RoleApt Privacy Policy
Last updated: 5 July 2026
Version: 1.2
1. Who we are and how to contact us
RoleApt is operated by Bebox EOOD, a company registered in Bulgaria.
| | |
|---|---|
| Data controller | Bebox EOOD |
| Registered address | Prof. Aleksandar Fol 2, en. K, ap. 23, 1700 Sofia, Bulgaria |
| VAT number | BG205313951 |
| Service | RoleApt (roleapt.com, app.roleapt.com) |
| Data protection contact | privacy@roleapt.com |
| Legal / terms contact | legal@roleapt.com |
Bebox EOOD is the data controller for the personal data described in this Policy. We decide why and how your personal data is processed when you use RoleApt.
We have not appointed a Data Protection Officer (DPO), because our processing does not meet the mandatory thresholds in Article 37 GDPR (we are not a public authority, our core activities do not consist of large-scale systematic monitoring, and special-category data is processed only on your instruction to deliver the service, not as a core large-scale activity). You can raise any data protection question with us at privacy@roleapt.com. Because Bebox EOOD is established in the EU (Bulgaria), no Article 27 EU representative is required.
This Policy explains what personal data we collect, why, on what legal basis, who we share it with, how long we keep it, and what rights you have. It is written to satisfy Articles 13 and 14 of the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Bulgarian Personal Data Protection Act (Закон за защита на личните данни, ЗЗЛД).
Providing your data (Article 13(2)(e)). Providing your account data (email and authentication) is necessary to create and use a RoleApt account; without it we cannot provide the service. Uploading sources or a headshot, and consenting to our processing of any special-category data they contain, is entirely voluntary - but the profile synthesis, fit-check, and CV/cover-letter features cannot function without source material. You are free to decline; the consequence is simply that those features cannot run for you.
2. Scope of this Policy
This Policy applies to:
- the RoleApt marketing site at roleapt.com;
- the RoleApt application at app.roleapt.com;
- all account, billing, and support interactions with RoleApt.
It does not apply to third-party websites we link to, to employer/job-board pages whose job descriptions you paste or fetch into RoleApt, or to how your own device or browser is configured.
3. A note on the data you upload
RoleApt exists to turn your career materials into a synthesized profile, a job fit-check, and tailored CVs and cover letters. To do that, you upload CVs, documents, and pasted text.
These materials routinely contain special-category personal data. Real CVs commonly reveal health information, racial or ethnic origin, religious or philosophical beliefs, trade-union membership, political opinions, and sexual orientation. A profile photo (headshot) can reveal racial or ethnic origin and is biometric-adjacent.
RoleApt does not detect, classify, or strip this data. We process whatever you choose to submit, exactly as you submit it, in order to provide the service you asked for. Because of this, we ask for your explicit consent (Article 9(2)(a) GDPR) when you set up your account - through a separate, affirmative step, distinct from accepting our Terms, and before you first use the profile features. That consent covers our processing of any special-category data your materials contain - including, where applicable, its transfer to and processing in the United States by our LLM provider (see Sections 4.6 and 7) - for the sole purpose of generating your profile and artifacts. We do not treat the act of uploading, by itself, as that consent.
You can withdraw that consent at any time (see Section 10). Today, the action that genuinely stops and erases processing of an uploaded source is to delete your account or to email privacy@roleapt.com and ask us to delete the source. Please note an important limitation, explained in full in Sections 9 and 10: archiving a source does not delete it. Archiving is a reversible soft-archive that retains the stored file and the text we extracted from it (so the source can be restored), and it does not, by itself, remove that data from our systems (though a later successful profile build will purge archived sources - see Section 9). We are candid about this because we do not want you to rely on archiving as an immediate erasure or consent-withdrawal mechanism - it is not one.
Please only upload what you need. If your CV contains sensitive details that are not relevant to the roles you are targeting, consider removing them before you upload.
