Privacy Policy

Last updated: March 22, 2026

1. Information We Collect

When you use ojamafy, we collect the following categories of information:

  • Account information: Email address and authentication credentials. Passwords are securely managed by our authentication provider and are never directly accessible to us.
  • Resume data: Personal and professional information you enter or import, including name, contact details, employment history, education, skills, certifications, and projects.
  • Job application data: Job titles, company names, URLs, job descriptions, application status, and any notes you provide.
  • Usage data: Page views, feature interactions, timestamps, and general usage patterns collected for analytics and service improvement.
  • Technical and security data: IP address, user agent, request timestamps, and related technical information collected for security monitoring, fraud prevention, and service integrity.
  • Service performance data: Anonymized records of processing operations, including response times and error rates, collected for service reliability monitoring and improvement.
  • Feedback data: Any feedback, bug reports, or suggestions you voluntarily submit through the platform.

Sensitive personal information: Resumes you provide may contain information that is considered sensitive or special category data under applicable law, such as information revealing racial or ethnic origin, disability status, or other protected characteristics. We process this information solely because you have voluntarily provided it as part of your resume content. We do not request, require, or use such information for any purpose other than delivering the Service to you.

1b. Email Scanning (OjamaDash Feature)

If you opt in to the OjamaDash feature by connecting your email account, we access the following limited data from your email:

  • Email metadata and message content: Subject lines, sender addresses, dates, and email body text. Body text is read by our classification system to determine email type (e.g., application confirmation, interview, offer, rejection). We do not store full email bodies — only metadata (subject, sender, date) and classification results are persisted. Attachments are never accessed.
  • Scope: We only search for job-application-related emails using narrow keyword filters. Personal, financial, medical, and other non-job-related emails are not accessed.
  • Purpose: Email content is analyzed using automated classification to detect job-application-related updates and automatically update your application tracking dashboard.
  • Token security: Your email OAuth tokens are encrypted at rest using AES-128 (Fernet encryption) with a dedicated encryption key.
  • Disconnect anytime: You can disconnect your email at any time from the OjamaDash page. Disconnecting immediately and permanently deletes all stored tokens, scan results, and notifications associated with your email connection.

This feature requires explicit opt-in. It is not enabled by default and is currently available only to beta testers.

2. How We Use Your Information

We use your information to:

  • Provide, operate, and maintain our resume optimization and application tracking services.
  • Process your content through our proprietary technology to generate personalized recommendations and optimizations.
  • Improve and develop new features based on aggregated, anonymized usage patterns.
  • Send transactional communications (password resets, account confirmations, service notifications).
  • Detect, prevent, and address security issues, fraud, or technical problems.

3. Legal Basis for Processing

Where applicable law requires a legal basis for processing your personal data, we rely on the following:

  • Contract performance: Processing necessary to provide the Service to you under our Terms of Service (e.g., processing your resume data, managing your account).
  • Legitimate interests: Processing necessary for our legitimate interests, such as improving the Service, ensuring security, and preventing fraud, where these interests are not overridden by your rights.
  • Legal obligation: Processing necessary to comply with applicable laws, regulations, or legal processes.
  • Consent: Where you have given clear consent for a specific processing activity. You may withdraw consent at any time by contacting us or deleting your account, without affecting the lawfulness of processing carried out prior to withdrawal.

4. Automated Processing

Portions of our service rely on automated processing technology, including third-party processing services, to generate recommendations and optimizations based on the content you provide. This processing is performed solely to deliver the Service to you. Your content is not used to train or improve third-party models, and we contractually require our processors to handle your data in accordance with this policy.

Nature of processing: The automated processing produces advisory recommendations and suggestions only. These outputs are not legally or otherwise binding decisions, and do not produce legal effects or similarly significant effects on you.

Human review: You have the right to request human review of any output produced by our automated processing. To request human review, contact us at the address provided in the Contact section below.

User control: You retain full control over all outputs generated by the Service. All recommendations and optimizations are suggestions that you review, modify, and approve before use. No changes are made to your content without your explicit action.

5. Data Storage and Security

We implement industry-standard technical and organizational measures to protect your data, including:

  • Encryption of data at rest and in transit.
  • Secure authentication and access controls.
  • Rate limiting, input validation, and security monitoring.
  • Regular review of our data collection, storage, and processing practices.

While we strive to protect your personal information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

Data breach notification: In the event of a data breach that affects your personal data, we will notify you and the relevant supervisory authorities as required by applicable law, including within 72 hours where required by GDPR, and in accordance with applicable U.S. state breach notification laws.

6. Data Sharing

We do not sell, rent, or trade your personal information. We share data only with:

  • Service providers: Trusted third-party vendors who assist us in operating the platform. These providers are contractually bound to use your data solely on our behalf and in accordance with this policy. Categories of service providers include:
    • Cloud infrastructure and hosting providers
    • Authentication and identity management providers
    • Automated content processing providers
  • Legal compliance: When required by applicable law, regulation, legal process, or enforceable governmental request.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred to the successor entity subject to this policy.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access your personal data — your data is visible within the application at all times.
  • Export your data — download your resume in standard, machine-readable formats at any time (right to data portability).
  • Delete your account and all associated data — available directly in your account settings. Deletion is permanent and irreversible.
  • Rectify inaccurate data — you can edit your information at any time through the application.
  • Restrict processing — you may request that we limit the processing of your personal data in certain circumstances.
  • Object to processing — you may object to the processing of your personal data where we rely on legitimate interests as the legal basis.
  • Object to automated decision-making — you may object to decisions based solely on automated processing and request human review of such decisions.
  • Withdraw consent — you may stop using the service and delete your account at any time.

