Last updated: May 2026
This Privacy Notice explains how Orfali (the "Seller", "we", "us"), operator of ApplyFlow, collects, uses, and shares personal data when you use our website and service. Orfali is the data controller responsible for your personal data.
1. Categories of Personal Data We Collect
- Account data: name, email address, password (hashed), language preference.
- Application data: the job applications, notes, reminders, and files you create in ApplyFlow.
- Support data: messages you send us via email or support forms.
- Usage and device data: log data, IP address, browser type, device identifiers, and basic telemetry.
- Billing data: collected and processed by our payment provider Paddle (see "Sharing" below). We receive limited information such as country, subscription status, and last 4 digits of the card.
2. Purposes of Processing
- Creating and managing your account and authentication.
- Providing the ApplyFlow service (storing applications, reminders, calendar).
- Processing payments and managing subscriptions.
- Security, fraud prevention, and abuse detection.
- Customer support and service communications.
- Improving the product and fixing bugs.
- Complying with legal obligations.
3. Legal Basis for Processing (GDPR)
- Performance of a contract (Art. 6(1)(b) GDPR) — to provide the service you signed up for, process payments and manage your subscription.
- Legitimate interests (Art. 6(1)(f) GDPR) — to secure the service, prevent fraud, and improve the product.
- Consent (Art. 6(1)(a) GDPR) — for optional cookies and marketing communications, where applicable.
- Legal obligation (Art. 6(1)(c) GDPR) — for tax, accounting, and other statutory requirements.
4. Sharing Your Data
We share personal data only with the following categories of recipients:
- Paddle.com Market Limited ("Paddle") — our Merchant of Record. Paddle processes all payments, manages subscriptions, handles refunds, calculates and remits sales tax/VAT, and issues invoices. When you check out, your billing information is collected and processed by Paddle under its own privacy notice (paddle.com/legal/privacy).
- Infrastructure providers — hosting, database, email delivery, and authentication providers acting as our processors.
- Professional advisers — legal, accounting, and tax advisers, where necessary.
- Authorities — where required by law, court order, or to protect our rights.
5. International Transfers
Some of our service providers (including Paddle) may process data outside the EEA/UK. Where this occurs, transfers are protected by appropriate safeguards such as the European Commission's Standard Contractual Clauses or an adequacy decision.
6. Data Retention
- Account and application data: retained while your account is active; deleted within 30 days of account closure (except where we must keep it longer to comply with law).
- Billing and tax records: retained by Paddle and by us for up to 10 years to meet statutory accounting obligations.
- Support correspondence: retained for up to 2 years.
- Log and security data: retained for up to 12 months.
7. Security
We apply appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), encryption at rest for the database, hashed passwords, role-based access controls, audit logging, and regular backups. No system is 100% secure, but we work to minimise risk and respond promptly to incidents.
8. Your Rights
Under the GDPR you have the right to access, rectify, erase, restrict, or port your personal data; to object to processing based on legitimate interests; to withdraw consent at any time; and to lodge a complaint with your local supervisory authority. To exercise these rights, contact us at the address below. We will respond within one month.
9. Cookies
We use strictly necessary cookies to keep you signed in and remember your preferences. We do not use advertising cookies. Where analytics cookies are used, you will be asked for consent.
10. Contact
Orfali — privacy questions: support@applyflow.app. See our Impressum for full contact details.