Privacy Policy
How nxtleap collects, uses, shares, and protects your personal data — including how your career content is processed by AI.
Version 1.0 · Last updated 10 June 2026
This Privacy Policy explains how nxtleap (“nxtleap”, “we”, “us”, or “our”), a service operated by [Legal Entity Name Pvt. Ltd.], a company incorporated in India ([CIN], registered office at [Registered Office Address]), collects, uses, shares, and protects your personal data when you use our website at nxtleap.in, our applications, our browser extension, and related services (together, the “Services”).
nxtleap is a career-memory platform: you capture your achievements, we help you turn them into tailored resumes, and we surface and track job opportunities. Doing this well means handling sensitive information about your work and education history, so we treat your privacy as core to the product, not an afterthought.
For the purposes of India's Digital Personal Data Protection Act, 2023 (the “DPDP Act”), nxtleap is the Data Fiduciary that determines the purpose and means of processing your personal data. If you are in the EU/UK, we act as a “controller” under the GDPR.
We may update this Policy as our product, our partners, and the law evolve. When we make material changes we will notify you by email and/or an in-app notice and update the “Last updated” date above. Your continued use of the Services after an update means you accept the revised Policy. Please also read our Terms & Conditions.
1. Who we are and scope
This Policy applies to all users of the Services worldwide. Where a specific national or state law gives you additional rights — for example the DPDP Act (India), the GDPR (EEA/UK), or the CCPA/CPRA (California) — the relevant section below describes those rights and they apply to you in addition to the rest of this Policy.
If you access the Services on behalf of an organisation, you do so under that organisation's authority and this Policy applies to you individually as a user.
2. Information we collect
We collect the following categories of personal data:
a) Account and authentication data. Your name, email address, and password (stored only as a salted hash, never in plain text). If you sign in with Google or LinkedIn, we receive basic profile information (such as name and email) from that provider to create or access your account. If you join via an invite, we process the email and the magic-link token used to sign you in.
b) Profile data. Information you add to your profile, such as your professional headline, location, phone number, pronouns, work-authorisation status, profile photo, links you choose to add (e.g. GitHub, LinkedIn, personal website), and the dates you indicate you are open to opportunities.
c) Career content. The heart of the Services. This includes free-text “brain-dump” entries you write; the individual achievements (“activities”) we extract from them; your work and education history (companies, roles, institutions, dates, degrees); metrics, context and outcomes you provide; the resumes, bullet points, summaries, and skills you create or generate; and job descriptions you paste in to tailor a resume.
d) Job and opportunity data. Opportunities you save, add manually, or that are captured by the nxtleap browser extension from sites you visit (such as job postings and recruiter messages on LinkedIn), including company, role, location, salary, recruiter contact details you record, your notes, and the stage you move each opportunity to.
e) Communications and preferences. Messages you send us, your email-notification preferences (product updates, digests, security alerts), and your language and theme preferences.
f) Device and usage data. Limited technical and usage information collected automatically when you use the Services — for example performance metrics and aggregate page-view/route data via Vercel Analytics and Vercel Speed Insights. See “Cookies, analytics & local storage” below.
Stored only on your device: your theme preference, your authentication tokens, and — if you use the optional Bring-Your-Own-Key (BYOK) AI feature — your AI provider API key are kept in your browser's local storage. Your BYOK key is never transmitted to or stored on nxtleap's servers.
3. How we use your information
We use your personal data to:
- Provide, operate, and maintain the Services — including building your activity bank, generating and tailoring resumes, and powering the opportunity radar;
- Power AI features you choose to use (see the dedicated section below);
- Create and secure your account, authenticate you, and prevent fraud and abuse;
- Communicate with you about the Services, including transactional emails (verification, password reset, magic links) and — per your preferences — product updates and digests;
- Understand and improve the Services, fix bugs, and measure performance and reliability;
- Comply with legal obligations and enforce our Terms & Conditions.
We do not sell your personal data, and we do not use your account or career content for third-party advertising.
4. AI features and how your data is processed by AI
Several features use artificial intelligence to help you, including: turning your brain-dump into structured achievements; suggesting questions to quantify your impact; parsing job descriptions; ranking and rewriting your achievements to fit a specific role; auditing resumes (recruiter, ATS, and strategic reviews); and generating professional summaries and skills sections.
To provide these features, the relevant content you submit (such as your achievement text, resume content, and the job descriptions you paste) is processed by our systems and may be sent to trusted third-party AI/LLM providers solely to generate the output you requested. We require these providers to maintain appropriate security and confidentiality safeguards and to use your data only to provide the service to us.
