Privacy policy
Plain-language version. The legal version is identical in meaning, just longer.
Last updated: 2026-05-16
Plain-language version
We hold your account, your CV materials, your applications, your drafts, your diary, your calendar (if connected), and — if you opt in — a one-shot import of your LinkedIn profile data via the LinkedIn Member Data Portability API (3rd Party). That’s it.
We never sell, share, train, advertise, or expose your data. The full negative list is on the Security page.
You can export everything in a zip, anytime, from settings. You can delete everything, anytime, from settings. Deletion is irreversible and cascades through every backing system within 7 days.
We log every access — by you, by us, by any sub-processor. You can see the log in your settings.
We use a small, fully-disclosed list of sub-processors, listed on the Sub-processors page with country and international-transfer basis for each.
If we ever change anything material in this policy, you get an email and a 30-day notice before it takes effect. You can export and delete during the notice window with no friction.
What “personal data” means here
Per GDPR Article 4(1), personal data is any information relating to an identified or identifiable natural person. For Omoikane, that includes your email, your name, your CV content, your application history, your diary entries, your calendar events, and (if you connect LinkedIn) the subset of your LinkedIn profile data described in the LinkedIn Member Data Portability section below.
Legal basis
- Performance of a contract (Art. 6(1)(b)) — for everything required to deliver the career-coaching service you signed up for.
- Legitimate interest (Art. 6(1)(f)) — for security, fraud prevention, and audit logging.
- Legal obligation (Art. 6(1)(c)) — for accounting and tax records.
- Consent (Art. 6(1)(a)) — for the optional calendar integration AND for the optional LinkedIn data import. Both are revocable at any time from your account settings, and the LinkedIn one is also revocable from LinkedIn’s Permitted services panel (see below).
Your rights
Under GDPR you have the right to access, correct, delete, port, restrict, and object. The operational realisation of each of these is in your account settings. If anything is broken or unclear, write to privacy@omoikane.coach and we will respond within 30 days.
You also have the right to file a complaint with your national data protection authority. For the Netherlands, that’s the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
Data retention
| Category | Retention |
|---|---|
| Active account data | As long as you keep the account |
| LinkedIn-imported data | Only for as long as you have authorised the LinkedIn connection AND your account remains active. Deleted within 7 days of either: account closure on Omoikane, account closure on LinkedIn, or revocation of LinkedIn consent (whichever happens first). |
| Audit log | 90 days hot in DB, 12 months in encrypted off-site backup. The audit log records metadata of access (who accessed what kind of record, when, from where) — it does not contain LinkedIn-sourced field values or other PII payloads. |
| Closed account | 7 days for full deletion (the system runs the cascade async) |
| Billing records | 7 years per Dutch fiscal law (AWR Art. 52); we rely on Stripe as the system of record. The retention obligation is ours; Stripe is the storage mechanism. |
Security
- Transport. All HTTPS endpoints serve TLS 1.2 or higher (TLS 1.3 by default), with HSTS, certificate pinning at the edge, and modern ciphers only.
- At rest. All databases are encrypted at rest; backup archives are encrypted with
age+sopsbefore leaving the host. - Access. Production access is RBAC, least-privilege, MFA-mandatory; every access is logged in the audit trail you can read from your account settings.
- Detection. We run our own log aggregation, intrusion-detection rules, and rate-limiting at the edge.
- Breach notification. If we become aware of a personal-data breach affecting your data, we notify you within 72 hours as required by GDPR Art. 34. For breaches involving LinkedIn-sourced data we additionally notify
security@linkedin.comwithin 24 hours per the LinkedIn API Terms of Use. - No pen-test partner brand to drop here yet — when one is engaged, it will appear on the Sub-processors page.
Things we explicitly do NOT do
- We do not use Omoikane data — including LinkedIn-imported data — to make or inform decisions about credit, insurance, employment eligibility, housing, immigration, or any other consequential third-party determination.
- We do not infer, store, or trade on protected categories (race, ethnicity, religion, political opinion, trade-union membership, sexual orientation, gender identity, disability, health, biometric or genetic data).
