1. Who We Are
WaterApply is operated by an individual sole proprietor (the "Operator") based in Toronto, Ontario, Canada. For all privacy-related inquiries, requests under applicable data protection laws, or general questions, contact:
- Email: waterapply1@gmail.com
- Mailing region: Toronto, Ontario, Canada
For the purposes of the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and similar laws, WaterApply is the "data controller" of personal information processed through the Service.
2. Scope
This Privacy Policy applies to:
- The WaterApply website and web application at waterapply.app (and any subdomains).
- The WaterApply Chrome / browser extension.
- Any APIs, emails, or other interactions branded as part of the Service.
It does not apply to third-party services that you may reach through WaterApply (for example, job posting sites whose content you ask us to parse, the Stripe customer portal, or your own email client when you click "Open in Gmail").
3. Information We Collect
3.1 Information You Provide
- Account information. When you create an account, we collect your email address and a password (stored hashed by our authentication provider, Supabase).
- Master resume content. When you upload a resume (PDF or DOCX), we collect the file itself and the structured fields extracted from it by AI (contact information, work history, education, skills, project descriptions, etc.).
- Job postings. When you save or tailor against a posting, we collect the posting URL, the parsed posting content (title, company, location, description, requirements), and any notes you add.
- Generated outputs. Tailored resumes, cover letters, and recruiter outreach drafts produced by the Service are stored against your account so you can retrieve and re-export them.
- Recruiter contact information. If you use the recruiter outreach feature, you may provide a recruiter's name, email address, title, LinkedIn URL, and stated location. We process this information solely to draft an outreach message for you. We do not send the email; you do.
- Payment information. When you upgrade to a paid plan, payment details (card number, billing address, etc.) are collected directly by Stripe, our payment processor. We receive only a customer ID, subscription status, billing cycle, and last four digits of the card for receipts and access control.
- Support communications. If you contact us, we keep a record of the message and our reply.
3.2 Information Collected Automatically
- Log and device data. IP address, browser type and version, operating system, referring URL, pages viewed, timestamps, and similar diagnostic data.
- Usage data. Counters required to enforce plan limits (e.g., number of tailorings, cover letters, and recruiter outreaches per billing period), feature interactions, and error events.
- Cookies and similar technologies. Session cookies for authentication, a local-storage flag for your cookie consent choice, and, only with your consent, basic analytics cookies. See our Cookie Policy for details.
3.3 Information from Third Parties
- Stripe. Subscription events (created, updated, canceled, payment failed) so we can keep your access state in sync with your billing state.
- Supabase. Authentication events (sign-up, sign-in, password reset) forwarded to us so we can maintain your account.
4. How We Use Your Information — Purposes and Legal Bases
Where the GDPR or UK GDPR applies, we rely on the following legal bases for processing:
| Purpose | Categories Used | Legal Basis (GDPR / UK GDPR) |
|---|---|---|
| Provide the Service (parse resumes, tailor resumes, draft cover letters and outreach) | Account data, resume content, job postings, recruiter contacts | Performance of a contract (Art. 6(1)(b)) |
| Authenticate users and prevent unauthorized access | Account data, log data | Legitimate interests (Art. 6(1)(f)) and contract |
| Process payments and manage subscriptions | Stripe customer ID, subscription status | Contract (Art. 6(1)(b)) |
| Send transactional emails (verification, receipts, security alerts) | Email address | Contract (Art. 6(1)(b)) |
| Optional product updates / marketing emails | Email address | Consent (Art. 6(1)(a)); withdrawable at any time |
| Maintain logs, debug, and monitor abuse | Log data, usage data | Legitimate interests (Art. 6(1)(f)) |
| Comply with legal obligations (tax, fraud prevention, lawful requests) | Billing records, account data, communication records | Legal obligation (Art. 6(1)(c)) |
We do not use your resume content, job postings, generated outputs, or recruiter contact information for any purpose other than providing the Service to you. We do not sell personal information.
