Privacy Policy - DreamVelo

Last Updated: October 13, 2025
Effective Date: October 13, 2025

At DreamVelo, your privacy is paramount. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our AI-powered career platform. We are committed to transparency and data protection compliance under GDPR, CCPA, and other applicable privacy laws.

1. Information We Collect
2. How We Use Your Information
3. Data Storage and Security
4. Data Sharing and Third Parties
5. Your Rights and Choices
6. Cookies and Tracking
7. Data Retention
8. International Data Transfers
9. Children's Privacy
10. Changes to This Policy
11. Contact Us

1. Information We Collect

1.1 Information You Provide

When you use DreamVelo, you voluntarily provide:

Account Information: Email address, password (encrypted), name
Resume Data: Work experience, education, skills, achievements
Career Preferences: Job titles, locations, industries, salary expectations
Application Data: Job applications, cover letters, interview notes
Payment Information: Processed securely by Stripe (we never store credit card details)
Communications: Support tickets, feedback, chat messages

1.2 Information We Collect Automatically

Usage Data: Features used, pages viewed, time spent, actions taken
Device Information: Browser type, operating system, IP address
Analytics: Google Analytics data (anonymized)
Error Logs: Technical diagnostics for troubleshooting

1.3 Information from Third Parties

Job Search APIs: Job listings, company data (from JSearch API)
Authentication: Firebase Authentication data
Payment Processor: Transaction status from Stripe

2. How We Use Your Information

We use your information to:

2.1 Provide Core Services

Analyze your resume and extract skills using AI
Match you with relevant job opportunities
Generate compatibility scores for job listings
Create personalized cover letters and interview prep materials
Track your job applications and career progress

2.2 Process Payments

Process subscription payments via Stripe
Manage your subscription status and billing
Provide receipts and transaction history

2.3 Improve Our Services

Analyze usage patterns to improve AI matching algorithms
Identify and fix technical issues
Develop new features based on user behavior
Conduct A/B testing for product improvements

2.4 Communicate with You

Send transactional emails (account confirmations, password resets)
Provide customer support
Send product updates and feature announcements (with your consent)
Share career tips and job search advice (opt-in only)

2.5 Legal and Security

Comply with legal obligations and law enforcement requests
Prevent fraud, abuse, and security breaches
Enforce our Terms of Service
Protect our rights and the rights of our users

3. Data Storage and Security

3.1 Where We Store Data

Your data is stored securely using industry-leading cloud providers:

Firebase (Google Cloud): User accounts, profiles, application data
AWS (Amazon Web Services): Application infrastructure, CDN, backups
Cloudflare: API proxies, security, DDoS protection

3.2 Security Measures

We implement robust security practices:

Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
Authentication: Secure password hashing (bcrypt), optional multi-factor authentication
Access Controls: Role-based access, principle of least privilege
Monitoring: 24/7 security monitoring, intrusion detection, logging
Regular Audits: Quarterly security assessments and vulnerability scanning
API Security: Rate limiting, domain validation, JWT authentication

3.3 Payment Security

Payment processing is handled by Stripe, a PCI-DSS Level 1 certified provider. We never store or have access to your full credit card details. Stripe uses industry-leading security measures including tokenization and 3D Secure authentication.

4.1 Service Providers

We share data with trusted third-party service providers who help us operate DreamVelo:

Google (Firebase, Gemini AI): User authentication, database, AI processing
Stripe: Payment processing
AWS: Hosting, CDN, infrastructure
Cloudflare: API proxies, security, performance
JSearch (RapidAPI): Job listings data
Google Analytics: Anonymous usage analytics

Important: All service providers are bound by strict data processing agreements (DPAs) and are GDPR-compliant.