- We do not train any model — ours or anyone else’s — on your data.
- We do not target advertising.
- We do not disclose your data to recruiters, employers, or any third party except the strictly-named sub-processors on our Sub-processors page.
- We do not use Google Analytics, GTM, Facebook Pixel, Mixpanel, Segment, or any commercial analytics vendor. The aggregate page-view count we keep comes from a self-hosted, cookieless Umami instance on a domain we own — details on the Cookie policy page.
Children
Omoikane is intended for users 18 and older, or for users with the explicit consent of a parent or guardian. We do not knowingly collect personal data from anyone under 18 without that consent.
We enforce this at sign-up: the first time you complete OIDC sign-in, the app blocks the rest of the workspace behind a one-time age-confirmation gate. The gate stores a single timestamp on your account — we do not ask for, collect, or store your date of birth, government ID, or any other age-related document.
If you are a parent or guardian and believe a minor has provided us with personal data without your consent, please contact us at privacy@omoikane.coach and we will delete it.
LinkedIn Member Data Portability
Omoikane integrates with the LinkedIn Member Data Portability API (3rd Party) under the EU Digital Markets Act (Regulation (EU) 2022/1925). The (3rd Party) variant means Omoikane offers this integration to its own customers — not just to one developer for personal use. The integration is optional and can be revoked at any time.
What we request
When you choose to connect LinkedIn, you authorise Omoikane to request a one-shot snapshot of the following Member Data Portability domains from your LinkedIn profile:
- Account history (work history, education, certifications, skills)
- Profile content (headline, summary, location, languages)
- Posts and articles you authored (text only — used only as voice samples for cover-letter drafting; never re-published)
We do not request: connections list, messages, search history, ad-engagement, payment data, or any field outside the explicit list above.
Why we request it
A career coach needs to know your work history, education, skills, and writing voice to draft a CV / letter / email tailored to a specific posting. Importing from LinkedIn is faster and less error-prone than asking you to re-type or PDF-upload everything. The data is used only to ground the AI drafts (every claim cited to its source) — never to message anyone, never to inform recruiters, never to train models.
How LinkedIn-imported data flows to our LLM provider
Drafting requires sending the relevant subset of your imported posts and CV-equivalent fields to Anthropic Claude (our LLM provider — see Sub-processors) as part of the prompt. The subset is selected per-draft by our server-side retrieval layer (we send only what the model needs to produce that one draft, not your whole imported corpus). Anthropic’s API processes the prompt and returns the draft; Anthropic does not retain prompts beyond the request, does not train any model on the data, and is contractually bound by EU Standard Contractual Clauses for any US-region traffic. The transferred subset is the same data flow whether you uploaded a CV PDF or imported from LinkedIn — there is no LinkedIn-specific deviation in how we route it.
How we store it
LinkedIn-imported data is stored in our primary application database (a YugabyteDB cluster — Postgres-protocol distributed SQL, replicated 3x across our gigahost.no Norway hosts and a Leiden DMZ witness — see Sub-processors for hosting locations). At-rest encryption is enabled on all replicas. Transit between hosts is via IPsec. Vector embeddings of your data live in Qdrant on the same infrastructure. Per the Security page, TLS protects every leg of the data path.
How long we keep it
See Data retention above. The short version: only while your LinkedIn connection is authorised AND your Omoikane account is active.
LinkedIn’s OAuth implementation expires the Portability access token automatically 12 months after authorisation, meaning Omoikane must obtain fresh consent from you to continue the integration past one year. If you do not re-consent within 7 days of token expiry, our system treats it as a revocation and runs the deletion cascade. We do not silently extend, and we do not retain LinkedIn-imported data past expiry without your fresh consent.
Per LinkedIn DMA Portability API Terms §3.1, deletion begins immediately upon your request — by revoking the connection from your Omoikane settings, or by closing your Omoikane account: the data is removed from active production systems (database, vector store, AI-generated drafts that referenced the imported data) within minutes, and the cascade through replicas, encrypted backups, and audit-log archive markers completes within 7 days. No LinkedIn-imported data remains queryable by Omoikane or any sub-processor past the immediate-removal step.
