Privacy Policy
Last updated: February 2, 2026
1. Who we are
CareerNotesAI ("we," "us," "the Service") is an AI-powered career storytelling platform that helps users generate STAR responses and improve their interview preparation. This privacy policy explains what data we collect during the beta, why we collect it, how we store it, and how you can control it before we invite you into the public product.
2. What data we collect
- Account & identity data – name, email, company/role (if provided), billing address (when payment functionality is enabled), and any identity proofs you supply through Clerk or similar providers so you can sign in and receive beta updates.
- AI usage data – STAR responses, scoring, prompts, and supplemental notes you generate using the beta experience so we can improve suggestions and debug issues.
- Behavioral telemetry – timing/feature usage, session activity, diagnostic logs, IP addresses, browser/device details, and session duration from the web app to help us understand adoption and quality.
- Support/feedback data – messages you send via email, Slack, or in-app forms that include your feedback, discovery interview notes, and any attachments you provide.
- Invite data – when you use the invite-a-friend feature, we collect the email address of the person you invite and use it to send the invite email on your behalf. We store the recipient email, send status, and (if you are signed in) your account identifier for operational and analytics purposes.
- Billing & payment data (when payment functionality is enabled) – transaction IDs, subscription status, and payment processor tokens provided by Stripe or other payment partners. We do not store full credit card numbers or sensitive payment details locally.
3. Why we collect it
- Deliver and improve our core AI-powered STAR response generation, scoring, and career storytelling features.
- Manage payment subscriptions, invoices, trials, and refunds through our payment processor (when payment functionality is enabled).
- Understand what works and what's confusing during this beta so we can optimize the onboarding, guidance, and instructions.
- Provide quick support for discovery testers, including responses to questions, debugging data, and follow-ups.
- Send invite emails on your behalf when you use the invite-a-friend feature (we share the recipient’s email with our email delivery provider so the invite can be delivered).
- Monitor analytics, behavior, and performance to stabilize and expand the beta experience.
- Comply with legal obligations, protect the Service, and detect misuse or fraud.
- Maintain the security and reliability of the service by logging errors and infrastructure events.
4. How we share and protect it
Third-party services
We store and process data using trusted service providers in the following categories:
- Authentication providers – for user sign-in and session management
- Database and storage services – for securely storing your account data and content
- Hosting and infrastructure – for running the Service
- AI service providers – for generating STAR responses and scoring (OpenAI, Google Gemini, or similar)
- Payment processors (when billing is enabled) – for processing payments, managing subscriptions, and handling transaction records
- Email delivery provider – for sending invite emails on your behalf (e.g. Mailgun); the recipient’s email address is shared with this provider so the invite can be delivered
- Analytics and monitoring tools – for understanding usage patterns, improving the Service, and detecting errors
Each service is governed by its own privacy and security commitments. We do not sell your personal data to third parties.
Law enforcement & compliance
We may disclose your information if required by law, to comply with legal obligations, respond to government requests, protect our rights, or prevent fraud or security threats.
Security measures
- Data is encrypted in transit using HTTPS/TLS
- Sensitive data is encrypted at rest where applicable
- Access to production data is restricted to a small team with role-based permissions
- Credentials and API keys are rotated on a regular schedule
- We monitor infrastructure for suspicious activity and maintain backups
- Beta access is by invitation only, and we require authentication for all environments
5. Cookies & tracking
5.1 Types of cookies we use
We use the following types of cookies:
Essential cookies (required)
- Purpose: Session management, authentication, security (CSRF protection), and maintaining your login state
- Duration: Session-based (deleted when you close your browser) or persistent (expires after a set period)
- Can you opt out?: No – these are necessary for the Service to function securely
- Examples: Authentication tokens, session IDs, security tokens
Analytics and performance cookies (optional)
- Purpose: Understanding how you use the Service, identifying errors, improving performance, and measuring feature adoption
- Duration: Varies (typically 30 days to 2 years)
- Can you opt out?: Yes – you can disable these through your browser settings or cookie preferences
- Examples: Page views, feature usage, error tracking, performance metrics
Functional cookies (optional)
- Purpose: Remembering your preferences, settings, and choices to personalize your experience
- Duration: Varies (typically 30 days to 1 year)
- Can you opt out?: Yes – you can disable these through your browser settings
- Examples: Language preferences, UI customization, feature toggles
5.2 Third-party cookies
Some cookies may be set by third-party services we use (such as analytics providers). These are governed by the third party's privacy policy. We do not control these cookies directly.
