Privacy Policy

JobWillow is a two-sided hiring marketplace built for college students and local employers, launching in Knoxville, Tennessee. We operate jobwillow.com.

Contact: privacy@jobwillow.com

Account information

• Your name, email address, and password (stored as a one-way hash)
• Your date of birth. We use it to confirm you are at least 18 at account creation (a requirement under our Terms of Service). It is stored on your account, treated as sensitive personal information, and is not shown on your candidate or employer profile.
• For employers: company name, location, industry, website, and the first name, last name, work email, and phone number of an internal contact person at the company.
• Two-factor authentication is available on every account. If you enroll, we store an encrypted TOTP secret and one-time recovery codes (hashed).

Candidate profile information

• University, major, and (optionally) graduation year and GPA
• Work authorization status
• Skills selected from our curated vocabulary
• Resume content (work experience, projects, clubs, volunteering, writing samples), avatar, and resume PDF uploads. When you upload a resume PDF, we parse it on our own servers to suggest fields (skills, education, contact info) for you to confirm. The parsing is in-process and the PDF contents are not sent to any third party for parsing.
• Demographic information (optional, voluntary, used only in aggregate; see Section 5)

Employer profile information

• Company logo, description, and industry
• Posted listings, custom questions, scorecard templates, talent pools

Employer-submitted intern testimonials

• Employers may publish testimonials on their profile that include intern names, role titles, the season or dates of the internship, an optional photo, and a quoted description of the experience. This content is submitted by the employer and is not verified by JobWillow. Testimonial sections are labeled “Shared by the employer” so candidates understand the source.
• If you are named or pictured in a testimonial on JobWillow, even if you do not have a JobWillow account, you can request removal by emailing privacy@jobwillow.com. We will remove the testimonial promptly and without requiring you to explain why. We do not arbitrate factual disputes between you and the employer about what was said; the removal path is unconditional.

Application and messaging data

• Which listings you applied to and their status over time
• Messages exchanged between candidates and employers
• Interview scheduling, scorecard data, and offer terms
• If an employer initiates a background check through the platform, we store the status the employer records (pending, completed, clear, flagged) and which provider was selected. We do not run the check itself and do not receive the underlying report. See §11 of the Terms of Service.

References you provide

• Candidates may add references to their profile. For each reference we collect the name, email, phone (optional), title, organization, and relationship that the candidate enters.
• We send each reference a confirmation email so they can confirm (or decline) being listed. Unconfirmed references are automatically deleted after a fixed retention window.
• When a candidate submits an application, a snapshot of their confirmed references is attached to that application so the employer can contact them. Subsequent edits to the live reference do not change the snapshot already attached to a prior application.
• If you have been listed as a reference and want your record removed, email privacy@jobwillow.com. We will remove it without requiring a reason.

Connected calendar and video accounts

• Employers (and, where applicable, candidates) can connect a Google, Microsoft, or Zoom account to schedule interviews.
• When you connect an account, we store the OAuth access and refresh tokens issued by the provider and the provider account identifier. Tokens are scoped only to what the integration needs (creating interview events on your calendar, creating meeting rooms tied to your account).
• We use those tokens to push interview events to your calendar, create or remove meeting rooms tied to a specific interview, and read free or busy times to suggest interview slots. We do not read unrelated calendar events, emails, files, or contacts.
• You can disconnect a provider at any time from your account settings. We delete the stored tokens on disconnect.

Location data

• We collect the city and (for candidates) hometown you enter on your profile. We send those city names to Mapbox to convert them into approximate coordinates (latitude and longitude) so we can power proximity search and the Discover Talent map. We do not collect precise device location.
• When the map view loads in your browser, your browser fetches tiles directly from Mapbox, which means Mapbox sees your IP address as part of that request. We do not share your account information with Mapbox.

