Privacy Policy
Last updated: February 24, 2026
Kareeo ("Kareeo", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, with whom we share it, and what rights you have over it.
By using our website at https://kareeo.com or our application, you agree to the practices described in this policy.
1. Who We Are
Kareeo is the data controller for personal data collected through our website and application. If you have questions about this policy, contact us at privacy@kareeo.com.
2. Data We Collect and Why
We collect only the data that is necessary for the purpose for which it is used ("data minimisation"). Below are the categories of data we process and the lawful basis under which we process them.
| Data Category | Examples | Purpose | Lawful Basis (GDPR) |
|---|---|---|---|
| Account Data | Name, email address, password (hashed) | Create and manage your account | Contract (Art. 6(1)(b)) |
| Resume / Career Data | CV content, work history, skills, job preferences | Provide AI career coaching features | Contract (Art. 6(1)(b)) |
| Usage Data | Pages visited, features used, session duration | Improve product quality and fix bugs | Legitimate interest (Art. 6(1)(f)) |
| Payment Data | Billing address, last-4 digits of card (via Stripe) | Process subscription payments | Contract (Art. 6(1)(b)) |
| Communications | Emails you send us, support tickets | Respond to inquiries | Legitimate interest (Art. 6(1)(f)) |
| Technical Data | IP address, browser type, device identifiers | Security, fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Cookie / Tracking Data | Session cookies, analytics beacons | Site performance, analytics | Consent (Art. 6(1)(a)) |
We do not sell, rent, or share your personal data with third parties for their own marketing purposes.
3. Data Minimisation by Design (GDPR Article 25)
In accordance with Article 25 of the General Data Protection Regulation (GDPR), Kareeo applies the principle of data protection by design and by default:
- Collect only what is necessary. We do not collect data fields unless they are required to deliver a specific feature. For example, we do not ask for your date of birth, gender, or nationality unless you voluntarily include them in your uploaded resume.
- Default to less data. Privacy-preserving options are the default. Analytics are anonymised before processing. Cookie consent is opt-in (not pre-ticked).
- Storage limitation. Data is retained only as long as needed for its stated purpose. Inactive accounts are flagged for deletion after 12 months of inactivity (users are notified first).
- Access controls. Only engineering personnel with a legitimate operational need can access production data, and all access is logged.
- Pseudonymisation. Where technically feasible, analytics data is processed in pseudonymised or aggregate form.
4. AI Processing of Your Data
Kareeo uses AI models (including large language models) to analyse your resume and career data in order to provide career coaching, job matching, and skill gap analysis. Please note:
- Your resume data is sent to AI model providers only to the extent necessary to generate responses.
- We use data processing agreements (DPAs) with all AI sub-processors to ensure your data is not used to train their public models.
- You can delete your career data at any time from your account settings, which will cease further AI processing of that data.
- Fully automated decisions with significant effects on you (within the meaning of GDPR Art. 22) are not made by Kareeo — all AI output is advisory and presented to you for your review.
5. Who We Share Data With
We share data only with trusted sub-processors necessary to operate our service:
- Supabase — Database hosting (EU/US, covered by SCCs)
- Stripe — Payment processing (PCI-DSS compliant)
- Resend / SendGrid — Transactional email delivery
- AI model providers — Career data analysis (DPAs in place, no model training)
- Vercel — Application hosting and edge functions
We do not sell or share your personal data with advertising networks, data brokers, or any third party for commercial purposes.
6. International Data Transfers
Some of our sub-processors are located outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission; or
- An adequacy decision by the European Commission.
You may request a copy of the relevant safeguards by contacting us at privacy@kareeo.com.
7. How Long We Keep Your Data
- Account data — Retained while your account is active, then deleted within 30 days of account closure.
- Resume / career data — Retained while you have an account. Deletable at any time via account settings.
- Usage / analytics data — Retained for up to 24 months in aggregate form.
- Payment records — Retained for 7 years to comply with accounting obligations.
- Support communications — Retained for up to 3 years from the date of the last interaction.
8. Your Rights Under GDPR (EEA / UK Residents)
If you are in the European Economic Area or the United Kingdom, you have the following rights:
- Right of access — Request a copy of the personal data we hold about you.
- Right to rectification — Correct inaccurate or incomplete data.
- Right to erasure — Request deletion of your personal data ("right to be forgotten").
- Right to restrict processing — Ask us to limit how we use your data.
- Right to data portability — Receive your data in a machine-readable format.
- Right to object — Object to processing based on legitimate interests.
- Rights related to automated decision-making — We do not make solely automated decisions with significant effects (Art. 22). If this changes, we will update this policy and provide opt-out options.
To exercise any of these rights, email privacy@kareeo.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
9. Your Rights Under CCPA (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you additional rights:
- Right to Know — You may request that we disclose the categories and specific pieces of personal information we have collected about you in the past 12 months.
- Right to Delete — You may request deletion of your personal information, subject to certain exceptions (e.g., legal obligations).
- Right to Correct — You may request correction of inaccurate personal information we hold about you.
- Right to Opt-Out of Sale / Sharing — We do not sell or share your personal information as defined under CCPA. You may still submit a preference via our Your Privacy Choices page.
- Right to Limit Use of Sensitive Personal Information — We do not use sensitive personal information beyond what is necessary to provide the service.
- Right to Non-Discrimination — We will not discriminate against you for exercising your CCPA rights.
To submit a California privacy request, visit our Your Privacy Choices page or email privacy@kareeo.com. We will verify your identity before fulfilling requests. You may also designate an authorised agent to submit requests on your behalf.
10. Cookies
We use cookies and similar tracking technologies as described in our Cookie Policy. You can manage your cookie preferences at any time via our cookie consent banner or our Your Privacy Choices page.
11. Children's Privacy
Kareeo is not directed to children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, contact us immediately at privacy@kareeo.com.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or via an in-app notice at least 14 days before the change takes effect. Continued use of Kareeo after changes take effect constitutes acceptance.
13. Contact Us
For any privacy-related questions or requests:
- Email: privacy@kareeo.com
- General contact: support@kareeo.com
Legal disclaimer: This Privacy Policy is provided for informational purposes and reflects our current data practices. It does not constitute legal advice. If you have specific legal concerns, please consult a qualified privacy attorney.