Driora

Privacy Policy

Last updated: June 11, 2026

Driora is a career intelligence tool built by Ergyn Pelinku, a solo founder. This policy explains exactly what data we collect, why we collect it, who can see it and for how long. We wrote it in plain English because you deserve to understand it.

Contents

  1. Who We Are
  2. What Data We Collect
  3. Why We Collect It (Legal Basis)
  4. Who Else Processes Your Data
  5. International Data Transfers
  6. How Long We Keep It
  7. Your Rights (GDPR)
  8. Your Rights (CCPA/CPRA)
  9. Cookies and Tracking
  10. Children
  11. Security
  12. Changes to This Policy
  13. Contact

1. Who We Are

Driora is a career intelligence service available at drioracareers.com. It is operated by Ergyn Pelinku as a sole-proprietor product. "Driora," "we," "us" and "our" all refer to Ergyn Pelinku operating Driora.

For all data and privacy matters, contact us at [email protected]. We aim to respond to all requests within 5 business days and always within the legally required timeframe.

2. What Data We Collect

We collect only the data we need to generate your career intelligence report and operate the service securely.

| Data | Required? | How We Get It | Where It Is Stored |
|---|---|---|---|
| Email address | Yes | Form submission | Report cache (24h), waitlist table (until unsubscribe) |
| Name | Yes | Form submission | Report cache (24h) |
| Phone number | No (optional) | Form submission | Report cache (24h) |
| LinkedIn URL | No (optional) | Form submission | Report cache (24h) |
| Resume content (text extracted from PDF, DOCX or TXT) | Yes | File upload | Report cache (24h) |
| IP address | Automatic | Web server | Rate-limits table (1-hour sliding window, then purged) |
| Session data | Automatic | Web server | Flask session cookie + Redis (session lifetime only) |

What we do NOT collect

  • We do not use any third-party analytics or tracking pixels at this time.
  • We do not purchase data from brokers or other external sources.
  • We do not scrape your social media profiles.
  • We do not collect payment card data (we are a free service currently).

3. Why We Collect It (Legal Basis)

Report generation (contract / legitimate interest)

When you submit the report form, you are entering into a transactional relationship with us: you provide your resume and details, we generate and deliver an AI-powered career intelligence report. We process your name, email, phone number (if given), LinkedIn URL (if given) and resume content because this is necessary to perform that service. Under GDPR, the legal basis is performance of a contract (Article 6(1)(b)).

Waitlist and marketing communications (consent)

If you join the waitlist or opt in to receive product updates, we store your email address for that purpose. Under GDPR, the legal basis is consent (Article 6(1)(a)). You can withdraw this consent at any time by unsubscribing via the link in any email we send, or by emailing [email protected].

Rate limiting and security (legitimate interest)

We log your IP address in a rate-limits table to prevent abuse and protect the service from automated attacks. The legal basis is legitimate interest (Article 6(1)(f)). IP addresses are automatically purged after a 1-hour sliding window.

Session management (legitimate interest)

We use a Flask session cookie and Redis to maintain your session during your visit, including CSRF protection. This is strictly necessary for the service to function securely.

4. Who Else Processes Your Data

We work with the following sub-processors. Each receives only the minimum data needed to perform its function. A full list with DPA links is on our Sub-Processors page.

| Sub-processor | Purpose | Location | DPA |
|---|---|---|---|
| Anthropic | AI report generation via Claude API. Receives your PII-redacted resume text and job context to produce the report. For the company-research section it also runs web searches about the target employer; those queries are about the company and role, never about you. They are screened to exclude your personal data. | United States | anthropic.com/legal/dpa |
| Resend | Transactional email delivery (report delivery, waitlist confirmation). | United States | resend.com/legal/dpa |
| Render | Application hosting and compute. | United States | render.com/legal |
| Supabase | Primary database (PostgreSQL). Stores waitlist data and report cache. | United States (US East, Virginia) | supabase.com/legal/dpa |
| Upstash | Redis cache and job queue (temporary session data, rate-limit counters). | United States | Upstash DPA (PDF) |
| Cloudflare | DNS, CDN edge caching and email forwarding. | Global edge (US primary) | Built into Cloudflare ToS / GDPR commitments |
| Sentry | Error monitoring. May receive anonymized stack traces that include request context. | United States | sentry.io/legal/dpa |

We do not sell, rent or trade your personal data. We do not share data with advertising networks or data brokers.

5. International Data Transfers

Driora is operated from the United States and all sub-processors listed above are also based in the United States. If you access the service from the European Economic Area (EEA), the United Kingdom or Switzerland, your personal data is transferred to the US.

We rely on the following mechanisms to make those transfers lawful under GDPR Chapter V:

  • Standard Contractual Clauses (SCCs) incorporated into each sub-processor's Data Processing Agreement. Each of the sub-processors listed above has executed EU SCCs (2021 Commission Decision).
  • Where a sub-processor participates in the EU-US Data Privacy Framework or equivalent adequacy mechanism, we additionally rely on that certification.

You can request a copy of the applicable safeguards by emailing [email protected].

