Privacy Policy

01Who we are

AHA Match AI is a consumer career tool operated by Artmac Soft LLC, a company registered in the United States with its principal place of business at 2120 Prairie Dr, Ste 604, Prosper, TX, USA. The Services are offered globally to software and technology applicants and are not restricted to any one country or state. Contact us at [email protected].

02Information we collect

Account information. When you register, we collect your email address, name, password (hashed with bcrypt), and optional city / state / country.

Resume & profile data. When you upload a resume we store the file and extract structured fields — contact info, work history, education, skills, project roles, and location entities. You can also edit profile data manually via the Application Vault.

Job match data. Job descriptions you submit for analysis, saved listings, tracker entries, and the match scores between your profile and each job.

Authentication & sessions. Session cookies (HttpOnly, SameSite=Lax, Secure), OTP codes during email verification, and password-reset tokens.

Support & feedback. Ticket content, in-app feedback ratings, and any attachments you submit.

Technical data. Browser, OS, device type, IP address, pages visited (for analytics), and error logs — to maintain the service and improve reliability.

03Sign in with Google (Optional)

AHA Match AI offers Sign in with Googleas an optional authentication method in addition to standard email and password sign-up. This feature is fully optional — you may use AHA Match AI without ever connecting a Google account.

When you click “Continue with Google” on the login or registration page, Google displays its standard consent screen showing exactly the information we request. We request only the following scopes:

• openid — To confirm Google has verified your identity
• https://www.googleapis.com/auth/userinfo.email — To receive your Google account email address
• https://www.googleapis.com/auth/userinfo.profile — To receive your name and profile picture URL

Information we receive (only with your consent):

• Your email address
• Your name
• Your profile picture URL
• Your Google account ID (an opaque sub identifier)

How we use this information:

• Account creation or sign-in — We match your Google email against existing AHA Match AI accounts, or create a new account if none exists.
• Profile pre-fill — We populate your AHA Match AI profile with your name and profile picture so you don't have to re-enter them.
• Authentication — We authenticate you on subsequent visits when you choose to sign in with Google.

Limited Use commitment. AHA Match AI's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We do not use Google account information for advertising or ad personalization.
• We do not sell, transfer, or share Google account information with third parties, except as necessary to provide and improve user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with prior notice to users.
• We do not allow humans to read Google account information, except (a) with your explicit consent, (b) for security purposes (such as investigating abuse), (c) to comply with applicable law, or (d) where the information has been aggregated and anonymized.
• We do not use Google account information to train, develop, or improve generalized or non-personalized AI/ML models.

Sign in with Google does not grant access to your Gmail, Google Calendar, Google Contacts, Google Drive, Google Photos, or any other Google service. Each of those requires separate, explicit consent (see Section 04 below).

Revoking access. You may revoke AHA Match AI's access to your Google account at any time at myaccount.google.com/permissions. Revoking Google access does not delete your AHA Match AI account; to delete your account, use Settings → Delete Account within AHA Match AI.

04Google Drive Integration (Optional)

AHA Match AI offers an optional Google Drive integration that allows you to import a resume or job description directly from your Google Drive instead of uploading a file from your device. This feature is entirely optional and user-initiated — Google Drive is never connected automatically, and AHA Match AI cannot access any file in your Drive unless you explicitly choose to connect Drive and manually select a file.

Scope We Request

When you click “Connect Google Drive” in Settings → Integrations or on the Upload page, we request the following Google OAuth scope:

• https://www.googleapis.com/auth/drive.file— Per-file access. Google restricts this scope so that AHA Match AI can only access files you explicitly select through the Google file picker, or files our application itself creates.

What AHA Match AI Can Access

• Only the specific files you manually select in the Google file picker — and nothing else.
• Basic metadata (file name, size, modified date) for the files you select, displayed so you can confirm your selection.

What AHA Match AI Cannot Access

• Any file you have not explicitly selected through the Google file picker.
• Drive folders, shared drives, or files belonging to anyone other than you.
• Any other Google service (Gmail, Calendar, Contacts, Photos, etc.).
• Your Drive file list, search index, or directory structure.

User-Driven Access

All Google Drive access is initiated and controlled by the User. AHA Match AI does not autonomously browse, list, scan, or access any file in your Google Drive. Every file import requires the User's manual selection through Google's official file picker, which serves as the sole gateway for granting access to individual files.

How We Use Files You Import

• Download the file content (resume or job description) you selected.
• Extract structured fields from the file using the same processing applied to any resume or job description uploaded to AHA Match AI.
• Save the extracted profile to your Application Vault, exactly as if you had uploaded the file via drag-and-drop.

How We Store and Retain Drive Data

• File content is stored as part of your AHA Match AI profile only if you choose to save it. We do not maintain any separate copy of your Drive file outside the profile you save.
• OAuth tokens (access token and refresh token) are encrypted at rest in our database and associated exclusively with your AHA Match AI account.
• Token deletion occurs immediately when you disconnect Google Drive in Settings or revoke access via your Google account.
• Retention — Imported files and extracted data remain in your account until you delete them or delete your AHA Match AI account.

