Privacy Policy

Account & Profile Information

• Name (first, last, middle, prefix, suffix), email address, username, and profile photo (via Google OAuth sign-in or email registration)
• Contact details you provide: phone number, location, LinkedIn URL, GitHub URL, portfolio URL
• Work experience, education history, skills, personal projects, and certifications
• Resume and cover letter content you upload or that we generate for you
• Job preferences, target roles, and location preferences
• Sensitive fields (optional, encrypted at rest with AES-GCM): date of birth and the last four digits of your Social Security Number, used only to auto-fill background-check fields on job applications when you explicitly enter them.
• Work authorization & EEO (optional, self-declared): citizenship or work-authorization status, and voluntary EEO fields (gender, ethnicity, veteran status, disability status). You can decline to provide any of these — they are used solely to auto-fill corresponding application questions with the values you chose.

Job Data

• Job postings you analyze or interact with through the Service
• Job match scores, skill gap analyses, and application status
• Employer information extracted from job listings

Generated Documents

• Tailored resumes and cover letters generated by our AI
• Document quality scores and improvement suggestions

Usage & Analytics Data

• Pages visited, features used, and actions taken within the Service
• Device type, browser type, operating system, and screen resolution
• IP address, approximate geographic location (country/region level)
• Referral source and session duration

Payment & Subscription Information

• Billing details are processed by Stripe. We do not store your full credit card number, CVC, or bank account details on our servers. We receive only a tokenized reference (Stripe customer ID), card brand, last four digits, and expiration date from Stripe.
• Subscription tier (free, pro, max, etc.), monthly document-generation quota, credit usage counters, bonus credit balance, and the timestamp of your last credit reset are stored on our servers to enforce plan limits.

Networking & Outreach Data

• When you use the Contact Suggestions feature, we fetch and cache third-party professional contact records (full name, job title, LinkedIn URL, work email, seniority, department, tenure, location, photo URL) keyed by company domain. See Section 4 for details.
• AI-generated LinkedIn DM and email drafts, your outreach pipeline status per contact (not contacted, reached out, replied, interview, closed), and any notes you add.

ATS Credentials (Optional, Local-Only)

• If you choose to save credentials for job-board sites (e.g., LinkedIn, Indeed) so the automation agent can log in on your behalf, those credentials are encrypted locally in the Chrome extension using AES-GCM 256-bit encryption with a device-bound key and are never stored on our servers in plaintext. See Section 6.

Waitlist / Survey Data

• If you join our beta waitlist, we collect your use case description, current company, role, applications per week, and feature interests for admission review.

We use the information we collect to:

• Provide the Service — match you with relevant job postings, generate tailored resumes and cover letters, and track your applications
• Improve job matching — train and refine our machine learning models using anonymized and aggregated data to improve match accuracy for all users
• Communicate with you — send transactional emails, document-ready notifications, and product updates (you can opt out of non-essential communications)
• Ensure security — detect fraud, prevent abuse, and enforce our Terms of Service
• Analytics — understand usage patterns to improve features, fix bugs, and guide product decisions

We do not sell your personal information to third parties. We do not use your individual resume content to train AI models — only anonymized, aggregated patterns (e.g., which skills appear most frequently in successful applications) are used for model improvement.

The Aladdin Chrome Extension operates with scoped permissions and collects data only in the context of job-seeking activity:

• Job page analysis — when you visit a job listing on a supported job site (e.g., LinkedIn, Indeed, Greenhouse, Lever), the extension reads the page content to extract job title, company name, requirements, and description for analysis
• Active tab only — the extension only reads page content on job-related sites when you explicitly trigger an analysis or when our job detection heuristic identifies a job listing. It does not read content on non-job-related websites
• No browsing history — we do not track, store, or transmit your general browsing history. The extension does not monitor pages outside of recognized job platforms
• Local processing — initial job detection heuristics run locally in the browser. Only confirmed job listing data is transmitted to our servers for analysis
• Credential handling — during active automation sessions (when you use the autonomous application agent), the extension may transmit credentials over a secure WebSocket connection (WSS) to fill application forms on your behalf. Credentials are processed ephemerally and are not stored on our servers

When you generate application documents for a job, the Service may suggest relevant professional contacts at the target company to help you network. Contact data (names, job titles, LinkedIn URLs, and work emails) is sourced from licensed third-party business data providers and cached on our servers to improve performance.

