ApplyOnion Privacy Policy - Your Data Stays Local
Last Updated: May 6, 2025
Local Storage
Your resume and application data stays safely in your browser
No Tracking
We don't track your browsing or monitor your activity
Minimal Data
We collect only what's needed for the service to function
At ApplyOnion, your privacy is paramount. We designed our service with a privacy-first approach, ensuring your sensitive job application data stays under your control.
Information We Do Not Collect or Record
We want to be crystal clear: ApplyOnion does not collect, store, or transmit the sensitive content of your job applications to our servers. Furthermore, the extension does not record or monitor your general browsing activity, keystrokes, or screen content. Its operation is strictly limited to assisting with job application forms based on information you explicitly save locally.
This non-collected data includes:
- ✕ Your Resume content and details
- ✕ Your Cover Letter text
- ✕ Specific details about job descriptions or application fields you fill
- ✕ Any other personal documents managed via the extension
Your Data Stays Local: In Your Browser
To function, ApplyOnion stores your resume details, cover letter templates, and related application info directly in your browser's local storage mechanisms, primarily `localStorage` and potentially `IndexedDB` for more complex data structures.
This explicitly includes sensitive information such as the full content of your resumes, cover letters, and any visa-related information you save within the extension. All this data is managed and contained entirely within your own browser environment.
Your browser is your database
This data never leaves your device and is not sent to us. You maintain full control.
`localStorage.setItem('resume', '...'); // Data stays in YOUR browser`
Information We Collect (Minimal)
We collect the absolute minimum necessary for the Service to function securely and reliably:
Email Address
For account creation, login, essential communication, and password recovery.
Authentication Tokens
Secure tokens for session management and access to features.
Basic Usage Analytics (Optional & Anonymized)
To improve ApplyOnion, we may collect aggregated and anonymized statistics. Examples include:
- Account creation timestamps (without linking to specific email activity beyond the creation event itself)
- The frequency of API endpoint usage (e.g., how often a specific AI feature like 'resume tailoring' is invoked)
- General feature popularity
Important: This data is always anonymized, not linked to your personal identity or the content you process, and is used solely for understanding service usage trends and improving our offerings. These anonymized statistics are typically retained for a period of up to 90 days, after which they are deleted or further aggregated into historical trend data.
No other personal data is collected.
How We Use Your Information
The limited data we collect (email, tokens) is used solely for:
Data Security
We implement industry-standard security measures to protect the email and token data we handle. However, no online service is 100% secure. Your local data's security also depends on your device and browser security. Our server-side security for the minimal data we do store is detailed in a dedicated section.
Data Retention
We keep your email and token data only while your account is active. You can delete your account anytime, removing this data from our active systems (subject to legally required archives). Locally stored data remains until you clear browser data or uninstall the extension.
Third-Party Services
We don't share your email with third parties for marketing. Essential service providers (like hosting) may process data but are obligated to protect it and use it only for the service provided to us.
Changes to This Policy
We may update this policy. Significant changes will be posted here with an updated date. Continued use signifies acceptance.
Contact Us
privacy@trustxmail.com
Data Interaction with Our AI Model (Ollama)
To provide AI-powered features, such as resume tailoring, ApplyOnion interacts with a self-hosted Large Language Model (LLM) powered by Ollama. Here's how we handle your data in this process:
Data Transmission & Processing:
When you use an AI feature, relevant data (e.g., parts of your resume and job description) is sent to our server to interact with the Ollama LLM. While the LLM requires plaintext input to function, all data transmission between your browser and our server is encrypted using HTTPS. The data sent is processed anonymously in the context of the AI task; it is not linked to your user account in the AI processing logs (see "Logging Policy" below).
Data in Memory (RAM):
Ollama processes data in our server's memory (RAM). We acknowledge that if a server were compromised at a very sophisticated level, data in RAM could theoretically be accessed. We mitigate this risk through a multi-layered security approach for our server (detailed in "Server Security & Logging Practices"), including a hardened operating system (Debian Linux), secure reverse proxy (Caddy), and network firewalls. While no system can be 100% immune, these measures provide robust protection. Given our current scale and the nature of the data, we believe these standard, robust security practices are appropriate and continually monitored.
No Logging of AI Interactions:
Crucially, we do not log the prompts sent to, or the responses received from, the Ollama LLM in connection with your specific AI requests. Our focus is on providing the AI service, not retaining the content of these interactions.
Server Security & Logging Practices
We take the security of our infrastructure seriously to protect the minimal data we handle and the integrity of our AI services.
Server Environment:
Our servers run on Debian Linux, a stable and security-conscious operating system. We utilize Caddy as our reverse proxy, which is known for its security features and automatic HTTPS. Standard security measures such as firewalls, strong password policies, and regular software updates are in place to protect server access and integrity.
Logging Policy:
We maintain a strict no-logging policy for user-specific content, prompts, or AI-generated responses.
The Caddy reverse proxy generates default HTTPS request logs. These logs are stateless and do not contain any personal data or content from your requests. They typically include metadata such as:
- Timestamp of the request
- The API endpoint accessed (e.g., `/api/tailor-resume`)
- HTTP status code (e.g., 200 OK, 404 Not Found)
- Originating IP address (standard for web server logs, used for security monitoring and abuse prevention)
This metadata is essential for monitoring server health, diagnosing issues, and ensuring security. These logs are periodically reviewed for operational purposes and are subject to retention policies designed to minimize storage of non-essential data.
Our Commitment to Code Quality & Future Transparency
We believe that robust security and privacy practices are built on a foundation of quality software development.
Code Development and Review:
Our backend services are developed with a focus on simplicity, security, and reliability. The codebase is carefully written and reviewed. While we leverage modern tools for UI development, the backend logic that handles data and AI interactions is structured and methodically implemented. We write unit tests to verify the correctness of our functions and ensure the stability of our services.
Open Source Status:
Currently, the ApplyOnion codebase is not open source. We understand the value of open source for transparency and community collaboration, and it is something we may consider in the future as the project matures.
Future User Control & LLM Flexibility:
We appreciate the desire for greater user control over data, including the possibility of using personal LLM API keys (e.g., OpenAI, Gemini) or connecting to a user's own Ollama setup. Our current approach of using a self-hosted Ollama instance is designed to provide a seamless experience for all users, especially those less familiar with setting up complex AI infrastructure, and is practical for our current user base.
As ApplyOnion evolves and based on user feedback, we are open to exploring options for greater LLM flexibility. This would require careful consideration of security, privacy, and user experience to ensure that any integration with third-party LLMs maintains our commitment to data protection.