Legal

What we collect

Only what we need to run the tracker for you:

• Your Google sign-in. Your email address, the display name on your Google account, and the stable identifier Google gives us (your “sub”). We don’t ask for any other Google scopes.
• Your jobs. For each application or saved role you add: company, role, job URL, salary range, location, status, the date you saved it, the date you applied, and any notes you write.
• Your timeline. A per-job event log: status changes, notes, inbound emails matched to the job, and AI suggestions you’ve confirmed or dismissed.
• Inbound email metadata. When you forward something to your @fwd.gethirerewards.com address, we record the sender, subject, message ID, received-at time, and whether we managed to parse it. By default we do not store the raw email body — see “How long we keep it” below.
• Screenshot extractions. When you paste or share a screenshot, we run the image through Claude Haiku to pull out text. We store the extracted text snippet and the structured fields (company, role, status). We do not store the image bytes — they’re processed in memory and discarded.
• Audit log. A row per write you make (or that the system makes on your behalf), so we can answer “what changed and when” if something looks wrong.

What we do not collect: browser fingerprints, third-party analytics, ad tech, location beyond what you type into the location field, contacts, calendars, or any data from other Google services.

Why we collect it

To run the tracker for you. That’s the whole list. We don’t sell data, we don’t share it with advertisers, and we don’t use it to train AI models.

Who sees it

You, and only you. Concretely:

• The Postgres database has row-level security enabled on every table that holds your data. Your sign-in token only unlocks rows tagged with your user ID.
• The service-role key that can bypass row-level security lives only on the server and is used for inbound email processing, scheduled cleanup jobs, and admin operations — never shipped to your browser.
• Juanita can technically read your rows by going through Supabase directly. She doesn’t, except when you’ve reported a bug and asked her to look. There’s no analytics dashboard with your data in it.
• A future “sponsor view” (think workforce programs or cohort funders) is on the roadmap for v2. It does not exist yet. When it does, no data will be shared with any sponsor without an explicit, plain-English consent step from you, per cohort.

Where it lives

• Database and authentication: Supabase (Postgres). Data at rest is encrypted with AES-256 via Supabase’s managed keys. Region: US East (Ohio).
• Hosting: Vercel. Connections to and from the app use TLS, with hybrid post-quantum key exchange (X25519MLKEM768) where the client supports it.
• AI extraction: Anthropic (Claude Haiku). When you forward an email or paste a screenshot, we send the parsed text content to Anthropic so Haiku can extract the structured fields. Under default settings we do not send raw email headers — only the body text we need to extract from. Per Anthropic’s API terms, inputs are not used to train their models.
• Inbound email: Postmark, for receiving forwarded mail.

How long we keep it

• Your account and your jobs: as long as your account exists.
• Inbound email metadata (sender, subject, parse result): as long as your account exists.
• Raw inbound email bodies: by default, not stored at all — we parse and discard. If you turn on “Keep original emails for 7 days” in Settings, we store the encrypted raw body for at most 7 days, then a nightly cleanup job nulls it out. If a parse fails, we keep the raw body for that one failed item for up to 7 days (the rescue window) so you can recover it manually — even if you haven’t opted in.
• Account deletion: when you delete your account, it goes into a 7-day soft-delete window. During those 7 days, signing back in restores everything. After 7 days, a scheduled job hard-deletes your jobs, events, inbound email rows, and profile in a cascade. A small “account deleted” audit record (your former user ID and the deletion timestamp) is kept for 90 days for abuse and dispute handling, then purged.

Your data, your rights

These are real, working buttons in the app — not promises:

• Export. Settings → “Download my data” gives you a ZIP containing jobs.json, job_events.json, profile.json, and a README.txt. Generated on the fly, streamed to your browser, not retained on our side.
• Delete. Settings → “Delete my account” opens a confirmation flow. You type DELETE, confirm, and the 7-day soft-delete starts. Sign back in within 7 days to undo. After 7 days, deletion is permanent.
• Forwarding address rotation. Settings lets you rotate your forwarding slug. The old address goes onto a permanent tombstone list so it can never be reassigned and any future mail to it bounces.

If you live somewhere with a “right to know” or “right to delete” law (CCPA in California, similar laws in other states), the export and delete buttons cover it. If you’d rather we handle the request manually, email privacy@gethirerewards.com.

AI transparency

We use Claude Haiku to read forwarded emails and screenshots and pull out structured fields (company, role, status). A few things we promise:

• You confirm every change. Haiku never silently updates a job status. Anything it suggests shows up on a confirmation screen with the evidence snippet, and you click yes, no, or “let me pick” before it lands.
• Prompt-injection defenses are in place. Haiku gets a fixed system prompt; the email or screenshot content is treated as untrusted data, never as instructions. Output has to fit a strict schema or it’s rejected. If we see suspicious content (things like “ignore previous instructions”), the confirmation screen shows a yellow warning before you save.
• You can decline any extraction. “No, this isn’t a match” or just closing the tab works fine. Nothing extracts itself.

Cookies

One first-party session cookie from Supabase Auth — HttpOnly, Secure, SameSite=Lax. Vercel and Supabase set their own infrastructure cookies for load balancing and region routing. None of these are used for tracking, advertising, or analytics. We don’t use third-party analytics, tracking pixels, or browser-fingerprinting libraries. There’s no cookie banner because there’s nothing to consent to beyond functional storage.

Security incidents

If we suspect a breach affecting your data, we’ll email you within 72 hours of confirming it and put a banner in the app. We’ll tell you what we know, what we’re doing, and what (if anything) you should do. This matches CCPA’s notification requirements and most state breach-notification laws.

Contact

For privacy or legal questions: privacy@gethirerewards.com. [LAWYER_REVIEW] — confirm contact-of-record address for any required regulatory filings.

Short version: be a good guest. This is a closed beta Juanita built for friends.

• It’s invite-only. Sign-in checks your Google email against an allowlist. If your email isn’t on it, sign-in is rejected and no account is created. Don’t try to bypass the allowlist; ask Juanita to add you instead.
• Use it for your own job search. Don’t submit other people’s private data, don’t forward emails that aren’t yours to forward, and don’t use the forwarding inbox to harass anyone.
• Don’t try to break it. No probing for vulnerabilities, no scraping, no spamming the inbound email pipeline, no attempts to access other users’ data. If you find a bug, please tell us — we’ll thank you, not sue you.
• It’s a beta, served as-is. No warranty, no guarantee of uptime, no promise that a feature you like today will exist tomorrow. We may change features, copy, and (eventually) the pricing model with notice. v1 is free.
• We may pause or revoke access at our discretion. We won’t unless someone is abusing the system.
• Disputes are governed by the laws of [LAWYER_REVIEW] state. Juanita’s lawyer should fill this in based on her state of residence.

If something here feels off or unclear, tell us. This is a small product — we can fix it.

We set the bare minimum. No tracking, no advertising, no analytics beyond what our infrastructure providers set for their own operations.

• sb-* (Supabase Auth): one first-party session cookie that keeps you signed in. HttpOnly, Secure, SameSite=Lax. Cleared on sign-out.
• Vercel infrastructure cookies: load-balancing and region routing. Functional only.
• Supabase infrastructure cookies: same — functional only.

What we do not set: tracking pixels, third-party analytics, advertising IDs, or any browser-fingerprinting code. There’s no cookie banner because nothing here requires consent beyond what’s strictly necessary to keep the app working.