We also store your outreach tracking status (e.g., whether you have contacted someone, received a reply, or scheduled an interview) and any AI-generated outreach drafts associated with your account. We do not sell, rent, or share third-party contact data. We do not contact anyone on your behalf without your explicit action.

If you are a third party whose contact information appears in our system and you would like it removed, email privacy@aladdin-ai.net. Aladdin users can request deletion of their outreach history at any time from Settings.

The Service uses large language models — primarily Google Gemini (Gemini 1.5 Flash and related variants) — to generate personalized resumes, cover letters, outreach drafts, job match scores, and skill gap analyses.

What is sent to the model. For each generation we send the relevant portions of your profile (e.g., work experience, skills, education, projects, contact name used in the letter) along with the job posting content (title, company, description, requirements) and, for outreach drafts, the contact's public professional details (name, title, company). We do not send sensitive identifiers like your SSN or date of birth to the model.

What we store. Generated resumes, cover letters, LinkedIn DM drafts, email outreach drafts, outreach subject lines, and any quality scores or improvement suggestions are stored in your account so you can view, re-download, or edit them. Drafts are visible only to you.

How Google handles this data. Data sent to the Gemini API is processed under Google's Generative AI API terms. Per those terms, Google does not use Gemini API inputs or outputs to train its foundation models. We also run an on-premise resume-agent service in our infrastructure that invokes Gemini; prompts and outputs pass through that service but are not retained by it outside the generated document record.

Training on your data. We do not use the content of your resumes, cover letters, outreach drafts, or profile to train AI models. We may use anonymized, aggregated statistics (for example, how often a particular skill appears in successful applications) to improve our ranking and matching pipelines.

If you use the autonomous application agent to have Aladdin log in to an ATS (such as Workday, Greenhouse, Lever, or SAP SuccessFactors) on your behalf, you can optionally save the site's username and password inside the Chrome extension.

Encryption at rest. Credentials are encrypted locally using AES-GCM 256-bit with a device-bound key. The encryption key is generated on first use and stored in chrome.storage.session (which is cleared when the browser closes) with a fallback to chrome.storage.local for older Chrome versions. Each credential field uses its own random 12-byte initialization vector.

Never stored on our servers. Plaintext ATS credentials are never persisted on our servers. During an active automation session, the extension transmits the decrypted credentials over an authenticated WebSocket Secure (WSS) channel to our agent server, which uses them in-memory to fill the login form and then discards them. The server-side process only ever sees the domain it was instructed to act on, plus the credential for that domain for the duration of the login step.

Page content during sessions. During active automation sessions the extension may transmit page DOM snapshots and screenshots to our agent server and to AI providers (Google Gemini, Anthropic, or OpenAI depending on the task) so the agent can understand and interact with the form. This data is processed transiently and not retained beyond the session, except for minimal logs we use for debugging and abuse prevention.

Authentication tokens. Your Aladdin JWT access and refresh tokens are encrypted in the extension storage using a separate AES-GCM key and are automatically invalidated 30 days after your last web-app login.

Aladdin uses Stripe for all payment processing. Stripe is PCI DSS Level 1 compliant and is the data controller for the card number, CVC, and full billing address that you enter into its checkout form.

What we store. On our servers we store a Stripe customer identifier, your subscription tier (free, pro, max, trial, etc.), your monthly credit allocation, credits used this billing period, top-up credit balance, and the timestamps of your most recent daily and monthly quota resets. We receive metadata such as card brand, last four digits, and expiry from Stripe for receipts. We do not receive or store your full card number, CVC, or bank account details.

Credit usage history. We track each document generation against your quota to enforce plan limits. The counters reset on a daily and monthly cadence and are retained alongside your account until you delete it.

We integrate with the following third-party services, each governed by their own privacy policies:

• All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
• User data is stored in a PostgreSQL database hosted on AWS (US-East-2, Ohio) with automated backups and point-in-time recovery
• Frequently accessed data (e.g., session tokens, quota counters) is cached in Redis with password authentication and in-memory encryption
• Authentication uses httpOnly, Secure, SameSite cookies to prevent XSS and CSRF attacks
• API keys and secrets are stored in environment variables and secret management services, never in source code
• We conduct regular security audits and employ multiple independent AI code reviewers to catch vulnerabilities before deployment
• Access to production systems is restricted to authorized personnel with multi-factor authentication

We use the following cookies:

Analytics cookies are only set when you explicitly consent via our cookie banner. We use Datadog RUM for analytics, which sets session tracking cookies only after consent. Essential cookies cannot be disabled as they are required for the Service to function. We do not use third-party advertising cookies or tracking pixels.

