IssuePay Logo
Get started free Log in

Privacy Policy

IssuePay is committed to protecting your privacy. This Privacy Policy describes what personal data we collect, how we use it, who we share it with, and what rights you have. The data controller is IssuePay, a company incorporated in Delaware, USA, reachable at general@issuepay.app.

1. Scope

This policy applies to the IssuePay website and application at issuepay.app, including account creation, job posting and applications, candidate management, profile and resume tools, AI-powered features, meetings and calls, and subscription and billing experiences.

2. Data We Collect

We collect the following categories of personal data:

  • Account Data: name, email address, username/handle, profile image, and authentication identifiers.
  • Social Login Data: limited profile data from providers such as Google and GitHub when you choose OAuth login (email, name, profile picture, and unique identifier).
  • Profile & Resume Data: CV and resume files, work experience, skills, education, portfolio links, and related profile content.
  • Jobs & Recruitment Data: job postings, applications and answers, recruiter notes, candidate status, ATS screening results, and related hiring workflow data.
  • GitHub Profile Data: publicly available GitHub repository and activity data, accessed when you connect your GitHub account or when an organization uses our ATS candidate analysis features. This data is obtained from the GitHub API and includes only public information.
  • Usage & Device Data: server logs, feature usage events, device type, browser version, and security and anti-fraud signals.
  • Payments & Subscription Data: billing address and subscription metadata processed through Stripe. We do not store full card details on our servers.
  • Communications Data: support messages and user-submitted content in platform communication features.

2a. Data Obtained from Third Parties (Article 14 Disclosures)

In some cases we collect data about you from sources other than yourself. Where this occurs, we disclose the following:

  • GitHub API: When our ATS Agent analyzes a candidate's technical background, we retrieve publicly available repository and commit data from the GitHub API. The legal basis is legitimate interest (enabling skills-based candidate matching) or contract performance (where the user enabled the Career Agent). This data is retained for up to 2 years from the date of analysis.
  • Recruiting Organizations: If a recruiter uploads your CV or profile data on your behalf, that data is subject to this policy. The recruiter acts as an independent data controller and is responsible for having a lawful basis to share your data with us.

For all third-party sourced data, you hold the same rights as for data you provided directly (see Section 8).

3. How We Use Your Data

  • Provide and operate IssuePay services.
  • Authenticate users and secure accounts.
  • Enable job applications, candidate review, and hiring workflows.
  • Power AI features: the Career Agent (automated job discovery and application) and the ATS Agent (candidate screening, scoring, and work history verification) by sending relevant profile, CV, and application data to Microsoft Azure OpenAI.
  • Process subscriptions, credits, and billing via Stripe.
  • Monitor platform errors and stability via Sentry (legitimate interest).
  • Understand aggregate usage patterns via Umami Analytics (cookieless; no personal data).
  • Comply with legal obligations and enforce platform terms.

4. Legal Basis for Processing

We process personal data under one or more of the following lawful bases. Where multiple frameworks apply (GDPR, LGPD, PDPA, POPIA, UK GDPR), we rely on equivalent bases under each:

  • Contract performance: processing your account data, CV, applications, and AI feature outputs to deliver the services you signed up for.
  • Legitimate interests: platform security, error monitoring (Sentry), fraud prevention, aggregate analytics (Umami), improving platform reliability, and GitHub-based candidate analysis for ATS features. These interests do not override your fundamental rights.
  • Legal obligation: retaining billing records for tax compliance; disclosing data to authorities where required by law.
  • Consent: where we ask for your explicit agreement (e.g., optional analytics, audio features). You may withdraw consent at any time , see Section 8.

5. Automated Decision-Making and Profiling

Our ATS Agent uses AI to automatically score, rank, and screen job candidates based on their profile, CV, application answers, work history, and GitHub data. These outputs assist recruiters but do not constitute final decisions.

The following decisions may have a significant effect on you as a candidate:

  • Being ranked out of consideration based on an AI score.
  • Being moved to a "no-fit" category before any human review.

The following are informational only and not subject to automated decision-making rights:

  • Candidate ranking within a recruiter pipeline (humans make final decisions).
  • CV optimization suggestions (recommendations only).

Your rights regarding automated decisions:

  • Right to an explanation of how the AI reached its output.
  • Right to express your point of view and provide additional context.
  • Right to request human review of any decision significantly affecting you.
  • Right to contest the outcome and request a remedy if the decision was incorrect.

To exercise these rights, contact us at general@issuepay.app. We will respond within 30 days and provide an explanation of the logic used, its significance, and the consequences.

These rights apply under GDPR Art. 22, LGPD Art. 20, POPIA S.71, and equivalent laws in other jurisdictions.