4. The personal data we process
The subsections below list each category of personal data we process, why we process it, and the legal basis under Article 6 GDPR (and Article 9 where special-category data is involved).
4.1 Account identity and authentication
- What: Email address; password (stored only as a salted hash by our authentication provider, never in plaintext and never visible to us); Google OAuth subject id if you sign in with Google; account creation timestamp; a canonicalized form of your email (lowercased, with Gmail dot/alias normalization) used solely as an anti-abuse idempotency key; if you enable two-factor authentication, your MFA recovery codes (stored hashed; shown to you in plaintext only once at enrollment) and session/grant records.
- Why: To create and secure your account, log you in, and prevent signup-bonus abuse (for example, delete-and-resignup loops and Gmail alias farming).
- Legal basis: Article 6(1)(b) (performance of our contract with you - providing the account); Article 6(1)(f) legitimate interest (fraud and abuse prevention via the canonical-email key and MFA). Our legitimate interest is operating a sustainable free tier without subsidizing abuse; it does not override your interests because the data used is minimal and derived.
4.2 Uploaded profile sources (may contain special-category data)
- What: CVs and documents you upload (PDF, DOCX, TXT, MD), stored in a private file bucket; text you paste in as a source; the text we extract from your uploads; and file metadata (file name, MIME type, size, extraction status). As explained in Section 3, these can contain special-category data. Image files submitted as a source are rejected at upload; only text is extracted and processed.
- Why: To feed our profile synthesizer, build your canonical profile, and act as raw material for the fit-check and CV/cover-letter generation.
- Legal basis: Article 6(1)(b) (providing the service you instructed). For any special-category data inside the text: Article 9(2)(a) explicit consent, which you give through the separate consent step at account setup (Section 3).
4.3 Profile photo / headshot (may contain special-category data)
- What: An optional headshot (PNG/JPEG) you upload, stored in a private bucket, and the reference to it on your profile.
- Why: To render the Portrait CV template.
- Legal basis: Article 6(1)(b); and Article 9(2)(a) explicit consent (given through the separate consent step at account setup, Section 3) where the image reveals special-category data (for example racial or ethnic origin).
4.4 Synthesized profile and versions
- What: Your structured profile (name, contact details including addresses, work experience, education, skills, achievements), the markdown rendering of it, your custom instructions, and up to the last five profile snapshots used for revert.
- Why: The canonical profile is the input to all artifact generation; snapshots let you revert changes.
- Legal basis: Article 6(1)(b).
4.5 Job applications and job-description data (includes third-party personal data)
- What: Job records you create: job-description URL, job-description text, parsed job data, company, role, location, your notes, tags, application URL, deadline, and contact name. This is mostly third-party (employer) data plus your own free-text notes. Some of it can be personal data about people other than you - for example a named hiring contact you enter, or individuals named in a job description you paste or fetch.
- Why: To track jobs you are considering and to provide job-description context to the fit-check and CV/cover-letter generation.
- Legal basis: Article 6(1)(b) (providing the service to you); for the third-party personal data, Article 6(1)(f) legitimate interest (supporting your job search and application tracking). See the Article 14 note below.
Article 14 - data about third parties. Some of the data above is not collected from the person it concerns but from you, or from an employer's publicly published job posting. This concerns hiring contacts you name and any individuals named in job-description text or your notes. The source of that data is you, or the public job posting; the purpose and legal basis are as stated above (Article 6(1)(f), supporting your job search). We do not separately notify those individuals, relying on the Article 14(5)(b) disproportionate-effort exemption: we have no independent contact details for them, the data is limited and incidental, it is held only for as long as your account/job record exists, and it is minimised to what you choose to enter.
4.6 Generated artifacts and LLM processing records
- What: The CVs and cover letters we generate for you (DOCX), stored in a private bucket, plus metadata (kind, format, template, model name, credit cost). We also retain internal LLM processing records used for quality and debugging: (a) call records containing the full generated text, prompt version, model, token counts, cost, and latency; and (b) generation-run records containing the system prompt, the user message we sent to the model (which includes your profile and job-description text), and the raw model response. These records can contain the same special-category data your sources contain.
