Privacy Policy

1. Introduction

ByeByeApply, operated by Ygora AS (Norwegian organization number 934 293 098), is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our AI-powered career guidance platform.

We comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws. By using ByeByeApply, you consent to the data practices described in this policy.

2. Data We Collect

2.1 Information You Provide

• Account Information: Email address, password (encrypted)
• Career Preferences: Work style preferences, industry interests, location preferences, company size/maturity preferences
• Skills & Experience: Your professional skills, achievements, and career goals
• Company Interactions: Notes about companies, outreach messages, follow-up tasks
• Conversation History: Your interactions with our AI agents (Discovery, Match, Outreach, Progress)

2.2 Personal Portfolio Data

• Portfolio Content: Slogan, profile pitch, "I Thrive When", unique angle, what you're looking for, resource links
• Coffee Booking: Coffee note, preferred location, and conversation topics you set
• Contact Messages: When someone contacts you via your portfolio, we store their name, email, and message. You are notified by email — the sender never sees your email address directly

2.3 Activity Tracking Data

• Standalone Activities: Coffees, meetings, events, and other activities you log (stored in your profile)
• Company Activities: Interactions linked to specific companies you track

2.4 Automatically Collected Data

• Usage Data: Pages visited, features used, time spent on platform (via Vercel Analytics — privacy-focused, no cross-site tracking)
• Technical Data: IP address, browser type, device information, session data
• Timestamps: When you create, update, or access data

3. How We Use Your Data

We use your personal data for the following purposes:

• Provide Our Service: Match you with companies, generate outreach strategies, track your progress
• AI Processing: Our AI agents analyze your preferences to provide personalized recommendations
• Communication: Send you follow-up reminders, platform updates, and support messages
• Improvement: Analyze usage patterns to improve our platform and AI agents
• Security: Detect and prevent fraud, abuse, and security incidents
• Legal Compliance: Comply with legal obligations and enforce our terms

4. Email Communications

We send different types of emails based on your preferences and account activity:

4.1 Job Search Emails (opt-out available)

• Weekly company matches: Sent on Wednesdays when we find new companies matching your preferences
• Follow-up check-ins: "Did they reply?" reminders 1-2 weeks after you send a message
• Job search tips: Motivation and guidance during your first 4 weeks

4.2 Product Updates (opt-out available)

• Feature announcements: Major new features and improvements (~1-2/month)
• Platform updates: Important changes to the platform

4.3 Transactional Emails (cannot opt out)

• Account security: Password resets, security alerts (required for your account)
• Payment receipts: Transaction confirmations (when applicable)

4.4 Your Control

• Manage preferences: Settings
• Unsubscribe: Every email includes an unsubscribe link
• Right to object: You can opt out of any non-essential emails at any time

4.5 Legal Basis

• Service emails: Contractual necessity (GDPR Article 6(1)(b))
• Job search & product emails: Legitimate interest (GDPR Article 6(1)(f)) - existing customer relationship
• You can object at any time by updating your preferences or unsubscribing

5. Ygora Networking Dinners

Ygora is our networking dinner service that connects professionals for curated dinner conversations. This section explains how we handle your data specifically for Ygora dinners.

5.1 Data We Collect for Dinners

• Contact Information: Name, email, phone number (optional)
• Professional Information: Job title, company name, company type, years of experience
• Preferences: Conversation topics of interest, dietary restrictions
• Membership Status: Oda Network membership level (self-declared), ByeByeApply account status

5.2 How We Use Dinner Data

• Group Matching: We match you with 4-6 other professionals based on topic interest and experience level
• Event Coordination: Restaurant reservations, calendar invitations, and logistics
• Communication: Confirmation emails, group details, conversation starters, and post-dinner feedback requests
• Service Improvement: Feedback helps us improve matching and the overall experience

5.3 Data Shared with Your Dinner Group

When you sign up for a dinner, you consent to the following information being shared with your dinner group members:

• Shared: First name, conversation topic
• Not Shared: Email, phone, full name, company details, LinkedIn profile

You can choose to share more information directly with group members at the dinner.

5.4 Dietary Information

Dietary restrictions are considered sensitive data. We only use this information to:

• Select appropriate restaurants
• Inform restaurant staff (without identifying you by name)

We do not share your dietary restrictions with other dinner guests.

5.5 Data Retention for Dinners

• Active Signups: Retained while you have upcoming or recent dinners
• Dinner History: Past attendance retained for 24 months to improve future matching
• Feedback: Anonymized and aggregated after 12 months
• Account Deletion: All dinner data deleted when you delete your account

5.6 Legal Basis

• Consent: You explicitly consent when signing up for a dinner
• Contract: Processing necessary to provide the dinner service
• Legitimate Interest: Improving matching algorithms based on feedback

6. ByeByeBias — Anonymous Company Browsing

ByeByeBias allows companies to discover candidates without seeing any identifying information. This section explains how your data is handled in this context.

6.1 What Companies See

• Shown: Your superpower, work flow preferences, unique angle, what you're looking for, skills, preferred industries, and preferred locations
• Never shown: Your name, email address, portfolio URL, photo, age, gender, or any other identifying information

6.2 Opt-In Only

Your profile is only visible to companies if you explicitly enable the "Visible to companies" toggle in your Career Hub settings. You can disable it at any time.

6.3 No Algorithmic Scoring or Ranking

ByeByeBias is a search and filter tool only. Companies can filter candidates by skills, preferred industries, and preferred locations. No algorithmic scoring, ranking, or profiling is applied. Results are sorted by last-updated date only. This ensures compliance with the EU AI Act and prevents discriminatory bias in candidate presentation.

