Privacy Policy

Last updated: 23 May 2026

ThanksImHired is a tool that helps you find work by reaching out to local businesses that might not have a job ad live yet. This policy explains how we handle your data and the data we find about businesses you might want to work for.

We operate in the UK and follow the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Who we are

ThanksImHired is an online service. You can get in touch with us through the app's support features or by emailing our team directly.

Data we collect about you

When you use the app, we need certain information to make things work. This includes:

Google account details: We use Google OAuth for sign-in, so we receive your name, email address, and profile picture.
Your resume: If you upload a CV to help the AI write better emails, we store that file.
Campaign details: Information you provide about the roles you want, like job titles, industries, and locations you're targeting.
Email content: The drafts and sent messages you create using our AI tools.
Usage analytics: Basic data on how you move through the app so we can fix bugs and make it easier to use.

Data we collect about businesses

Our app pulls publicly available information to help you find potential employers. This is data about business entities, not private individuals. We collect:

Business name and description
Physical address and website
Publicly listed phone numbers and email addresses
Business category (e.g., "Architecture Firm" or "Bakery")

We only pull this from publicly available sources to help you find a way to get your foot in the door.

Why we process this data

We have a few legal reasons for handling this information:

Contract performance: We need your Google details and campaign info to provide the service you've signed up for.
Legitimate interests (Article 6(1)(f) UK GDPR): We process public business contact data because it's necessary for our core service. This is standard B2B outreach practice and does not override the rights of the businesses involved.
Legitimate interests: We use product analytics to monitor reliability, fix bugs, and improve the service.

Who else sees your data

We don't sell your data. We use the following third-party services to run ThanksImHired:

Convex — hosts our database (US-based). They are our primary data processor.
OpenAI — provides the AI that generates your personalised emails (US-based). Please note that OpenAI may use prompts submitted through their API to improve their models unless you have opted out via their data controls. The content of your emails and your resume may be included in these prompts.
Google — handles your sign-in and powers email sending through your own Gmail account (US-based).
PostHog — handles our product analytics (EU-based), including usage and session-quality signals that help us operate and improve the app.
Serper — the search API we use to find local business listings (US-based).

For data sent outside the UK, we rely on the UK-US Data Bridge and Standard Contractual Clauses to ensure your data stays protected to UK standards.

How long we keep things

We keep your account information while your account is active. If you stop using the app, we retain your campaign data for 12 months after your last activity in case you return. If you delete a campaign, the business data scraped for that campaign is deleted immediately.

Your rights

Under the UK GDPR, you have the right to:

Access the data we hold about you
Rectification if anything is inaccurate
Erasure of your data
Restriction of processing in certain circumstances
Data portability

To exercise any of these rights, reach out through the app. If you're not satisfied with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), though we'd appreciate the chance to put things right first.

Cookies

We use strictly necessary cookies to keep you logged in. We also use PostHog to understand how people use the site and monitor product health. If we need explicit analytics-cookie consent, we can enable the consent banner before collecting those analytics cookies.

Your responsibility

ThanksImHired is a tool. When you use it to send emails, you are the "data controller" for the business contact data you choose to process. You must ensure your campaigns comply with the law, including the Privacy and Electronic Communications Regulations (PECR) and the UK GDPR.

Don't spam people. Keep your outreach professional, relevant, and targeted. We provide the platform, but you're responsible for how you use it.

Security

Everything runs over HTTPS. We use strict access controls and industry-standard authentication. Your data is stored on secured infrastructure managed by our third-party providers.

Account deletion & data retention

You can delete your account at any time from Settings → Account → Delete my account. Deletion happens in two phases so we can simultaneously honour your right to erasure under UK GDPR Article 17 and meet our own legal obligations to keep transactional records.

Right now (Phase A)

Your account is locked and you are signed out everywhere.
The Gmail app password you stored with us is permanently erased. No further emails can be sent on your behalf.
Any uploaded resume and email attachments are deleted from storage.
Free-text fields containing personal information (your name in our profile record, support ticket bodies, your job-role description) are wiped.
Your Google account link is removed — the next time you sign in with the same Google account it will register as a brand-new account and your previous data does not come back.
Any active campaign is paused so no in-flight email is sent after deletion.

In 90 days (Phase B)

We retain campaign metadata, send history, billing references, and notification history for 90 days after you delete the account. This is not an "erasure window" — it is a retention window with a specific legal basis:

Accounting records: the Companies Act 2006 and UK tax law require us to keep records of paid transactions. We retain only the minimum needed and rely on Stripe for the long- form billing record.
Defending legal claims: if a recipient or regulator raises a complaint about a message you sent, we may need to retrieve the send log to respond (UK GDPR Art. 17(3)(e)).
Reversing accidental deletion: if you change your mind within the 90-day window, you can email us and we will restore the account. This is a courtesy, not a contractual right, and the immediate erasure in Phase A still applies — your Gmail credentials and uploaded files do not come back.

At day 90, every remaining record keyed to your old account is permanently deleted from our database. We keep an anonymous proof- of-erasure entry (a one-way hash of your old user ID, the deletion timestamps, and per-table row counts) so we can demonstrate compliance to a future regulator query without re-introducing the identifier we just erased.

Immediate erasure (UK GDPR Art. 17)

If you want every piece of your personal data erased without the 90-day retention window, email privacy@thanksimhired.com with the subject line "Article 17 erasure request". We will action it within 30 days, in line with ICO guidance.

Changes to this policy

We may update this policy from time to time as we add features or the law changes. Check back here to stay in the loop.