- Why: To deliver your editable draft CVs and cover letters; and to debug generation failures, attribute cost, and audit output quality and parse failures.
- Legal basis: Article 6(1)(b) (delivering your outputs); Article 6(1)(f) legitimate interest (operational debugging and quality auditing of the non-special-category content of LLM calls). For any special-category content carried in these records, our basis is the Article 9(2)(a) explicit consent described in Section 3 - not legitimate interest, which cannot lawfully process Article 9 data. That same consent is the Article 9 condition for the special-category content transferred to Anthropic in the United States under the SCCs (Section 7). We minimize retention by deleting these records when you delete your account, and we are working to shorten retention of prompt/response logs that may carry special-category data.
4.7 Billing and tax data
- What: Your Stripe customer id; credit-ledger entries (credit amount, reason, Stripe payment/invoice/charge ids, idempotency key, metadata, expiry where applicable); and the billing name, address, and VAT/tax id you enter at checkout. Your card number is never stored by RoleApt - it is handled entirely by Stripe. Your billing name, address, and VAT id are written to and held by Stripe.
- Why: To process one-time credit-pack purchases, calculate and invoice VAT, link receipts, and keep statutory accounting records.
- Legal basis: Article 6(1)(b) (processing your purchase). The statutory accounting and VAT records are kept by Stripe on our behalf to satisfy our Article 6(1)(c) legal obligation under Bulgarian accounting and VAT law. When you delete your account the local credit-ledger rows cascade-delete, but we first archive a pseudonymous, content-free record of the financial facts (the credit amount, reason, Stripe identifiers, and date, keyed to a one-way hash of your email and holding no profile content) so we can meet that Article 6(1)(c) obligation; the full accounting and VAT records are additionally held Stripe-side.
4.8 Product analytics
- What: Product-usage events such as signup, login, profile built, source added, job-description extracted, application added, fit-check run, CV generated, cover letter generated, artifact downloaded, credit purchased, generation failed, and page views, with context such as your user id, application id, template id, credit cost, fit verdict and score, pack size, and error code. These events are processed by PostHog (EU Cloud) and, via Google Tag Manager, by Google Analytics 4, only after you consent (Section 8).
- Why: To understand how the product is used and where the conversion funnel can be improved.
- Legal basis: Article 6(1)(a) consent. The analytics SDK is loaded and initialised only after you give consent through our cookie banner (see Section 8); it does not load or initialise before then.
4.9 Error and operational telemetry
- What: When error monitoring is enabled, exception stack traces with limited context (user id, route, action, and any metadata attached to the error). Separately, our servers emit operational log lines containing your user id, the action, the model, token counts, cost, and latency to our hosting provider's log drain. In addition, as with any web service, our hosting and edge providers generate platform request/access logs that routinely include your IP address and browser user-agent (see Section 4.10 and Section 6).
- Why: Error monitoring, security, reliability, and LLM cost/usage observability.
- Legal basis: Article 6(1)(f) legitimate interest (security, debugging, service reliability). Our legitimate interest is keeping the service stable and secure; the data is limited to operational identifiers and does not override your interests.
4.10 Anti-abuse and signup-hardening signals
- What: On signup, the bot-protection token from our challenge widget plus your client IP address are sent to Cloudflare for verification, and your email domain is checked against a throwaway-domain blocklist.
- Why: To protect signup against bots and abuse.
- Legal basis: Article 6(1)(f) legitimate interest (fraud and abuse prevention). Our legitimate interest is protecting the integrity of signups.
