MatchKo is an AI-powered job application assistant. Paste a job URL and get a tailored, ATS-optimized resume, a non-generic cover letter, and a draft application email in under 30 seconds.

How is MatchKo different from Teal, Simplify, EarnBetter, or AiApply?

MatchKo writes cover letters that actually sound human. Every letter uses one of seven opening patterns (micro-story, concept, observation, contrarian, problem-with-receipt, parallel, specific question) and one of three macro structures (Hook-Proof-Bridge-Ask, Observation-Connection-Offer, Problem-Receipt-Stakes) chosen per role. A post-generation reader-focus scorer enforces Wes Kao's diagnostic: at least 40% of pronoun tokens must address the reader, not the candidate. No competitor does this.

Does MatchKo pass AI-detection tools like GPTZero?

Yes. Generated documents are post-processed for sentence-length variance, banned-phrase filtering (30+ phrases including 'I am writing to apply', 'proven track record', 'perfect fit'), and structural irregularity. Average GPTZero score is under 20% AI probability.

Which job sites does MatchKo support?

Direct URL scrape works on Greenhouse, Lever, Ashby, Workday, Workable, SmartRecruiters, BambooHR, iCIMS, and most company careers pages. Indeed, LinkedIn, Glassdoor, and ZipRecruiter block automated scrapers — for these MatchKo opens the posting in a new tab and lets you paste the description in one click.

What does MatchKo cost?

Free plan: 5 applications per month, 1 resume slot, PDF export. Pro: $19/month or $190/year — unlimited applications, 3 resume slots, Gmail integration, PDF + DOCX export, priority AI generation. 14-day money-back guarantee on the first Pro subscription.

Is the Harvard-style resume ATS-compliant?

Yes. MatchKo generates Harvard-style resumes in DOCX and PDF formats with US Letter dimensions, 1-inch margins, Arial 10pt body / 14pt name / 11pt headings, right-aligned date tabs, and bullet markers using LevelFormat.BULLET (never unicode bullets that break ATS). Tested against Workday, Greenhouse, Lever, iCIMS, Taleo, and SmartRecruiters parsers.

How long does it take to generate one application?

Average end-to-end generation time is 28 seconds. Job scrape and analysis runs in 5-10 seconds. Tailored resume + cover letter generation runs in 15-20 seconds. Gmail draft creation runs in 2-3 seconds.

MatchKo is built by Emmanuel Umoh, founder of Chimney Studios. It launched in 2026 and is operated from Oshawa, Ontario, Canada.

Trust

How we keep your data safe.

Your resume is personal. We treat it that way. Here's exactly how we protect your account, your files, and everything in between.

Last updated: April 19, 2026

1Our security posture

MatchKo is early stage and we are transparent about that. We're actively working toward SOC 2 Type II — the certification is in progress, not yet awarded. Until it's done, here is everything we are doing today, so you can judge for yourself.

2Encryption

TLS 1.3 for all traffic between your browser and our servers.
AES-256 encryption at rest for the database and file storage (managed by Supabase).
OAuth tokens for Gmail and other integrations are encrypted before being stored.
HTTPS-only access with HSTS preload enabled on matchko.com.

3Authentication

Supabase Auth with JWT-based sessions.
Passwords hashed using industry-standard algorithms (bcrypt). We never see, log, or store raw passwords.
Google OAuth available for single-sign-on.
Session cookies are HttpOnly, Secure, and SameSite=Lax.
Two-factor authentication (2FA) is on the roadmap.

4Access controls

Row-Level Security (RLS) enforced on every table in our database — your data is queryable only by your own authenticated session.
Role-based access for any future team members, with the principle of least privilege.
Admin access to production systems is limited, logged, and reviewed.

5Infrastructure

Hosting and edge network: Vercel (US-East primary region).
Database: Supabase managed Postgres.
File storage: Supabase Storage with signed, time-limited URLs.
Background jobs and rate limiting: Upstash Redis.
All subprocessors are listed in our privacy policy.

6Rate limiting

We apply per-IP and per-user rate limits on API endpoints via Upstash Redis. This protects your account from brute force attempts and keeps the service responsive for everyone.

7Content Security Policy

Strict Content Security Policy (CSP) headers to block unauthorized scripts.
HSTS with preload to force HTTPS.
X-Frame-Options: DENY and frame-ancestors 'none' to prevent clickjacking.
X-Content-Type-Options: nosniff to prevent MIME confusion.
Referrer-Policy: strict-origin-when-cross-origin.
Permissions-Policy locked down for camera, microphone, geolocation.

8Vulnerability disclosure

Found a security issue? We appreciate responsible disclosure and will respond to every report.

Email security@matchko.com with a clear description and reproduction steps.
We acknowledge reports within 48 hours.
Please do not publicly disclose the issue until we have had a reasonable chance to investigate and patch.
We do not currently run a paid bug bounty program but will credit researchers who report in good faith.

9Incident response

In the event of a data breach that affects your personal information, we will notify affected users within 72 hours of becoming aware of the breach, per GDPR Article 33. Notifications will describe what happened, what data was affected, and what we're doing about it.

10Third-party security

Stripe — PCI DSS Level 1 certified.
Google — SOC 2 Type II, ISO 27001.
Supabase — SOC 2 Type II, HIPAA-eligible.
Vercel — SOC 2 Type II.
Anthropic — SOC 2 Type II.

11What you can do

Use a strong, unique password. A password manager is worth it.
Enable 2FA as soon as we ship it.
Don't share your account credentials with anyone.
If you use Google sign-in, enable 2FA on your Google account.
Review connected integrations regularly in Settings > Integrations.

12Contact

Security reports: security@matchko.com

Privacy questions: privacy@matchko.com