Legal Policy

Last Updated: November 17, 2025

Spotly ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform. By using Spotly, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

1.1 Information You Provide Directly

  • Account Information: First name, last name, email address, and cohort number when you create an account or are invited by a manager.
  • CV/Resume: PDF files containing your professional experience, education, and skills.
  • Profile Picture: Avatar images in JPEG, JPG, or PNG format.
  • Professional Links: LinkedIn profile URL and GitHub username (optional).
  • CV Metadata: Parsed information from your CV including skills, English proficiency level, employment status, and other professional details.

1.2 Information We Collect Automatically

  • Usage Data: Information about how you interact with our platform, including pages visited and features used.
  • Authentication Tokens: Secure tokens used to maintain your login session.
  • Timestamps: Profile creation date, last update date, and last login information.

1.3 Information from Third Parties

  • GitHub Data: When you connect your GitHub account via OAuth, we fetch your public profile information, repositories, and contribution data in real time using GitHub's GraphQL API. This data is not stored on our servers and is only retrieved when needed during your active session.
  • AI-Powered CV Analysis: Your uploaded CV is processed by our own AI service (built with FastAPI and PydanticAI), not by a third party, to extract skills, experience levels, and other relevant professional information. The extracted data is the CV Metadata described in Section 1.1.

2. How We Use Your Information

We use the collected information for the following purposes:

  • Profile Creation and Management: To create and maintain your graduate profile on our platform.
  • Talent Matching: To enable managers and recruiters to discover and evaluate potential candidates based on skills, experience, and qualifications.
  • Platform Authentication: To verify your identity and maintain secure access to your account using Supabase authentication.
  • Communication: To send you account-related notifications, invitations, and platform updates.
  • Service Improvement: To analyze platform usage and improve our services, features, and user experience.
  • Security: To protect against unauthorized access and to verify the origin and integrity of requests to our backend using HMAC-SHA256 request signing.

3. How We Share Your Information

3.1 Within the Platform

  • Manager Accounts: Users with manager role permissions can view all graduate profiles, including CVs, avatars, professional links, skills, and parsed CV data. This facilitates the talent discovery and recruitment process.
  • Graduate Privacy: Graduate users cannot view other graduates' profiles. Within the platform, your profile information is visible only to you and authorized manager accounts. Note that uploaded CV and avatar files are an exception; see Section 3.2.

3.2 Public Accessibility

Important: Your CV and profile avatar are stored in publicly accessible AWS S3 storage. Anyone with the direct URL can access these files. By uploading these files, you consent to this level of public visibility.

3.3 Third-Party Service Providers

  • AWS S3: We use Amazon Web Services S3 to store your CV and avatar files. These files are stored with public read access, as described in Section 3.2.
  • Supabase: We use Supabase for user authentication and session management.
  • GitHub: We integrate with GitHub's API to fetch your public repository and contribution data in real time (with your consent).
  • Vercel: Our frontend application is hosted on Vercel's infrastructure.

3.4 We Do NOT:

  • Sell your personal information to third parties
  • Share your data with marketing companies or advertisers
  • Use your information for purposes other than those stated in this policy
  • Store your GitHub data on our servers (all GitHub data is fetched in real time and discarded after your session)

4. Data Storage and Security

4.1 Where We Store Your Data

  • File Storage: CVs and avatars are stored in AWS S3 buckets with public read access.
  • Database: Account information, metadata, and parsed CV data are stored in our secure database infrastructure.
  • GitHub Data: Not stored. Fetched in real time from GitHub's API when needed.

4.2 Security Measures

  • HMAC-SHA256 Request Signing: Every request between our frontend and backend carries an HMAC-SHA256 signature, which lets the backend verify that the request came from our frontend and was not altered in transit. Requests with a missing or invalid signature are rejected.
  • AWS Application Load Balancer: Sits in front of our backend for traffic management; AWS applies its baseline DDoS protection (Shield Standard) to load-balanced traffic.
  • OAuth 2.0: Secure authorization flow for the GitHub integration. We never receive or store your GitHub password.
  • Encrypted Connections: All data transmission uses HTTPS encryption.
  • Secure Session Management: Authentication tokens are stored in HTTP-only cookies, which cannot be read by scripts running in the page.

While we implement industry-standard security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your information.

5. Your Rights and Choices

You have the following rights regarding your personal information:

  • Access: You can view and download your profile information at any time through your account dashboard.
  • Update: You can update your personal information, CV, and avatar through your account settings.
  • Delete: You can request deletion of your account and all associated data. Note that this will permanently remove your profile from our platform.
  • Revoke GitHub Access: You can disconnect your GitHub account at any time through your account settings or directly through GitHub's application settings.
  • Opt-Out of Communications: You can unsubscribe from non-essential communications while still maintaining your account.

To exercise these rights, please contact us using the information provided at the end of this policy.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you services. Specifically:

  • Active Accounts: Data is retained indefinitely while your account remains active.
  • Deleted Accounts: Upon account deletion, your data is permanently removed from our active systems within 30 days.
  • Backup Systems: Data in backup systems may be retained for up to 90 days for disaster recovery purposes.
  • Legal Requirements: We may retain certain information if required by law or for legitimate business purposes (e.g., fraud prevention).

7. Cookies and Tracking Technologies

We use the following cookies and similar technologies:

  • Essential Cookies: Required for authentication and core platform functionality (e.g., session tokens).
  • Preference Cookies: Store your theme preferences (light/dark mode).
  • Security Cookies: Used to maintain secure sessions and prevent unauthorized access.

We do not use third-party analytics or advertising cookies.

8. Children's Privacy

Spotly is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

10. Contact Information

If you have any questions about this Privacy Policy or our data practices, please contact us:

Email: privacy@spotly.work
Response Time: We aim to respond to all inquiries within 72 hours.

Legal Notice: This Privacy Policy constitutes a legally binding agreement between you and Spotly. By using our platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this policy, please do not use our services.