- Note on your IP address: We do not store your IP address in our own application database. However, your IP is processed by Cloudflare for bot verification, and - like any request to any website - it may appear in our hosting provider's (Vercel) and edge access logs for security and reliability purposes. Those platform logs are retained according to each provider's standard log-retention periods, not by us in our own tables.
5. Where your data comes from
Most personal data we hold comes directly from you: what you type, upload, paste, and enter at checkout.
Some data is generated by us or our processors about your use of the service: the synthesized profile, the generated artifacts, LLM processing records, analytics events, error telemetry, and operational logs.
Some data is about third parties and comes from you or from a public source rather than from the person it concerns - for example a hiring contact you name, or individuals named in a job description. When you paste a job-description URL, we (or our fetching providers) retrieve the content at that URL from the third-party site that hosts it (see Section 6). That content is mostly employer-published data, not your personal data, but the URL itself can be linkable to you. See the Article 14 note in Section 4.5 for how we handle third-party personal data.
6. Who we share your data with (processors and sub-processors)
We do not sell your personal data. We share it only with vendors who process it on our behalf to run RoleApt, under data processing agreements, and only as needed for the service. The table below is our current list of sub-processors, their role, what we share, where they are located, and the safeguard relied on for any transfer outside the EEA (see Section 7).
| Sub-processor | Role | Data shared | Location | Safeguard |
|---|---|---|---|---|
| Supabase | Database, authentication, and private file storage | Account email and hashed password; OAuth id; all profile sources (files + pasted/extracted text, may include special-category data); profile photo; synthesized profile; job applications and job-description data; generated artifacts; credit ledger and billing linkage; MFA recovery-code hashes; LLM processing records | EU (eu-central-1) | DPA; EU data residency |
| Stripe | Payment processing, hosted checkout, card handling, VAT (Stripe Tax) calculation and invoicing. RoleApt (Bebox EOOD) is the seller of record; Stripe is the payment processor and tax calculator, not the merchant of record. | Card data (held by Stripe, never by us); buyer name, billing address, VAT/tax id, email, purchase amount; your user id as customer metadata | US and EU | Stripe DPA; EU Standard Contractual Clauses for US transfer; PCI-DSS handled by Stripe |
| Anthropic (Claude) | LLM inference for profile synthesis, job-description parsing, fit-check, and CV/cover-letter generation | Profile source text, synthesized profile, and job-description text sent in prompts (may include special-category data) | US | Anthropic Commercial Terms and DPA; EU Standard Contractual Clauses for US transfer; Article 9(2)(a) explicit consent as the separate Article 9 condition for any special-category content (Section 3); reliance on Anthropic's commercial commitment not to train on submitted data. A transfer impact assessment for this transfer is documented and held on file; zero-data-retention is not required (no training on inputs; no prompt/response content retained at rest by default). |
| Vercel | Application hosting (app, serverless functions, edge) | All request/response data in transit; platform request/access logs including client IP address and user-agent; server logs including operational log lines with user id, action, token counts, and cost | US and EU edge | Vercel DPA; EU Standard Contractual Clauses for any US processing |
| PostHog | Product analytics (loaded only after analytics consent) | Event names and properties (user id, application id, template id, fit score, verdict, pack size, error code) | EU Cloud | PostHog DPA; EU residency; loaded only after analytics consent |
| Google (Google Analytics 4, via Google Tag Manager) | Product analytics and traffic measurement (loaded only after analytics consent) | Event names and properties (user id, application id, template id, fit score, verdict, pack size, error code); page URLs; approximate location derived from IP | US | Google Ads Data Processing Terms and Google's Standard Contractual Clauses; EU-US Data Privacy Framework (Google is certified); loaded only after analytics consent, with Google Consent Mode v2 set to denied until you opt in. |
| Resend | Transactional email | Recipient email address and email content (for example purchase confirmations, low-credit warnings and a tokenised data-export link; export emails do not embed special-category content) | US | Resend DPA; EU Standard Contractual Clauses for US transfer |
| Sentry | Error monitoring | Exception stack traces with context (user id, route, action, metadata) | EU region | Sentry DPA; EU region |
| Cloudflare (Turnstile) | Bot/abuse protection on signup; edge protection | Bot-protection token and client IP address sent for verification | US / global edge | Cloudflare DPA; EU Standard Contractual Clauses; IP used for verification, not stored in our own database |
URL-fetch providers. When you paste a job-posting URL (instead of pasting the text), RoleApt fetches and extracts that public page using a third-party reader service (Jina AI, with Firecrawl as a fallback). Only the public job-posting URL you paste is sent to these services - never your profile, CV, account details, or any other personal data. We list them here for transparency.