5. How We Share Your Information
We do not sell your personal information. We share it only with the categories of recipients below, and only as needed for the purposes described above.
| Recipient | Purpose | Region |
|---|---|---|
| Supabase, Inc. | Authentication, database hosting, file storage | United States (primary) |
| Anthropic, PBC | AI processing (resume parsing, resume tailoring, cover letter generation, recruiter outreach drafts) via the Claude API | United States |
| Stripe, Inc. | Payment processing, subscription management, customer portal | United States |
| Resend (Resend Inc.) | Transactional email delivery (verification, password reset, receipts) | United States |
| Railway Corp. | Application hosting | United States |
| Google LLC (Chrome Web Store) | Browser extension distribution and update channel | United States |
| Functional Software, Inc. (Sentry) | Error monitoring and crash reporting. We strip request bodies, cookies, and authorization headers before transmission, and drop events that originate on high-PII routes (resume tailoring, cover letter generation, recruiter outreach). | United States |
| PostHog Inc. | Product analytics (event counts, plan tier, feature usage). Loaded only after you click "Accept all" in the cookie banner. We never send resume content, cover letter content, recruiter contact information, or job posting text to PostHog. Session recording and DOM autocapture are disabled. | United States |
Each of these processors is bound by a written agreement (or that processor's published Data Processing Addendum) requiring them to handle personal information only on our instructions and to maintain appropriate security measures.
We may also disclose personal information when we have a good-faith belief that disclosure is necessary to (a) comply with a lawful request or court order, (b) protect the rights, property, or safety of WaterApply, our users, or others, (c) investigate or prevent fraud or abuse, or (d) in connection with a corporate transaction (merger, acquisition, sale of assets), in which case we will require the successor to honour this Privacy Policy or notify you to seek your consent for material changes.
5.1 AI Sub-Processor Disclosure (Anthropic)
When you tailor a resume, generate a cover letter, or draft a recruiter outreach message, we transmit the following to Anthropic's Claude API for processing: your master resume content, the job posting content, the recruiter information you entered (if applicable), and our system prompts. Anthropic processes this content solely to return a result to us and does not use it to train its models when accessed through the API (as of the date of this policy). Anthropic may retain inputs and outputs for a limited period for trust-and-safety and abuse-prevention purposes per Anthropic's usage policies and data retention policies. See Anthropic's Privacy Policy.
6. International Data Transfers
WaterApply is operated from Canada and our primary sub-processors are located in the United States. If you access the Service from the European Economic Area ("EEA"), the United Kingdom, or any other jurisdiction with data export restrictions, your personal information will be transferred to and processed in jurisdictions that may not provide the same level of protection as your home country.
For such transfers, we rely on appropriate safeguards including:
- Standard Contractual Clauses ("SCCs") adopted by the European Commission and the UK's International Data Transfer Addendum, where required, with our sub-processors;
- Canada's adequacy decision from the European Commission (Decision 2002/2/EC) for transfers between the EEA and Canada under the federal Personal Information Protection and Electronic Documents Act ("PIPEDA");
- Other lawful transfer mechanisms where the above are not applicable (e.g., your explicit consent or necessity for performing the contract you have with us).
You may request a copy of the relevant transfer safeguards by emailing us at the address in Section 1.
7. Data Retention
We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements.
| Category | Retention |
|---|---|
| Account record (email, hashed password) | Until you delete your account, then up to 30 days for backup recycling. |
| Master resume + parsed resume data | Until you delete the master resume or your account. |
| Job postings, tailored resumes, cover letters, outreach drafts | Until you delete the underlying application, the master resume, or your account. |
| Recruiter contact details | Stored only as part of an outreach draft; deleted with the draft. |
| Billing records | Retained for as long as required by tax and accounting law in our jurisdiction (typically 6 years in Canada). |
| Server logs and security telemetry | Up to 90 days. |
| Support correspondence | Up to 24 months after the matter is closed. |
8. Your Rights
Subject to applicable law, you have the following rights:
8.1 Universal Rights We Honour for All Users
- Access: Request a copy of the personal information we hold about you.
- Correction: Ask us to correct inaccurate or incomplete data.
- Deletion: Ask us to delete your personal information, subject to retention exceptions (e.g., tax records).
- Portability: Request your data in a structured, machine-readable format.
- Withdraw consent: Where processing is based on consent (e.g., marketing emails, optional analytics cookies), withdraw it at any time.
8.2 EEA / UK Residents (GDPR & UK GDPR)
In addition to the rights above, you have the right to:
- Object to processing based on legitimate interests.
- Request restriction of processing.
- Lodge a complaint with your local supervisory authority (in the UK: the Information Commissioner's Office; in Ireland: the Data Protection Commission; etc.).
- Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (see Section 11).
8.3 California Residents (CCPA / CPRA)
You have the right to:
- Know what personal information we collect, use, and disclose.
- Delete your personal information, subject to exceptions.
- Correct inaccurate personal information.
- Opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioural advertising as those terms are defined under the CCPA / CPRA.
