Privacy Policy

Last updated: May 20, 2026

This Privacy Policy explains what data JobScout collects, how we use it, who we share it with, and the controls you have. We tried to write it in plain English. If anything is unclear, email us at cory.salisbury@gmail.com.

1. Data we collect

To run the Service for you, we collect and store:

  • Account data: email, display name (from Firebase Auth or Google sign-in), Firebase UID, last-seen timestamp.
  • Profile data: what you enter into Settings — salary floor, location preferences, keywords, career story, growth goals, what to avoid, calibration prompts.
  • Resumes: the markdown/text content of every resume you upload or paste, plus the original filename.
  • Job-search data: scored jobs, your saved/applied/dismissed status on each, your interview stories, your uploaded assessment results, your Upwork leads pre-drafted by the inbox watcher.
  • Gmail data (Pro/Boost only, opt-in): when you connect Gmail, we read messages matching narrow queries (typically from:upwork.com newer_than:2d). We extract job listings from those emails, score and pre-draft proposals, and apply a JobScout/Processed label so the same message isn’t processed twice. We do not read your inbox broadly. We never send, modify, or delete email on your behalf. Your OAuth refresh token is stored encrypted in our database.
  • Billing data (paid tiers): Stripe Customer ID and Subscription ID. Card numbers are stored only by Stripe and never touch our servers.
  • Usage telemetry: per-user counters of metered actions (jobs scored, tailors run, etc.) used for free-tier rate-limiting and product analytics. Coarse IP-based geographic data from server logs.

2. How we use it

We use the data above only to:

  • Operate the Service for you — score jobs against your profile, generate tailored resumes and cover letters, draft Upwork proposals, look up comp benchmarks.
  • Enforce free-tier quotas and paid-tier access.
  • Send transactional emails — welcome, password reset, billing receipts, weekly digest if you opt in.
  • Diagnose bugs and improve the Service (aggregated only).
  • Comply with legal obligations (billing records, fraud prevention).

We never sell your data. We never share your resume or career details with third parties for marketing. We do not use your content to train general AI models.

3. Service providers

JobScout runs on third-party infrastructure. These providers process data strictly on our behalf:

  • Google Cloud / Firebase — auth, database (Firestore), hosting (Cloud Run), scheduling.
  • Anthropic — the Claude API generates scores, tailored resumes, cover letters, and proposals. Anthropic’s API privacy policy states inputs and outputs are not used to train models for API customers.
  • Stripe — payment processing; PCI-DSS compliant.
  • Google Workspace / Gmail API — only if you opt in to the inbox watcher; the scope is gmail.modify on your account.
  • SMTP relay for transactional email.

4. Data location and retention

Servers are hosted in Google Cloud’s us-west1 region. Firestore data is replicated within that region for durability. We retain your data while your account is active. On account deletion we remove your resumes, profile, applications, leads, stories, and assessments within 30 days. Billing records (Stripe-side) and aggregated, anonymized usage logs may be retained longer for legal and analytical purposes.

5. Your rights

You can at any time:

  • Access your data — Settings exposes everything we store.
  • Correct it — same place.
  • Export it — resumes download as Markdown/PDF/DOCX; we’ll provide a JSON dump of the rest on request.
  • Delete your account — Settings → Account → Delete. This is irreversible.
  • Revoke Gmail access from your Google account permissions page.
  • Cancel billing from Settings → Billing → Manage (Stripe Billing Portal).

California (CCPA), EU (GDPR), and other residents have additional rights including data portability and the right to object to processing. Email cory.salisbury@gmail.comwith “privacy request” in the subject line and we’ll respond within 30 days.

6. Security

We use HTTPS for all traffic, Firebase Auth for session management, server-side admin SDK for Firestore writes (no client-side direct DB access), bcrypt-equivalent hashing for stored secrets (extension tokens are sha-256 hashed; we never store plaintext). No system is perfectly secure. If you discover a vulnerability, please emailcory.salisbury@gmail.comwith “security” in the subject.

7. Children

JobScout is not directed to children under 18. We do not knowingly collect data from minors.

8. Cookies

We use one essential cookie (jobscout_session) to keep you signed in. We do not use tracking, advertising, or analytics cookies.

9. Changes

Material updates to this Policy will be announced via email and an in-app banner at least 30 days before they take effect.

10. Contact

Privacy questions, exports, or deletions: cory.salisbury@gmail.com.

This Policy is a baseline tailored to JobScout’s current data flows. Have an attorney review before scaling internationally or onboarding enterprise customers.