PRIVACY AND DATA FOR TRACKR PRO

Privacy Policy

How we protect your job search

Last updated: 21 May 2026
Effective from: 26 May 2026

This Privacy Policy explains how Trackr Pro collects, uses, shares, and protects your personal data. It also explains your rights under the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and (where applicable) the EU General Data Protection Regulation ("EU GDPR").

We have tried to write this in plain English. Where we use legal terms, we explain them. If anything is unclear, email privacy@trackr-pro.com and we will help.


1 Who we are

Trackr Pro is operated by Hamza Ntwari, a sole trader based in London, United Kingdom. For the purposes of UK GDPR, Hamza Ntwari is the data controller for the personal data we process about you.

For service of formal correspondence or to request our postal address, email legal@trackr-pro.com and we will reply with the relevant address.

We are not required to appoint a Data Protection Officer (DPO) under UK GDPR. For all privacy questions, contact:

We aim to respond to privacy enquiries within 5 working days, and to formal data subject requests within the statutory deadline of one calendar month.

2 What personal data we collect

We collect personal data in three ways: data you give us directly, data generated when you use the service, and data from third parties (limited).

2.1 Data you give us directly

  • Account data: name, email address, password (stored as a one-way hash), authentication tokens
  • CV files and content: the documents you upload, including any personal details inside them (names, contact information, employment history, education, certifications)
  • Job application data: job descriptions you save, dates you applied, your notes, cover letters you draft or generate, application status
  • Voice recordings and transcripts: if you use Voice Interview Prep, the audio you record and the transcribed text
  • Payment data: if you subscribe to a paid plan, your payment is processed by Stripe; we do not store full payment card numbers ourselves. We retain billing email, billing country for VAT, and a Stripe customer reference.
  • Communications: emails you send us, support tickets, feedback

2.2 Data generated when you use the service

  • Usage data: which features you use, AI credits consumed, when you log in
  • Smart Profile keywords: anonymised skill, experience, and capability keywords extracted from your CVs by our AI pipeline (see Section 4 for detail)
  • Technical data: IP address, browser type, device type, operating system, referring page, error logs
  • Cookies and similar technologies: see Section 14

2.3 Data from third parties

  • OAuth profile data: if you sign in using a third-party identity provider (where available), we receive basic profile data (name, email) from that provider in line with the scopes you authorise

3 Why we process your data (our lawful bases)

UK GDPR requires us to have a "lawful basis" for each thing we do with your data. We rely on the following bases.

| What we do | Why | Lawful basis (UK GDPR) |
|---|---|---|
| Create and run your account | To provide the service you signed up for | Contract performance (Art. 6(1)(b)) |
| Process CVs and JDs for tracking, scoring, drafting | Core service functionality | Contract performance (Art. 6(1)(b)) |
| Generate Smart Profile keywords from your CVs | To make AI features faster and free at the point of use (the Preliminary Match Score) | Contract performance (Art. 6(1)(b)) |
| Send AI requests to third-party providers | To deliver the AI features you requested | Contract performance (Art. 6(1)(b)) |
| Record and transcribe voice interviews | Paid feature (Plus and Pro) you opted into | Contract performance (Art. 6(1)(b)) + Explicit consent for voice processing (Art. 9(2)(a) where any special category data is incidentally captured) |
| Charge subscription fees | Payment obligation | Contract performance (Art. 6(1)(b)) |
| Send service emails (login, password reset, billing receipts) | Required for service delivery | Contract performance (Art. 6(1)(b)) |
| Detect fraud, abuse, breach | Protect users and the service | Legitimate interests (Art. 6(1)(f)) |
| Improve the service via aggregated, de-identified analytics | Understand performance and usage patterns | Legitimate interests (Art. 6(1)(f)) |
| Send marketing emails (newsletters, product updates) | Build relationship with users | Consent (Art. 6(1)(a)), with opt-out in every message |
| Comply with legal obligations (tax, accounting, court orders) | Statutory requirement | Legal obligation (Art. 6(1)(c)) |

You can object to or withdraw consent for any consent-based processing at any time (see Section 11).

