Privacy Policy

1. Information We Collect

1.1 Information You Provide Directly

• Account Information: Name, email address, password (encrypted)
• Profile Information: Resume text, LinkedIn URL, portfolio URL, GitHub URL, job search preferences
• Contact Data: Names, email addresses, job titles, and companies of people you want to reach out to
• Email Content: Drafts and sent emails generated through our platform
• Payment Information: Credit card details (processed securely through Stripe - we never store your full card number)

1.2 Information We Collect Automatically

• Usage Data: Pages visited, features used, time spent, clicks
• Device Information: Browser type, operating system, IP address
• Cookies: We use cookies to keep you logged in and remember your preferences

1.3 Information from Third Parties

• Google OAuth: When you sign in with Google, we receive your name, email, and profile photo
• Gmail API: We access your Gmail account ONLY to send emails on your behalf
• Hunter.io API: When you use our email finder, we receive publicly available professional email addresses
• Tavily API: We fetch publicly available company news to personalize your emails

2. How We Use Your Information

2.1 Core Services

• Generate AI-powered personalized emails using your resume and profile
• Send emails from your Gmail account (with your explicit permission)
• Track email status (sent, replied, pending)
• Find verified email addresses for hiring managers
• Research company news for email personalization

2.2 What We DON'T Do

• ❌ Sell your personal data to third parties
• ❌ Use your resume or emails to train AI models for other companies
• ❌ Share your contact lists with anyone
• ❌ Send marketing emails without your consent

3. Data Retention

• Active Accounts: Data retained while your account is active
• Deleted Accounts: Personal data deleted within 30 days of account deletion request
• Sent Emails: Stored indefinitely (you can delete individual emails anytime)
• Payment Records: Kept for 7 years (legal requirement for tax purposes)
• Backup Data: Deleted from backups within 90 days

4. Your Privacy Rights

Rights for Everyone

• Access: Download all your data in JSON format (Settings → Export Data)
• Correction: Update inaccurate information (Settings → Profile)
• Deletion: Delete your account and all data (Settings → Delete Account)
• Portability: Take your data to another service

GDPR Rights (EU Residents)

• Withdraw Consent: Revoke permissions for Gmail access, AI processing, etc.
• Object to Processing: Stop certain data uses (e.g., analytics)
• Restriction: Limit how we process your data

CCPA/CPRA Rights (California Residents)

• Know: See what categories of data we collect and why
• Opt-Out: Opt out of data "sales" (Note: We don't sell data)
• Non-Discrimination: We won't charge you more for exercising your rights

5. Data Security

• Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Authentication: OAuth 2.0 for Google sign-in, bcrypt for password hashing
• Access Controls: Role-based access, 2FA for admin accounts
• Monitoring: 24/7 intrusion detection, automated security scans

6. International Data Transfers

EU to US Transfers: We use Standard Contractual Clauses (SCCs) approved by the EU Commission for transfers to US-based services (Supabase, OpenAI, Stripe).

UK Transfers: We comply with the UK GDPR and use the UK International Data Transfer Agreement (IDTA).

7. Cookie Policy

• session_token (Essential): Keeps you logged in - 30 days
• user_preferences (Functional): Remembers settings - 1 year
• _ga (Analytics): Google Analytics (anonymized IP) - 2 years

You can disable non-essential cookies in Settings → Privacy.

8. Contact Us

Questions about privacy? We're here to help:

Email: hello@smartreached.com