Privacy Policy
Last updated: May 8, 2026
GapFix is committed to protecting your privacy. This Policy explains how we handle your personal information when you use our iOS app, Android app, and website. It applies to users worldwide and covers the GDPR, CCPA/CPRA, India's DPDP Act, and equivalent laws.
1. Overview
GapFix ("GapFix", "we", "us", or "our") provides an AI-powered career-growth mobile app for iOS and Android, along with the website at gapfix.app (collectively, the "Service"). We respect your privacy and are committed to handling your personal information transparently and lawfully. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the rights you have over your data. It applies to all users of the Service, anywhere in the world.

For the purpose of the EU/UK General Data Protection Regulation (GDPR), the data controller is GapFix. For users in California, GapFix acts as a "business" under the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA). For users in India, GapFix acts as a "Data Fiduciary" under the Digital Personal Data Protection Act, 2023 (DPDP Act). Equivalent roles apply under similar regimes in Brazil (LGPD), the UK (UK GDPR), Canada (PIPEDA), and other jurisdictions.

If any term in this Policy conflicts with a mandatory provision of the law of your country or region, the local law prevails for users located there.
2. Information We Collect
We collect the minimum information needed to operate the Service.

**Information you give us directly:**
- Account details: name, email address, and password (or social-login token if you sign in with Apple, Google, or similar).
- Profile information: target role, professional title, experience level, and any skills or goals you choose to share.
- Resume or CV content (PDF, DOCX, or TXT) that you upload for AI gap analysis.
- Communications you send to support, including any attachments.
- Survey responses or feedback you voluntarily submit.

**Information collected automatically when you use the Service:**
- Device and technical information: device model, operating system and version, app version, language, time zone, mobile network and carrier, crash logs, and a device-generated identifier (e.g., IDFA / advertising ID where you have permitted it).
- Usage information: lessons completed, quiz answers, streaks, in-app navigation, time spent in features, feature toggles you set, and similar product analytics events.
- Approximate location, derived from IP address only (we do not collect precise GPS location).
- Cookies and similar technologies on the website (see the "Cookies" section below).

**Information from third parties:**
- Sign-in providers (Apple, Google) — limited profile fields you authorize.
- App stores (Apple App Store, Google Play) — subscription status, receipts, and purchase events. Apple and Google handle the actual payment; we do not receive your full card or banking details.
- Analytics and crash-reporting providers — aggregated and pseudonymous information about app performance.

We do not knowingly collect special categories of personal data (such as health data, biometric data, or political opinions). Please do not include such information in your CV or messages to us.
3. How We Use Your Information
We use your information for the purposes below:

**To provide the Service:** create and authenticate your account; generate your personalized 90-day learning plan; deliver lessons, boosters, streaks, and progress tracking; sync data across your devices.

**To improve the Service:** debug and fix issues; measure feature performance; train and improve our AI models on aggregated, de-identified data.

**To communicate with you:** send service messages (e.g., subscription confirmations, security alerts, important changes), respond to support requests, and send product updates or marketing emails where you have opted in. You can opt out of marketing emails at any time using the unsubscribe link or in your account settings.

**To process payments:** to enable Premium subscriptions through Apple's App Store or Google Play and to confirm receipts. Apple and Google process the payment; we receive only the information needed to grant or revoke your subscription.

**To keep the Service safe:** detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms.

**To comply with law:** respond to lawful legal requests, enforce our agreements, and protect the rights, property, and safety of GapFix, our users, and the public.

We do not use your personal information for automated decisions that produce legal or similarly significant effects on you.
4. Legal Bases for Processing (EU / UK)
For users in the European Economic Area, the United Kingdom, and other jurisdictions that recognize "legal bases" for processing, we rely on the following:

**Contract (Art. 6(1)(b) GDPR):** to provide the Service you have signed up for, including creating your account, running your learning plan, and processing subscriptions.