Our legitimate-interests assessments are available on request to privacy@trackr-pro.com.

4 How AI is used on your data

Trackr Pro uses third-party AI providers to deliver several features. AI processing of your personal data is one of the most important things this policy covers, so we explain it in detail.

4.1 Which features use AI

  • CV Match Scoring: scores your CV against a JD on a 0-100 scale
  • AI Cover Letters: drafts a cover letter from the JD and your CV
  • Smart Profile keyword extraction: anonymised keywords extracted once per CV upload (see 4.4)
  • Voice Interview Prep (Plus and Pro): transcribes recorded interviews and generates AI feedback. The deeper, history-aware version of interview prep is a Pro feature, but voice recording and transcription are available on both paid tiers
  • Duplicate Detection: compares JDs to identify duplicate or re-listed roles

4.2 The PII redaction pipeline

Before any AI request leaves our infrastructure, your CV and the relevant job description go through a redaction pipeline that strips personally identifiable information.

Removed before any prompt is built:

  • Full name and initials
  • Email address
  • Phone number (any format)
  • Home address (street, city, postcode)
  • LinkedIn profile URL
  • Personal website URLs
  • Date of birth and age references
  • National Insurance, SSN, or equivalent identifiers
  • Photos (if embedded in the CV)

Retained for the model to use:

  • Skills, languages, certifications
  • Employer names, role titles, employment dates
  • Project names and descriptions
  • Education institutions and dates

The redaction runs in two layers: client-side stripping before the request is built, then server-side named-entity recognition before the request leaves our environment.

4.3 What this means in practice

When an AI provider processes your data on our behalf, the model sees:

  • Your career context (skills, experience, dates, employers)
  • The job description (with any identifiers in it removed)

The model does NOT see:

  • Your name
  • Your contact details
  • Your home address
  • Your photo or any identifying personal markers

4.4 The Smart Profile (long-term keyword profile)

When you upload a new CV, our pipeline extracts a set of standardised professional keywords (skills, technologies, role types, experience levels) from your anonymised CV content. These keywords are stored against your account and intelligently merged with your existing keyword profile over time.

The Smart Profile exists so that fast, AI-free features (such as the Preliminary Match Score in the Chrome extension) can compare a JD against your profile in milliseconds without spending AI credits.

About the Smart Profile:

  • It consists only of standardised keywords (e.g. "Python", "engineering management", "AML compliance", "5+ years"), not raw CV content
  • It is generated AFTER PII redaction. The AI that produces it never sees your name or contact details.
  • It is stored against your account, scoped to you only, and used only to deliver features to you
  • You can request to see your current Smart Profile, correct it, or have it deleted at any time (see Section 11)
  • We do not share your Smart Profile with third parties beyond the sub-processors required to store it (see Section 6)

4.5 What AI providers do with the data we send

We use providers on API tiers that do not train on customer data. Specifically:

  • OpenAI — used via the OpenAI API. OpenAI's API tier does not train on customer data (see openai.com/policies)
  • Anthropic — used via the Anthropic API. Anthropic's API tier does not train on customer data (see anthropic.com/legal)
  • Groq — used via the Groq API. Groq does not train on customer data (see groq.com/privacy)
  • Google Gemini — used via the Gemini API on no-training tiers where applicable

We do not use consumer-tier ChatGPT or consumer-tier Claude, both of which train on data by default. We do not authorise any AI provider to train on data we send them.