When you paste a LinkedIn job URL, we fetch the public guest job-posting page from LinkedIn to read the job description. That is an outbound fetch of employer-published job data, not a transfer of your personal data to LinkedIn as a processor.
We may also disclose personal data where we are legally required to (for example to comply with a valid court order or regulatory request), or to establish, exercise, or defend legal claims. If we ever undergo a merger, acquisition, or asset sale, personal data may be transferred as part of that transaction, subject to this Policy.
We will keep this sub-processor list current. See Section 14 for how we notify you of changes.
7. International data transfers
RoleApt stores its primary data in the EU (Supabase eu-central-1), and our analytics vendor is configured for an EU region (PostHog EU Cloud). Our error-monitoring vendor (Sentry) is configured for an EU region (see Section 6).
However, some processing necessarily involves transfers of personal data outside the European Economic Area (EEA), primarily to the United States:
- Anthropic (US): your profile, CV, and job-description text - which may include special-category data - is sent in every generation prompt. The transfer itself is made under the Standard Contractual Clauses (see below); separately, your Article 9(2)(a) explicit consent (Section 3) is the condition that permits us to process any special-category content at all.
- Stripe (US/EU): billing identity, address, VAT id, and card data (card held by Stripe).
- Vercel (US/EU edge): all in-transit data, platform request/access logs (including IP and user-agent), and server logs.
- Resend (US): recipient email and email content (when enabled).
- Cloudflare (US/global): the signup token and client IP.
For every such transfer the transfer mechanism is the European Commission's Standard Contractual Clauses (SCCs) together with each vendor's Data Processing Agreement, supplemented by technical and organizational measures (encryption in transit, access controls, EU-region storage of the primary copy where available). Where a vendor is certified under the EU-US Data Privacy Framework, that adequacy mechanism may also apply. Your Article 9(2)(a) explicit consent is a separate condition that permits processing of any special-category content in these transfers - it is not the transfer mechanism. We have carried out and documented a transfer impact assessment for the Anthropic transfer, which we hold on file and make available to a supervisory authority on request.
You can request more information about the safeguards in place for a specific transfer by emailing privacy@roleapt.com.
8. Cookies and analytics consent
RoleApt uses cookies and similar technologies in two ways:
- Strictly necessary cookies that make the service work - keeping you logged in, maintaining your session, and protecting forms against abuse. These are required to deliver the service and do not need consent under the ePrivacy rules and Bulgarian law.
- Analytics cookies / SDKs (PostHog, and Google Analytics loaded via Google Tag Manager) that help us understand product usage. These are non-essential. They load and initialise only after you give consent through our cookie banner - not in any pre-consent or "cookieless" initialisation mode; for the Google tags we additionally set Google Consent Mode v2 to denied until you opt in. Cookies set only after consent include PostHog's (for example ph_*) and Google Analytics' (_ga, _ga_*). You will be able to decline analytics with no loss of functionality, and to change or withdraw your choice at any time via the Cookie settings link in the footer or by clearing the relevant cookies.
We do not use advertising or cross-site tracking cookies.
9. How long we keep your data (retention)
While your account is active, we keep the data described in Section 4 so the service works for you.
