Privacy Policy
What data we collect, why, how long we keep it, and your rights under GDPR / India DPDP.
The short version
- We collect: the assessment answers, resume text, and profile info you enter, plus basic analytics (which pages you visit).
- We use it to: generate your career report. That's the only purpose.
- We don't sell your data to third parties. Ever.
- You can delete everything from your account page in one click.
- Data retention: as long as you have an account, plus 30 days after deletion for backup rotation, then gone.
1. What we collect
- Account info: email address, name, password (stored hashed with bcrypt).
- Profile info: whatever you enter — education, work history, interests, skills, career preferences.
- Assessment results: your answers on Holland, Big-5, MBTI, and other psychometric tests you take on the platform.
- Resume data: if you upload a resume, we extract the text and store the parsed structured data. We do not store the raw PDF.
- Test scores: SAT, ACT, JEE, NEET, GRE, GMAT, etc., if you enter them.
- Activity logs: which pages you visit and which features you use, for product-quality analytics.
- Cookies: a session cookie for authentication. We also use Google Analytics for aggregate usage patterns (this drops third-party cookies you can block in your browser).
2. What we DON'T collect
- We don't ask for government IDs (Aadhaar, PAN, SSN, etc.).
- We don't ask for phone numbers (unless you volunteer one).
- We don't collect biometric data.
- We don't scrape social media profiles or third-party sites.
- We don't collect information about people other than the account holder.
3. How we use your data
Exclusively for generating your career report and running the platform's features. Specifically:
- Computing your Ikigai composite score across the four axes
- Matching your profile against occupation profiles
- Generating the AI narrative on your report
- Powering the chat-based career counselling with your context loaded
- Running the resume analysis
- Sending you occasional product update emails (opt-out any time)
4. Sharing your data
We don't sell your data. We share it only in these limited cases:
- AI inference providers: When you use the AI-powered chat or narrative generation, your prompt (which may include profile context) is sent to our LLM provider. We use Ollama (self-hosted on our own VM) for most inference. No third-party AI provider ever retains your data.
- Analytics: Google Analytics receives aggregate pageview data. It does not receive your assessment answers or profile.
- Legal compliance: If required by a valid court order, we may share account information with authorities.
That's it. No advertising partners, no data brokers, no third-party enrichment.
5. Data retention + deletion
As long as you have an active account, we keep your data so the report stays useful. When you delete your account (Account page → Delete account), we:
- Immediately remove your login and mark all your data for deletion
- Purge from live database within 24 hours
- Purge from encrypted backups within 30 days as backups rotate
Deletion is permanent. We cannot restore an account after it's been deleted.
6. Your rights
Under GDPR (if you're in the EU/UK) and India's DPDP Act, you have the right to:
- Access — request a copy of all data we hold on you
- Rectification — correct data that's wrong (or edit it yourself on the Profile page)
- Erasure — delete your account and all associated data
- Portability — request your data in a machine-readable format
- Object — opt out of any processing you disagree with
Email privacy@whattnext.ai or use the contact page to exercise any of these rights.
7. Children
Our platform is designed for students aged 13+. If you're under 13, please don't sign up. If you're between 13 and 18, you should have a parent or guardian aware of your use. We collect no more data from minor users than from adult users, and honour all the same rights above.
8. Security
- All data in transit is encrypted via HTTPS (TLS 1.2+)
- Passwords stored using bcrypt with per-user salts
- Database at rest is encrypted (Cloud SQL default encryption)
- Access to production systems restricted to the technical team
If you believe you've discovered a security vulnerability, please email security@whattnext.ai.
9. Changes to this policy
If we materially change how we handle your data, we'll update this page and notify active users by email before the changes take effect.
Last updated: 2026-07-14