PathFin

Privacy Policy

Last updated: 4 May 2026

This privacy policy explains what personal data Pathfin collects when you use our service, why we collect it, how we protect it, and what rights you have over your data.

We've kept this short and plain. If anything is unclear, email us at hello@pathfin.fi.

1. Who we are

Pathfin is a service that helps people apply for jobs in Finland by generating tailored Finnish-style cover letters and tracking applications. The service is operated by Jan Wanjaini, based in Finland.

For data protection law (GDPR), we are the "data controller" of the data described below.

2. What we collect

When you create an account and use the service, we collect:

  • Account data: Your email address, used for sign-in via magic link. We don't store passwords.
  • Profile data you provide: Full name, location, work permit status, education history, work experience, language skills (with CEFR levels), target job roles, and (optionally) a profile photo.
  • Job application data: Job postings you save (URL, text, or uploaded PDF), parsed job details, application status, deadline, and any notes you write.
  • Generated content: Cover letters we produce for you, including all versions.
  • Usage data: Records of AI calls made on your behalf — which model, how many tokens, cost. Used internally for cost tracking and to enforce free-tier limits.
  • Technical data: Server logs (IP address, request times, errors). Standard for any web service.

We don't collect: payment information until you subscribe (handled by Stripe, which has its own policy), location beyond what you tell us, browsing history, or contacts.

3. Why we collect it

  • To run the service: We need your profile and the job posting to generate a cover letter. We need your email to log you in.
  • To track your applications: So you can see your own list of jobs and statuses.
  • To enforce free-tier limits: The usage data lets us count generations per user.
  • To improve the service: Aggregated usage data (no personal content) helps us understand what works.

We do not:

  • Sell your data to anyone
  • Use your data to train AI models
  • Share your data with employers or recruiters
  • Use it for advertising

4. Where your data is stored

Your data is stored in Stockholm, Sweden (EU), on infrastructure operated by Supabase. The database is encrypted at rest, and all connections use TLS encryption.

5. Who we share data with (sub-processors)

We use a small number of trusted services to operate Pathfin:

  • Supabase (Sweden, EU) — our database and authentication provider
  • Vercel (USA, EU edge) — hosts our application code
  • Anthropic (USA) — the AI provider that generates your cover letters. When you generate a letter, your profile and the job posting are sent to Anthropic. Per Anthropic's commercial API agreement, your data is not used to train models and is retained for a maximum of 30 days for safety and abuse purposes, then deleted.
  • Resend (USA) — sends transactional emails (magic-link sign-in, deadline reminders)
  • Jina AI (Germany) — used only to fetch the public content of job posting URLs you paste; no personal data sent
  • Stripe (Ireland) — payment processing, only when you subscribe

For US-based providers, we rely on the EU–US Data Privacy Framework and standard contractual clauses to ensure GDPR-equivalent protection.

6. How long we keep your data

  • Active accounts: We keep your data for as long as your account is active.
  • Inactive accounts: If you don't sign in for 24 months, we may delete your account and data after notifying you by email.
  • Deleted accounts: When you delete your account, we erase your profile, jobs, and cover letters from our database within 30 days. Some anonymized aggregate data (like total letter counts) may be retained.
  • Anthropic processing logs: Up to 30 days, then deleted by Anthropic.
  • Server logs: 30 days.

7. Your rights under GDPR

You have the right to:

  • Access your data — see exactly what we have about you, via Settings → Export data
  • Correct your data — edit your profile any time in Settings
  • Delete your data — Settings → Delete account permanently removes everything
  • Port your data — download a complete copy in JSON format
  • Object to processing — stop using the service
  • Lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi) if you believe we've violated your rights

You don't need to give a reason. Just exercise the right.

8. Cookies

We use only essential cookies (for keeping you signed in). We do not use advertising or tracking cookies. If we add analytics in the future, we'll ask for your consent first.

9. Security

We protect your data with:

  • Row-level security on the database — each user can only access their own data, enforced at the database layer
  • TLS encryption for all network traffic
  • Encryption at rest for stored data
  • Magic-link authentication, so there is no password to leak

No system is perfect. If we ever discover a breach affecting your data, we'll notify you and the Finnish authorities within 72 hours, as required by law.

10. Children

Pathfin is not intended for users under 18. We don't knowingly collect data from minors.

11. Changes to this policy

If we change this policy materially, we'll notify you by email and update the "Last updated" date at the top. Continued use means you accept the changes.

12. Contact

Questions, requests, or complaints? Email hello@pathfin.fi.