a period of 90 days.
- Each API partner must accept a Data Processing Agreement (DPA) defining mutual obligations before using the service.
If you are a candidate whose data was transmitted by a partner via the JobZen.io API and wish to exercise your rights, please contact the partner directly (as data controller) or email privacy@jobzen.io.
11. Changes
We reserve the right to modify this policy. In case of material changes, you will be notified by email or in-app notification at least 30 days before the new provisions take effect.
BWD Consulting — SIREN 103 470 100 — 19 Rue Elsa Triolet, 91160 Saulx-les-Chartreux Hébergeur / Hosting provider: Hostinger, UAB — Jonavos g. 60C, Kaunas, Lituanie
Exercise your rights
To exercise your rights (access, rectification, erasure, portability), contact our DPO:
privacy@jobzen.io