When a deletion trigger reaches us asynchronously from LinkedIn’s side (you revoke from LinkedIn’s Permitted services panel, you close your LinkedIn account, or the OAuth grant expires without renewal), the same cascade runs from the moment we detect the signal: immediate removal from production, full cascade complete within 7 days.
How to revoke
You can revoke the LinkedIn connection from two places, and either is sufficient:
- From Omoikane — Settings → Integrations → LinkedIn → Disconnect
- From LinkedIn — Profile photo (Me) → Settings & Privacy → Data Privacy → Other applications → Permitted services → remove Omoikane.Coach
Revoking from either side triggers immediate removal of all LinkedIn-imported data from production systems, with the full cascade through replicas, encrypted backups, and audit-log archive markers completing within 7 days.
Display of imported data
Per LinkedIn DMA Portability API Terms §2.1, we make no claim that LinkedIn has “verified” or “confirmed” the accuracy of any imported data. When we display LinkedIn-imported fields back to you, or use them in a draft, we present them as data you provided to LinkedIn — surfaced via the portability channel — and you remain the source of truth.
Compliance commitments
Omoikane processes LinkedIn data under, and acknowledges:
- The LinkedIn API Terms of Use (linkedin.com/legal/l/api-terms-of-use)
- The LinkedIn DMA Portability API Additional Terms (linkedin.com/legal/l/portability-api-terms)
- The LinkedIn BD Data Processing Agreement (legal.linkedin.com/bd-dpa) incorporated by reference into the DMA Portability Terms via §3.3 thereof
Controller/processor characterisation
For the LinkedIn-imported data subset, Omoikane acts as the sole data controller in the GDPR sense once the data leaves LinkedIn under the user’s portability right (Art. 20 GDPR / DMA Art. 6(9)). LinkedIn is the source channel and remains controller for the data they continue to hold on you.
We acknowledge that the LinkedIn BD Data Processing Agreement, which the DMA Portability Terms incorporate by reference, places a number of processor-style obligations on the receiving party regardless of the formal controller/controller framing — including (i) industry-standard security obligations, (ii) 24-hour breach notification to LinkedIn, (iii) cooperation with audit requests, and (iv) sub-processor disclosure. We treat those obligations as binding on Omoikane and have built them into our security posture, our breach-response playbook (see Security above), and the Sub-processors register. The sole-controller framing applies to the GDPR-rights side (you exercise GDPR rights against us, not against LinkedIn, for the imported subset); the BD DPA framing applies to the technical-security and breach-cooperation side.
Voice samples (paste, file upload, optional Gmail import)
Beyond the LinkedIn import described above, Omoikane lets you contribute voice samples — pieces of writing in your own voice (cover letters, blog posts, sample emails, posts) — to help the letter-coach mirror your natural register instead of producing generic AI output.
You upload voice samples via copy-paste, file upload (.txt / .docx / .pdf / .rtf / .eml / .md), or — only when you opt in at the moment of import — a one-shot drag from Gmail (Gmail’s incremental-auth flow grants gmail.readonly for the duration of that import dialog only; revoked the moment the dialog closes). Tika (runs on Omoikane infrastructure — no third-party sub-processor) extracts plain text from binary files; we store the extracted text plus the original file in our object store (Sub-processors for hosting locations).
Voice samples are subject to the same retention, deletion, and breach-notification rules as the rest of your account data. They are sent to your LLM provider only as part of the prompt grounding for letter / email drafts (alongside the matching posting and your CV); never published, never shared with recruiters, never used for any purpose outside drafting your own applications.
Reply tracker (per-application CC alias)
When you send an application email through Omoikane, we offer to CC a per-application alias address (app-<token>@omoikane.coach) so replies from the recruiter land back in your application-tracker view inside Omoikane instead of getting buried in your personal inbox. The tracker is opt-in per application — default ON, with a toggle on the email-coach preview to turn it off per draft.