6. How Long We Keep It

| Data | Retention Period | Reason |
|---|---|---|
| Email, name, phone, LinkedIn URL, resume content (report cache) | 24 hours from submission | Transactional only; automatically purged after report delivery |
| Resume content, target role, follow-up answers, rewrite output (Coach Mode session) | 7 days from submission | Held while you review the scorecard and answer follow-up questions; automatically purged after the window so you have a chance to come back without losing context. Cancelled sessions are wiped immediately. |
| Email address (waitlist) | Until you unsubscribe or request deletion | You gave explicit consent to be on the waitlist |
| IP address (rate-limits table) | 1-hour sliding window, then purged | Abuse prevention; no longer needed after the window expires |
| Session data (Flask session + Redis) | Session lifetime only (cleared on browser close or explicit sign-out) | Strictly necessary for secure session management |

When you request deletion of your data, we will remove it from active systems within 30 days and from backup systems within 90 days.

7. Your Rights (GDPR)

If you are located in the EEA, the United Kingdom or Switzerland, you have the following rights under GDPR. There is no charge to exercise them.

Right of access (Article 15)

You can request a copy of all personal data we hold about you.

Right to rectification (Article 16)

You can ask us to correct inaccurate personal data or complete incomplete data.

Right to erasure ("right to be forgotten") (Article 17)

You can ask us to delete your personal data. We will do so unless we are legally required to retain it.

Right to data portability (Article 20)

You can request your personal data in a structured, machine-readable format so you can transfer it to another service.

Right to restriction of processing (Article 18)

You can ask us to pause processing of your data in certain circumstances, for example while a dispute is being resolved.

Right to object (Article 21)

You can object to processing based on legitimate interests (for example, our rate-limiting use of IP addresses).

Right to withdraw consent (Article 7)

Where processing is based on your consent (such as the waitlist), you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

How to exercise your GDPR rights

Email [email protected] with the subject line matching your request (e.g., "Data Access Request," "Delete My Data"). We will respond within 30 days as required by GDPR Article 12(3). Full instructions are on our Data Request page.

If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.

8. Your Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives you the following rights.

Right to know

You can request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the business purposes and the categories of third parties with whom we share it.

Right to delete

You can request deletion of personal information we have collected from you, subject to certain exceptions.

Right to opt out of sale or sharing

We do not sell your personal information. We do not share personal information for cross-context behavioral advertising. There is nothing to opt out of, but we provide this notice for transparency. Do Not Sell or Share My Personal Information.

Right to correct

You can request correction of inaccurate personal information.

Right to limit use of sensitive personal information

We do not use sensitive personal information for purposes beyond what is necessary to provide the service.

Right to non-discrimination

We will not discriminate against you for exercising any CCPA right. You will receive the same quality of service regardless of whether you submit a data request.

To exercise any CCPA right, email [email protected]. We will respond within 45 days. Full instructions are on our Data Request page.

9. Cookies and Tracking

We use only essential cookies. Specifically, a Flask session cookie is set to maintain your session state and provide CSRF protection. This cookie is strictly necessary; the service cannot function without it. It does not contain personal data in plaintext and is not used for tracking.

We do not currently use any analytics, advertising or third-party tracking cookies. We do not use Google Analytics, Meta Pixel, Hotjar or similar tools.

If we introduce non-essential cookies in the future, we will update the Cookie Policy, show a consent banner to EU/UK users before activating any such cookies and obtain prior consent where required by law.

Full details are in our Cookie Policy.

10. Children

Driora is not directed at children under 16 (the GDPR threshold for EU/EEA users) or under 13 (the US COPPA threshold). We do not knowingly collect personal data from anyone under these ages. If you believe a child has submitted data through the service, please contact [email protected] and we will delete it promptly.

11. Security

We take reasonable technical and organizational measures to protect your data:

  • Encryption in transit: All connections to Driora use TLS 1.2 or higher.
  • Encryption at rest: Data stored in Supabase (PostgreSQL) is encrypted at rest by Supabase. In addition, your Coach Mode resume content is encrypted at the application layer using authenticated symmetric encryption (Fernet, AES-128-CBC + HMAC-SHA256). The encryption key is held in Driora's deployment environment and is not stored in the database itself, so a database snapshot leak alone would not expose the resume text.
  • Short retention windows: Report data (including your resume text) is automatically purged after 24 hours. Coach Mode session data is purged after 7 days. Both windows limit exposure regardless of the encryption layer.
  • Rate limiting: IP-based rate limiting is enforced at the application layer to prevent automated abuse.
  • No third-party sale: We never sell, rent or trade your data to any third party for their own commercial purposes.
  • Access control: Only Driora's application code and, where operationally necessary, the sole founder (Ergyn Pelinku) can access personal data.

No system is perfectly secure. If you believe you have found a security vulnerability, please disclose it responsibly at [email protected].

12. Changes to This Policy

We may update this policy as the service evolves. When we make material changes, we will update the "Last updated" date at the top of this page. If you are on the waitlist, we will notify you by email at least 30 days before material changes take effect. Continued use of the service after that date constitutes acceptance of the updated policy.

13. Contact

All data and privacy questions go to:

Driora / Ergyn Pelinku
Email: [email protected]

We respond to all requests within 5 business days and always within the 30-day legal deadline.
