Nxtreach

Privacy Policy

Last updated: 24 April 2026

1. Introduction

Nxtreach ("we", "us", or "our") is committed to protecting your personal information. This Privacy Policy explains what data we collect, how we use it, how we protect it, and your rights regarding it — in plain language.

This policy applies to the Nxtreach web application, the Nxtautofiller browser extension, and all related services.

2. Data We Collect

We collect the following categories of data:

2.1 Account Data

  • Full name and email address (at signup)
  • Profile details you provide: phone number, location, skills, work experience, education, target roles, salary expectations
  • Resume and cover letter content you create or upload
  • Profile photo (optional)

2.2 Usage Data

  • Jobs you viewed, saved, or applied to
  • AI credits consumed per session
  • Application status updates (applied, interview, offer, rejected)
  • Feature interactions (which tools you use, how often)

2.3 Extension Data

  • Portal session tokens stored locally in chrome.storage.local — never transmitted to our servers
  • Job listings scraped from portals you visit (sent to our servers to build your job feed)
  • Form fields auto-filled on your behalf (not stored beyond the session)

2.4 Technical Data

  • IP address, browser type, device type
  • Error logs and crash reports (via Sentry) — PII is scrubbed before transmission
  • Session cookies for authentication (HttpOnly, Secure, SameSite=Lax)

2.5 Payment Data

We use Razorpay for payment processing. We do not store your card number, CVV, or bank details. We only store: plan type, billing period, and transaction IDs provided by Razorpay.

2.6 Email Data (Optional — Explicit Consent Required)

If you choose to enable the Job Status Monitor feature, Nxtreach reads a narrow subset of your email inbox to automatically detect job application status updates. Specifically:

  • We access only emails that match job-application patterns (sender domains of employers and portals; subject-line keywords such as "interview", "offer", "application received", "next steps").
  • Personal correspondence, financial emails, newsletters, and all other emails are never accessed.
  • Raw email body text is never stored on our servers. Only the extracted status signal (e.g., "Interview — 28 May 2026") is saved to your Application Tracker.
  • We use OAuth 2.0 with read-only scope. We cannot compose, send, or delete emails on your behalf.
  • You can revoke email access at any time from Settings → Connected Accounts. Revocation immediately terminates all inbox access.

This feature is entirely opt-in. It is never enabled by default. You will be shown a clear permission dialog before any email access is granted.

3. How We Use Your Data

We use your data to:

  • Provide and personalise the Service (job matching, resume tailoring, auto-fill)
  • Authenticate your identity and secure your account
  • Process payments and manage subscriptions
  • Send transactional emails (signup confirmation, password reset, billing receipts)
  • Send service emails (trial expiry warnings, weekly job digest) — you can opt out in Settings
  • Detect and prevent fraud, abuse, and security incidents
  • Automatically detect job application status updates from your inbox (only if you opt in to the Job Status Monitor feature)
  • Improve the Service through aggregated, anonymised analytics
  • Comply with legal obligations

We do not sell your personal data to third parties. We do not use your resume content or job applications for advertising purposes.

4. Data Sharing

We share your data only with:

  • Appwrite — database, authentication, and file storage provider
  • Razorpay — payment processing (name, email, phone for billing)
  • Google (Gemini AI) — AI text generation; your resume/job data is sent to generate responses. Google's data retention policies apply.
  • Sentry — error tracking; PII is scrubbed before events are sent
  • Law enforcement — only when required by a valid legal order

5. Data Retention

  • Active accounts: Data is retained as long as your account exists.
  • Deleted accounts: Personal data is purged within 30 days of account deletion. Anonymised, aggregated data (usage statistics) may be retained longer.
  • Backups: Data in encrypted backups is purged within 90 days.
  • Extension storage: Portal session tokens in chrome.storage.local are stored only on your device and can be cleared via the extension popup at any time.

6. Cookies and Tracking

We use the following cookies:

  • Session cookie (a_session_*) — HttpOnly, Secure, SameSite=Lax. Required for authentication. Expires after 30 days of inactivity.
  • Onboarding cookie (nx_ob) — Tracks whether onboarding is complete. No PII.
  • Verification cookie (nx_ev) — Tracks email verification status. No PII.

We do not use advertising cookies, cross-site tracking cookies, or third-party analytics cookies that identify you personally.

7. Security

We implement industry-standard security measures including:

  • All data in transit encrypted via TLS 1.2+
  • Session tokens stored in HttpOnly cookies (not accessible to JavaScript)
  • Passwords hashed using bcrypt — we never store plaintext passwords
  • Payment data never touches our servers (handled by Razorpay under PCI-DSS)
  • Admin access restricted by role-based access control
  • Extension portal tokens stored only in encrypted chrome.storage.local on your device

8. Your Rights

Under applicable data protection laws (including India's DPDP Act and GDPR where applicable), you have the right to:

  • Access: Request a copy of your personal data
  • Correction: Update inaccurate data from your profile settings
  • Deletion: Delete your account and all associated data from Settings → Account → Delete Account
  • Portability: Export your resume and profile data (available in Settings)
  • Opt-out: Unsubscribe from marketing emails via the unsubscribe link or Settings → Notifications

To exercise any right not covered by self-service settings, email privacy@nxtreach.tech. We will respond within 30 days.

9. Children's Privacy

The Service is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or a prominent notice on the Service at least 14 days before the change takes effect. Continued use after the effective date constitutes acceptance.

11. Contact Us

For privacy questions, data requests, or concerns, reach our Data Protection contact at: privacy@nxtreach.tech