**Legitimate interests (Art. 6(1)(f) GDPR):** to improve the Service, secure our systems, prevent fraud, and conduct internal analytics — balanced against your rights and freedoms.

**Consent (Art. 6(1)(a) GDPR):** for optional cookies, marketing communications, and any processing where we ask for your explicit consent. You can withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

**Legal obligation (Art. 6(1)(c) GDPR):** to comply with tax, financial, or regulatory requirements that apply to us.

**Vital interests / public interest (Art. 6(1)(d), (e) GDPR):** in narrow cases such as protecting life or responding to a legal investigation.

For users in India under the DPDP Act, processing is based on your consent or on a "legitimate use" expressly recognized by the Act.
5. Sharing and Disclosure
We do not sell your personal information. We do not "share" it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. We disclose information only to the categories of recipients below, and only as needed:

**Service providers (data processors / subprocessors):** cloud hosting and storage, customer-support tooling, email delivery, analytics, crash reporting, AI model providers used for gap analysis, and similar vendors. These providers are bound by written agreements that limit their use of your data to providing services to us, require security safeguards, and prohibit any independent use.

**App stores and payment processors:** Apple App Store and Google Play handle subscription billing. We receive purchase confirmations and subscription status only.

**Authentication providers:** if you sign in with Apple or Google, we share what is needed to verify your identity.

**Legal and safety:** we may disclose information when we have a good-faith belief that disclosure is required to comply with applicable law, a valid legal process, or a lawful government request, or to protect the rights, safety, or property of GapFix, our users, or the public. We push back on overbroad requests where appropriate.

**Business transfers:** if GapFix is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will notify you and your data will continue to be protected under a privacy policy at least as protective as this one, or you will be given the opportunity to opt out.

A current list of subprocessors is available on request to help@gapfix.app.
6. International Data Transfers
GapFix is operated from India. Your information may be processed in countries other than the one you live in, including India, the United States, and the European Economic Area, depending on where our service providers are located. When we transfer personal data out of the EEA, the United Kingdom, or other jurisdictions with cross-border restrictions, we rely on lawful transfer mechanisms such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or an applicable adequacy decision. For users in India under the DPDP Act, we may transfer your data outside India to jurisdictions that the Government of India has not restricted from time to time. You can request a copy of the safeguards we have in place by contacting us at help@gapfix.app.
7. Data Retention
We keep your personal data only for as long as we need it for the purposes described in this Policy, or longer if required by law. Typical retention windows:

- **Account data:** while your account is active, plus up to 90 days after deletion to allow you to recover the account if deletion was unintended.
- **Learning content (uploaded CVs, plans, lessons completed):** while your account is active. Deleted on account deletion.
- **Subscription and billing records:** up to 7 years after the last transaction, where required by tax and accounting law.
- **Support communications:** up to 3 years from the last contact.
- **Server logs and crash data:** up to 12 months.
- **Backups:** rolling backups are overwritten on a regular cycle (typically 30 days).

When we no longer need to retain personal data, we delete or anonymize it.
8. Your Privacy Rights
Depending on where you live, you have some or all of the following rights:

- **Access:** ask for a copy of the personal data we hold about you.
- **Rectification:** correct inaccurate or incomplete data.
- **Erasure (the "right to be forgotten"):** delete your data, subject to limited exceptions (e.g., legal obligations).
- **Restriction:** limit how we process your data in certain circumstances.
- **Portability:** receive your data in a structured, machine-readable format and transmit it to another controller.
- **Objection:** object to processing based on our legitimate interests, including direct marketing.
- **Withdraw consent:** where we rely on consent, you can withdraw it at any time.

**California (CCPA/CPRA):** in addition to the above, you have the right to know the categories and specific pieces of personal information collected; the right to opt out of "sale" or "sharing" (we do neither, but the right is available); the right to limit the use of "sensitive personal information"; and the right not to be discriminated against for exercising your rights.

**Virginia, Colorado, Connecticut, Utah, Texas, Florida, Oregon, and other US state laws:** equivalent rights apply where you reside.

