Privacy Policy
Effective: [EFFECTIVE_DATE] · [YOUR_LLC_NAME], a [YOUR_STATE] LLC
1. Who we are
Shortlisted ("Shortlisted", "we", "us", or "our") is operated by [YOUR_LLC_NAME], a limited liability company registered in [YOUR_STATE]. We provide an AI-powered resume tailoring, career coaching, and employer matching service accessible at shortlisted.io and related subdomains.
This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and what rights you have. If you have questions, contact us at privacy@shortlisted.io.
2. Information we collect
Information you provide directly
- Account information: name, email address, password (hashed — we never see it in plain text)
- Resume content: work history, education, skills, and any other content you paste or upload for tailoring
- Job postings: job descriptions and URLs you submit for matching
- LinkedIn profile content: any LinkedIn sections you paste into our rewriting or audit tools
- Profile preferences: target industry, experience level, job search status, and other onboarding responses
- Employer information: company name, role details, and hiring preferences (employer accounts only)
- Communications: messages you send to our support team
- Feedback: thumbs up/down ratings and comments you submit after generations
Information collected automatically
- Usage data: pages visited, features used, generation history, time spent (via Posthog)
- Device information: browser type, operating system, screen resolution
- IP address: used for fraud prevention and approximate location (country/region only)
- Cookies: session cookies for authentication, analytics cookies with your consent
Information from third parties
- Google OAuth: if you sign in with Google, we receive your name, email, and profile picture from Google
- Stripe: we receive confirmation of payment status and the last 4 digits of your card — we never see or store full card numbers
- Referral source: if you were referred by another user, we record the referral code used
3. How we use your information
- To provide the service: processing your resume content through our AI system to generate tailored documents
- Account management: authentication, subscription management, credit tracking
- AI generation: your resume content and job postings are sent to Anthropic's API to generate tailored output (see Section 5)
- Employer matching: if you opt in to the talent pool, your anonymized profile is made searchable to verified employers
- Communications: transactional emails (signup confirmation, password reset, weekly digest, billing receipts)
- Product improvement: aggregated, anonymized usage analytics to improve features
- Fraud prevention: detecting and preventing abuse, unauthorized access, and billing fraud
- Legal compliance: complying with applicable laws, responding to valid legal requests
What we do NOT do: We do not sell your personal data. We do not use your resume content to train AI models. We do not share your personal data with third-party advertisers. We do not send marketing emails without your consent.
4. Legal basis for processing (GDPR)
If you are located in the European Economic Area (EEA), UK, or Switzerland, our legal basis for processing your data is:
- Contract performance: processing necessary to deliver the service you signed up for (resume generation, billing, account management)
- Legitimate interests: fraud prevention, security, improving our product using aggregated analytics
- Consent: analytics cookies, marketing communications — you can withdraw consent at any time
- Legal obligation: complying with applicable laws and valid legal requests
5. Third-party services we use
We share data with the following third-party services to operate Shortlisted. Each is a data processor acting on our behalf:
| Service | Purpose | Data shared | Privacy policy |
|---|---|---|---|
| Anthropic | AI generation engine | Resume content, job descriptions, prompts | anthropic.com/privacy |
| Supabase | Database & authentication | Account data, resume content, usage data | supabase.com/privacy |
| Stripe | Payment processing | Email, billing info (card data never touches our servers) | stripe.com/privacy |
| Vercel | Hosting & infrastructure | IP address, request logs | vercel.com/legal/privacy-policy |
| Resend | Transactional email | Email address, email content | resend.com/legal/privacy-policy |
| Posthog | Product analytics | Usage events, anonymized user ID | posthog.com/privacy |
| Google | OAuth sign-in (optional) | Name, email, profile picture | policies.google.com/privacy |
AI data handling note: Resume content sent to Anthropic's API is processed to generate your tailored output and is subject to Anthropic's usage policies. Anthropic does not use your data to train their models under their standard API terms. We do not permanently store the raw content of your generations on Anthropic's systems — only in your Shortlisted account in Supabase.
6. Cookies
We use the following categories of cookies:
- Strictly necessary: authentication session cookies — required for the service to function. No consent needed.
- Analytics: Posthog cookies that help us understand how people use the product. We ask for consent before setting these.
You can manage cookie preferences at any time via the cookie settings link in the footer. Rejecting analytics cookies does not affect your ability to use the service.
7. Data retention
- Active accounts: we retain your data for as long as your account is active
- Cancelled accounts: data is retained for 90 days after cancellation, then permanently deleted — this gives you time to re-activate and recover your documents
- Deleted accounts: when you request account deletion, we permanently delete all personal data within 30 days
- Billing records: Stripe transaction records are retained for 7 years as required by financial regulations — these contain only transaction metadata, not full card numbers
- Feedback and analytics: anonymized aggregate data may be retained indefinitely
8. Your rights
Depending on your location, you may have the following rights:
- Access: request a copy of the personal data we hold about you
- Correction: request correction of inaccurate data
- Deletion: request deletion of your personal data ("right to be forgotten") — use the Delete Account option in Settings or email us
- Portability: request your data in a machine-readable format
- Objection: object to processing based on legitimate interests
- Restriction: request we restrict processing of your data
- Withdraw consent: withdraw consent for analytics cookies or marketing at any time
To exercise any of these rights, email privacy@shortlisted.io with "Privacy Request" in the subject line. We will respond within 30 days. We may need to verify your identity before processing the request.
California residents (CCPA/CPRA): You have the right to know what personal information we collect, to delete it, to opt out of sale (we do not sell data), and to non-discrimination for exercising your rights. To submit a CCPA request, use the contact above.
9. Data security
We implement the following security measures:
- All data transmitted over HTTPS/TLS
- Passwords hashed using bcrypt via Supabase Auth — we never see your password
- Database access restricted via Row Level Security (RLS) — users can only access their own data
- API keys stored as environment variables, never in client-side code
- Stripe handles all card processing — card data never touches our servers
- Regular security monitoring via Sentry
No system is 100% secure. In the event of a data breach that affects your personal data, we will notify you and relevant authorities as required by applicable law within 72 hours of becoming aware.
10. International data transfers
Shortlisted is operated from the United States. If you are located in the EEA, UK, or Switzerland, your personal data is transferred to and processed in the US. We ensure appropriate safeguards are in place through Standard Contractual Clauses (SCCs) with our EU-based data processors. Supabase offers EU-region hosting which we use to minimize data transfers where possible.
11. Children's privacy
Shortlisted is not directed to children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us immediately and we will delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email (to the address on your account) and by updating the effective date at the top of this page. Your continued use of the service after changes take effect constitutes acceptance.
13. Contact us
For privacy questions, data requests, or concerns:
Email: privacy@shortlisted.io
[YOUR_LLC_NAME]
[YOUR_STATE], United States