
Privacy Policy

Last updated: March 2, 2026

1. Introduction

CareerOnTrack (“we,” “us,” or “our”) is an AI-powered career intelligence platform that helps job seekers transition from cold-applying to network-powered job campaigns. This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our website, applications, and services (collectively, the “Service”).

We are committed to protecting your privacy and handling your data responsibly. This policy is written in plain language to help you understand your rights and our practices. If anything is unclear, please contact us at privacy@careerontrack.com.

2. Who We Are

CareerOnTrack is operated by PotentiaOS Inc. For privacy inquiries, contact our Privacy Officer at privacy@careerontrack.com. We will respond to all privacy requests within 30 days.

3. What Data We Collect

We collect the following categories of personal information:

Category | Details
Account & Identity | Email address, full name, hashed password (never stored in plain text)
Profile & Career Data | Work history, education, certifications, skills, target roles, salary range, preferences, residency status (if provided), languages
Resume & Documents | Uploaded resume (PDF), extracted resume text, AI-tailored resume versions, cover letters
Assessment Data | Career Readiness Score (CRS) responses, dimension scores, gap analysis results, skill gaps
Job Activity Data | Applications tracked, job postings saved, match scores, follow-up dates, application status
Network Data | LinkedIn connection CSV uploads (name, company, title), outreach messages drafted, referral tracking
AI Conversation Data | ARIA chat transcripts, voice session transcripts, session summaries, coaching notes, interview scores
Billing & Payment | Subscription tier, billing dates. Payment card details are handled entirely by our PCI-DSS compliant payment processor; we never see or store card numbers.
Usage & Technical Data | Pages visited, features used, session duration, IP address (not logged in plain text), device type, browser
Marketing Engagement | Email open/click events, marketing interaction tracking via our CRM provider

What we do NOT collect: We never collect identity documents (such as visas or work permits), Social Insurance Numbers (SIN), Social Security Numbers (SSN), financial data beyond salary ranges, or any government-issued identification numbers.

4. Why We Collect Your Data

Purpose | Details
Account creation & authentication | To create and secure your account (Legal basis: contract performance)
Readiness assessment & scoring | To calculate your Career Readiness Score and provide personalized gap analysis (Legal basis: contract performance)
AI-powered features | Resume tailoring, ARIA coaching, outreach drafting, skill gap analysis (Legal basis: contract performance)
Job discovery & matching | To find and score relevant job opportunities (Legal basis: contract performance)
Network activation | To identify warm paths and draft outreach messages (Legal basis: contract performance)
Payment processing | To process subscriptions and payments via our payment processor (Legal basis: contractual necessity)
Marketing communications | Market Pulse briefings and nurture emails (Legal basis: explicit consent)
Security & fraud prevention | Bot protection, rate limiting, anomaly detection (Legal basis: legitimate interests)
Product improvement | Anonymized usage analytics to improve features (Legal basis: legitimate interests)

5. AI-Powered Features: How Your Data Is Used

We may use third-party AI services to power our AI features. When you interact with CareerOnTrack’s AI-powered features:

  • Your conversation data is sent to our AI service providers for processing via secure API connections
  • Our AI service providers do not use your data to train their models (per our data processing agreements)
  • We implement prompt caching to reduce redundant API calls and improve response times
  • AI outputs are validated against strict schemas before storage or display
  • All AI-generated content is presented as suggestions. You review and approve all resumes, outreach messages, and action plans before use

Features that use AI:

  • Resume tailoring (generates customized resumes for specific job postings)
  • ARIA chat coaching (text-based career coaching sessions)
  • ARIA voice sessions (voice-based mock interviews and coaching)
  • Outreach message drafting (personalized networking messages)
  • Skill gap analysis (strategic insights about your skills vs. market demand)
  • Course prescriptions (learning recommendations with ROI scoring)
  • Market Pulse briefings (personalized market intelligence)
  • LinkedIn post drafting (thought leadership content suggestions)

Voice sessions:

We use a third-party voice AI provider to power ARIA voice sessions (mock interviews and coaching calls). Voice audio is processed in real time and is not stored by the voice provider after the session ends. Transcripts are stored securely in our database under your account. The voice provider operates under a data processing agreement that prohibits training use of your audio.

Automated decision-making:

CareerOnTrack uses automated systems to calculate your Career Readiness Score (CRS) and generate your daily action queue. These are guidance tools, not binding decisions. They do not affect your employment prospects, creditworthiness, or any legal status. You can retake the readiness assessment at any time and request human review of any automated recommendation.

AI output accuracy:

AI-generated content (resumes, outreach messages, coaching advice) may contain errors or require editing. CareerOnTrack is not responsible for outcomes resulting from AI-generated content you choose to use. Always review AI outputs before submission or use.

6. Third-Party Services

We work with carefully selected third-party service providers to operate CareerOnTrack. These providers are bound by data processing agreements and are only permitted to process your data as necessary to provide their services to us.

