Privacy Policy

Last updated: May 2026

This Privacy Policy ("Policy") explains what information ApplyFuel ("we", "us", "our") collects when you use the ApplyFuel Chrome extension or the ApplyFuel website at applyfuel.com (together, the "service"), how we use it, who we share it with, how long we keep it, and what rights you have over it.

ApplyFuel is operated by Mahadi Hassan, sole proprietor, located in Bangladesh. You can reach us at mh@mahadihassan.com.

By creating an account or otherwise using the service you agree to this Policy. If you do not agree, do not use the service.

1. The short version

  • We only collect what is needed to run the service for you. We do not collect anything you do not actively provide or trigger.
  • We send the profile you give us and the job posting you choose to extract to third-party AI providers in order to generate CVs, cover letters, and form answers for you. We list every provider below.
  • We do not sell your personal information. We do not share it with advertisers or data brokers. We do not use it to train AI models.
  • You can delete your account at any time. Most data is removed within 30 days. Some payment records are kept for up to 7 years because tax law requires it.
  • The service is not directed at children under 16. We do not knowingly collect data from anyone under 16.

The rest of this Policy is the long version.

2. Information we collect

2.1 Account information

You provide this when you sign up:

  • email address;
  • a password, which we store as a salted hash. We never see or store your password in plaintext.
  • a username (if you set one for display);
  • timestamp of when you signed up.

2.2 Profile information

You provide this in the extension or webapp at your own pace:

  • full name, professional headline, location, phone number;
  • links to your professional profile and code-hosting profile;
  • work experience, education, skills, languages, certifications, projects;
  • the CV / resume file you upload (PDF), and the structured text we extract from it;
  • a generated avatar URL, if you sign in with Google.

You can edit, replace, or delete any field at any time from the extension Settings page or the webapp Settings page.

2.3 Job session data

We create a session record each time you click "Extract Job" in the extension. The session contains:

  • the URL, page title, company, location, and full visible text of the job posting on the active tab at the moment you clicked Extract;
  • the CVs, cover letters, and form answers we generated for that job;
  • the form questions you (or our form detector) supplied, and the answers we generated;
  • the application status you set (Saved, Applied, Interview, Offer, Rejected) and the history of status changes;
  • internal telemetry about which extraction adapter produced the result (used to improve the extractor).

We only read content from a tab when you explicitly click Extract Job or Detect Form Fields. We do not read the contents of any tab in the background, and we do not read any tab on which you have not clicked Extract.

2.4 Payment information

If you purchase credits:

  • the payment itself is processed by Stripe, Inc. (United States). ApplyFuel never sees and never stores your full card number, CVC, or bank account details.
  • we store the Stripe Checkout session identifier and payment intent identifier we generated for your purchase, the credit pack you bought, the amount paid in USD, the purchase timestamp, the resulting credit lot, and the raw Stripe webhook payload we received (used for idempotency and audit).

2.5 Credit and usage data

To run the credit and free-tier system we keep, for each generation:

  • which action it was (extract, CV, cover letter, form answers);
  • which AI tier you used and which underlying model;
  • token usage and computed cost;
  • credits deducted (or, for free-tier calls, the monthly counter incremented);
  • timestamp.

This data is yours to inspect through your account; we use it to enforce credit limits, prevent abuse, debug failed generations, and tune cost calculations.

2.6 Device identifier

The extension generates a random UUID the first time it makes an API call and stores it in your browser's local extension storage. The webapp generates an equivalent UUID and stores it in a first-party cookie. This identifier is attached to every authenticated API request you make.

We use it to:

  • enforce free-tier monthly limits on a per-device basis (without it, one user could create unlimited accounts and never hit the free-tier limit);
  • detect and rate-limit abusive behaviour against the service.

The identifier is not a hardware fingerprint, is not shared with any third party, and is not tied to your identity outside our backend. You can reset it by uninstalling the extension and reinstalling it, or by clearing browser site data for applyfuel.com.

2.7 Technical and security information

When you use the service we automatically log:

  • IP address (used to throttle abusive traffic and diagnose errors);
  • request path, HTTP method, response status code, request duration;
  • user-agent string;
  • timestamp.

We retain server access logs for up to 30 days and then delete them.

2.8 Sign-in tokens

After you sign in we issue you a JWT access token and a JWT refresh token. The extension stores them in chrome.storage.local. The webapp stores them in browser storage. They never leave your device until you make an authenticated request, at which point the access token is sent to our backend.

2.9 Acceptance of legal documents

When you accept these legal documents we record, per account: which document you accepted, which version, and when. This is an audit trail for our own compliance; it is not shared.