6. Data Sharing and Processors

We share data only when necessary to operate the platform. Our key data processors and recipients are:

  • Microsoft Azure OpenAI , AI model processing for Career Agent and ATS screening. Data processed: CVs, application content, GitHub profiles. Safeguards: Standard Contractual Clauses, encryption, limited retention.
  • Stripe , payment processing and subscription management. PCI-DSS Level 1 certified.
  • Amazon Web Services (S3) , file storage for CVs, profile images, and documents. Encryption at rest and in transit.
  • Google , OAuth authentication (Google Sign-In) and web font delivery.
  • GitHub (Microsoft) , OAuth authentication and public profile data for ATS candidate analysis.
  • Sentry , error monitoring and session replay on error only. No personal data is intentionally sent. Retention: 30–90 days.
  • Umami Analytics (self-hosted) , cookieless, privacy-first analytics. No personal data or cross-site tracking. No data leaves IssuePay infrastructure.
  • Recruiting organizations , when you apply to a job, your application data is shared with that organization. They act as an independent data controller.
  • Legal authorities , when required by applicable law, legal process, or to protect the rights and safety of users.

IssuePay does not sell your personal information. We do not share your data for cross-context behavioral advertising.

7. International Data Transfers

Some of our processors operate outside your country of residence, including Microsoft Azure OpenAI and Amazon Web Services (both based in the United States). Where data is transferred internationally, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) as approved by the European Commission, supplemented by:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
  • Strict access controls limiting data access to personnel with a genuine need.
  • Sub-processor agreements that include equivalent supplementary safeguards.

We conduct Transfer Impact Assessments where required to ensure adequate protection for your data when processed outside your jurisdiction.

8. Data Retention

  • Account data: retained for the duration of your account and deleted within 90 days of account closure.
  • Profile and CV data: retained while your account is active and for up to 12 months after closure to support active applications.
  • Job application and recruitment data: retained for up to 2 years to support hiring workflows, candidate appeals, and legal obligations.
  • Billing and payment records: retained for up to 7 years as required by tax and accounting obligations.
  • Error logs (Sentry): retained for 30–90 days.
  • Consent records: retained for the duration of consent plus 2 years as evidence of lawful processing.
  • Authentication logs: retained for 1 year for security and fraud prevention.

9. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights:

  • Access , request a copy of the personal data we hold about you.
  • Rectification / Correction , request that we correct inaccurate data. You can also self-correct most fields in your account settings.
  • Erasure / Deletion , request deletion of your data. We may retain data where required by law (e.g., billing records) or to defend legal claims.
  • Restriction , request that we limit processing of your data in certain circumstances.
  • Objection , object to processing based on legitimate interests. We will stop unless we have compelling grounds.
  • Portability , receive your data in a structured, machine-readable format (e.g., JSON or CSV).
  • Withdraw Consent , where processing is based on consent, withdraw at any time. Withdrawal does not affect lawfulness of prior processing. Withdrawal is as easy as giving consent , contact us or adjust settings.
  • Opt-Out of Sale (CCPA/CPRA) , IssuePay does not sell personal information. No opt-out is required, but you are entitled to this right.
  • Human Review , request human review of automated decisions affecting you (see Section 5).
  • Non-Discrimination , IssuePay will not deny service, charge different prices, or provide degraded service for exercising these rights.

To exercise any of these rights, contact us at general@issuepay.app with your name, account email, the right you are exercising, and what data it concerns. We will verify your identity and respond within 30 days (45 days where permitted for complex requests).

10. Supervisory Authorities and Complaints

You have the right to lodge a complaint with the data protection authority in your jurisdiction if you believe your rights have been violated. Key authorities include:

  • Portugal / EU (GDPR): Comissão Nacional de Proteção de Dados (CNPD) , cnpd.pt. Or your national DPA in another EU member state.
  • United Kingdom (UK GDPR): Information Commissioner's Office (ICO) , ico.org.uk
  • California, USA (CCPA/CPRA): California Privacy Protection Agency (CPPA) , cppa.ca.gov, or the California Attorney General , cag.ca.gov
  • Brazil (LGPD): Autoridade Nacional de Proteção de Dados (ANPD) , anpd.gov.br
  • Canada (PIPEDA / Law 25): Office of the Privacy Commissioner of Canada , priv.gc.ca. Quebec residents: Commission d'accès à l'information (CAI) , cai.gouv.qc.ca
  • Thailand (PDPA): Personal Data Protection Committee (PDPC) , pdpc.go.th
  • Singapore (PDPA): Personal Data Protection Commission (PDPC) , pdpc.gov.sg
  • South Africa (POPIA): The Information Regulator , informationregulator.org.za

Filing a complaint with a supervisory authority does not prevent you from seeking other remedies through courts or alternative dispute resolution.

11. Security

We implement administrative, technical, and organizational safeguards to protect personal data, including encryption in transit (TLS 1.2+) and at rest (AES-256), access controls based on the principle of least privilege, and multi-factor authentication for administrative access. No method of transmission or storage is fully risk-free.

12. Children's Privacy

IssuePay is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe a child under 13 has provided personal data to us, contact us at general@issuepay.app and we will delete the data promptly.

13. External Links

IssuePay may link to third-party websites. We are not responsible for their privacy practices and encourage you to review their policies.

14. Updates to This Policy

We may update this Privacy Policy periodically. For material changes, we will notify you by email or prominent notice on the platform. Continued use of IssuePay after updates constitutes acceptance of the revised policy.

15. Contact

For privacy requests, questions, or to exercise your rights, contact us at general@issuepay.app.

Privacy Policy | IssuePay

Effective Date: 25th June 2026