Usage data

• Pages visited, listings viewed, searches performed
• Login timestamps and session info
• Browser, device, and IP address

Cookies and similar technology

• Essential cookies only. We use a session cookie to keep you logged in and a short-lived state cookie to protect sign-in flows against cross-site request forgery. These cannot be disabled without breaking login.
• We do not use analytics, advertising, retargeting, or other third-party tracking cookies. We do not run cross-site behavioral profiling. If we ever add non-essential cookies, we will update this policy and, where consent is required, ask before setting them.

• Operate the marketplace: matching, search, messaging, scheduling
• Enforce platform rules: weekly application caps, response deadlines, employer approval
• Send transactional emails: account verification, application status, deadline alerts, interview confirmations
• Improve the product using aggregate usage patterns
• Detect and prevent fraud, abuse, and policy violations
• Comply with legal obligations

We do not sell your personal information.

Legal bases for processing

Where applicable law requires us to identify a legal basis for processing your information, we rely on one or more of the following:

• Performance of a contract: to provide the services you signed up for (operating your account, processing your applications, delivering messages).
• Legitimate interests: to operate, secure, and improve the platform, prevent fraud, and enforce platform rules, where these interests are not overridden by your rights.
• Legal obligation: to comply with applicable laws and respond to lawful requests.
• Consent: where you have provided it for optional data collection (for example, demographic data for EEO reporting, or marketing emails).

Other users on the platform

• Your candidate profile is visible to approved employers when you apply to their listings, when you appear in candidate search, or when you accept an interest signal.
• Employer profiles and listings are visible to candidates browsing.
• Messages and application data are visible to the specific candidate and employer involved.

Service providers we use

• Supabase: database hosting (PostgreSQL) and file storage (S3-compatible) for resumes, avatars, company logos, writing samples, and offer-letter PDFs.
• Vercel: frontend hosting (jobwillow.com).
• Render: API hosting (api.jobwillow.com).
• Cloudflare: CDN, DDoS protection, and proxy in front of the API. Cloudflare sees request IP addresses and metadata as part of routing traffic.
• Resend: transactional email delivery (verification, application status, deadlines, references, 2FA, password reset).
• Mapbox: map rendering for the Discover Talent view and geocoding of city names entered on your profile.
• Google: when an employer or candidate connects a Google account, we use the Google Calendar API to create interview events on the connected calendar.
• Microsoft: when a Microsoft account is connected, we use Microsoft Graph to create interview events in Outlook and meeting links in Microsoft Teams.
• Zoom: when a Zoom account is connected, we use the Zoom API to create and remove interview meeting rooms on the connected account.
• Sentry: error monitoring (when enabled). DSNs are currently unset, so Sentry does not receive data today.
• Stripe: payment processing for paid employer plans. Stripe is not yet wired into the live product; this entry is forward-looking for when paid plans become active.

These providers process your data on our behalf under their own terms and security commitments.

Aggregated, non-identifying data

We may publish aggregate hiring trends (for example, a “Knoxville Hiring Index”) using anonymized data that cannot identify any individual user.

On individual employer profiles and listings we also surface privacy-protected aggregates of past hires — for example, the median GPA, typical graduation year, most common majors, and median profile depth (projects, experiences, clubs) among candidates the employer has hired. These aggregates are governed by hard floors designed to prevent any single past hire from being identifiable:

• The panel is hidden entirely unless the relevant scope has at least five past hires. Below that threshold no aggregate is shown.
• Any specific value (for example, a particular major) is shown only when it appears in at least two of the past hires. Singleton values are dropped before display.
• GPA statistics are omitted whenever fewer than half of past hires have a GPA on their profile, so a small sample with sparse data does not produce a misleading median.
• We never display the identity, profile, photo, or any other distinguishing detail of any specific past hire in these aggregates.

Legal disclosures

We may disclose information when required by law, in response to valid legal process, or to protect rights, safety, or property.

Demographic information (race, gender, veteran status, disability status) is optional and voluntary. It is used only in aggregate reporting protected by k-anonymity: we never display demographic breakdowns for groups smaller than five respondents. Individual employers never see your demographic information attached to your identity.