We do not use your personal documents or career content to train general-purpose AI models for other users. Your content is processed to generate output for you, not to build models that benefit anyone else.
Optional on-device and BYOK options. Some features can run using Chrome's built-in on-device AI (Gemini Nano) or your own API key (BYOK). When you use these, the relevant content is processed on your device or sent directly to your chosen AI provider under that provider's terms — it is not routed through nxtleap's servers for that operation, and your API key stays in your browser.
AI output may be inaccurate. AI can produce content that is incorrect, incomplete, or out of context. You are responsible for reviewing and verifying any AI-generated content — and ensuring it is truthful — before you use it. AI features do not guarantee any interview, job offer, or employment outcome. See the AI disclaimers in our Terms & Conditions.
7. Legal bases for processing
Under the DPDP Act, we process your personal data based on the consent you give when you create an account and use features, and for certain legitimate uses permitted by the Act. You can withdraw consent at any time (see “Your rights” below); withdrawing consent does not affect processing already carried out.
If the GDPR applies to you, our legal bases are: performance of a contract (to provide the Services you request); consent (e.g. for optional communications and certain AI processing); our legitimate interests (to secure, maintain, and improve the Services), balanced against your rights; and compliance with legal obligations.
8. Data retention and deletion
We keep your personal data for as long as your account is active or as needed to provide the Services. You can edit or delete content within the Services, and you can request deletion of your account.
We recommend you export any resumes or data you want to keep before deleting your account, as deletion is permanent. After deletion or after your consent is withdrawn, we will delete or anonymise your personal data within a reasonable period, except where we must retain certain records to comply with legal, accounting, or security obligations, or to resolve disputes and enforce our agreements.
9. Data security
We use technical and organisational measures designed to protect your personal data, including encryption in transit, access controls, and hashed passwords. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security. Please keep your account credentials confidential and notify us promptly if you suspect unauthorised access.
10. International data transfers
nxtleap is based in India and uses service providers that may process data in other countries. This means your personal data may be transferred to, and processed in, countries other than the one you live in, which may have different data-protection laws. Where we transfer personal data internationally, we take steps to ensure it remains protected — for example, for transfers of EEA/UK data we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.
11. Your rights and choices
a) India (DPDP Act). As a Data Principal, you have the right to: access a summary of your personal data and how it is processed; request correction, completion, updating, or erasure of your personal data; nominate another individual to exercise your rights in case of death or incapacity; readily access a means of grievance redressal; and withdraw your consent at any time. To exercise these rights, contact our Grievance Officer (below).
b) EEA / UK (GDPR). You have the right to access, rectify, erase, restrict, or object to processing of your personal data, and the right to data portability. Where processing is based on consent, you may withdraw it at any time. You also have the right to lodge a complaint with your local supervisory authority.
c) California (CCPA/CPRA). You have the right to know what personal information we collect and how we use and disclose it; to request access to and deletion of your personal information; to correct inaccurate personal information; and to opt out of any “sale” or “sharing” of personal information. We do not sell or share your personal information as those terms are defined under California law. We will not discriminate against you for exercising your rights.
You can exercise many choices directly in the Services — update your profile and content, change your email preferences in Settings, or delete your account. To make a formal request, email us using the contact details below. We will verify your identity before acting and respond within the timeframes required by applicable law.
12. Children's privacy
The Services are intended for users aged 18 and over and are not directed to children. We do not knowingly collect personal data from children. Where the DPDP Act or other law requires verifiable parental consent for processing a child's data, we will not process such data without it. If you believe a child has provided us personal data, please contact us and we will take appropriate steps to delete it.
13. Personal data breach notification
If a personal data breach occurs that affects your data, we will notify the relevant authorities — including the Data Protection Board of India under the DPDP Act, and any supervisory authority required under the GDPR — and affected users, in the manner and within the timeframes required by applicable law.
14. Grievance Officer & data-protection contact
In accordance with the DPDP Act and applicable rules, you can reach our Grievance Officer with any questions or concerns, or to exercise your rights:
- Grievance Officer: [Name], [Designation]
- Email: grievance@nxtleap.in
- Postal address: [Registered Office Address]
We will acknowledge and address grievances within the timeframes required by applicable law.
15. Changes to this Policy
We may revise this Policy from time to time. When changes are material, we will notify you via email and/or an in-app notice and update the version and “Last updated” date above. Earlier versions are superseded on the effective date of the new version. We encourage you to review this Policy periodically.
16. Contact us
For privacy questions or requests, email privacy@nxtleap.in. For general support, email support@nxtleap.in. You can write to us at [Legal Entity Name Pvt. Ltd.], [Registered Office Address].