**India (DPDP Act):** you may also nominate another individual to exercise your rights in the event of your death or incapacity.

**Brazil (LGPD), Canada (PIPEDA), Australia, Japan, South Korea:** equivalent rights apply where you reside.

To exercise any right, email help@gapfix.app from the address registered to your account, or use the in-app data tools where available. We may need to verify your identity before responding. We respond within 30 days (45 days for CCPA, with one 45-day extension permitted; 30 days under DPDP). You can also delete your account directly in the app at Settings → Account → Delete account.

We will not retaliate against you for exercising any of these rights.
9. Security
We use industry-standard administrative, technical, and physical safeguards to protect your personal information. These include encryption in transit (TLS 1.2+) and encryption at rest, role-based access controls, least-privilege access for employees and contractors, secure development practices, regular vulnerability scans, mandatory two-factor authentication for production systems, and audit logging of access to user data. No method of transmission or storage is perfectly secure. If we become aware of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify supervisory authorities and affected users in accordance with applicable law (e.g., 72 hours under GDPR and DPDP, "without unreasonable delay" under CCPA). You are responsible for keeping your account credentials confidential. Please contact us at help@gapfix.app if you suspect any unauthorized use of your account.
10. Cookies and Similar Technologies
Our mobile app does not use browser cookies. It uses local device storage, secure keychain or keystore entries for authentication tokens, and software development kits ("SDKs") for analytics and crash reporting. SDKs that collect personal data only initialize after you have given any required consent.

Our website uses cookies and similar technologies for the following purposes:

- **Strictly necessary:** keep you signed in, remember your consent choices, and protect against fraud. These cannot be disabled and do not require consent.
- **Preferences:** remember settings such as theme and language.
- **Analytics:** help us understand how the website is used. We use privacy-respecting analytics where available.
- **Marketing:** measure the effectiveness of campaigns. We use these only with your consent.

Where required (EEA, UK, certain US states), we present a consent banner the first time you visit. You can change your preferences at any time. We respect Global Privacy Control (GPC) signals as an opt-out for users in California and other US states that recognize them. You can also manage cookies through your browser settings, but disabling cookies may break parts of the website.
11. Children's Privacy
GapFix is intended for adults pursuing professional career growth and is not directed to children under 16. We do not knowingly collect personal information from anyone under 16. In the United States, we do not knowingly collect personal information from children under 13 (COPPA). In the EEA, we follow the GDPR digital-services age threshold of the child's country of residence. In India, we treat anyone under 18 as a child for the purposes of the DPDP Act and require verifiable parental consent before processing. If you are a parent or guardian and believe a child has provided us with personal information, please contact help@gapfix.app and we will delete it promptly.
12. Do Not Track and Global Privacy Control
Most browsers offer a "Do Not Track" (DNT) signal. Because there is no industry-agreed standard for how to interpret DNT, we do not respond to it. We do honor the Global Privacy Control (GPC) signal where applicable law (such as California's CCPA/CPRA and Colorado's CPA) requires us to treat it as a valid opt-out of "sale" or "sharing" of personal information.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. If the changes are material — for example, a new use of your data or a new category of recipients — we will give you reasonable advance notice through the app, by email, or via a banner on the website, and where required by law we will obtain your consent before applying the changes to your existing data. If you do not agree with any changes, you can delete your account before they take effect.
14. Contact and Complaints
For all privacy questions, requests, or complaints, contact:

**Email:** help@gapfix.app
**Postal address:** GapFix, Bangalore, Karnataka, India

We aim to respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority — for example, your national data protection authority in the EEA or UK, the California Privacy Protection Agency in California, or the Data Protection Board of India for users in India. You can also reach us through the in-app help options or the contact form at gapfix.app/contact.
Questions?
For any privacy question, request, or complaint, write to us. We respond within 30 days.
Email: help@gapfix.app
Address: GapFix, Bangalore, Karnataka, India