To exercise any of these rights, use the controls available in the application or contact us at the address below. We will respond to your request within 30 days (or 45 days for requests made under the California Consumer Privacy Act). If we need additional time, we will inform you of the reason and extension period.

8. Data Retention

We retain your data only as long as necessary for the purposes described in this policy. Specific retention periods are as follows:

  • Account and resume data: Retained for as long as your account is active. Permanently deleted when you delete your account.
  • Job application data: Retained for as long as your account is active. Permanently deleted when you delete your account.
  • Feedback data: Retained for as long as your account is active. Permanently deleted when you delete your account.
  • Analytics and usage data: When your account is deleted, analytics records are anonymized (your user identifier is removed) rather than deleted. These anonymized records are retained for aggregate analytics and service improvement purposes and can no longer be linked to you.
  • Security and audit logs: When your account is deleted, security log records are anonymized (your user identifier is removed). These anonymized records may be retained as required for legal compliance, fraud prevention, and security audit purposes.
  • Service performance records: Anonymized performance data (response times, error rates) may be retained indefinitely for service reliability purposes. This data cannot be linked to individual users.

9. Cookies and Local Storage

We use the following storage technologies:

  • Session cookie: A strictly necessary HTTP-only cookie used to maintain your authenticated session. This cookie is essential for the Service to function and does not require separate consent under applicable privacy laws.
  • Local storage: Browser local storage is used to temporarily cache authentication data and application state for performance. This data is cleared when you log out.

Analytics cookies: We use Google Analytics 4 (GA4) to collect aggregate website usage statistics such as page views, traffic sources, session duration, and general geographic regions. GA4 uses cookies to distinguish unique visitors. You can opt out of analytics cookies via the cookie consent banner shown on your first visit, or by declining cookies in your browser settings.

We do not use third-party advertising or tracking cookies beyond the analytics described above.

Do Not Track: Some browsers transmit a "Do Not Track" (DNT) signal. Because there is no industry standard for how to respond to DNT signals, we do not currently alter our data collection or processing practices in response to DNT signals. However, we do not engage in cross-site tracking of our users.

10. Children's Privacy

The service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.

11. International Data Transfers

Your data may be processed and stored in jurisdictions outside your country of residence, including the United States and other countries where our service providers operate. These jurisdictions may have different data protection laws than your own.

Where we transfer personal data outside of the European Economic Area (EEA), the United Kingdom, or other jurisdictions with data transfer restrictions, we rely on appropriate legal mechanisms to ensure adequate protection of your data, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission or the UK Information Commissioner's Office.
  • Data Processing Agreements with our service providers that include appropriate safeguards.
  • Supplementary technical and organizational measures where necessary to ensure an adequate level of protection.

12. California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

Categories of personal information collected: As described in Section 1, we collect identifiers (email, name), professional or employment-related information (resume content), internet or electronic network activity information (usage data, IP address), and inferences drawn from the above (processing outputs).

We do not sell or share your personal information as defined by the CCPA/CPRA. We do not use your personal information for cross-context behavioral advertising.

Sensitive personal information: We may process sensitive personal information contained in your resume (such as racial or ethnic origin) solely because you have provided it. We do not use sensitive personal information for any purpose other than delivering the Service.

Your California rights include:

  • The right to know what personal information we collect, use, and disclose.
  • The right to delete your personal information.
  • The right to correct inaccurate personal information.
  • The right to opt out of the sale or sharing of personal information (we do not sell or share).
  • The right to limit the use of sensitive personal information.
  • The right to non-discrimination for exercising your privacy rights.

Verification: To protect your privacy, we will verify your identity before fulfilling any rights request by confirming your account email address.

Authorized agents: You may designate an authorized agent to submit requests on your behalf. We may require written proof of the agent's authorization and verify your identity directly.

To exercise your California privacy rights, contact us at contact@ojamafy.com. We will respond within 45 days of receiving your verified request.

13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' advance notice by sending an email to the address associated with your account before the changes take effect. We will also update the "Last updated" date at the top of this page.

Where required by applicable law, we will obtain your consent before implementing material changes to how we process your personal data. Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated policy. If you do not agree to the updated policy, you must stop using the Service.

14. Contact and Accountability

ojamafy has designated a privacy contact person who is responsible for our compliance with applicable privacy laws and for overseeing our personal data handling practices.

If you have questions about this Privacy Policy, wish to exercise your data rights, or have concerns about our data practices, contact our privacy contact at contact@ojamafy.com.

Complaints: If you are not satisfied with our response to your privacy concern, you have the right to lodge a complaint with the appropriate supervisory authority:

  • European Union: Your local Data Protection Authority (a list is available at edpb.europa.eu).
  • United Kingdom: The Information Commissioner's Office (ico.org.uk).
  • Canada: The Office of the Privacy Commissioner of Canada (priv.gc.ca).
  • California: The California Privacy Protection Agency (cppa.ca.gov).

You also have the right to challenge our compliance with applicable privacy laws by contacting us at the address above. We will investigate and respond to your concerns in a timely manner.

Back to Home