Last updated: 18 April 2026

Privacy Policy

Your trust matters to us. This page explains clearly what data we collect, why we collect it, who sees it, and how you can delete it.

We never sell, rent, or share your personal data with third parties.

No advertisers. No data brokers. No recruitment agencies. Ever.

1. Information We Collect

We collect only what we need to run the service. Nothing more.

1.1 Account Data

When you register, we collect your email address and, optionally, a display name. This is used only for login, account management, and service emails.

1.2 Professional Documents

When you upload a CV (PDF or DOCX), we extract the text in memory. When you paste a job description, we keep that text for the life of your project. These documents may contain professional details like employment history, qualifications, and career information relevant to Life Sciences roles — Pharmacovigilance, Regulatory Affairs, Clinical Operations, Medical Affairs, Quality Assurance, and related fields.

1.3 Payment Information

Payments are handled entirely by Stripe, Inc. We never see, receive, or store your card number or bank details. We only keep a Stripe customer ID and your subscription status. See Stripe's Privacy Policy for details.

1.4 Usage Data

We collect basic usage metrics (features used, number of tailorings) and technical data (browser type, session timestamps) to keep the service running smoothly. We do not use third-party analytics or advertising trackers.

2. How We Use Your Data

Your data is used for these purposes only:

  • Delivering the service — generating tailored CVs, cover letters, and ATS scores based on the job description and CV you provide.
  • Role classification — detecting the relevant Life Sciences role family from the job description to improve output quality. This is done with keyword algorithms on our servers — no data is shared externally for this.
  • Account management — logging you in, managing your subscription, enforcing usage limits.
  • Service emails — password resets, subscription confirmations. We don't send marketing emails without your explicit opt-in.
  • Improving the service — reviewing overall usage trends (never individual CVs) to improve features and reliability.

3. File Handling and Raw Document Deletion

When you upload a CV or resume, we extract the text in memory and then immediately delete the original file. The raw PDF or DOCX is never written to persistent storage. Only the extracted text is kept, and only for the period described in Section 4.

4. Data Retention

Your project data — extracted CV text, job description, and generated documents — is kept for 90 days from the date of processing so you can review and download your results. After that, it's automatically and permanently deleted.

Account data (email, subscription status) is kept while your account is active. When you delete your account, all associated data is removed within 30 days.

You can request deletion of any or all of your data at any time — see Section 15.

5. Third-Party AI Processing

To generate tailored CVs and analyses, your extracted text is sent to third-party AI providers via encrypted API connections. We currently use:

We only use providers that meet all of the following standards:

  • No training on your data — API data is not used to train or improve their models.
  • Enterprise data handling — reviewed data processing terms before integration.
  • Encrypted in transit — TLS 1.2 or higher on all API calls.
  • Minimal exposure — we send only the text needed for the task. Your email, payment info, and account details are never sent to AI providers.

We may switch AI providers to improve quality or reliability. Any new provider will be held to the same standards above, and this page will be updated.

6. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data or CV content to anyone — not to advertisers, data brokers, or recruitment agencies.

Data is shared only with these service providers, strictly to operate the platform:

  • Groq / Anthropic — AI processing (see Section 5).
  • Stripe, Inc. — payment processing (see Section 1.3).
  • Supabase — database hosting and authentication infrastructure.

We may disclose data if required by a court order or binding legal process. We'll inform you if we're legally able to do so.

7. Data Security

We use appropriate technical and organisational measures to protect your data, including:

  • Encryption in transit (TLS 1.2+) and at rest.
  • Row-level security so you can only access your own data.
  • Hashed credentials and secure session management.
  • Regular review of access controls and security settings.

No system is completely immune to threats. If a breach affects your personal data, we'll notify you and the relevant authority — typically within 72 hours under GDPR.

8. Your Rights Under GDPR

If you're in the EEA, UK, or a jurisdiction with equivalent data protection law, you have these rights:

  • Access — request a copy of all personal data we hold about you.
  • Rectification — request correction of inaccurate or incomplete data.
  • Erasure — request deletion of your personal data, including your CV text, generated documents, and account.
  • Restriction — ask us to limit how we process your data in certain situations.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is consent-based, you can withdraw at any time without affecting anything done before that point.

Email us using the contact details in Section 15 to exercise any of these rights. We'll respond within 30 days. If you're unsatisfied, you can complain to your local data protection authority.

9. Lawful Basis for Processing

We process your data under the following legal bases:

  • Contract (Article 6(1)(b)) — processing is necessary to deliver the CV tailoring service you signed up for.
  • Consent (Article 6(1)(a)) — you give consent when creating your account and uploading documents for processing.
  • Legitimate interests (Article 6(1)(f)) — maintaining service security, preventing fraud, and improving reliability — balanced against your rights.

10. Cookies and Tracking

We use only strictly necessary session cookies to keep you logged in. These are essential for the service and can't be disabled.

We don't use analytics cookies, advertising cookies, social media pixels, or any other tracking technology. Because we only use essential cookies, no cookie banner is required under EU ePrivacy rules.

11. International Data Transfers

Some of our service providers (AI providers, infrastructure) are based outside the EEA. Where transfers occur, we make sure appropriate safeguards are in place — including Standard Contractual Clauses (SCCs) approved by the European Commission or adequacy decisions — so your data is protected to GDPR standards.

12. Children's Privacy

NoxPharm is built for working professionals and is not intended for anyone under 16. We don't knowingly collect data from children. If we discover we have, we'll delete it immediately.

13. Chrome Extension

The NoxPharm Chrome extension reads publicly visible job listing content — title, company, location, and description — from pages you actively visit on supported job sites: LinkedIn, Indeed, Glassdoor, TotalJobs, BioSpace, Jobs.ie, and IrishJobs.

How it handles data:

  • Local only — job data is stored in your browser via chrome.storage.local. It's never sent to our servers unless you click "Tailor CV".
  • No background collection — the extension only reads content when you're on a supported job page. It doesn't monitor your browsing history or run in the background.
  • Saved jobs stay local — jobs you save are stored in your browser only, never synced to our servers.
  • Session check — when you visit a NoxPharm page, the extension makes a same-origin request to check if you're signed in. No data is sent; only your login status and plan tier are returned.
  • No cross-site access — the extension only reads from the declared job sites and noxpharm.com.
  • Minimal permissions — the extension requests only storage and tabs — the bare minimum needed.

Installing the extension means you agree to this Privacy Policy. You can uninstall at any time from your browser's extension manager, which removes all locally stored data.

14. Changes to This Policy

We may update this policy when our practices, technology, or legal requirements change. If we make material changes, we'll email registered users at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the most recent version.

15. Contact Us

Questions about this policy, data rights requests, or data protection concerns — reach us at:

This policy is governed by the laws of France. Disputes are subject to the jurisdiction of the courts of Paris, France. This does not limit your rights under mandatory data protection law in your country of residence.