When you delete your account (self-service from your account page), your authentication record is permanently deleted and the linked database rows cascade-delete immediately - including your synthesized profile and snapshots, profile-source rows, job applications, generated-artifact records, the local credit-ledger rows and billing linkage in our database, MFA recovery hashes, and LLM processing records. There is no waiting/grace period: deletion of these database rows is immediate. Before those rows are deleted, we archive a pseudonymous, content-free record of your financial facts (credit amounts, reasons, Stripe identifiers, dates) and a per-action usage record (action type, outcome, credit cost, time), keyed to a one-way hash of your email, so we can meet our statutory accounting and chargeback-defence obligations without retaining any of your content (Article 17(3)(b) and (e)).
Please be aware of the following important points about deletion and retention:
- Stored files are removed on account deletion. Uploaded source files, your headshot, and generated CV/cover-letter files live in private storage buckets that are purged as part of the account-deletion process: storage is cleared first, so if that step fails the deletion aborts rather than leaving your files behind. If you ever believe a stored file has survived deletion, email privacy@roleapt.com and we will remove it without undue delay and within one month of your request (Article 12(3)).
- Archiving a source is reversible only until your next successful profile build. Archiving is a soft-archive: the stored file and the text we extracted from it are retained so the source can be restored - but the next time you successfully (re)build your profile, archived sources are permanently purged (both the file and the extracted text), except any whose content is part of the profile you just built. Archiving is a UI convenience, not an immediate erasure or consent-withdrawal mechanism; to remove a source immediately, delete your account or email privacy@roleapt.com.
- Active (non-archived) source files are not auto-deleted on a fixed schedule. Sources you keep remain until you delete your account or ask us to delete them; archived sources are purged on your next successful profile build (above).
- Local credit-ledger rows are deleted on account deletion, after the pseudonymous financial record is archived. As noted above, the credit-ledger rows in our own database cascade-delete with your account; a content-free, pseudonymous financial and usage record (keyed to a one-way hash of your email) survives to meet our statutory accounting and chargeback-defence obligations.
- Statutory accounting and VAT records survive account deletion. To meet our legal obligations under Bulgarian accounting and VAT law, Stripe retains your customer record, charges, and VAT invoices for the statutory accounting period - 10 years under the Bulgarian Accountancy Act (Закон за счетоводството) and the VAT Act (ЗДДС) - even after you delete your RoleApt account, and we additionally keep a pseudonymous, content-free financial record server-side (described above). Together these satisfy the legal hold without retaining any of your profile content.
Where data is retained only under a legal-hold or legitimate-interest basis after you leave, we restrict its use to that purpose.
10. Your rights
Under the GDPR and the Bulgarian ЗЗЛД, you have the following rights over your personal data:
- Access (Article 15) - get a copy of the personal data we hold about you.
- Rectification (Article 16) - correct inaccurate or incomplete data. You can edit your profile and account details directly in the app.
- Erasure / "right to be forgotten" (Article 17) - delete your account and data, self-service from your account page, or by emailing us. Note the statutory billing/tax retention and the automatic storage purge on deletion described in Section 9. Archiving a source does not erase it (see Section 9); to erase a specific source today, delete your account or email privacy@roleapt.com.
- Restriction of processing (Article 18) - ask us to limit how we use your data in certain circumstances.
- Data portability (Article 20) - receive the personal data you provided in a structured, commonly used, machine-readable format, or have it transmitted to another controller where technically feasible.
- Objection (Article 21) - object to processing based on our legitimate interests (Sections 4.1, 4.5, 4.6, 4.9, 4.10), on grounds relating to your particular situation.
- Withdraw consent (Article 7(3)) - where we rely on your consent (special-category data in your uploads, and its transfer to the US, under Article 9(2)(a); and analytics under Article 6(1)(a)), you can withdraw it at any time. Withdrawing consent does not affect processing already carried out. To withdraw consent to processing of your uploaded sources, delete the relevant source by deleting your account or by emailing privacy@roleapt.com - this is the step that actually stops and erases the processing. (Archiving does not withdraw consent or erase data; see Section 9.) You can withdraw consent to a headshot by deleting your account or emailing us, and we will remove the stored image. You withdraw analytics consent via the cookie settings.
