Privacy Policy

Last Updated: March 15, 2026

Effective Date: March 15, 2026

1. Introduction

Welcome to Career Journal. Your privacy is important to us.

This Privacy Policy explains how Career Journal (“Career Journal,” “we,” “us,” or “our”) collects, uses, discloses, and protects your personal information when you use our website, applications, and services (collectively, the “Service”).

By using the Service, you agree to the collection, use, and disclosure of your personal information as described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Service.

This Privacy Policy should be read in conjunction with our Terms of Service.

2. Who We Are (Data Controller)

Legal Entity: Career Journal

Contact:

• Email: privacy@thecareerjournal.com
• Website: https://thecareerjournal.com

We act as a “data controller” for the personal information we collect and process through the Service. This means we determine the purposes and means of processing your personal data.

3. Compliance with Canadian Privacy Laws (PIPEDA)

Career Journal complies with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws. We are committed to protecting the privacy of Canadian users in accordance with these requirements.

Key PIPEDA Principles We Follow:

• Accountability for personal information under our control
• Identifying purposes for collection before or at the time of collection
• Obtaining consent when required for collection, use, or disclosure
• Limiting collection to what is necessary for identified purposes
• Limiting use, disclosure, and retention to the stated purposes
• Ensuring accuracy of personal information
• Protecting personal information with appropriate safeguards
• Being open about our policies and practices
• Providing access to personal information upon request
• Providing recourse for privacy complaints and inquiries

Cross-Border Data Storage: Your personal information may be stored or processed outside Canada (including in the United States), and while it is in another jurisdiction, it may be subject to the laws of that jurisdiction, including lawful access by government authorities, courts, or law enforcement in that jurisdiction.

Privacy Commissioner of Canada: If you have concerns about our privacy practices, you may file a complaint with the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca.

Conflict with Other Laws: If there is any conflict between this Privacy Policy and PIPEDA or applicable provincial privacy laws, those laws will prevail.

4. Information We Collect

We collect several types of information from and about users of our Service.

4.1 Information You Provide Directly

Account Information:

• Email address (required)
• Password (encrypted)
• Name (if provided)
• Profile information (if provided)

Payment Information:

• Credit card information (collected and processed by our third-party payment processor - we do NOT store full credit card numbers)
• Billing address
• Payment history

Content You Create:

• Career achievements and documentation
• Notes and journal entries
• STAR method responses
• PDF exports and documents
• Any other content you input into the Service

Communications:

• Email correspondence with our support team
• Feedback and survey responses
• Customer service requests

4.2 Information We Collect Automatically

Usage Data:

• Pages visited and features used
• Time spent on pages
• Navigation paths
• Buttons clicked and forms submitted
• Search queries within the Service
• Achievement creation and editing activity

Device and Browser Information:

• IP address
• Browser type and version
• Operating system
• Device type (desktop, mobile, tablet)
• Screen resolution
• Referring website
• Campaign and referral parameters contained in URLs (for example, UTM parameters and ad click identifiers such as gclid, fbclid, or ttclid), when present
• Geographic location (country/city level based on IP)

Cookies and Similar Technologies:

• Session cookies (essential for Service functionality)
• Consent-preference storage used to remember whether you accepted or declined analytics
• Analytics cookies and similar technologies (via PostHog after your explicit analytics choice, including cookieless analytics if you decline cookies)
• See Section 11 (Cookie Policy) for detailed information

4.3 Information from Third-Party Sources

We may receive information about you from:

Payment Processors:

• Transaction confirmations
• Payment success/failure notifications
• Fraud prevention data

Analytics Services:

• Aggregated usage statistics
• Performance metrics

We do NOT purchase data from data brokers or third-party marketing lists.