5 Automated decision-making and profiling (Article 22)

Under UK GDPR, you have a right to know about automated decisions that may affect you. Trackr Pro performs the following automated processing:

| Decision | Logic | Impact on you | Your rights |
|---|---|---|---|
| CV Match Score (0-100) | AI compares anonymised CV content against the JD across three weighted dimensions: skills (50%), experience (30%), context fit (20%) | Suggested action: apply / tailor / skip. The score is a signal, not a decision. No automated submission, no automated rejection. | Request human review of any score that affects your decisions; correct your CV or Smart Profile if you believe the score is wrong; request a written explanation |
| Preliminary Match Score (Chrome extension) | Regex match of your Smart Profile keywords against the JD text | Quick indicator while browsing. Not a decision. | Same as above |
| Duplicate Detection | Fingerprint-comparison of company name, role, and JD content against your prior applications | Surfaces a warning before you re-apply; does not block applying | Override any flag, correct false positives by contacting us |

None of these decisions produce legal effects or significantly affect you in the GDPR Article 22 sense, because:

  • You always make the actual application decision; we suggest, you decide
  • We never submit applications or reject anyone on your behalf
  • No score or flag is communicated to any employer or recruiter

If you believe an automated output has caused you harm or unfair treatment, contact privacy@trackr-pro.com and we will review.

6 Who we share your data with (sub-processors)

We share data only with the third-party services required to deliver Trackr Pro. We never sell your data. We never share your CV, applications, or interview transcripts with employers, recruiters, or anyone outside the sub-processor list below.

Current sub-processors

| Provider | Purpose | What they receive | Location |
|---|---|---|---|
| OpenAI Ireland Limited | Primary AI provider (match scoring, cover letters, interview feedback) | Anonymised CV content + JD text + transcripts. No PII. | US (via Ireland entity); UK GDPR transfer mechanism: SCCs + UK IDTA addendum |
| Anthropic PBC | Fallback AI provider | Same as above | US; SCCs + UK IDTA |
| Groq, Inc. | Fallback AI provider | Same as above | US; SCCs + UK IDTA |
| Google LLC (Gemini API) | Fallback AI provider where applicable | Same as above | US; SCCs + UK IDTA |
| Supabase, Inc. | Database + authentication + file storage | All account data + your stored CVs/JDs/notes (encrypted at rest) | EU (Frankfurt region); adequacy decision applies |
| Stripe Payments Europe Limited | Subscription payment processing | Billing email, billing country, subscription metadata. No card details retained by us. | EU/US; SCCs + UK IDTA |
| Vercel Inc. | Application hosting | Technical request data, error logs | US (with EU regional options); SCCs + UK IDTA |
| Speech-to-text provider for Voice Interview Prep | Audio transcription | Audio file of recording (raw audio, NOT yet redacted; transcript is then redacted before AI feedback) | US; SCCs + UK IDTA |

We may add or change sub-processors. We will update this list and notify subscribers by email when we make material changes.

If you want copies of our Data Processing Agreements (DPAs) with these sub-processors, email privacy@trackr-pro.com.

7 International transfers of personal data

Some of our sub-processors are located outside the United Kingdom and the European Economic Area (mainly the United States). When your data is transferred to a country that the UK does not consider to have an "adequate" level of data protection, we use additional legal protections:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, combined with the UK's International Data Transfer Addendum (UK IDTA), with each sub-processor
  • Encryption in transit and at rest for all transferred data
  • Anonymisation where possible (the PII redaction pipeline described in Section 4.2 means most data sent to US-based AI providers is already de-identified before transfer)

For our EU-located sub-processors (currently Supabase Frankfurt, Stripe Europe), transfers are within the EEA and rely on the existing UK-EU adequacy decision.

You can request a copy of the safeguards we have in place by emailing privacy@trackr-pro.com.

