Last updated: 8 July 2026
This policy covers the hosted version of Caddie AI at app.caddie.careers (“the Service”, “we”, “us”). Caddie AI's engine is also published as MIT-licensed open source — if you run it yourself on your own machine or infrastructure instead of using our hosted Service, this policy doesn't apply: your data never leaves your own setup except to the AI provider you configure.
| Data | Why |
|---|---|
| Email address, and a hashed password (or your Google account ID, name and email if you sign in with Google) | Create and secure your account |
| Your base CV and cover letter, job descriptions you paste or fetch, and the drafts, edits and scoring criteria you create in the app | The core of the Service — matching, scoring and drafting only work by processing this content |
| Application status, notes, and the edits you make to drafts | To track your pipeline and let the app learn your preferences over time |
| Billing status and a Stripe customer/subscription ID | To run the free trial and paid plan. We never see or store your card details — Stripe handles those directly |
| Basic technical data (IP address, timestamps, error logs) | Security, abuse prevention, and debugging |
We don't run any advertising or analytics trackers on the Service. The only cookie we set is a signed, HTTP-only session cookie used to keep you logged in.
To score a role and draft a CV, cover letter or screening answers, the relevant text (your CV, the job description, your stated preferences) is sent to our LLM routing provider, OpenRouter, which forwards it to an underlying model provider to generate a response. This is the only way the AI features work. We don't use your data to train models, ours or anyone else's.
Fetching a job posting you paste a link to means we (or a headless browser we run) request that page from the job board or employer's site, the same as if you'd opened it yourself.
We don't sell your data. We share it only with the vendors that run parts of the Service on our behalf, each bound to use it only to provide their service to us:
We may also disclose data if required by law, or to protect the security of the Service.
We keep your account data, documents and drafts for as long as your account is active, so the Service can keep working the way you left it. If you'd like your account and data deleted, email us (below) and we'll delete it, other than what we're required to keep for legal, tax or fraud-prevention reasons.
Passwords are hashed (bcrypt) and never stored in plain text. Data is stored per-account in an isolated Postgres database, transferred over HTTPS, and the session cookie is signed and, in production, marked Secure. No system is 100% secure, but we don't do anything by half — if you find an issue, please tell us.
Depending on where you live, you may have the right to access, correct, export or delete your personal data, or to object to or restrict its processing. Email us (below) and we'll act on it. Since Caddie AI's engine is open source, you always have the option of self-hosting instead, which keeps your data under your own control entirely.
Our infrastructure and the vendors listed above may process data outside your country of residence. Where required, we rely on the vendor's own safeguards (e.g. standard contractual clauses) for cross-border transfers.
The Service is intended for people applying to jobs and isn't directed at children. We don't knowingly collect data from anyone under 16.
If this policy changes materially, we'll update the date above and, for significant changes, let existing account holders know by email.
Questions, requests, or anything else: privacy@caddie.careers