4. How We Use Your Information

We use your personal information for the following purposes, based on the legal bases described in Section 5:

4.1 To Provide the Service

• Create and maintain your account
• Process your subscription payments
• Store and display your career achievements
• Generate AI-assisted documents, PDF exports, and reports
• Provide STAR method templates and tools
• Enable data synchronization across devices
• Provide customer support

4.2 To Improve and Develop the Service

• Analyze usage patterns and trends
• Identify and fix bugs
• Develop new features
• Optimize performance and user experience
• Conduct research and analytics
• Measure marketing and referral performance using campaign parameters included in URLs and, where enabled, analytics events

4.3 To Communicate With You

• Send transactional emails (account confirmations, password resets, payment receipts)
• Respond to your inquiries and support requests
• Send important Service updates and security alerts
• Send marketing communications about new features (with your consent - you can opt out)

4.4 To Ensure Security and Prevent Fraud

• Detect and prevent fraud and abuse
• Protect against security threats
• Monitor for suspicious activity
• Enforce our Terms of Service
• Comply with legal obligations

4.5 To Comply with Legal Obligations

• Respond to legal requests (subpoenas, court orders)
• Comply with tax and accounting regulations
• Meet data protection and privacy law requirements

We do NOT:

• Sell your personal information to third parties
• Use your career achievement data for marketing purposes
• Share your content publicly without your permission
• Use automated decision-making or profiling that produces legal effects

5. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA), UK, or Switzerland, we process your personal information based on the following legal bases:

Contract (Article 6(1)(b) GDPR):

• Processing necessary to provide the Service you’ve subscribed to
• Account creation, authentication, payment processing

Consent (Article 6(1)(a) GDPR):

• Marketing communications (you can withdraw consent anytime)
• Non-essential cookies (you can withdraw consent via cookie settings)
• Analytics cookies and similar technologies, including PostHog-based usage analytics and associated campaign attribution where enabled

Legitimate Interest (Article 6(1)(f) GDPR):

• Service improvement and development
• Fraud prevention and security
• Customer support

We have assessed that our legitimate interests do not override your rights and freedoms. You have the right to object to processing based on legitimate interests (see Section 10).

Legal Obligation (Article 6(1)(c) GDPR):

• Compliance with laws and regulations
• Response to legal requests
• Tax and accounting requirements

6. How We Share Your Information

We do NOT sell, rent, or trade your personal information. We only share your information in the following limited circumstances:

6.1 Service Providers (Data Processors)

We share information with third-party service providers who perform services on our behalf. These providers are contractually obligated to:

• Use your information only for the purposes we specify
• Implement appropriate security measures
• Comply with applicable data protection laws

Our Service Providers Include:

Payment Processing:

• Stripe, Inc.
• Purpose: Process credit card payments, subscription billing
• Data Shared: Payment information, billing address, email
• Location: United States
• Privacy Policy: https://stripe.com/privacy

Cloud Hosting and Infrastructure:

• Amazon Web Services (AWS)

• Purpose: Cloud infrastructure and data storage

• Data Shared: All user data and content

• Location: United States

• Privacy Policy: https://aws.amazon.com/privacy/

• Cloudflare, Inc.

• Purpose: Content delivery network (CDN), hosting, security

• Data Shared: All user data and content, connection information

• Location: United States

• Privacy Policy: https://www.cloudflare.com/privacypolicy/

Analytics:

• PostHog, Inc.
• Purpose: Analyze usage patterns, track features, improve Service
• Data Shared: Usage data, device information, anonymized user IDs
• Location: United States
• Privacy Policy: https://posthog.com/privacy

AI Model and Document Generation:

• OpenAI
• Purpose: Generate AI-assisted career documents and structured outputs such as review recaps, promotion cases, resume bullets, and interview story banks
• Data Shared: Prompts, achievement content, structured notes, and related output content necessary to generate the requested document or response
• Location: United States
• Privacy Policy: https://openai.com/policies/privacy-policy/

Transactional Email Delivery:

• Plus Five Five, Inc. (Resend)
• Purpose: Send account confirmations, password resets, billing receipts, service updates, and support-related emails
• Data Shared: Email address, name (if provided), and email content or metadata necessary to deliver transactional messages
• Location: United States
• Privacy Policy: https://resend.com/legal/privacy-policy

6.2 Legal Requirements

We may disclose your information if required by law or in good faith belief that such disclosure is necessary to:

• Comply with legal obligations, court orders, or subpoenas
• Protect and defend our rights or property
• Prevent or investigate possible wrongdoing
• Protect the safety of users or the public
• Protect against legal liability

6.3 Business Transfers

If Career Journal is involved in a merger, acquisition, bankruptcy, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service of any change in ownership or use of your personal information.

6.4 With Your Consent

We may share your information for other purposes with your explicit consent.

We do NOT:

• Share your information with advertisers
• Sell your information to data brokers
• Share your content with other users (unless you explicitly choose to)

7. International Data Transfers

Data Storage Location: Your information is primarily stored on servers located in the United States.

7.1 For Canadian Users (PIPEDA Principle 4.8.2)

As disclosed in Section 3, your personal information may be stored or processed outside Canada (including in the United States). While your information is in another jurisdiction, it may be subject to the laws of that jurisdiction, including lawful access by government authorities, courts, or law enforcement in that jurisdiction.

By using our Service, you consent to the transfer of your personal information outside of Canada for the purposes described in this Privacy Policy.

7.2 For EEA, UK, and Swiss Users

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal information may be transferred to countries outside the EEA/UK/Switzerland, including the United States, which may not provide the same level of data protection as your home country.

Safeguards for International Transfers:

We ensure appropriate safeguards are in place for international transfers:

• Standard Contractual Clauses (SCCs): We use EU Commission-approved Standard Contractual Clauses with our service providers
• Adequacy Decisions: We may transfer data to countries deemed adequate by the EU Commission (e.g., Canada has received an adequacy decision from the EU Commission)
• Additional Security Measures: Encryption in transit and at rest, access controls, regular security audits

Service Provider Locations:

• Payment Processing (Stripe): United States
• Cloud Hosting (AWS, Cloudflare): United States
• Analytics (PostHog): United States
• AI Model Processing (OpenAI): United States
• Transactional Email Delivery (Resend): United States

You have the right to request information about the safeguards we use for international transfers. Contact privacy@thecareerjournal.com.

8. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

8.1 Retention Periods

Active Account:

• Account data: Retained while your account is active
• Content (achievements, notes): Retained indefinitely while account is active
• Usage data: Retained for 12 months for analytics purposes

After Account Cancellation:

• Account data: Retained for 30 days (grace period for reactivation)
• Content: Retained for 30 days (grace period for reactivation)
• After 30 days: All data deleted from production systems

After Account Deletion Request:

• Account and content: Deleted within 30 days of request
• Backups: May remain in backup systems for up to 90 days

Legal/Financial Records:

• Payment records: Retained for 7 years for tax and accounting purposes
• Legal communications: Retained as long as necessary for legal compliance

Exceptions:

• If we have a legal obligation to retain data (e.g., pending litigation)
• If necessary for legitimate business purposes (e.g., fraud prevention)

8.2 Anonymized Data

We may retain anonymized, aggregated data indefinitely for analytics and research purposes. This data cannot be used to identify you personally.

9. Data Security

We implement industry-standard security measures to protect your personal information from unauthorized access, alteration, disclosure, or destruction.

9.1 Security Measures

Technical Safeguards:

• Encryption in transit (TLS/SSL)
• Encryption at rest for sensitive data
• Secure password hashing (bcrypt or similar)
• Regular security updates and patches
• Firewalls and intrusion detection systems
• Regular security audits and vulnerability scans

Organizational Safeguards:

• Access controls (need-to-know basis)
• Employee training on data protection
• Confidentiality agreements with employees and contractors
• Incident response procedures
• Data breach notification procedures

Physical Safeguards:

• Secure data centers with restricted access
• Environmental controls (fire, flood protection)

9.2 Your Responsibility

You are responsible for:

• Maintaining the confidentiality of your password
• Not sharing your account credentials
• Logging out from shared devices
• Notifying us of unauthorized access

9.3 No Guarantee

While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security. You use the Service at your own risk.