Some anonymized, aggregated data (e.g., skill frequency statistics used to improve ranking models) may be retained indefinitely as it cannot be linked back to you.

You can request deletion of your account at any time via Settings → Data Management → Delete Account, or by emailing privacy@aladdin-ai.net. When you delete your account:

• We begin purging your personal data within 30 days. Most records (profile, work history, applications, outreach state, drafts, quota rows, waitlist entry, preferences, feedback, notifications, credentials stored in our database such as encrypted Gmail tokens) are hard-deleted via cascading foreign keys.
• Generated documents are retained for up to 90 days after deletion for backup recovery purposes and then permanently removed from S3.
• Anonymized, aggregated analytics that cannot be re-identified (skill frequencies, model training statistics) may be retained indefinitely.
• Payment records are retained for up to 7 years as required by US tax and financial regulations.
• The cached_contacts table is shared across users and keyed by company — it does not contain your personal data. Your per-user outreach rows that referenced those contacts are deleted.
• To remove data stored locally inside the Chrome extension (cached job sessions, saved ATS credentials, encryption keys), uninstall the extension or clear its data via Chrome's extension settings.
• If you have authorized Gmail access, disconnect the integration in Settings or at myaccount.google.com/permissions to revoke our OAuth grant upstream with Google.

Data export. Before deleting, you can export a full JSON copy of your data via Settings → Data Management → Export Data.

Your data is processed and stored on servers located in the United States (AWS US-East-2, Ohio). If you access the Service from outside the United States, your data will be transferred to and processed in the United States.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as our legal mechanism for international data transfers. These clauses provide appropriate safeguards for the protection of your personal data when it is transferred outside the EEA.

Our third-party service providers (Stripe, Datadog, Google Cloud / Gemini, Anthropic, OpenAI, AWS) maintain their own data processing agreements and transfer mechanisms. You may request a copy of the applicable Standard Contractual Clauses by contacting us at privacy@aladdin-ai.net.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation:

• Right of access — request a copy of the personal data we hold about you (available via Settings → Data Management → Export Data)
• Right to rectification — request correction of inaccurate or incomplete personal data (edit directly in your profile)
• Right to erasure — request deletion of your personal data (available via Settings → Data Management → Delete Account)
• Right to data portability — receive your personal data in a structured, commonly used, machine-readable format (JSON export)
• Right to restrict processing — request that we limit how we use your data
• Right to object — object to processing based on legitimate interests or for direct marketing
• Right to withdraw consent — withdraw consent at any time where processing is based on consent (e.g., analytics cookies can be revoked via the cookie banner)

To exercise any of these rights, use the self-service tools in your account settings or contact us at privacy@aladdin-ai.net. We will respond within 30 days. If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority.

Legal basis for processing: (a) performance of a contract (providing the Service), (b) legitimate interest (improving our Service, preventing fraud, and ensuring security), and (c) your consent (where explicitly obtained, such as for analytics cookies).

Data controller: Aladdin AI, contactable at privacy@aladdin-ai.net.

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) grant you additional rights:

• Right to know — request disclosure of the categories and specific pieces of personal information we have collected about you (available via Settings → Data Management → Export Data)
• Right to delete — request deletion of your personal information, subject to certain legal exceptions (available via Settings → Data Management → Delete Account)
• Right to correct — request correction of inaccurate personal information (edit directly in your profile)
• Right to opt-out of sale/sharing — we do not sell or share your personal information with third parties for cross-context behavioral advertising
• Right to non-discrimination — we will not discriminate against you for exercising your CCPA/CPRA rights

To submit a verifiable consumer request, use the self-service tools in your account settings or email privacy@aladdin-ai.net. We will verify your identity and respond within 45 days.

The Service is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that a child under 16 has provided us with personal data, we will delete that information promptly. If you believe a child under 16 has provided us with personal data, please contact us at privacy@aladdin-ai.net.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the "Last updated" date at the top of this page and, where appropriate, by sending you an email notification or displaying a prominent notice within the Service. We encourage you to review this policy periodically to stay informed about how we protect your data.

If you have questions or concerns about this Privacy Policy or our data practices, please contact us: