Legal
Privacy Policy
01Introduction
This Privacy Policy (“Policy”) describes how Revectro (“we,” “us,” or “our”) collects, uses, stores, and discloses information in connection with the operation of revectro.com and any related services (collectively, the “Service”). By accessing or using the Service, you (“User,” “you”) consent to the practices described in this Policy. If you do not agree, do not use the Service.
This Policy should be read in conjunction with our Terms of Service.
02Information we collect
2.1Account information. When a User creates an account, we collect the User's email address, an optional display name, and a cryptographic hash of the User's chosen password. We do not store passwords in plain text and cannot recover them.
2.2User content. When a User uses the Service, we store the content the User creates or uploads, including but not limited to: job application records, contact records, notes, email messages saved by the User, uploaded résumés (including original file contents), and artifacts produced by the AI features such as analyses, revisions, and recommendations.
2.3Operational logs. We maintain a per-User log of invocations of each AI-powered feature for the purposes of enforcing usage limits, detecting abuse, and operational diagnostics.
2.4Usage, analytics, and diagnostic information. We use third-party product-analytics, session-replay, and error-monitoring services (described in Section 3) to understand how the Service is used, to diagnose problems, and to improve the product. These services may collect: pages viewed and features used; clicks and other interactions; a session recording (a “replay”) of how the interface is used, which may include content you view and enter, such as your résumés; browser and device type; an approximate location derived from your IP address; and error and diagnostic data. We mask password fields from these recordings. We do not use advertising identifiers and do not collect this information for advertising purposes.
2.5Forwarded email. Each account includes a private, randomly generated ingest address to which the User may forward (or blind-copy) email. For each message received at this address we store: the plain-text content of the message; the extracted text of supported attachments (PDF, Word, plain-text, and Markdown documents); the sender address and subject line; and attachment metadata (file names, types, and sizes). We do not store original attachment files, and we never store or render the message's HTML form. This content is processed, as described in Section 3.3, to extract career-related information — contacts, applications, and notes — which is presented to the User for review; nothing is added to the User's records without the User's explicit per-item confirmation. Raw forwarded content is retained only on the limited schedule described in Section 5.4.
03Processing, hosting, and our access
3.1Storage. All persistent information described in Section 2 is stored in a managed PostgreSQL database operated by Neon Inc. (“Neon”) in the AWS US-East-1 region (Virginia, United States). Neon encrypts data at rest and maintains SOC 2 Type 2 certification.
3.2Application runtime. The Service's application code is hosted by Vercel Inc. (“Vercel”). During the lifecycle of an individual request, Vercel's runtime reads, processes, and returns information on behalf of the User. Vercel does not retain a copy of the information outside of the request lifecycle.
3.3AI processing. The Service uses third-party large language model services provided by Anthropic, PBC (“Anthropic”) for analytical and generative features. When a User invokes such a feature, the relevant content is transmitted to Anthropic's API for processing. Email forwarded to a User's ingest address (Section 2.5) is processed the same way, automatically upon receipt — forwarding a message there is the User's instruction to extract from it. If extraction cannot run at receipt (for example, because the User's monthly AI allowance is exhausted), the Service retries it automatically after the allowance resets. Per Anthropic's current data policy, API inputs are not used to train Anthropic's models and are retained for up to thirty (30) days for trust and safety purposes, after which they are deleted. We do not control Anthropic's retention practices.
3.4Captcha and DNS. We use services provided by Cloudflare, Inc. (“Cloudflare”), specifically the Turnstile bot-prevention service on authentication pages and DNS services for revectro.com. Cloudflare processes connection metadata and captcha challenge tokens in the ordinary course of providing these services.
3.5Email delivery and receiving. Email the Service sends — transactional messages (e.g., account verification, password reset) and, for Users who have them enabled, periodic summary emails reflecting the User's own activity — is delivered by Resend, Inc. (“Resend”). Transactional emails contain only the information necessary to complete the relevant action. Resend also operates the inbound side of the forwarded-email feature described in Section 2.5: email sent to a User's ingest address is received by Resend and delivered to the Service for processing. In the course of providing these services, Resend processes each message as sent, including any attachments.
3.6Source code. The Service's source code is hosted on GitHub (GitHub, Inc., a subsidiary of Microsoft Corporation). The source code does not contain User information.