6.4 Connection Requests

Companies can request a connection with you. The request is sent to you via email relay — the company never sees your email address. You choose whether to respond and reveal your identity.

6.5 Search Engine Indexing & Anonymity Protection

To protect the anonymity guarantee of ByeByeBias, we apply the following indexing rules automatically based on your privacy settings:

• Visible to companies (anonymous browse) enabled: Your portfolio page is never indexed by search engines, even if your portfolio is set to "Public". This prevents companies from re-identifying you by searching for your profile text online.
• Visible to companies disabled, portfolio set to Public: Your portfolio page may be indexed by search engines and appear in search results. This is the only combination under which your portfolio is publicly discoverable via Google or similar.
• Portfolio set to Shared or Private: Never indexed, regardless of your company search setting.

This design ensures that opting into anonymous company discovery and opting into public internet visibility are mutually exclusive — you cannot be re-identified via a search engine while participating in ByeByeBias browse.

7. Legal Basis for Processing (GDPR)

Under GDPR, we process your data based on:

• Consent: You explicitly consent to our data processing when you sign up
• Contract Performance: Processing is necessary to provide our service to you
• Legitimate Interests: We have legitimate interests in improving our service and preventing fraud
• Legal Obligations: We must comply with applicable laws and regulations

8. Data Sharing & Third Parties

We share your data with the following third parties:

• OpenAI: Our primary AI provider. We use OpenAI's models (GPT-4o-mini) to power our conversational agents. Your messages are processed by OpenAI to generate responses. Ygora AS (the company behind ByeByeApply) has signed a Data Processing Agreement (DPA) with OpenAI that ensures GDPR-compliant data handling. OpenAI does not use your data for training their models.
• Groq AI: Our fallback AI provider. If OpenAI is unavailable, we use Groq's AI models to ensure service continuity. Groq does not store your data permanently.
• Supabase: Our database and authentication provider. Data is stored securely in EU data centers.
• Vercel: Our hosting provider. Data is processed in accordance with their privacy policy.
• Brreg.no: We access public Norwegian company registry data to match you with companies. No personal data is shared with Brreg.
• Resend: Our email delivery provider (Plus Five Five, Inc.). We share your email address with Resend to send transactional emails, portfolio contact notifications, connection request notifications, and job search updates. Ygora AS has signed a Data Processing Agreement (DPA) with Resend (effective January 14, 2026) that includes EU Standard Contractual Clauses (SCCs) and EU-U.S. Data Privacy Framework compliance. Resend does not use your data for marketing purposes.
• Stripe: Our payment processor. When you make a purchase, Stripe processes your payment information (card details, billing address). We do not store your full card details - Stripe handles this securely under PCI-DSS compliance. Stripe acts as an independent data controller for payment processing.
• Tavily: Our company research provider. We use Tavily's API to gather publicly available information about companies to provide you with better matches. No personal data is shared with Tavily.

We never sell your personal data to third parties. We only share data with service providers necessary to operate our platform, and they are contractually obligated to protect your data.

9. Your Rights Under GDPR

You have the following rights regarding your personal data:

• Right to Access: Request a copy of all personal data we hold about you
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure ("Right to be Forgotten"): Request deletion of your account and all associated data
• Right to Data Portability: Receive your data in a machine-readable format (JSON)
• Right to Restrict Processing: Limit how we use your data
• Right to Object: Object to certain types of data processing
• Right to Withdraw Consent: Withdraw your consent at any time

To exercise any of these rights, visit your Privacy Settings or contact us at privacy@byebyeapply.com.

10. Data Retention

We retain your personal data for the following periods:

• Active Accounts: Data is retained while your account is active
• Inactive Accounts: After 24 months of inactivity, we will send a reminder. If no response within 30 days, your account will be archived.
• Deleted Accounts: When you delete your account, all personal data and your authentication credentials are immediately and permanently deleted. The only exceptions are:
• Anonymized audit logs (no personal identifiers, used for compliance verification only)
• Aggregated usage statistics (no personal identifiers)
• Data required for legal compliance if applicable (e.g., financial records for 7 years)

11. Data Security

We implement industry-standard security measures to protect your data:

• Encryption: All data is encrypted in transit (TLS/SSL) and at rest (AES-256)
• Access Controls: Row-Level Security (RLS) ensures users can only access their own data
• Authentication: Secure password hashing (bcrypt) and session management
• Monitoring: Continuous monitoring for security threats and unauthorized access
• Regular Audits: Periodic security audits and vulnerability assessments

12. International Data Transfers

Your data is primarily stored in EU data centers (Supabase EU region). When data is transferred outside the EU (e.g., to OpenAI or Groq AI for processing), we ensure adequate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements (DPAs) with all third-party processors, including OpenAI and Resend
• Encryption during transfer and processing
• OpenAI's commitment not to use customer data for model training

13. Cookies

ByeByeApply uses only strictly necessary cookies required for the platform to function:

• Authentication cookies (Supabase): Session tokens that keep you logged in. These are essential for the service and cannot be disabled while using the platform.

We do not use advertising cookies, third-party tracking cookies, or analytics cookies that track you across websites. Vercel Analytics (used for aggregate page views) is privacy-focused and does not use cookies or track individual users across sites.

Under GDPR and the ePrivacy Directive, strictly necessary cookies do not require consent. We inform you of their use here for transparency.

14. Children's Privacy

ByeByeApply is not intended for users under 16 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately at privacy@byebyeapply.com.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a prominent notice on our platform. Your continued use of ByeByeApply after changes constitutes acceptance of the updated policy.

16. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

17. Supervisory Authority

If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority. For users in Norway, this is: