Privacy Policy.

Your Next Seat (“the Service”) is a job-discovery tool for managers and above. We aggregate publicly listed roles, score them against your CV, and help you track applications. [Legal entity to be confirmed before billing launches 01 July 2026] is the data controller for the personal data described here. For privacy questions, contact [email protected].

This policy covers the Your Next Seat web application, any browser extension, and the communications we send you. It explains what we collect, why, how long we keep it, who we share it with, and your rights.

• Account data. Email address, password (hashed; never stored in plain text), display name, the role you are assigned (user, manager, or admin).
• Profile data. CV or resume content you upload, structured profile fields (work history, education, skills, languages, cover-letter preferences), notification preferences.
• Usage data. Searches you run, jobs you track, the status you set on each tracked job, Apply clicks. Used to enforce plan limits and show your application history.
• Billing data. Your subscription tier, plan status, and a Paddle order/customer reference. We do not receive or store your full card number or bank details — these are handled by Paddle (see Section 6).
• Technical data. IP address at the time of a request (rate-limiting and abuse prevention; not retained long-term), browser user-agent, session and refresh cookies (httpOnly, scoped to our domain).

We do not collect: full payment-card or bank data, government-ID numbers, health or biometric data, or your browsing history outside the Service.

We do not use your data for advertising targeting, and we do not sell your personal data.

Full inventory in our Cookie Policy. Summary:

Your data stays inside the Service except for these service providers (processors and sub-processors), who act on our instructions:

• Payments — Paddle.com (Merchant of Record). Paddle processes your payment, billing details, and taxes, and acts as a separate controller for the payment transaction. Paddle may use an identity-verification partner in some flows. Paddle receives the data needed to bill you (name, email, billing country, payment instrument); we do not receive your full card details. See Paddle’s privacy notice.
• Transactional email. Our email service provider sends transactional email (registration, approval, password reset, billing). It receives your email address, display name, and the email body. It does not receive your CV or tracked jobs.
• Product analytics. Our EU-region product-analytics provider measures how the Service is used. Loaded only if you accept analytics in the cookie banner. It does not receive your CV or tracked jobs.
• Job aggregation. Our job-listing aggregator fetches public job listings. It does not receive your personal data; it returns public listings only.
• AI features (post-launch, where applicable). Our AI provider processes CV text and job descriptions for opt-in LLM features. Under their commercial terms, your data is not used to train their models. If you do not use LLM features, no data is sent.
• Hosting and database. Our hosting and database providers store data on our behalf within the European Economic Area.
• Encrypted off-site backups (operator access only).
• Legal compliance. We may disclose data where compelled by valid legal process; we will notify you unless legally prohibited.

We do not transfer your data to third parties for their own marketing.

Where personal data is transferred outside the UK or the EEA (for example, to a US-based AI provider or US-based Paddle affiliates), we rely on appropriate safeguards such as Standard Contractual Clauses and the UK International Data Transfer Addendum, and/or applicable adequacy decisions.

Depending on where you live, you may have rights to: access a copy of your data; correct inaccurate data; delete your account and request erasure; restrict or object to processing; data portability (machine-readable export); and withdraw consent for optional features. To exercise any right, email [email protected]; we respond within 30 days (or the period your local law requires).

• EU/EEA and UK. GDPR and UK GDPR apply; you may lodge a complaint with your supervisory authority (e.g. the UK ICO or your national DPA).
• California. CCPA and CPRA rights, including the right to know, delete, correct, and opt out of “sale” and “sharing” (we do neither). We do not discriminate for exercising rights.
• Australia. The Privacy Act 1988 and Australian Privacy Principles apply.
• New Zealand. The Privacy Act 2020 applies.
• UAE and Saudi Arabia. The UAE PDPL and KSA PDPL may apply to residents.

The Service is for adults (18+). We do not knowingly collect data from children. If you believe a child has provided data, contact [email protected].

We use TLS in transit, bcrypt password hashing, httpOnly session cookies, authentication rate limiting, encrypted backups, and admin audit logging. No system is perfectly secure. If we discover a breach affecting your personal data, we will notify the relevant authority and, where required, you, in line with applicable law (e.g. GDPR Art. 33/34 — without undue delay and, to the supervisory authority, within 72 hours of becoming aware where feasible).

We may update this policy. Material changes (broadening what we collect or who we share with) trigger email notice and a 30-daynotice period. Minor changes update the “Last updated” date at the top.

[email protected]— privacy questions, data requests, breach reports.