8 How long we keep your data

We keep your personal data only for as long as we need it for the purposes set out in this policy. Specific retention periods:

| Data | Retention |
|---|---|
| Account record (email, name, password hash) | While your account is active, plus 30 days after deletion to allow recovery |
| CVs, JDs, application history, notes | While your account is active. Hard-deleted from the live database immediately on account deletion. |
| Files in object storage (CV PDFs, etc.) | Permanently deleted within 7 days of account deletion |
| Smart Profile keywords | While your account is active. Deleted with the account. |
| Voice recordings and transcripts | Until you delete the specific recording, or until account deletion |
| Encrypted system backups | Rotated and destroyed on a regular schedule (typically within 30 days) |
| Billing records (invoices, subscription history) | 6 years after end of the financial year in which the transaction occurred (UK tax / VAT obligation under the Finance Act) |
| Support tickets and email correspondence | 24 months after the last interaction, unless retention is required for a longer period by law or a legal dispute |
| Marketing list (if opted in) | Until you unsubscribe |
| Error logs and analytics | 90 days |

If a longer retention is required by law (for example, in connection with a legal claim, a tax obligation, or a regulatory investigation), we will keep the relevant data only as long as that obligation requires.

9 How we keep your data secure

We use the following technical and organisational measures:

  • Encryption in transit for all connections to and from Trackr Pro (TLS 1.2 or higher)
  • Encryption at rest for all data stored in our database and object storage
  • PII redaction pipeline before any AI request leaves our infrastructure (see Section 4.2)
  • Access control based on user authentication; your data is scoped to your account only
  • Password hashing using industry-standard one-way hashing (bcrypt or equivalent); we never store passwords in plain text
  • Sub-processor agreements with all third parties handling your data
  • Regular security review of our codebase and infrastructure
  • Incident response process in the event of a data breach (see Section 10)

No system is 100% secure. We continue to improve security as the service grows. If you identify a security issue, please report it responsibly to security@trackr-pro.com.

10 What happens if there is a data breach

If we discover a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware, as required by UK GDPR Article 33
  • Notify affected users without undue delay, with a description of the breach, the likely consequences, and the measures we are taking
  • Provide guidance on steps you can take to protect yourself

You can also contact us at any time at security@trackr-pro.com if you believe your account or data has been compromised.

11 Your rights under UK GDPR

You have the following rights in relation to your personal data. Each right is free to exercise unless your request is manifestly unfounded or excessive.

| Right | What it means | How to exercise |
|---|---|---|
| Right of access (Art. 15) | Get a copy of the personal data we hold about you | Email privacy@trackr-pro.com with subject "Subject Access Request" |
| Right to rectification (Art. 16) | Correct inaccurate or incomplete data | Edit in your account, or email us if you cannot |
| Right to erasure (Art. 17) | Delete your account and associated data ("right to be forgotten") | Account settings → Delete account, or email us |
| Right to restriction (Art. 18) | Limit how we use your data while a dispute is resolved | Email privacy@trackr-pro.com |
| Right to data portability (Art. 20) | Receive your data in a structured, commonly used, machine-readable format (JSON), or have us transmit it to another controller where technically feasible | Account settings → Export data, or email us |
| Right to object (Art. 21) | Object to processing based on legitimate interests, or to direct marketing | Email privacy@trackr-pro.com, or use the unsubscribe link in any marketing email |
| Right to withdraw consent (Art. 7(3)) | Withdraw consent for any consent-based processing, at any time, without affecting the lawfulness of processing before withdrawal | Email privacy@trackr-pro.com or use the account toggle for the specific feature |
| Rights related to automated decision-making (Art. 22) | Request human review of any automated decision that significantly affects you; receive an explanation; contest the decision | Email privacy@trackr-pro.com |
| Right to complain to a supervisory authority | If you believe we have not handled your data properly, complain to the ICO | See Section 12 |

We will respond to all requests within one calendar month. If a request is particularly complex, we may extend the deadline by two further months and will tell you why.

We may ask for proof of identity before responding to a request, to make sure we do not disclose your data to someone else.

12 Your right to complain to the ICO

If you think we have not handled your personal data in accordance with the law, you have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:

  • Website: https://ico.org.uk
  • Telephone: 0303 123 1113
  • Postal: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

We would appreciate the chance to address your concerns before you go to the ICO, so please contact us first at privacy@trackr-pro.com if you can. But your right to complain to the ICO is not conditional on contacting us first.