- No solely-automated decisions (Article 22) - see Section 12.
How to exercise your rights: use the controls in the app where available (edit profile, delete account, cookie settings), or email privacy@roleapt.com with your request. We will respond without undue delay and within one month of receiving your request, extendable by two further months for complex requests, in which case we will tell you. We will not charge a fee unless your request is manifestly unfounded or excessive. We may ask you to verify your identity before we act.
Right to complain: if you believe we have mishandled your personal data, you can lodge a complaint with the Bulgarian supervisory authority:
Commission for Personal Data Protection (Комисия за защита на личните данни, КЗЛД)
Address: 2, Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria
Email: kzld@cpdp.bg
Website: www.cpdp.bg
You may also complain to the supervisory authority in your EU country of residence or work. We would, however, appreciate the chance to address your concern first - please contact us at privacy@roleapt.com.
11. How we protect your data (security)
We apply technical and organizational measures appropriate to the risk, including:
- Encryption in transit (HTTPS/TLS) for all data exchanged with the service and our processors.
- Private storage buckets for your uploaded sources, headshot, and generated artifacts, not publicly accessible.
- Row-level access controls in our database that scope your data to your account, with service-role access limited to trusted backend operations (such as billing webhooks).
- Hashed credentials: passwords and MFA recovery codes are stored only as hashes; we never see your plaintext password.
- Optional two-factor authentication (2FA) you can enable on your account.
- Bot and abuse protection on signup.
- Vetted sub-processors under data processing agreements (Section 6).
No system is perfectly secure, and we cannot guarantee absolute security. If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the КЗЛД within 72 hours as required by Article 33 GDPR, and we will notify you without undue delay where the breach is likely to result in a high risk to you (Article 34).
12. Automated processing and AI-generated drafts
RoleApt uses a large language model (Anthropic's Claude) to synthesize your profile and to generate fit-checks, CVs, and cover letters. Source materials and job descriptions you provide may be in any language; the outputs RoleApt produces are in English. Everything RoleApt produces is an editable draft. You review, edit, and decide what to do with it.
We do not make decisions about you that produce legal effects or similarly significantly affect you on a solely automated basis within the meaning of Article 22 GDPR. The AI generates content as a tool at your request; it does not decide your eligibility for anything, score you for a third party, or make hiring decisions. Employers, not RoleApt, decide on job applications.
The fit-check produces an informational assessment to help you, not an automated decision with legal effect. RoleApt does not guarantee any employment or interview outcome.
13. Children
RoleApt is intended for adults seeking work and is not directed at children. You must be at least 18 years old to use RoleApt (see the Terms of Service). Separately, 16 is the age of valid consent for information society services under the GDPR as applied in Bulgaria; we do not knowingly collect personal data from anyone under 18. If you believe someone under 18 has provided us personal data, contact privacy@roleapt.com and we will delete it.
14. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in our service, our sub-processors, or the law. When we make a material change - including adding a new sub-processor that processes your personal data - we will update the "Last updated" date and the version marker above and, where the change is significant, notify registered users by email in advance of it taking effect. We encourage you to review this Policy periodically. The current version is always available on roleapt.com.
15. Contact
Questions about this Policy or about how we handle your personal data:
- Data protection: privacy@roleapt.com
- Legal / terms: legal@roleapt.com
- Postal: Bebox EOOD, Prof. Aleksandar Fol 2, en. K, ap. 23, 1700 Sofia, Bulgaria
This Privacy Policy is provided in English. Bulgarian consumers retain all mandatory protections afforded by Bulgarian law, including the Personal Data Protection Act (ЗЗЛД), regardless of the language of this Policy.