5.3 Managing cookies
You can control cookies through:
- Browser settings: Most browsers allow you to refuse or accept cookies, delete existing cookies, or set preferences for specific websites
- Cookie consent banner: When you first visit, you may see a cookie consent banner where you can accept or reject non-essential cookies
- Service settings: Some cookie preferences may be adjustable within your account settings
Note: Disabling essential cookies may prevent the Service from functioning properly. Disabling analytics cookies will not affect core functionality but may limit our ability to improve the Service.
5.4 Cookie policy updates
Beta analytics instrumentation may evolve as we add more features and monitoring capabilities. We will update this section if we introduce new types of cookies or change how we use them.
6. Data retention
- User content and account data – we retain your beta data for the duration of your account and for at least 90 days after account deletion for audit and backup purposes.
- Billing records (when payment functionality is enabled) – invoices, receipts, and transaction records are retained according to standard accounting needs (typically 7 years) once payment functionality is live.
- Usage analytics – retained in aggregated or anonymized form for as long as needed to improve CareerNotesAI.
- Invite records – recipient email and send status are retained for operational and analytics purposes, in line with our general retention practices.
- You can request deletion of your data at any time (see section 8).
7. Your privacy rights (GDPR, CCPA, and other regulations)
7.1 Rights under GDPR (European users)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):
- Right of access – request a copy of the personal data we hold about you and information about how we process it
- Right to rectification – request correction of inaccurate or incomplete personal data
- Right to erasure ("right to be forgotten") – request deletion of your personal data when it's no longer necessary, you withdraw consent, or it was unlawfully processed
- Right to restrict processing – request that we limit how we use your data in certain circumstances
- Right to data portability – request your data in a structured, commonly used, machine-readable format
- Right to object – object to processing of your personal data for certain purposes (e.g., direct marketing)
- Right to withdraw consent – withdraw consent for processing that relies on consent (without affecting processing that occurred before withdrawal)
- Right to lodge a complaint – file a complaint with your local data protection supervisory authority
7.2 Rights under CCPA (California users)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):
- Right to know – request information about what personal information we collect, use, disclose, and sell
- Right to delete – request deletion of your personal information (subject to certain exceptions)
- Right to opt-out – opt out of the sale of personal information (we do not sell personal information)
- Right to non-discrimination – we will not discriminate against you for exercising your privacy rights
7.3 Legal basis for processing (GDPR)
We process your personal data based on the following legal bases:
- Consent – when you provide explicit consent (e.g., for analytics cookies, marketing communications)
- Contract performance – to provide the Service and fulfill our Terms of Service
- Legitimate interests – to improve the Service, ensure security, prevent fraud, and comply with legal obligations
- Legal obligation – to comply with applicable laws and regulations
7.4 How to exercise your rights
Submit privacy requests to careernotesai@gmail.com with:
- Your full name and email address associated with your account
- A clear description of the right you wish to exercise
- Any additional information needed to verify your identity
Response time: We will respond within 30 days (or as required by applicable law). We may require verification of your identity to protect your privacy and prevent unauthorized access.
No fee: Exercising your privacy rights is free, unless requests are manifestly unfounded or excessive.
