Legal
Privacy Policy
Last updated: June 7, 2026
This policy describes how Implikare collects, uses and protects your personal data, in accordance with Regulation (EU) 2016/679 (GDPR) and French Law No. 78-17 of January 6, 1978 as amended. Our approach in one sentence: we process the strict minimum needed to run the service, you stay in control, and you can exercise your rights at any time.
1. Data controller
Who is responsible for your data
Iliès Mahoudeau, sole proprietor trading under the name “Implikare”, SIRET 942 715 046 00010, 8 rue Georges Lechartier, 35700 Rennes, France. For any question regarding your data or the exercise of your rights: contact@implikare.com.
No Data Protection Officer (DPO) has been appointed to date: appointment is not mandatory in our case (GDPR article 37), as our processing activities are neither large-scale, nor high-risk, nor carried out by a public authority. The contact email above remains the single entry point for all your GDPR requests.
2. Data collected
What we collect and why
Account data
- Email address (mandatory), password hashed with bcrypt (cost 12, never stored in plaintext).
- First name, last name, locale (French or English) — optional.
- Account creation, update and login dates.
- Google identifier (
google_id) if you choose Google sign-in — we never receive your Google password.
Job-search content
- Uploaded CVs (PDF / DOCX files) and data extracted by parsing (education, experience, skills).
- ATS analysis history: CV concerned, offer concerned (snapshot), score, matching and missing keywords, summary.
- AI-rewritten cover letters and CV sentences, kept until you delete them.
- Tracker applications: job title, company, status, dates, personal notes.
Technical data
- IP address (server logs and Redis rate limiting), browser user-agent — kept for 12 rolling months.
- An authentication cookie
refresh_token(httpOnly, Secure, SameSite=Strict, 30-day lifetime). - A LocalStorage entry
consentstoring your choice on the cookie banner (12 months). - Error reports sent to Sentry (page name, technical error message, anonymized session identifier) — legal basis: legitimate interest (maintaining service quality), no prior consent required.
- If you have accepted analytics cookies: PostHog events (pages visited, clicks, conversions) linked to a random identifier
distinct_id, and a session replay. Your CVs, cover letters, profile and email address are never recorded in sessions — see Cookie Policy.
Analytics data (if you consent)
When you accept cookies via the banner, we enable PostHog (EU Cloud) to understand how the service is used: pages visited, interactions, conversions, and session replay. Your CVs, cover letters, profile and email address are masked and never appear in recorded sessions. PostHog is disabled by default and no analytics data is collected before your consent.
Advertising data (if you consent)
Some public pages of the site display advertising through Google AdSense. Dashboard areas and the Boost subscription remain ad-free. Ad serving and the reading of related trackers only trigger after your explicit consentvia Implikare's own cookie banner. Until you consent, no advertising data is collected.
- Technical identifiers set by Google (cookies
__gads,__gpi,IDE,NID) and associated advertising identifiers. - Technical data transmitted to Google for targeting and measurement: IP address, user-agent, URL of the page visited, timestamp, ad interactions (impressions, clicks).
- If personalized advertising is declined, Google serves non-personalized ads relying only on the page context and limited technical data.
You can withdraw your consent at any time via the cookie banner. Trackers are detailed in the Cookie Policy.
3. Purposes and legal bases
Why we process this data
| Processing | Legal basis (GDPR) | Retention |
|---|---|---|
| Account creation and management | Contract performance (art. 6.1.b) | As long as the Account is active |
| Storage and processing of CVs, analyses, letters, rewrites | Contract performance (art. 6.1.b) | As long as the Account is active |
| Billing and Boost subscription (upcoming) | Contract performance + legal obligation (art. 6.1.b and c) | 10 years after last transaction (French Tax Procedure Book art. L102 B) |
| Technical and security logs | Legitimate interest (art. 6.1.f) | 12 rolling months |
| Error reports (Sentry) — service quality monitoring | Legitimate interest (art. 6.1.f) | 90 days (Sentry policy) |
| Product analytics and session replay (PostHog) | Consent (art. 6.1.a) | 12 months after last visit |
| Google AdSense advertising display (personalized or not) on public pages | Consent (art. 6.1.a) | As per AdSense cookie lifetimes (up to 13 months for IDE, 6 months for NID) |
| Transactional emails (email verification, password reset, notifications) | Contract performance (art. 6.1.b) | Account lifetime |
4. Recipients and processors
Who we share your data with
Your data is never sold or transferred to third parties for commercial purposes. It is accessible to Iliès Mahoudeau and, strictly for the needs of the service, to the following processors bound by contracts compliant with GDPR article 28:
| Processor | Purpose | Location |
|---|---|---|
| OVH SAS | Server hosting | France (EU) |
| Cloudflare, Inc. | Object storage (CVs, avatars, backups) | United States — EU bucket (Western Europe) |
| Mistral AI SAS | AI models: ATS analyses, sentence rewriting, profile enrichment | France (EU) |
| Anthropic, PBC | AI models: cover letters, CV generation | United States |
| Stripe Payments Europe Ltd | Boost subscription payment | Ireland (EU) — US sub-processing |
| Sentry (Functional Software, Inc.) | Error monitoring — legitimate interest, no prior consent required | United States (DPF) |
| PostHog Inc. (EU Cloud) | Product analytics and session replay, only with consent | Germany (EU) |
| Google LLC (AdSense) | Ad serving on public pages, only with consent | United States (DPF) |
5. Transfers outside the European Union
Safeguards for EU → US transfers
Cloudflare (storage), Anthropic (AI models for cover letters), Google LLC (AdSense, only with consent) and Sentry (error monitoring) are based in the United States. Transfers to these providers are governed by:
- The Standard Contractual Clauses (SCC) adopted by the European Commission (decision 2021/914), included in the data-processing agreements.