Category | Details
Cloud Database & Authentication | We use a SOC 2 Type II certified cloud database provider for data storage, user authentication, and file storage. Data is encrypted at rest and in transit.
Payment Processing | We use a PCI-DSS Level 1 compliant payment processor for subscription billing. We never see, access, or store your raw card numbers.
AI Text Generation | We use third-party AI services for resume tailoring, coaching, and analysis. Your data is sent via secure API and is not used for model training under our agreements.
Voice AI | We use a third-party voice AI provider for ARIA voice sessions. Audio is processed in real time under a data processing agreement that prohibits training use.
Job Market Data | We use licensed job aggregator APIs for skills-market fit scoring and job discovery. No personal identifiers are sent to these providers.
CRM & Communications | We use a SOC 2 Type II certified CRM platform for email and SMS delivery (Market Pulse, nurture communications, and notifications).
Application Hosting | Our application is hosted on a cloud platform that processes IP addresses and request metadata, and serves static assets.

Cross-border transfers: Your data may be processed in the United States or other jurisdictions by our service providers. Transfers are protected by Standard Contractual Clauses (SCCs) with each processor where required by applicable law.

We do not sell your data. We do not sell, rent, or share your personal information with third parties for their marketing purposes. Data shared with our processors is used solely to operate the Service.

Provider changes: We may change our third-party service providers from time to time to improve security, performance, or cost-effectiveness. Any new providers will be held to the same data protection standards described in this policy.

7. Cookies & Tracking

Category | Details
Strictly Necessary | Authentication session cookies, CSRF protection tokens. Cannot be disabled.
Functional | User preferences (theme, onboarding step). Can be disabled.
Analytics | Anonymized usage patterns for product improvement. Requires consent in EU/UK/Canada.
Marketing | Email open/click tracking via our CRM provider. Requires explicit consent.

We respect Do Not Track signals and Global Privacy Control (GPC) preferences. If your browser sends these signals, we will not set non-essential cookies or tracking.

8. Data Retention

Category | Retention period
Account & profile data | Retained for the duration of your account plus 30 days after deletion request.
CRS scores & assessment history | Retained for the duration of your account. Available for export at any time.
AI conversation transcripts | 12 months from session date, or account deletion, whichever is sooner. You can request earlier deletion.
Resume & job application data | Retained for the duration of your account. User-owned data, available for export.
Billing & transaction records | 7 years (legal/tax requirement). This overrides deletion requests for this category only.
Usage logs | 24 months from collection.
Deleted account residual | Data may persist in encrypted backups for up to 30 days after deletion, then is purged.

9. Your Rights

All Users

  • Export all your data at any time (JSON format from Settings)
  • Delete your account and all associated data
  • Correct inaccurate information in your profile
  • Opt out of marketing communications

Canadian Users (PIPEDA)

  • Right to access your personal information (we respond within 30 days)
  • Right to correct inaccurate information
  • Right to withdraw consent at any time (you may lose access to features requiring that data)
  • Right to know if your data has been transferred outside Canada
  • Right to file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca)

UK/EU Users (GDPR)

  • Right of access (Subject Access Request, we respond within 30 days)
  • Right to rectification
  • Right to erasure (“right to be forgotten”)
  • Right to restriction of processing
  • Right to data portability (machine-readable format)
  • Right to object to processing based on legitimate interests
  • Right not to be subject to solely automated decision-making with legal effects
  • Right to lodge a complaint with your supervisory authority (ICO for UK; relevant DPA for EU)

California Users (CCPA/CPRA)

  • Right to know what personal information is collected
  • Right to know if personal information is sold or shared (we do not sell data)
  • Right to delete personal information
  • Right to opt out of sale or sharing
  • Right to correct inaccurate personal information
  • Right to limit use of sensitive personal information (including residency status)
  • Right to non-discrimination for exercising your rights

Sensitive data: Residency status, collected for international professionals to enable personalized career guidance, is classified as sensitive personal information under CPRA. You can limit our use of this data at any time through your account settings.

10. Data Security

  • All connections encrypted in transit (TLS/HTTPS)
  • Data encrypted at rest (AES-256)
  • Sensitive tokens encrypted with AES-256-CBC before database storage
  • Row-Level Security enforced at database level. Each user can only access their own data
  • No plaintext personally identifiable information in application logs
  • Production database access restricted to service accounts with least privilege
  • Security headers applied on every response (CSP, HSTS, X-Frame-Options, and more)
  • Bot protection on account creation (honeypot, timing analysis, rate limiting)
  • Regular security reviews and dependency auditing

In the event of a data breach affecting your information, we will notify you and relevant authorities within 72 hours of becoming aware, as required by GDPR, or as soon as reasonably possible under PIPEDA.

11. Children’s Privacy

CareerOnTrack is not intended for users under 18 years of age (or 16 for GDPR purposes). We do not knowingly collect personal information from minors. If we discover that a minor’s data has been collected, it will be deleted immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email (if you have an account) and by updating the “Last Updated” date above. For GDPR users, material changes to processing purposes will require fresh consent.

13. How to Contact Us

To exercise any of your rights or ask questions about this policy:

  • Email: privacy@careerontrack.com
  • Response timeframe: 30 days (GDPR/PIPEDA), 45 days (CCPA)

Supervisory authorities:

  • Canada: Office of the Privacy Commissioner (priv.gc.ca)
  • UK: Information Commissioner’s Office (ICO) at ico.org.uk
  • EU: Your local data protection authority
  • California: California Privacy Protection Agency (cppa.ca.gov)