9.4 Data Breach Notification

In the event of a data breach that may affect your personal information:

• We will notify you via email within 72 hours of discovery
• We will notify relevant supervisory authorities as required by law
• We will provide information about the breach, affected data, and steps taken
• We will provide guidance on protective measures you can take

10. Your Privacy Rights

Depending on your location, you have certain rights regarding your personal information.

10.1 Rights for All Users

Access and Export:

• You can access your account information and content at any time through your account settings
• You can export your data by contacting support@thecareerjournal.com

Correction:

• You can update your account information through your account settings
• Contact us if you need help correcting inaccurate data

Deletion:

• You can delete your account through account settings
• Contact privacy@thecareerjournal.com to request immediate deletion

Cancellation:

• You can cancel your subscription at any time through account settings

10.2 Additional Rights for EEA, UK, and Swiss Users (GDPR)

Under GDPR, you have the following rights:

Right of Access (Article 15):

• Request confirmation of whether we process your personal data
• Request a copy of your personal data
• Request information about processing purposes, categories, recipients, retention

Right to Rectification (Article 16):

• Request correction of inaccurate or incomplete personal data

Right to Erasure / “Right to be Forgotten” (Article 17):

• Request deletion of your personal data in certain circumstances
• Note: We may retain data if required by law or for legitimate purposes

Right to Restriction of Processing (Article 18):

• Request restriction of processing in certain circumstances (e.g., while we verify accuracy)

Right to Data Portability (Article 20):

• Request your personal data in a structured, machine-readable format
• Request transfer of your data to another service provider where technically feasible

Right to Object (Article 21):

• Object to processing based on legitimate interests
• Object to direct marketing (we will stop immediately)
• Object to automated decision-making (if applicable)

Right to Withdraw Consent (Article 7(3)):

• Withdraw consent for processing at any time (where processing is based on consent)
• Withdrawal does not affect the lawfulness of processing before withdrawal

Right to Lodge a Complaint (Article 77):

• Lodge a complaint with your local supervisory authority if you believe we have violated GDPR

EU Supervisory Authorities: https://edpb.europa.eu/about-edpb/board/members_en

10.3 Additional Rights for California Residents (CCPA/CPRA)

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California residents have the following rights:

Right to Know (§1798.100):

• Request disclosure of personal information we collected about you in the past 12 months
• Categories of personal information collected
• Categories of sources
• Business or commercial purposes
• Categories of third parties with whom we shared information

Right to Delete (§1798.105):

• Request deletion of personal information we collected from you
• Subject to certain exceptions (e.g., legal obligations, fraud prevention)

Right to Correct (§1798.106):

• Request correction of inaccurate personal information

Right to Opt-Out of Sale/Sharing (§1798.120):

• We do NOT sell your personal information
• We do NOT share your information for cross-context behavioral advertising

Right to Limit Use of Sensitive Personal Information (§1798.121):

• If applicable, you can limit use of sensitive personal information

Right to Non-Discrimination (§1798.125):

• We will not discriminate against you for exercising your CCPA rights
• We will not deny service, charge different prices, or provide different quality

10.4 How to Exercise Your Rights

To exercise any of the above rights:

Email: privacy@thecareerjournal.com

Include in your request:

• Your name and email address associated with your account
• Specific right(s) you wish to exercise
• Sufficient detail to allow us to locate your information

Verification:

• We may ask you to verify your identity before fulfilling requests
• We may request additional information to confirm your identity
• For California residents: We may use a two-step verification process

Response Time:

• GDPR: We will respond within 30 days (extendable to 60 days for complex requests)
• CCPA: We will respond within 45 days (extendable to 90 days for complex requests)

Authorized Agents:

• California residents may designate an authorized agent to make requests on your behalf
• We may require proof of authorization

No Fee:

• We do not charge a fee for your first request in a 12-month period
• We may charge a reasonable fee for excessive, repetitive, or manifestly unfounded requests

11. Cookie Policy

11.1 What Are Cookies

Cookies are small text files stored on your device when you visit a website. They help websites remember your preferences and improve your experience.