• Active accounts: as long as your account is active
• Deactivated accounts: retained for a reasonable period to allow restoration and to satisfy legal obligations, then deleted or anonymized
• Application records: may be retained for audit and legal-compliance purposes even after account deletion

You can:

• Access the personal information we hold about you
• Correct inaccurate information
• Delete your account from your account settings; deletion cascades to your profile and your application history, subject to limited retention for legal or fraud-prevention purposes.
• Export your data as a JSON file from Settings → Privacy → Export my data (candidates) or Settings → Export my data (employers). The export includes your account, profile, applications or listings, messages you have sent, and other records we hold about you.
• Opt out of non-essential marketing emails (transactional emails about your applications cannot be disabled while your account is active)
• Withdraw consent for optional data collection, including demographic data

We honor the Global Privacy Control (GPC) signal where it applies to a JobWillow data flow. JobWillow does not currently run analytics, advertising, retargeting, or sale-of-data pipelines, so the GPC signal has nothing to opt out of today; the handler is in place so that the moment any of those launch, GPC-on visitors will be excluded from them.

Depending on where you live (for example, California or the EU), additional rights may apply under CCPA, GDPR, or similar laws. Contact privacy@jobwillow.com to exercise any of these rights. We aim to respond to verifiable requests within 30 days, or as required by applicable law.

California residents (CCPA / CPRA)

If you are a California resident, you have the following additional rights with respect to personal information we collect:

• Right to know: the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties with whom we share it.
• Right to delete: request deletion of personal information we have collected, subject to legal exceptions.
• Right to correct: request correction of inaccurate personal information.
• Right to opt out of sale or sharing: we do not sell or share your personal information for cross-context behavioral advertising. There is nothing to opt out of.
• Right to limit use of sensitive personal information: we only use sensitive personal information (such as EEO demographics) for the purposes you consented to.
• Right to non-discrimination: we will not deny you service, charge you a different price, or provide a different quality of service because you exercised your CCPA rights.

You may also use an authorized agent to exercise these rights on your behalf. We will require reasonable verification of the agent’s authority and your identity.

JobWillow is intended for users 18 and older. Users between 13 and 17 may use the platform only with parental consent. We do not knowingly collect personal information from children under 13. If we learn that we have, we will delete it.

• All data is encrypted in transit (HTTPS / TLS)
• Passwords are stored using one-way cryptographic hashing (bcrypt)
• Two-factor authentication is available on every account
• Access to production systems is limited and audited

No system is completely secure. We encourage you to use a unique, strong password and enable two-factor authentication.

Security incidents

If we discover a security incident that affects your personal information, we will notify affected users without unreasonable delay and in accordance with applicable law. State and federal laws may require specific notification timelines, methods, and content; we will follow those requirements. You can report suspected security issues to security@jobwillow.com.

JobWillow is operated from the United States. Some of our service providers may process data in other jurisdictions. If you access JobWillow from outside the United States, you consent to the transfer of your information to the United States for processing.

We may update this policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the platform before the changes take effect. Your continued use of JobWillow after changes take effect indicates acceptance of the updated policy.

Recent material changes

• May 31, 2026: Added new disclosures covering references that candidates submit (§2), resume parsing (§2), connected calendar and video accounts via Google, Microsoft, and Zoom (§2 and §4), location data sent to Mapbox (§2 and §4), date of birth captured at signup to confirm age (§2), and an expanded service provider list adding Cloudflare, Mapbox, Google, Microsoft, and Zoom and correcting the file-storage provider to Supabase Storage (§4). Also clarified that JobWillow uses only essential cookies (session and sign-in CSRF protection) and does not use functional, analytics, advertising, or third-party tracking cookies (§2). Added a self-service data export at Settings → Privacy → Export my data for candidates and Settings → Export my data for employers, and documented our Global Privacy Control (GPC) handler (§7).
• May 18, 2026 — Added handling for employer-submitted intern testimonials (§2) and described the privacy guards on per-employer aggregate hiring data shown on listings (§4).

Questions, requests, or concerns about your privacy:

• Email: privacy@jobwillow.com
• JobWillow, Knoxville, TN