Select purposes you consent to. Strictly Necessary cannot be disabled. Legal basis: GDPR Art.6(1)(a) .
Authentication sessions, security tokens, fraud prevention, and core platform functionality.
Session ID Auth Tokens Security Hashes
Session / 1 year
Page views, feature usage, portfolio completion rates, error tracking, session recordings, heatmaps, and funnel analysis.
Page Views Click Events Session Recordings IP (anon) Device Type
Show vendors Google Analytics 4, Hotjar, Microsoft Clarity, Mixpanel, Segment, PostHog, Sentry, LogRocket
14 months
NapAI career recommendations, skill-gap analysis, and adaptive UI based on your career level and tool usage.
Career Profile Skills Data Tool Activity Job Preferences
Show vendors NapAI (proprietary), OpenAI API, Anthropic API, AWS Personalise, Algolia, LinkedIn API
Until account deletion
Targeted ads, custom audiences, conversion tracking, and email campaigns based on usage behaviour.
Email Ad Click IDs UTM Params Remarketing Lists
Show vendors Google Ads, Meta Pixel, LinkedIn Insight Tag, TikTok Pixel, Twitter/X Ads, Mailchimp, HubSpot, Intercom, Clearbit, Apollo.io, Customer.io
13 months
Anonymised portfolio data and NapAI interaction logs used to train ML models. Data is de-identified before training.
Anonymised Portfolio AI Chat Logs (anon) Skill Progression
36 months
Share activity data with connected platforms (GitHub, Kaggle, Figma, Notion + 25 others) to pull verified project data.
OAuth Tokens GitHub Repos Figma Projects Kaggle Notebooks
Show vendors GitHub, GitLab, Kaggle, Google Analytics, Figma, Notion, Jira, Slack, YouTube, Webflow, Shopify, Stripe, AWS, GCP, Vercel, npm
Until disconnected
Experiment groups for testing features, UI layouts, pricing, and AI recommendation variations.
Experiment Group ID Feature Flags Variant Assignment
Show vendors Optimizely, LaunchDarkly, GrowthBook, PostHog Feature Flags
90 days
Link activity across devices. Probabilistic device fingerprinting may be used when logged out.
Device Fingerprint IP Address Browser Metadata Geolocation
Show vendors Segment Personas, Amplitude Identity, Clearbit Reveal
24 months
Legitimate Interest (Art.6(1)(f)): You may object at any time using the toggles below.
Monitor fraudulent activity, bot traffic and abuse. Log security events for incident response.
IP Address Login Logs Request Frequency
12 months
Account confirmations, password resets, billing receipts, and critical product updates.
Email Address Name Account Status
Account + 7 years
Aggregated, anonymised reports on skills trends and hiring benchmarks. Individuals are never identifiable.
Aggregated Skills Industry Category Tool Popularity
Indefinite (anonymised)
Make your verified portfolio discoverable to recruiters via the Nap OS CRM. Control visibility in your profile settings.
Public Portfolio Verified Skills Availability Status
Until set to private
All data Nap OS collects and with whom it is shared. International transfers use Standard Contractual Clauses per GDPR Chapter V .
Data Category Purpose Recipients Safeguard Identity Data Name, email, photo Account, auth, comms Auth0, SendGrid, AWS SCCs Career Profile Skills, experience, tools Portfolio, AI, CRM OpenAI, Algolia, Clearbit SCCs+DPAs Integration Data GitHub repos, GA, Figma Portfolio verification GitHub, Google, Figma OAuth/SCCs Usage Data Clicks, sessions, features Analytics, A/B, AI training Mixpanel, Hotjar, PostHog SCCs Device Data IP, browser, fingerprint Security, cross-device Cloudflare, Sentry, Segment SCCs Marketing Data Ad clicks, UTMs Advertising, CRM Google Ads, Meta, LinkedIn SCCs+DPAs Financial Data Plan, subscription Subscription management Stripe (PCI DSS L1) SCCs AI Interactions NapAI prompts, responses AI improvement OpenAI, Anthropic (anon) SCCs+DPA
Controller: Napblog Limited, UK · DPO: privacy@napblog.com · Authority: UK ICO
Under UK & EU GDPR you have the following rights. Contact privacy@napblog.com . We respond within 30 days .
Right to Access Request a full copy of all personal data including your career profile and processing history.
Right to Rectification Correct inaccurate data. Update your profile and contact details at any time.
Right to Erasure Request deletion. Account deletion removes your portfolio within 30 days.
Right to Restriction Request we restrict processing while a dispute is being resolved.
Right to Portability Export portfolio, skills, and project history in JSON or CSV from your account settings.
Right to Object Object to legitimate interest processing via the toggles in the Legitimate Interest tab.
Automated Decision Rights Request human review of any NapAI recommendation that significantly affects you.
Withdraw Consent Withdraw consent at any time via the Privacy Settings widget. Does not affect prior lawful processing.
Complaints: UK ICO or local EU authority. Contact us first at privacy@napblog.com .