11.2 How We Use Cookies and Similar Technologies

We use cookies and similar technologies, including local storage and URL-based campaign parameters, as described below:

Strictly Necessary Cookies and Similar Technologies (Essential):

• Purpose: Enable basic functionality, authentication, security, and remember your consent choice
• Examples: Session cookies, authentication tokens, security tokens, and local storage used to remember whether you accepted or declined analytics
• Legal Basis: Legitimate interest (necessary for Service functionality)
• You cannot opt out of these technologies when they are strictly necessary for the Service to function or to honor your privacy choices

Analytics Cookies and Similar Technologies (Non-Essential):

• Provider: PostHog
• Purpose: Understand how users interact with the Service, track feature usage, identify bugs
• Information Collected: Pages visited, features used, anonymized user IDs, device information, and campaign or referral parameters present in the URL when analytics is enabled
• Legal Basis: Consent
• Choice Handling: If you accept analytics, PostHog may use cookies or similar technologies. If you explicitly decline analytics cookies, we may still use PostHog in privacy-preserving cookieless mode. You can clear your consent preference in your browser storage settings.

Cookie Consent Banner: When you first visit our Service, a cookie consent banner will appear for all users. This banner allows you to:

• Accept analytics cookies and similar technologies
• Reject non-essential cookies and similar technologies
• Review our full Cookie Policy

We request an explicit analytics choice before PostHog captures analytics activity on the marketing site. If you accept, PostHog may use cookies or similar technologies. If you explicitly decline analytics cookies, PostHog may run in privacy-preserving cookieless mode. Strictly necessary technologies may be used automatically because they are required for the Service to function and to respect your consent choices.

Referral and Campaign Parameters:

• Purpose: Attribute visits and signups to the marketing source that led you to our Service
• Examples: utm_source, utm_medium, utm_campaign, utm_content, gclid, fbclid, ttclid
• How We Handle Them: We may read these parameters from the URL and preserve them in links across our marketing site and signup flow during your browsing session. On our marketing site, we do not store these parameters in browser storage before you consent to analytics.
• Legal Basis: Legitimate interest for same-session routing and attribution, and consent where they are used with non-essential analytics technologies

11.3 Third-Party Analytics Technologies

PostHog Analytics:

• PostHog may load on the marketing site before you choose, but it does not capture analytics activity until you explicitly accept or decline analytics in the consent banner
• If you accept analytics, PostHog may set cookies or use similar technologies to track usage across sessions
• If you decline analytics cookies, PostHog may operate in privacy-preserving cookieless mode instead of storing a persistent analytics identifier in a cookie
• Privacy Policy: https://posthog.com/privacy

11.4 Managing Cookies

Browser Settings:

• You can configure your browser to refuse all cookies or alert you when cookies are sent
• Most browsers allow you to delete cookies
• Note: Disabling cookies may affect Service functionality

Do Not Track:

• We currently do not respond to Do Not Track (DNT) signals
• We may implement DNT support in the future

11.5 Cookie Duration

• Session Cookies: Deleted when you close your browser
• Persistent Cookies: Remain on your device for a set period (typically 30 days to 2 years) or until you delete them

12. Marketing Communications

12.1 Transactional Emails (Required)

You will receive certain transactional emails related to your use of the Service, including:

• Account creation confirmation
• Password reset emails
• Payment receipts and billing notifications
• Important Service updates and security alerts
• Responses to your support requests

You cannot opt out of transactional emails as they are necessary for the Service.

12.2 Marketing Emails

We may send you marketing communications about:

• New features and updates
• Tips for using the Service
• Special offers or promotions

Marketing emails are sent only with your consent.