The alias rotates per application. Replies arrive at our Protonmail-bridge inbound infrastructure (Sub-processors for the mail layer), get parsed for the alias token, and posted back into your application’s inbound thread within the Omoikane workspace. We do not use inbound replies as training data, do not forward them to third parties, do not auto-reply on your behalf without your explicit click-through.
You can disable the tracker on a per-application basis (toggle off at draft time) or globally (Settings → Integrations → Reply tracker). Disabling globally rotates and invalidates every active alias.
Diary at-rest encryption (per-user envelope key)
The diary feature uses per-user envelope encryption for body text at rest. Each account gets a unique data-encryption key (DEK) generated at signup. The DEK is wrapped (encrypted) with our operator-held key-encryption key (KEK), which is sops-encrypted at rest in our infrastructure secrets bundle. The wrapped DEK is stored alongside your user record; the plaintext DEK never persists.
When you read your own diary entries via the Omoikane UI, the wrapped DEK is unwrapped server-side, used to decrypt the entries, then dropped from memory. Operator access to your diary requires going through an audited route (/admin/users/:id/diary) that writes an entry to the operator_actions audit log before any decryption. You can see this audit log from your account settings.
This pattern is intentional: even an attacker who obtains a database snapshot cannot read diary bodies without also obtaining the operator KEK from sops; even an operator (with KEK access) cannot read a diary entry without leaving an audit-log trace you can see.
Bring Your Own Model (BYOM) + per-provider data residency
Omoikane’s default tier is BYOM-Free: you bring your own LLM API key from one of seven supported providers and we route your AI requests through your account, so the LLM cost lands on your bill (typically $0–$5/month for active job-search use). Your API key is stored encrypted with the same Fernet + operator-held KEK pattern described under Diary at-rest encryption above.
When you supply a BYOM key, your CV / posting / coaching / draft data is sent to your chosen provider’s API per the provider’s own privacy policy (not Omoikane’s). At provider-add time, we surface a clear data-residency banner so you can make an informed choice:
| Provider | Data residency |
|---|---|
| Anthropic Claude | United States |
| OpenAI | United States |
| NVIDIA NIM | United States |
| Mistral | European Union |
| DeepSeek | People’s Republic of China |
| Ollama Cloud | provider-stated (per their documentation) |
openai_compatible (custom endpoint) | user-verified — you set the base URL |
Omoikane’s ai_audit log records the provider, model, surface (gate / cv / letter / email), token counts, and our cost imputation (for budget-cap enforcement); it does not record the message bodies sent upstream. The provider’s own privacy policy governs what they do with those bodies.
If you’d rather we route AI calls through our managed pool (so Omoikane pays the LLM cost, not you), choose Managed-Lite or Managed-Pro in /profile/tier. Those tiers route through Anthropic Claude as our managed provider; data residency is United States.
You set monthly budget caps per provider in /profile/ai-budget. We enforce a hard block at 100% of your cap and never silently fall back to our operator-paid LLM keys when a BYOM key fails — that would surprise-charge our account on a tier where you are meant to pay. Failed BYOM requests return a structured error and surface a banner in your workspace.
Controller and contact
Controller: Omoikane.Coach (sole-trader registered in Amsterdam, the Netherlands). General contact: privacy@omoikane.coach Data protection contact: privacy@omoikane.coach. Under GDPR Art. 37 a sole-trader at our scale is not required to appoint a formal Data Protection Officer (no large-scale systematic monitoring, no large-scale special-category processing); we have therefore designated a data protection contact who handles GDPR requests, breach response, and supervisory-authority liaison. We will appoint a formal DPO if/when our processing scale crosses the Art. 37 threshold and will notify you here. Postal address: Available on request via privacy@omoikane.coach — sole-trader registered in Amsterdam, the Netherlands.
Changes to this policy
If we change anything material in this policy you get an email at least 30 days before the change takes effect, and a complete diff of what changed. You can export and delete during the notice window without friction. Non-material changes (typo fixes, link updates, restructuring without semantic change) take effect immediately and are reflected in the Last updated timestamp at the top of this page.