If you are based in the EU, you may also complain to your local data protection authority.

13 Children's data and age requirement

Trackr Pro is not directed at children. The service is intended for users aged 18 and over.

If you are between 13 and 17, you may only use Trackr Pro with verifiable consent from a parent or legal guardian, in line with UK GDPR Article 8.

We do not knowingly collect personal data from anyone under 13. If you become aware that a child under 13 has provided us with personal data, please contact privacy@trackr-pro.com and we will delete it.

14 Cookies and similar technologies

Trackr Pro uses the following categories of cookies and similar technologies:

| Category | Purpose | Examples | Lawful basis |
|---|---|---|---|
| Strictly necessary | Authentication, session management, security | Session cookie, CSRF token | No consent required (Art. 6(1)(b)) |
| Functional | Remember preferences (e.g. UI theme) | Preference cookies | Consent (Art. 6(1)(a)) |
| Analytics | Aggregated usage data to improve the service | Microsoft Clarity, anonymised | Consent (Art. 6(1)(a)) |
| Advertising | We do not use advertising cookies | n/a | n/a |

Non-essential cookies are set only with your consent, captured via our cookie banner on first visit. You can change your cookie preferences at any time via the "Cookie preferences" link in our site footer.

For full details, see our Cookie Policy.

15 Marketing communications

If you sign up for our mailing list, register an account, or contact us, we may send you:

  • Service messages (account activity, billing receipts, security notices, breach notifications): these are required for service delivery and you cannot opt out without closing your account
  • Product update messages (new features, founding-member offer reminders): you can opt out at any time via the link at the bottom of any message
  • Marketing messages (general updates, blog posts, surveys): sent only with your consent; you can opt out at any time via the link at the bottom of any message

Withdrawing consent or unsubscribing does not affect the lawfulness of any marketing we sent before the withdrawal.

Trackr Pro may contain links to external sites (job boards, ATS platforms, payment portals, social media). We are not responsible for the privacy practices of those sites. Read their privacy policies before sharing personal data with them.

17 Changes to this Privacy Policy

We may update this Privacy Policy from time to time:

  • Minor changes (typo fixes, clarifications, formatting): we update the "Last updated" date and post the new version. Continued use of the service confirms acceptance.
  • Material changes (new processing purposes, new sub-processors significant to your data, changes to your rights or our retention periods): we notify registered users by email at least 30 days before the change takes effect. Where required by law, we will obtain renewed consent.

You can review the current version at trackr-pro.com/privacy. Previous versions are available on request to privacy@trackr-pro.com.

18 Glossary

  • Personal data: any information about an identified or identifiable person
  • Data controller: the person or entity that decides how and why personal data is processed (Hamza Ntwari, for Trackr Pro)
  • Data processor / sub-processor: a third party that processes personal data on behalf of the controller (e.g. OpenAI, Supabase)
  • PII (personally identifiable information): data that can identify you directly (name, email, phone, address)
  • Special category data: sensitive personal data (health, ethnicity, religion, etc.); Trackr Pro does not intentionally process special category data, but incidental capture in voice recordings or open CV fields is treated with extra care
  • DPO (Data Protection Officer): not required for Trackr Pro at current scale under UK GDPR; for all privacy contacts use privacy@trackr-pro.com
  • ICO: the UK Information Commissioner's Office, the supervisory authority for data protection
  • SCCs / IDTA: Standard Contractual Clauses and UK International Data Transfer Addendum, legal mechanisms for transferring data to countries without adequacy decisions
  • DPA (Data Processing Agreement): a contract between a controller and a processor governing how personal data is handled

Contact

For any privacy-related question, request, or complaint:

Trackr Pro is built and operated from the United Kingdom by Hamza Ntwari.