← YoungNug

Privacy Policy

Last updated 12 July 2026

YoungNug Privacy Policy

Last updated: 14 July 2026

YoungNug helps UK students find jobs and build tailored CVs and cover letters. That means we hold information about you, including your education record, and we take that seriously. This notice explains what we collect, why, what we do with it, and the rights you have over it. It is written to be read, not skimmed past. If anything is unclear, ask us through the in-app Feedback form.

1. Who we are

YoungNug is the data controller for the personal data described in this notice. The service is operated by its developer in the United Kingdom and is registered with the Information Commissioner's Office under registration number C1986274. The full registered controller details appear on the ICO's public register of data controllers under that number. You can contact us about anything in this notice through the Feedback form inside the app (Settings, then Feedback).

2. Who this service is for (age 15 and over)

YoungNug is for students aged 15 or over. We check your date of birth at sign-up and refuse accounts below 15. UK law sets 13 as the age at which a young person can consent to online services themselves (UK GDPR Article 8), so users aged 15 to 17 can hold a YoungNug account without parental permission.

Because many of our users are under 18, we follow the ICO's Age Appropriate Design Code: privacy-protective settings are the default for everyone, optional analytics are off unless you turn them on, we do not profile you for advertising, and we never sell your data. Your date of birth is used only for the age check and to suggest a sensible starting study level. It is stored encrypted and is never printed on a CV, cover letter, or any document.

3. What we collect

We only collect what the service needs to work:

- Account data: email address, password (stored only as a one-way argon2 hash, we cannot read it), full name, date of birth, your consent record. - Profile data you add: education history (schools, colleges, university, GCSE, A-level, BTEC and degree results, modules and grades), work experience, volunteering, projects, skills, achievements, certifications, links you choose to share (for example GitHub or LinkedIn), and your job preferences. - Home address (optional): if you add it, it is used only as the sender block on your cover letters. It never appears on a CV. - Home location (optional, off by default): if you switch on the Location setting, we store your postcode and the single map position (latitude and longitude) that postcode resolves to. That is postcode-level only, never GPS, and never movement tracking (data minimisation under the Children's Code). It is used for two things: centring your job map on home, and showing how far each job is from you as one labelled part of its suitability score. Switching the setting off deletes the stored postcode and coordinates immediately. - Job-search activity: jobs collected for you, saved and skipped jobs, applications and their stages, interview notes, generated CVs and cover letters and your edits to them. - Optional usage events: if (and only if) you accept optional analytics in the cookie banner, we record first-party counts of which pages and features you use and job interaction events, to improve the product and your job matching. This includes coarse time-on-page buckets (for example "under 30 seconds" or "2 to 10 minutes"); we never record exact timings, keystrokes, or what you type. Nothing is ever recorded for advertising. Today these counts stay on our own systems and go to no one else. We have not switched on any third-party analytics tool; if we ever do, we will name the provider (for example Google Analytics) as a processor in section 7, describe the cookies it sets in section 12, and ask for your consent again before it starts. - Technical data: IP address and request logs, used for security, abuse prevention and rate-limiting; short-lived session tokens.

We do not ask for and do not want special category data (such as health, religion, or ethnicity). Please do not put it in free-text fields.

4. Why we can use it (lawful bases)

| Purpose | Lawful basis (UK GDPR Art. 6) | |---|---| | Running your account, storing your profile, generating your documents, tracking your applications | Contract (6(1)(b)): this IS the service | | Age checks and privacy-protective defaults for under-18s | Legal obligation and legitimate interests (Children's Code compliance) | | Security logs, rate-limiting, abuse prevention | Legitimate interests (6(1)(f)): keeping the service safe | | Optional usage analytics and behavioural job-matching signals | Consent (6(1)(a)): off by default, withdraw any time | | Optional home location (postcode and its coordinates) for the job map and commute distance | Consent (6(1)(a)): off by default; switching it off deletes the stored data | | Optional imports (LinkedIn, GitHub) | Consent (6(1)(a)): each import is an explicit action you take |

5. What we never do

- We never sell your personal data. Not with your consent, not with an opt-out, not to anyone. This is a permanent commitment, not a current setting. - We never share it with data brokers. - We never use it to train models for anyone else. - We never post or submit anything on your behalf without your explicit per-job approval (the Approve step is the only way an application happens). - We never take a payment you have not seen and agreed to first (see the Terms, section 7). Under-18s cannot buy a plan at all, so if you are 15 to 17 we hold no payment details for you.