4.2 We Do NOT Share Data With:

Employers or recruiters (unless you explicitly apply to a job)
Data brokers or advertisers
Marketing companies (we don't sell your data)
Social media platforms (no cross-site tracking)

4.3 Legal Disclosures

We may disclose your information if required by law, court order, or to:

Comply with legal process or government requests
Enforce our Terms of Service
Protect against fraud or security threats
Protect our rights, property, or safety, or that of our users

5. Your Rights and Choices

You have comprehensive control over your data. Under GDPR, CCPA, and other privacy laws, you have the right to:

5.1 Access Your Data

View all data we hold about you
Export your data in machine-readable format (JSON)
Access via: Settings → Profile → Data Management → Export Data

5.2 Correct Your Data

Update your profile information anytime
Edit or delete resume data, job applications, notes
Access via: Settings → Profile → Edit

5.3 Delete Your Data

Request complete account deletion
All personal data permanently deleted within 30 days
Access via: Settings → Profile → Data Management → Delete Account
Or email: privacy@dreamvelo.com

5.4 Opt-Out of Communications

Unsubscribe from marketing emails (click "Unsubscribe" in any email)
Disable notifications via Settings → Notifications
Note: We'll still send transactional emails (receipts, security alerts)

5.5 Data Portability (GDPR)

Export your data in JSON format
Transfer your data to another service
Request via: privacy@dreamvelo.com

5.6 Right to Object (GDPR)

Object to data processing for direct marketing
Object to automated decision-making (AI profiling)
Request manual review of AI decisions

5.7 California Privacy Rights (CCPA)

If you're a California resident, you have additional rights:

Right to know what personal information is collected
Right to know if personal information is sold or disclosed (we don't sell data)
Right to opt-out of the sale of personal information (N/A - we don't sell)
Right to deletion (same as GDPR)
Right to non-discrimination for exercising your rights

6. Cookies and Tracking

6.1 Cookies We Use

Essential Cookies: Authentication, session management (required)
Analytics Cookies: Google Analytics (anonymous usage tracking)
Preference Cookies: Remember your settings (dark mode, language)

6.2 Third-Party Cookies

Google Analytics: Anonymous usage analytics
Stripe: Payment processing and fraud prevention

6.3 Cookie Management

You can control cookies via your browser settings:

Block all cookies (may break functionality)
Block third-party cookies only
Clear cookies regularly

6.4 Do Not Track (DNT)

We respect Do Not Track (DNT) browser signals. If DNT is enabled, we disable non-essential analytics tracking.

7. Data Retention

7.1 Active Accounts

We retain your data for as long as your account is active and you're using DreamVelo.

7.2 Inactive Accounts

Free Accounts: Data retained for 2 years of inactivity, then deleted
Professional Accounts: Data retained for 3 years after subscription ends
Deleted Accounts: Data permanently deleted within 30 days

7.3 Backups

Backup data is retained for 90 days and then permanently deleted. Deleted accounts are removed from backups during the next backup cycle.

7.4 Legal Holds

We may retain data longer if required for legal reasons (compliance, litigation, investigations).

8. International Data Transfers

8.1 Global Infrastructure

DreamVelo operates globally using cloud infrastructure. Your data may be transferred to and processed in:

United States (AWS US-East, Firebase US)
European Union (AWS EU-West, Firebase EU)
Other regions where our service providers operate

8.2 GDPR Compliance

For users in the European Economic Area (EEA), UK, and Switzerland:

We use Standard Contractual Clauses (SCCs) for data transfers
All service providers are GDPR-compliant
Data Processing Agreements (DPAs) in place with all processors
EU Representative: Available upon request

9. Children's Privacy

DreamVelo is not intended for children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal information, please contact us immediately at privacy@dreamvelo.com, and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy periodically. When we make significant changes:

We'll update the "Last Updated" date at the top
We'll notify you via email (for material changes)
We'll post a notice on our website
Continued use of DreamVelo after changes constitutes acceptance

We recommend reviewing this policy periodically: dreamvelo.com/privacy

11. Contact Us

Privacy Questions or Requests?

DreamVelo LLC
Email: privacy@dreamvelo.com
Support: support@dreamvelo.com
Website: dreamvelo.com

Response Time: We aim to respond to all privacy requests within 30 days (GDPR/CCPA requirement). For urgent matters, please indicate "URGENT" in your subject line.

GDPR Representative (EU Users)

If you are located in the European Union and have questions about our GDPR compliance, contact:

Email: gdpr@dreamvelo.com

Data Protection Officer (DPO)

For privacy and data protection inquiries:
Email: dpo@dreamvelo.com

Legal Entity: DreamVelo LLC
Jurisdiction: United States
Compliance: GDPR, CCPA, PIPEDA, LGPD compliant
Security Standards: SOC 2 Type II, ISO 27001 (in progress)

Table of Contents