2.10 What we do NOT collect

To be explicit, we do not collect:

  • the contents of any browser tab, page, or window on which you have not explicitly clicked Extract Job or Detect Form Fields;
  • your browsing history;
  • keystrokes, screen recordings, mouse movements, scroll events, or any similar surveillance signal;
  • precise geolocation, GPS, or device-sensor data;
  • contacts, address book, calendar, microphone, camera, or any other device sensor;
  • files on your device other than the CV PDF you choose to upload;
  • the contents of your localStorage, sessionStorage, cookies, or IndexedDB on any host page;
  • payment card numbers, CVCs, or bank account numbers (Stripe handles these and we never see them);
  • any data from minors under 16.

3. How we use your information

We use your information only for the purposes listed below:

  • To deliver the core product. Generate tailored CVs, cover letters, and form answers from your profile and the job posting you extracted. Render and serve generated PDFs.
  • To authenticate you. Verify your password (against the salted hash), issue and refresh sign-in tokens, send one-time verification codes by email.
  • To run the credit and free-tier system. Track your credit balance, monthly free-tier counters, and purchase history. Resolve pricing per AI tier. Calculate cost per generation.
  • To show you your job pipeline. Saved jobs, generated documents, application statuses, search and filter results.
  • To diagnose errors and operate the service. Read logs, debug failed generations, investigate abuse, plan capacity.
  • To prevent abuse. Throttle suspicious traffic, prevent free-tier abuse via the device identifier, suspend accounts that violate our Terms.
  • To send transactional email related to your account. Sign-up confirmation, one-time verification codes, password reset, payment receipt, security notice, material changes to these documents.
  • To comply with the law. Respond to valid legal requests; retain payment records as required by tax law.

We do NOT:

  • sell your personal information to anyone;
  • share your personal information with advertisers or data brokers;
  • use your data to train AI models or improve any model on behalf of any third party;
  • auto-submit applications on your behalf, simulate clicks, or interact with third-party platforms on your behalf;
  • send marketing email or push notifications without your explicit opt-in.

4. Automated decision-making

ApplyFuel uses third-party large language models to draft CVs, cover letters, and form answers from your profile and the job posting you submit. These drafts are statistical output and may be wrong, incomplete, or unsuitable. The drafts have no legal or contractual effect on you and are not used to make any decision about you. You decide which drafts to send and to whom. ApplyFuel does not make any automated decision about you in the sense of Article 22 of the EU General Data Protection Regulation.

5. Who we share your information with

We share data only with the service providers ("subprocessors") that are needed to operate ApplyFuel. Each one receives only the minimum data needed for its function.

| Subprocessor | What they receive | Purpose | Location |
|---|---|---|---|
| OpenRouter, Inc. | Your profile data and the job posting text, on each generation request you trigger | Routes AI generation requests to the underlying language-model provider | United States |
| Anthropic, PBC | Your profile data and the job posting text, on each generation request you trigger | Generates CVs, cover letters, and form answers | United States |
| OpenAI, L.L.C. | Your profile data and the job posting text, on each generation request you trigger | Generates CVs, cover letters, and form answers | United States |
| Google LLC (Generative Language API / Gemini) | Your profile data and the job posting text, on each generation request you trigger | Generates CVs, cover letters, and form answers | United States |
| Google LLC (OAuth) | Authorisation code (when you sign in with Google); in return we receive your verified email, name, and profile picture URL | Sign-in with Google | United States |
| Stripe, Inc. | Your name, email, and the payment instrument details you enter on the Stripe-hosted Checkout page (card or bank); webhook events about your purchase | Processes credit purchases; sends purchase confirmations to our backend | United States |
| SMTP email provider (configured at deployment) | Recipient email address and message body for transactional email (verification codes, receipts, account notices) | Delivers transactional email | Provider-dependent (US or EU) |
| Contabo GmbH | All data stored by the service (database rows, uploaded CV files, server logs) | Hosts our backend servers, database, and file storage | Germany / European Union |

We may also disclose information if we are required to do so by a valid legal request (court order, subpoena, or applicable law). Where we are permitted to do so, we will notify you in advance.

We do not transfer or sell your account or your data to any other third party, except in the event of a business sale, merger, or asset transfer, in which case we will give you advance notice by email and a reasonable opportunity to delete your account before the transfer.

