Privacy Policy
Last updated: April 2026
ThreeArrow Inc. ("ThreeArrow", "we", "us", or "our") operates the ThreeArrow.ai platform — an AI-powered career tool that helps you tailor resumes, discover jobs, and track applications. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights in relation to it.
By using ThreeArrow.ai, you agree to the practices described in this policy. If you do not agree, please do not use the Service.
1. Data Controller
ThreeArrow Inc. is the data controller for personal data processed through the Service. You can reach us at privacy@threearrow.ai for any privacy-related requests.
2. What We Collect and Why
2.1 Account Data
- Email address and full name — collected at registration to identify your account and communicate with you. Required to use the Service.
- Google OAuth tokens — if you sign in with Google, we receive an access token from Supabase Auth. We use it only to verify your identity and never store it beyond the session exchange.
- Password hash — if you register with email and password, we store a bcrypt hash (cost factor 10). We never store or transmit your plain-text password.
2.2 Resume and Career Data
- Resume files — PDFs or Word documents you upload are stored in Supabase Storage (encrypted at rest, AES-256). Files are processed by our AI service to extract structured profile data.
- Structured profile — work history, education, skills, certifications, and contact information extracted from your resume. Stored in our database and editable by you at any time.
- Tailored resume content — when you request AI tailoring against a job description, we send your profile and the JD to our AI provider. The tailored output is stored linked to your account for download.
- Career roadmap inputs — if you use the Career Roadmap feature, we send your stated role, skills, and goals to our AI provider and store the generated roadmap for your reference.
2.3 Job Search and Application Data
- Job preferences — titles, locations, salary range, and sources you configure in Settings. Used to personalise the job feed and search ranking.
- Application history — jobs you apply to through the platform, including status updates. Used to power your Applications tracker.
- Scraped job descriptions — URLs you paste for tailoring are fetched by our server and immediately discarded after extraction.
2.4 Usage Analytics
- Anonymous page-view counts and feature-usage events (e.g. "tailor requested", "PDF exported"). These contain no personally identifiable information and are used to understand which features are most useful.
3. Legal Basis for Processing (GDPR)
For users in the European Economic Area, UK, or Switzerland, we process your data on the following legal bases:
- Contract — processing necessary to provide the Service you signed up for (account management, resume storage, job tailoring).
- Legitimate interests — anonymous analytics and product improvement, provided these do not override your privacy interests.
- Consent — where we ask for optional permissions (e.g. email notifications).
4. AI Processing
We use the following AI providers to process your data:
- Groq (Llama 3.3 70B) — used for resume parsing, tailoring, career roadmap generation, and job matching. Your resume content and job descriptions are sent to Groq's API. Groq processes data under its Privacy Policy. Data is not used to train Groq's models.
We do not use your resume content to train any of our own models. AI outputs may contain errors — you are responsible for verifying all content before submitting it to employers.
5. Data Storage and Security
- Database — PostgreSQL hosted on Supabase (AWS ap-northeast-1). Encrypted at rest and in transit (TLS 1.3).
- File storage — Supabase Storage with AES-256 encryption at rest. Access requires a signed URL valid for 60 minutes.
- Passwords — bcrypt hashed, never stored in plain text.
- API keys — admin-managed AI API keys are encrypted using AES-256-GCM before storage.
- Authentication tokens — short-lived JWTs (7-day expiry) stored in your browser's localStorage and a Secure cookie. They are never logged server-side.
6. Data Retention
- Account data — retained until you delete your account.
- Resume files — retained until you delete them or your account.
- Application history — retained until you delete your account.
- Anonymous analytics — retained for 12 months, then aggregated.
7. Third-Party Processors
We share data with the following sub-processors to operate the Service:
- Supabase (database & storage) — Privacy Policy
- Groq (AI inference) — Privacy Policy
We do not sell, rent, or share your personal data with any third parties for advertising or marketing purposes.
8. Cookies
We use a minimal set of cookies:
- ta_token — a session cookie storing your authentication token for server-side route protection. Expires in 7 days. No third-party cookies.
We do not use tracking cookies, ad pixels, or analytics cookies.
9. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access — request a copy of your data. Email privacy@threearrow.ai.
- Correction — update your profile at any time from the Profile page.
- Deletion — delete your account from Settings. This permanently removes all your data within 30 days.
- Portability — request a machine-readable export of your data. Email privacy@threearrow.ai.
- Objection / restriction — object to or restrict processing where our legal basis is legitimate interests.
- Withdraw consent — where processing is based on consent, you may withdraw it at any time via Settings or by contacting us.
We will respond to all requests within 30 days. If you are in the EEA or UK, you also have the right to lodge a complaint with your local supervisory authority.
10. Children
The Service is not directed to children under 16. We do not knowingly collect data from anyone under 16. If you believe a minor has provided us with personal data, contact us and we will delete it promptly.
11. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by email or in-app notification at least 7 days before they take effect. The "last updated" date at the top will always reflect the most recent version.
12. Contact
For any privacy-related questions, requests, or complaints, contact us at:
- Email: privacy@threearrow.ai
- Contact form: /contact