← Back to Apto

Privacy Notice

How this Apto instance processes your personal data, and the rights you have under the EU General Data Protection Regulation (GDPR).

Operator template. Apto is self-hosted software. The organisation running this instance is the data controller and must complete the contact details below and confirm this notice reflects their actual processing. This text is provided to support compliance and is not legal advice.

1. Who is responsible (controller)

The data controller is the operator of this instance: [Operator legal name, address, contact email / DPO]. Contact them to exercise your rights or raise concerns.

2. What data we process

Category	Examples	Source
Account identity	Name, email address, profile photo, the provider you signed in with	Your SSO provider (Google / GitHub / LinkedIn) at sign-in
Career profile	Headline, seniority, ambitions, target roles/domains, interests, skills, experience, education, certifications, links, phone, location	Entered by you, or imported from a CV file / LinkedIn at your request
Opportunities	Job descriptions you add and the scores/action plans generated from them	Provided/created by you in the app
Technical	A session cookie and a short-lived sign-in (CSRF) cookie	Created by the app for security

We do not use advertising, analytics, profiling or third-party tracking, and we do not sell your data.

3. Why we process it (purposes & lawful basis)

Provide the service — authenticate you and store your profile, opportunities and documents. Lawful basis: performance of a contract (Art. 6(1)(b)).
Optional AI assistance — if the operator enables a Cloud API, text you choose to import/analyse is sent to that provider. Lawful basis: your consent / your request (Art. 6(1)(a)/(b)).
Security — session and CSRF cookies. Lawful basis: legitimate interests (Art. 6(1)(f)) and these are strictly necessary cookies, so no consent banner is required under the ePrivacy Directive.

4. Cookies

Only strictly necessary cookies are used: apto_session (keeps you signed in, ~30 days) and apto_oauth_state (sign-in security, ~10 minutes). Both are HttpOnly, SameSite=Lax, and Secure over HTTPS. No analytics or marketing cookies are set.

5. Who else receives data (recipients / sub-processors)

Identity providers — Google, GitHub and/or LinkedIn process the sign-in. LinkedIn may, at your request and with your authorisation, return your profile for import (Member Data Portability).
AI provider (optional) — if enabled by the operator: Anthropic or OpenRouter receives only the text you choose to analyse/import.
Hosting — the server operator's infrastructure (e.g. the operator's VM/cloud).

Some recipients may process data outside the EEA; the operator is responsible for ensuring an appropriate transfer mechanism (e.g. Standard Contractual Clauses).

6. Where data is stored & for how long

Your data is stored in a database on the operator's own server. It is kept until you delete it. You can reset your content or delete your account at any time from Privacy & data in the app — deletion removes your profile, opportunities, sessions and account immediately. Inactive sessions expire after 30 days.

7. Your rights

Under the GDPR you may: access your data (Art. 15), receive a portable copy (Art. 20), have it rectified (Art. 16) or erased (Art. 17), restrict or object to processing (Art. 18/21), and withdraw consent at any time. You can exercise the core rights yourself in Privacy & data:

Download my data — a JSON export of everything we hold (access + portability).
Reset my data — erase your profile and opportunities, keep the account.
Delete my account — erase everything, including the account.

You also have the right to lodge a complaint with your national Data Protection Authority.

8. Security

Traffic is served over HTTPS, session cookies are HttpOnly/Secure, sign-in is CSRF-protected, and each user's data is isolated. Third-party access tokens are stored only as needed to perform an action you requested.