6. Automated decision-making

YoungNug computes a suitability score (0 to 100) between your profile and each job, and shows you the full breakdown with reasons for and against. This is advisory only: you decide where to apply, and no decision with legal or similarly significant effect is ever made about you solely by automation (UK GDPR Article 22). The score never uses protected characteristics.

7. Who else sees data (processors and recipients)

- Job listing sources (Adzuna, Reed, public employer career sites, Companies House): when we collect jobs for you, we send only search terms (for example role keywords and a location), never your identity. - Postcode lookup (postcodes.io): if you switch on the optional Location setting, we send only your postcode to this free UK service to find its map coordinates. Your identity is never sent with it, and nothing is sent at all while the setting is off. - Document generation runs on the service's own infrastructure. Your profile is not sent to third-party AI services. - Email: we send you transactional emails such as address verification and password reset. These may be handled by our own system; when a third-party email provider is switched on to deliver them (SMTP2GO, with Brevo as a fallback), that provider acts as our processor and receives only your email address and first name. We do not send you marketing email. - Analytics: we currently use no third-party analytics service, so no analytics provider receives your data. If we ever switch on a third-party analytics tool (for example Google Analytics), we will name it here as a processor, describe the cookies it sets in section 12, and ask for your consent again first. - If we are legally required to disclose data (for example by a court order), we will, and where lawful we will tell you.

Your data is stored in the United Kingdom. The one exception is that our email provider, when it is enabled, may store a verification or reset message on servers in the EU; the EU has UK adequacy status, so that transfer is lawful and your data stays within an adequate jurisdiction. We do not otherwise transfer your data outside the UK.

8. How we protect it

- Passwords are hashed with argon2; we can never read them. - Personal profile data, your name, date of birth and home address are encrypted at rest (Fernet/AES). - Every account's data is isolated: the server checks ownership on every request, so no other user can ever read your rows. - Sessions use short-lived tokens and httpOnly cookies; all auth endpoints are rate-limited; the production service runs over HTTPS only.

9. How long we keep it (retention)

- Account and profile data: kept while your account exists. When you delete your account, every row you own (profile, jobs, applications, documents, events, messages) is deleted immediately and permanently. There is no soft-delete copy. - Generated documents: kept while your account exists so your application history stays complete; deleted with the account. - Security logs: kept for a short rolling window for abuse prevention. - Consent-gated usage events: kept while your account exists, deleted with it, and you can withdraw consent at any time to stop new recording. - Home location: kept only while your Location setting is switched on. Switching it off deletes the stored postcode and coordinates immediately (deleting your account does too).

10. Your rights (and the buttons that actually do them)

You have every UK GDPR data-subject right, and the two big ones are wired directly into the app:

- Access and portability: Settings, then "Export my data" downloads everything we hold about you as readable JSON, decrypted. - Erasure: Settings, then "Delete my account" permanently removes your account and everything in it, immediately, after a password confirmation. - Rectification: edit anything in your Profile at any time. - Withdraw consent: change your cookie choice from the banner or footer at any time; analytics recording stops immediately. For home location, switch the Location setting off in Settings, and the stored postcode and coordinates are deleted there and then. - Restriction and objection: contact us via the Feedback form and we will action it within one month.

We respond to any data-protection request within one calendar month, free of charge.

11. Complaints

From 19 June 2026 UK law gives you a formal right to complain to us first and have it handled properly (Data (Use and Access) Act 2025). Raise a complaint through the in-app Feedback form marked "privacy complaint" and we will acknowledge it within 30 days and respond without undue delay.

You also always have the right to complain directly to the UK regulator:

> Information Commissioner's Office (ICO) > Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF > Helpline: 0303 123 1113 | [ico.org.uk/make-a-complaint](https://ico.org.uk/make-a-complaint/)

12. Cookies

YoungNug uses one essential cookie: the session cookie that keeps you signed in. It also stores your cookie choice itself in a small first-party cookie so we remember it. Essential cookies do not require consent (PECR). Optional first-party analytics are controlled by the consent banner and are declined by default. Today there are no advertising cookies and no third-party cookies at all. If we ever switch on a third-party analytics tool such as Google Analytics, it would set its own cookies (for example the `_ga` cookies); we would list them in the cookie notice and ask for your consent again before that happened. The full breakdown is in our cookie notice inside the consent banner.

13. Changes to this notice

If we change what we collect or why, we will update this notice, change the date at the top, and flag material changes in the app before they take effect.

See also Privacy Policy · Terms of Use · Ads