6. International data transfers

Our backend infrastructure is hosted in Germany (European Union). If you are located outside the EU, your data will be transferred to and stored on servers in the EU. Several of our subprocessors (OpenRouter, Anthropic, OpenAI, Google, Stripe) are located in the United States; using the service means you accept that your profile data and the job posting text you submit are transferred to those providers in the United States for processing, and that if you purchase credits the payment data you enter is transferred to and processed by Stripe in the United States. Where required, we rely on Standard Contractual Clauses approved by the European Commission, on the EU-US Data Privacy Framework (where the receiving party is certified under it), or on other appropriate safeguards under applicable data-protection law.

If you do not accept this international transfer, do not use the service.

7. How long we keep your data

| Category | Retention |
|---|---|
| Account record (email, password hash, settings) | Active while your account is active; deleted within 30 days after you delete your account, unless retention is required by law |
| Profile data and uploaded CV | Same as account record |
| Job sessions and generated documents | Same as account record; you can also delete individual sessions at any time |
| Server access logs | Up to 30 days, then deleted |
| Payment records (purchase records, Stripe Checkout session and webhook payloads, credit lots) | Up to 7 years from the transaction, to comply with tax and accounting law, even after account deletion |
| Legal-acceptance audit trail | Same as account record |
| AI generation transit data (request and response in subprocessor systems) | Subject to each subprocessor's retention policy. We do not control retention on the subprocessor side. See their privacy pages. |

8. How we protect your data

  • All traffic between your browser, our backend, and our subprocessors uses HTTPS / TLS.
  • Passwords are stored as salted hashes; we never see your password in plaintext.
  • All third-party API keys we hold (LLM provider keys) are encrypted at rest with Fernet symmetric encryption before being written to the database.
  • Database access is restricted to the application server and the operator (Mahadi Hassan). We have no employees with database access.
  • We follow industry-standard security practices, but no system is perfectly secure. If we become aware of a breach affecting your personal information, we will notify you by email without undue delay, and where required by law within 72 hours of becoming aware.

You are responsible for keeping your password and sign-in tokens confidential and for using a strong, unique password.

9. Your rights

Subject to applicable law, you have the right to:

  • Access the data we hold about you. Email mh@mahadihassan.com.
  • Correct any inaccurate data. You can edit your profile and CV at any time from the extension or webapp; for any field you cannot edit yourself, email us.
  • Delete your account and all associated data. Email mh@mahadihassan.com from your registered email address to request deletion. Deletion is permanent and processed within 30 days, except where retention is required by law (see Section 7).
  • Export your data in a portable format. Email mh@mahadihassan.com and we will provide a JSON export within 30 days.
  • Object to specific processing, or withdraw consent. Email mh@mahadihassan.com.
  • Restrict processing in limited circumstances under applicable data-protection law.
  • Lodge a complaint with your local data-protection authority if you believe we are mishandling your data. For EU residents this is your national DPA; for UK residents this is the ICO.

We will respond to any rights request within 30 days. We may need to verify your identity before acting on a request.

10. Cookies and local storage

10.1 Webapp (applyfuel.com)

The webapp uses first-party cookies and localStorage strictly to:

  • keep you signed in (sign-in tokens, device identifier);
  • remember your UI preferences (theme, layout, last-used tier, etc.).

We do not use advertising cookies, tracking pixels, or analytics cookies. We do not embed any third-party analytics or advertising SDK.

10.2 Extension

The Chrome extension uses chrome.storage.local on your device to store the same kinds of preferences (sign-in tokens, last-used tier, theme, font scale, last extracted job session ID, onboarding flags, cached terms and privacy documents, the device identifier). Nothing in chrome.storage.local leaves your device unless you explicitly trigger a backend action (sign in, extract job, generate, etc.).

The extension does not set any cookies and does not read or write localStorage, sessionStorage, IndexedDB, or any other storage on any host page.

11. Children

ApplyFuel is not directed at children under 16, and we do not knowingly collect data from anyone under 16. If you are a parent or guardian and believe your child has provided us with personal information, email mh@mahadihassan.com and we will delete the data.

12. Sign-in with Google

If you choose to sign in with Google, we receive from Google your verified email address, your name, and a profile picture URL. We use this only to create or look up your account. We do not receive your contacts, calendar, drive, or any other Google data. We are not affiliated with, endorsed by, or sponsored by Google. You can revoke our access at any time from your Google account at myaccount.google.com.

13. Do Not Track

Our service does not respond to "Do Not Track" browser signals, because we do not track you across other websites. We collect only the data described in this Policy, regardless of any browser signal.

14. Changes to this Policy

If we materially change this Policy, we will bump its version number, update the "Last updated" date at the top, and notify registered users by email at least 7 days before the change takes effect. Continued use of the service after that date constitutes acceptance.

15. Contact

For any privacy question, request, or complaint:

Mahadi Hassan
mh@mahadihassan.com — applyfuel.com