Limited Use Commitment (Google API Services)

AHA Match AI's use of information received from Google Drive APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements:

• We do not transfer Google Drive data to third parties, except as necessary to provide or improve user-facing features, comply with applicable law, or as part of a merger or acquisition with prior user notice.
• We do not use Google Drive data for advertising purposes.
• We do not allow humans to read Google Drive data, except (a) with your explicit consent, (b) for security purposes, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized.
• We do not use Google Drive data to train, develop, or improve generalized or non-personalized AI/ML models.

Revoking Google Drive Access

You may disconnect Google Drive at any time through:

• Settings → Integrations → Google Drive → Disconnect within AHA Match AI, or
• Directly at myaccount.google.com/permissions.

Upon disconnection, stored Google OAuth tokens are deleted immediately. Files you previously imported and saved to your AHA Match AI profile remain in your account until you delete them.

05Chrome extension (AHA Copilot)

The AHA Copilot Chrome extension exists to auto-fill job applications on supported ATS platforms. Specifically it:

• Reads your Application Vault from the AHA Match backend (requires you to be logged in).
• Reads form field labels and structure on the current job application page to map vault data to the right fields.
• Caches vault data locally in chrome.storage.local for speed. Cache is cleared on logout.
• Stores a developer-only verbose-logging flag in chrome.storage.session (cleared when you close the browser). This is extension-controlled and not readable or writable by web pages. We never store user data here.
• Never runs on non-supported sites — it only activates on supported ATS domains.
• Never auto-submits — you always click Submit yourself.
• Never sends data to third parties — all traffic is between your browser and the AHA Match backend.

06How we use your data

• To provide the core service — AI-powered resume analysis, skill matching, and job discovery.
• To populate the Application Vault and fill job applications via the Chrome extension.
• To generate cover letters and interview prep content.
• To authenticate you and keep your account safe.
• To communicate with you about your account, security events, and support requests.
• To improve the service based on aggregate, de-identified usage patterns.
• To comply with legal obligations.

07How we share your data

We do not sell, rent, or share your personal data with advertisers, data brokers, or marketing platforms. We only share in these limited cases:

• Service providers. Infrastructure vendors bound by contract to use your data only to run the service (cloud hosting, transactional email, and optional Google Drive import when you connect it).
• Legal compliance. If required by valid legal process — subpoena, court order, or regulatory request.
• Business transfer. In the event of a merger or acquisition, with advance notice to you.

08Data retention

We retain your data for as long as your account is active. When you delete your account:

• Personal data, resumes, and profile data are deleted within 30 days.
• Support tickets are kept for 90 days for operational reasons, then deleted.
• Aggregate, de-identified analytics may be retained indefinitely.
• Records we're legally required to retain (e.g., financial) are kept for the required period.

09Cookies & tracking

We use two kinds of cookies:

• Essential cookies (session, CSRF) — required for the service to function. Cannot be disabled.
• Analytics cookies — anonymous usage metrics. We do not currently run third-party analytics like Google Analytics.

See the Cookie Policy for specifics.

10Your privacy rights

Every user can:

• Access your data in the Settings page.
• Correct your profile anytime in Settings.
• Delete your account from Settings — everything is removed within 30 days.
• Export a copy of your data by emailing [email protected].
• Disconnect integrations — revoke Google Drive access in Settings.

GDPR (European users). You have additional rights including data portability, restriction of processing, objection to processing, and the right to lodge a complaint with your local data protection authority.

CCPA (California residents). You have the right to know what data we collect, to delete your data, and to opt out of the sale of personal data. We do not sell your data, so no opt-out is needed.

11Data security

We use industry-standard controls: HTTPS/TLS in transit, bcrypt-hashed passwords, HttpOnly Secure cookies, rate limiting to stop brute-force attempts, CSRF protection on forms, and regular security updates. No system is 100% secure — if we discover a breach that affects you, we will notify you within 72 hours as required by law.

12International data transfers

Our servers are located in the United States. If you access the service from outside the US, your data will be transferred to and processed in the US.

13Children's privacy

AHA Match AI is not intended for users under 16 years of age. We do not knowingly collect data from children under 16. If you believe a child has provided us with data, please email [email protected] and we'll delete it.

14Third-party links

The service may link to third-party sites — job boards, company career pages, ATS platforms. We are not responsible for their privacy practices.

15Changes to this policy

We may update this policy over time. Material changes will be communicated via email or in-app notice at least 30 days before taking effect. The “Last updated” date above reflects the most recent revision.

16Payment processing & billing data

Billing and payment data — card or bank details, transaction IDs, billing address, tax region — is processed by Lemon Squeezy (Lemon Squeezy LLC, Wilmington, Delaware, USA), our third-party payment provider and merchant of record. We do not store full card numbers or CVV codes on our servers at any time.

When you make a purchase, we receive a minimal billing record from Lemon Squeezy that includes:

• A Lemon Squeezy subscription ID and customer ID (opaque identifiers).
• Your plan code, status, start date, and next renewal date.
• The masked last-four digits of your card or a payment-method hash, for reference only.
• Country of billing (for tax calculation).

Lemon Squeezy's handling of your payment data is governed by its own privacy policy — lemonsqueezy.com/privacy. For chargebacks, disputes, or billing-record export requests, contact us at [email protected] and we will coordinate with Lemon Squeezy on your behalf.

17Contact us

For privacy questions, data requests, or concerns:

• Email — [email protected]
• Security issues — [email protected]
• Postal address — Artmac Soft LLC, 2120 Prairie Dr, Ste 604, Prosper, TX, USA