- Limit the use of sensitive personal information. We process resume contents (which may include sensitive details such as immigration status or membership in protected classes) only to provide the Service and not for inferring characteristics about you.
- Not be discriminated against for exercising your rights.
We do not use or disclose sensitive personal information for purposes other than those permitted by Cal. Civ. Code § 1798.121.
8.4 Canadian Residents (PIPEDA & Quebec Law 25)
You have the right to:
- Access and request correction of your personal information.
- Withdraw consent to specified processing, subject to legal or contractual restrictions.
- File a complaint with the Office of the Privacy Commissioner of Canada, or with the Commission d'accès à l'information du Québec if you reside in Quebec.
- Be informed of automated decision-making, where applicable (see Section 11).
Under Quebec's Law 25, you may also request data portability and information about the technological means used to make decisions affecting you.
8.5 How to Exercise Your Rights
Email waterapply1@gmail.com from the email address associated with your account. We will respond within 30 days (or such shorter period as required by applicable law). We may need to verify your identity before fulfilling certain requests. Where permitted, you may also authorize an agent to make a request on your behalf.
9. Cookies and Similar Technologies
We use a small number of cookies and similar storage mechanisms. Full details are in our Cookie Policy. In summary:
- Strictly necessary: Session cookies for authentication and CSRF protection. Cannot be disabled.
- Functional: Local-storage flags for your cookie consent choice and UI preferences.
- Analytics: Loaded only after you accept analytics cookies in our consent banner.
- No advertising cookies. We do not load advertising or cross-site tracking cookies.
10. Marketing Communications
We may send you product updates, newsletters, or feature announcements only if you opt in (for example, by checking a box during signup). Every marketing email contains an unsubscribe link. You can also unsubscribe at any time by emailing us. Transactional messages (account verification, password reset, billing receipts, security alerts) are sent regardless of marketing preferences because they are required to provide the Service.
11. Automated Decision Making
WaterApply uses AI to generate suggested resume rewrites, cover letters, and recruiter outreach drafts. We do not make decisions that produce legal or similarly significant effects about you solely by automated means. Our AI outputs are suggestions you can edit, accept, or reject. We do not use AI to evaluate, score, or rank you for employment, credit, insurance, housing, or any other consequential decision.
We do use automated rate-limiting and abuse-detection signals to enforce plan limits and terms of service. These determinations are reviewable: if you believe an automated decision was made in error, contact us.
12. Children's Privacy
WaterApply is intended for users 16 years of age or older. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a person under 16, we will delete that information. If you are a parent or guardian and believe your child has provided us with personal information, please contact us so we can remove it.
Where local law sets a higher age of digital consent (for example, certain EU Member States set the threshold at 14, 15, or 16 under GDPR Article 8), you must meet that higher local threshold to use the Service.
13. Security
We implement technical and organizational measures designed to protect personal information, including:
- Encryption of data in transit using TLS 1.2 or higher.
- Encryption of data at rest provided by our cloud sub-processors.
- Row-level security in our database to ensure users can only read their own data.
- Hashed and salted password storage (handled by Supabase Auth).
- Strict scoping of API tokens issued to the browser extension.
- Periodic dependency upgrades and security patches.
- Limited administrative access to production systems.
However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security and we are not responsible for unauthorized access caused by compromised account credentials or device-level breaches outside our control. If we become aware of a security incident affecting your personal information, we will notify you and applicable supervisory authorities as required by law.
14. Third-Party Links and Services
The Service may link to or interact with third-party websites (for example, job posting sites you parse, or your email client when you click "Open in Gmail"). Those third parties have their own privacy policies and we are not responsible for their practices. Please review their policies before using them.
15. Browser Extension — Specific Disclosures
The WaterApply browser extension:
- Reads the content of a job posting page only when you click the extension icon or trigger the tailoring action. It does not run a passive content script that watches every page you visit.
- Sends the parsed posting content and your selected master resume identifier to the WaterApply API. It does not send any other tab content, browsing history, or page DOM.
- Stores only your authentication token in chrome.storage.local.
16. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes that adversely affect your rights, we will notify you by email or via an in-app notice and, where required, ask for your consent. The "Last updated" date at the top of this page indicates when this Policy was last revised.
17. Contact
For privacy-related questions, requests, or complaints, contact:
WaterApply Privacy
Email: waterapply1@gmail.com
Region: Toronto, Ontario, Canada
For unresolved concerns, you have the right to lodge a complaint with your local data protection authority.