Privacy notice · July 16, 2026
What stays local, what is encrypted, and what advertising may process.
This notice separates job-application records from advertising data because they run on different web origins. The public guides at jobtracker.ilendev.com may show advertising. The private workspace at app.jobtracker.ilendev.com does not load advertising or other third-party scripts.
Data stored on your device
By default, company names, roles, links, locations, salary text, sources, dates, resume versions, and notes are stored in IndexedDB on the private app origin. The public guide origin cannot read that separate browser storage, and the service does not receive these fields merely because you add or edit an application.
Browser storage belongs to the browser profile and device. Private browsing, storage restrictions, clearing site data, or browser removal can delete it. Use Backup JSON to keep a portable copy.
Encrypted sync data
If you choose “Use on another device,” the browser creates a random vault identifier, an AES-GCM encryption key, and a sync token. The complete tracker is encrypted in your browser before it is sent to the sync API.
The Cloudflare D1 database stores the encrypted payload, vault identifier, a SHA-256 hash of the sync token, version number, update time, and expiry time. It does not store the encryption key. The private connection link contains the credentials in its URL fragment; fragments are not included in HTTP requests.
Anyone who receives that private link can access the synced tracker. Treat it like a recovery key. The service cannot recover a lost encryption key or decrypt the payload for you.
Retention and deletion
A synced vault becomes eligible for deletion 365 days after its last successful create or update. Expired encrypted data is removed when that vault is accessed or while new vaults are created, so a dormant row may remain longer until the service receives later activity. Remote expiry does not delete records stored locally in your browser.
Choose Delete synced copy in the sync dialog to remove the remote encrypted vault while keeping the current device’s local records. Clear this site’s browser data to remove the local copy. Download a JSON backup first if you may need the records later.
Technical requests and security
Cloudflare processes normal web-request information needed to deliver Pages, Workers, Pages Functions, and D1, such as IP address, request time, route, user agent, and security signals. To limit storage abuse, encrypted-vault creation uses a secret-keyed, daily-rotating value derived from the Cloudflare-provided client address. D1 stores that rotating value and a counter, not the original address, and removes expired counters during later creation attempts. People sharing the same public network also share this creation limit. API responses use no-store caching rules. The site does not add a separate analytics product at launch.
Advertising and consent
The site may use Google AdSense when production publisher and ad-slot settings are enabled. Google and its partners may process identifiers, cookies, IP address, device information, ad interactions, and consent choices to deliver, measure, or limit advertising.
For visitors in the European Economic Area, United Kingdom, and Switzerland, the site operator intends to use Google’s certified consent management tooling configured through AdSense Privacy & Messaging. Available choices and ad behavior depend on region and consent.
Advertising code is not loaded on the private app origin. The public guide links to the private app, but its advertising scripts cannot access the app origin’s IndexedDB, URL fragment, or decrypted tracker state through same-origin browser APIs.
Contact and changes
For privacy questions, use the existing contact route linked from the contact page. This notice may change when storage, advertising, or operating practices change; the effective date at the top will be updated.