How to Opt Out:

• Click the “Unsubscribe” link in any marketing email
• Email privacy@thecareerjournal.com with “Unsubscribe” in the subject

We will process opt-out requests within 2-5 business days.

13. Third-Party Links

The Service may contain links to third-party websites or services that are not owned or controlled by Career Journal.

We are not responsible for:

• The privacy practices of third-party websites
• The content of third-party websites
• The accuracy or reliability of third-party services

We recommend:

• Reviewing the privacy policy of any third-party website you visit
• Being cautious about sharing personal information with third parties

Third-party links we may include:

• Social media platforms (if applicable)
• Payment processor websites
• Documentation or help resources
• Blog posts or external resources

14. Changes to This Privacy Policy

14.1 Right to Modify

We may update this Privacy Policy from time to time to reflect:

• Changes in our data practices
• Changes in applicable laws
• New features or services
• Feedback from users or regulators

14.2 Notice of Changes

For Material Changes:

• We will notify you at least 30 days before changes take effect
• Notice will be sent via email to your registered email address
• Notice will be posted prominently on the Service
• We may require you to re-consent to the updated Privacy Policy

For Non-Material Changes (e.g., clarifications, formatting):

• We will post the updated Privacy Policy on this page
• The “Last Updated” date at the top will be revised
• Continued use of the Service constitutes acceptance

14.3 Review Regularly

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

14.4 Previous Versions

You can request previous versions of this Privacy Policy by contacting privacy@thecareerjournal.com.

15. California “Shine the Light” Law

California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing purposes.

We do NOT share your personal information with third parties for their direct marketing purposes.

If you are a California resident and have questions, contact privacy@thecareerjournal.com.

16. Nevada Privacy Rights

Nevada law (SB 220) allows Nevada residents to opt out of the sale of certain personal information.

We do NOT sell your personal information as defined by Nevada law.

If you are a Nevada resident and have questions, contact privacy@thecareerjournal.com.

17. Contact Us

If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:

Career Journal - Privacy Team

Email: privacy@thecareerjournal.com

Response Time:

• We aim to respond to all privacy inquiries within 10 business days
• For GDPR/CCPA requests, we will respond within the legally required timeframes (30-45 days)

18. Supervisory Authority

18.1 EEA, UK, and Swiss Users

If you are located in the EEA, UK, or Switzerland, you have the right to lodge a complaint with your local data protection supervisory authority if you believe we have violated your privacy rights.

Find your supervisory authority:

• EU: https://edpb.europa.eu/about-edpb/board/members_en
• UK: Information Commissioner’s Office (ICO) - https://ico.org.uk
• Switzerland: Federal Data Protection and Information Commissioner (FDPIC) - https://www.edoeb.admin.ch

18.2 California Users

California residents may file complaints with:

California Attorney General 1300 I Street Sacramento, CA 95814 Phone: (916) 445-9555 Website: https://oag.ca.gov/contact

19. Governing Law and Jurisdiction

Governing Law: This Privacy Policy and any disputes arising from it are governed by and construed in accordance with the laws of the Province of British Columbia and the laws of Canada applicable therein, without regard to conflict of law principles.

Jurisdiction: Any legal action or proceeding relating to this Privacy Policy or your personal information shall be brought exclusively in the courts located in British Columbia, Canada. You consent to the jurisdiction and venue of such courts.

International Users: If you are accessing the Service from outside Canada, you acknowledge that your information will be transferred to, stored, and processed in the United States and Canada, and you consent to such transfer and processing in accordance with this Privacy Policy and applicable law.

Compliance with Multiple Jurisdictions: Where you are subject to privacy laws in multiple jurisdictions (e.g., GDPR in the EU, CCPA in California, PIPEDA in Canada), we will comply with the requirements of all applicable laws. In the event of any conflict between this Privacy Policy and applicable privacy laws in your jurisdiction, the applicable laws will prevail.

END OF PRIVACY POLICY