7.5 Supervisory authority (GDPR)
If you are in the EEA, UK, or Switzerland and have concerns about how we handle your data, you have the right to lodge a complaint with your local data protection supervisory authority. Contact information for supervisory authorities can be found at:
- EEA: https://edpb.europa.eu/about-edpb/board/members_en
- UK: https://ico.org.uk/
- Switzerland: https://www.edoeb.admin.ch/edoeb/en/home.html
8. Your choices
- Review or delete – email careernotesai@gmail.com to request a copy of your records or have them deleted.
- Opt-out of marketing – reply "unsubscribe" to any update email or set preferences in your account settings.
- Data portability – ask for your exported STAR responses or notes in a structured format; we will respond within 30 days.
- Cookie preferences – adjust your browser settings to control non-essential cookies and tracking.
9. AI-generated content & beta notice
- Every STAR response, letter grade, and scoring signal is generated by AI. These outputs may contain errors or inconsistencies; you are responsible for reviewing and editing the content before use.
- The beta is experimental: features may change, degrade, or be removed, and support is limited to the channels listed on the beta landing page.
- By continuing to use the beta, you acknowledge that the product is not yet fully polished and agree to share feedback/discovery findings when asked.
- During beta, data export tools may take extra time as we build supporting infrastructure.
10. International data transfers
10.1 Data location
CareerNotesAI is operated from the United States. If you access the Service from outside the U.S., your data will be transferred to, stored on, and processed by servers located in the United States. By using the Service, you consent to this transfer.
10.2 GDPR and international transfers
If you are located in the EEA, UK, or Switzerland, we transfer your personal data to the U.S. based on:
- Standard Contractual Clauses (SCCs) – we use EU-approved standard contractual clauses with our service providers to ensure adequate protection
- Adequacy decisions – where applicable, we rely on adequacy decisions by the European Commission
- Your consent – by using the Service, you consent to the transfer of your data to the U.S.
10.3 Safeguards
We implement appropriate safeguards to protect your data during international transfers, including:
- Encryption in transit and at rest
- Standard contractual clauses with service providers
- Regular security assessments
- Compliance with applicable data protection laws
10.4 Your rights regarding transfers
If you have concerns about international data transfers or wish to exercise your rights, please contact us at careernotesai@gmail.com.
11. Updates to this policy
We may update this policy as CareerNotesAI evolves. We'll post the revised date at the top of this document and notify users via the beta dashboard or email as needed. Continued use of the Service after changes constitutes acceptance of the updated policy.
12. Support and contact information
12.1 General inquiries
For general questions about the Service, beta program, or features:
- Email: careernotesai@gmail.com
- Subject line: "Beta Inquiry" or "General Question"
- Response time: We aim to respond within 2-3 business days during beta
12.2 Privacy and data requests
For privacy-related requests (access, deletion, portability, etc.):
- Email: careernotesai@gmail.com
- Subject line: "Privacy Request" or "Data Request"
- Response time: We will respond within 30 days as required by law
- Required information: Your name, email, and a clear description of your request
12.3 Security and bug reports
For security vulnerabilities or bug reports:
- Email: careernotesai@gmail.com
- Subject line: "Security Issue" or "Bug Report"
- For security issues: Please report responsibly and do not publicly disclose vulnerabilities until we have addressed them
12.4 Feedback and feature requests
For product feedback, feature requests, or discovery conversations:
- Email: careernotesai@gmail.com
- Subject line: "Feedback" or "Feature Request"
- We welcome your input to improve the Service
12.5 Data protection officer (if applicable)
If you are located in the EEA, UK, or Switzerland and need to contact a Data Protection Officer, please email careernotesai@gmail.com with "DPO Inquiry" in the subject line.
12.6 Changes to data practices
If we collect any additional categories of data in the future (payments, expanded analytics, integrations, etc.), we will notify you by email and post the changes here.
Note: This is a beta version of our Privacy Policy. Some features (like payment processing) may not be active yet, but we've included relevant language to prepare for when they are. We will update this policy as the product and our data practices evolve.