Privacy Policy
Last updated: May 2, 2026
1. Introduction
Vantaso (SMC-Private) Limited, a single-member private limited company registered in the Islamic Republic of Pakistan ("Vantaso," "we," "us," or "our"), operates JobMason. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our platform. By using JobMason, you consent to the practices described in this policy.
2. Information We Collect
We collect the following categories of information:
Information You Provide
- Account information: name, email address, and password when you create an account
- Profile information: professional experience, education, skills, certifications, contact details, and social links you enter to generate application materials
- Job information: job titles, company names, and job descriptions you provide for Mason Pack generation
- Payment information: billing details processed securely through our third-party payment provider (we do not store your full card number)
- Communications: messages you send to us via email or support channels
Information Collected Automatically
- Usage data: pages visited, features used, actions taken, and timestamps
- Device information: browser type, operating system, device type, and screen resolution
- Log data: IP address, referral URLs, and error logs
- Cookies: session cookies for authentication and analytics cookies to understand usage patterns
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and improve the JobMason platform
- Generate tailored application materials (resumes, cover letters, emails, questionnaire answers) from your profile data and job descriptions
- Process payments and manage your subscription
- Send important service notifications (account confirmations, security alerts, billing updates)
- Respond to your support requests and inquiries
- Analyze usage trends to improve our features and user experience
- Prevent fraud, enforce our Terms, and comply with legal obligations
4. Data Sharing and Sub-processors
We do not sell your personal information to third parties. We share your data with vetted sub-processors only as needed to provide the Service. Each is bound by a written data-processing agreement and processes your data on our instructions.
Current sub-processors
- Vercel AI Gateway (USA) - routes AI generation and extraction requests to the model providers below. Receives candidate profile fields, job descriptions, and prompts/outputs in transit.
- Google / Gemini (USA) - primary AI model for resumes, cover letters, emails, Q&A answers, and profile/job structuring. Receives candidate profile fields and job descriptions you submit.
- OpenAI (USA) - content moderation on user-submitted text; fallback AI generation when the primary model is unavailable. Moderation receives text snippets; generation fallback receives profile fields and job descriptions via the gateway. Not used for foundation-model training under the OpenAI API data-use policy.
- Xiaomi / MiMo (China, via gateway) - fallback AI generation when primary and secondary models are unavailable. Receives candidate profile fields and job descriptions.
- Apify (EU / Czech Republic) - LinkedIn job-posting scraping when you submit a LinkedIn job URL. Receives the job URL and returns title, company, and description from the listing.
- Exa (USA) - fetches public page text when you import a profile from a LinkedIn profile URL. Receives the profile URL and returned page text.
- Firecrawl (USA) - scrapes public non-LinkedIn job-posting URLs you submit. Receives the URL and public page content retrieved from it. LinkedIn job URLs are handled by Apify instead.
- PostHog (USA) - product analytics and error/exception tracking. Receives usage events, pseudonymous user identifier, email and name on sign-in, IP address, device/browser metadata, and exception payloads.
- Polar (USA) - payments, subscription management, and invoicing. Receives email, billing/payment metadata, and subscription identifiers.
- Resend (USA) - transactional email (verification, password reset, notifications). Receives recipient email address and message contents.
- Neon (USA / EU) - managed Postgres database hosting. Stores all primary application data.
- Cloudflare R2 (Global) - object storage for profile photos and document assets.
- Vercel (USA) - application hosting, edge delivery, request logs, and observability.
- Better Auth (self-hosted) - authentication library running on our infrastructure (no separate vendor data flow).
- Google (OAuth) - only when you choose to sign in with Google. Receives the standard OAuth handshake data and returns the profile fields you authorize.
- Upstash (USA / EU) - Redis for rate-limiting and ephemeral storage. Receives hashed user / IP identifiers used as rate-limit keys.
An always-current list lives at /policies/sub-processors. We will update this list and notify subscribed customers before adding a new sub-processor that processes personal data.
Other disclosures
- Legal requirements: when required by law, regulation, legal process, or governmental request.
- Business transfers: in connection with a merger, acquisition, or sale of assets.
For business customers requiring a Data Processing Agreement (DPA), see /policies/dpa.
5. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you with the Service. If you delete your account, we will remove your personal data within 30 days, except where retention is required for legal, accounting, or compliance purposes.
Generated application materials (Mason Packs) are stored in your account until you choose to delete them or your account is closed.
6. Data Security
We implement industry-standard security measures to protect your information, including:
- Encryption of data in transit (TLS/SSL) and at rest
- Secure, access-controlled database infrastructure
- Regular security assessments and monitoring
- Strict access controls limiting employee access to personal data
While we take reasonable precautions, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: request a copy of the personal information we hold about you
- Correction: request correction of inaccurate or incomplete data
- Deletion: request deletion of your personal data (subject to legal obligations)
- Portability: request an export of your data in a structured, machine-readable format
- Objection: object to certain processing activities, such as direct marketing
- Withdraw consent: where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, contact us at contact@vantaso.org.
8. Cookies
We use cookies and similar tracking technologies to maintain your session, remember preferences, and (with your consent) measure how you use the Service. Categories and a full list are described in our Cookie Policy. You can change your preferences at any time from the cookie banner.
9. Third-Party Links
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal information.
10. Children's Privacy
JobMason is not directed to children. You must be at least 16 years old to use the Service, and at least 18 (or the age of majority in your jurisdiction) to purchase a paid subscription; you confirm that you meet these requirements when you register, as set out in our Terms & Conditions. Consistent with the U.S. Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under the age of 13. If we become aware that we have collected personal data from a child below the applicable minimum age, we will take steps to delete it promptly.
11. International Data Transfers
Your information may be transferred to and processed in countries other than your own. We ensure that appropriate safeguards are in place to protect your data in accordance with this Privacy Policy and applicable data protection laws.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the revised policy on this page with a new "Last updated" date. For significant changes, we may also send an email notification. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
13. Contact Us
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at contact@vantaso.org.