- Certification under the Data Privacy Framework (DPF) EU-US, which establishes an adequate level of protection recognized by the European Commission's adequacy decision of July 10, 2023. Cloudflare, Anthropic, Google LLC and Sentry are all DPF-certified.
For the other processors (OVH, Mistral AI, Stripe Europe, PostHog EU Cloud), processing takes place entirely within the European Union.
6. Your rights
What you can require
Pursuant to GDPR articles 15 to 22, you have the following rights over your data at any time:
- Access — obtain a copy of the data concerning you.
- Rectification — have inaccurate or incomplete data corrected.
- Erasure (“right to be forgotten”) — request deletion of your data, except for legal retention obligations.
- Objection — object to processing based on legitimate interest.
- Restriction — request freezing of processing during a verification.
- Portability — retrieve your data in a structured, machine-readable format.
- Withdrawal of consent — for processing based on consent (notably analytics cookies), at any time and without justification.
- Post-mortem instructions — define what happens to your data after your death.
To exercise a right, contact contact@implikare.com with a way to prove your identity (Account email, or ID document in case of doubt). We commit to responding within one month at most (GDPR article 12.3).
If you believe your rights are not being respected, you can also lodge a complaint with the French Data Protection Authority (CNIL): cnil.fr/fr/plaintes.
7. Security
Technical and organizational measures
We implement measures proportionate to the risk, including:
- Password hashing with bcrypt (cost 12), in line with OWASP recommendations.
- Authentication via signed JWT RS256 tokens (15 minutes for the access token, 30 days for the refresh, with rotation on each use to detect theft).
- Communications encryption in TLS 1.2+, HSTS enabled.
- Security headers (Helmet, CSP, X-Frame-Options, Referrer-Policy).
- Daily database backups, encrypted in transit (TLS) and stored off-site on Cloudflare R2 with 14-day retention.
- Data access limited to what is strictly necessary and restricted to Iliès Mahoudeau.
8. Cookies
See the dedicated policy
The detail of the cookies used, their purpose and how to manage them is described in the Cookie Policy.
9. Browser extension
Data processed by the Chrome extension
If you install the Implikare Chrome extension, the following processing is added to what is described above.
- Session data: after you sign in, the extension stores in your browser's local storage an (opaque) refresh token and a copy of your name and email address, to keep you signed in and show your status in the extension popup. This token can be revoked at any time (sign out from the extension or from your account).
- Application data: when you submit an application on a supported job board (LinkedIn, Indeed, France Travail, HelloWork, Welcome to the Jungle, JobTeaser, La Bonne Alternance), the extension reads, on that offer page, the job title, company name and offer URL, then saves them to your Implikare tracker. No other page, no browsing history and no keystrokes are collected.
- Purpose and legal basis: the sole purpose of this processing is to populate your application tracker (performance of the service, GDPR art. 6.1.b). Data is neither sold nor shared with third parties for advertising.
- Control: no data is transmitted until you sign in. You can delete any application anytime from your dashboard, and uninstalling the extension clears the local session data.
10. Minors
Minimum age of use
The service is open to people aged 15 years or older (article 45 of French Law of January 6, 1978 as amended, which transposes GDPR article 8). Users under 15 must obtain prior consent from the holder of parental authority, who must be able to demonstrate it on request.
11. Changes to the policy
Document evolution
In case of substantial changes to this policy, we will notify you by email at least 30 days before the new provisions enter into force. The last-updated date, shown at the top of this page, prevails to identify the applicable version.