3.7Product analytics and error monitoring. We use PostHog, provided by PostHog, Inc. (“PostHog”), hosted in the United States, for product analytics, session replay, and error monitoring. PostHog processes the usage, replay, and diagnostic information described in Section 2.4 on our behalf to help us understand and improve the Service. Session recordings may include content you view and enter within the Service; password fields are masked.
3.8No sale; no advertising. We do not sell User information for monetary consideration, and we do not share it with third parties for cross-context behavioral advertising. We disclose User information only to the service providers described in this Section 3, who process it on our behalf to operate and improve the Service, or where required by law.
3.9Our access to your content. Personnel of Revectro may access User Content, operational logs, and session recordings in order to provide support, diagnose and resolve technical problems, investigate suspected abuse or violations of the Terms of Service, comply with legal obligations, and develop and improve the Service. Such access is limited to these purposes and to personnel who need it to carry them out. While Revectro is operated by a small team, we treat your information as confidential and access it only as described here.
3.10Subprocessor list. The service providers named in Sections 3.1 through 3.7 — Neon, Vercel, Anthropic, Cloudflare, Resend, GitHub, and PostHog — are the subprocessors that process User information on our behalf. We maintain this list current and, for material changes to our use of subprocessors, will update this Policy and its Effective date.
04Security
4.1We employ commercially reasonable technical and organizational measures to protect User information, including: bcrypt password hashing with a cost factor of 12; TLS encryption of all traffic between Users, the Service, the database, and third-party processors; per-User authorization checks at the database query layer to prevent cross-account data access; HttpOnly and Secure session cookies; and storage of credentials and secrets in environment configuration rather than in source code.
4.2No method of transmission or storage is one hundred percent secure. While we strive to protect User information, we cannot guarantee its absolute security.
4.3Breach notification. In the event of a confirmed breach of security that compromises a User's personal information, we will notify affected Users without undue delay and as required by applicable law, by email to the address on file and, where appropriate, by a notice posted within the Service.
05Retention and deletion
5.1We retain information for as long as the User maintains an active account. Upon a User's request to close their account, we will delete the User's account and all associated content from the Service's primary database within fourteen (14) days. Cascading deletion removes all derived records.
5.2Backups of the database may persist for additional time as part of routine operational practice. We do not access backup data except to restore from operational failure.
5.3We have no control over information retained by Anthropic, Cloudflare, Resend, Vercel, GitHub, or Neon under their respective policies. We direct Users to the published policies of those processors for further detail.
5.4Raw forwarded email. The raw content of forwarded email (the stored message text and extracted attachment text described in Section 2.5) is kept on a shorter schedule than other User content. A forwarded message the User has not acted on expires thirty (30) days after receipt. The raw text of every forward is then cleared automatically: for messages whose extracted information the User accepted into their records, thirty (30) days after acceptance; for all others (discarded, expired, or failed), thirty (30) days after receipt. After clearing, we retain the record that the forward occurred — sender address, subject line, attachment metadata, dates, and disposition — and the extracted information that was presented for review, but no longer the raw message text. Account deletion under Section 5.1 removes these records entirely.
06User rights
6.1A User may at any time: (a) review the information associated with their account by signing in; (b) edit or correct information through the Service's interface; (c) export materials they have created (e.g., revised résumés); (d) request export or deletion of their account by contacting us at the address in Section 12.
6.2Where applicable law grants Users additional rights with respect to their personal information, we will honor such rights to the extent required by law upon Users' written request.
6.3Notice at collection (California). We collect the categories of personal information described in Section 2: identifiers (such as your email address and display name); account credentials in hashed form; commercial and professional information that you create, upload, or forward (such as job applications, contacts, notes, résumés, and forwarded email); internet and electronic activity information (such as usage, interaction, and session-replay data); and inferences or derived content produced by the AI features. We collect this information for the business purposes described in Section 3 — to provide, secure, support, and improve the Service. We retain it as described in Section 5. We do not sell or share personal information.
6.4California privacy rights. If you are a California resident, you have the right, subject to verification and to the exceptions permitted by the California Consumer Privacy Act as amended: (a) to know and access the personal information we have collected about you and how we use and disclose it; (b) to request deletion of your personal information; (c) to request correction of inaccurate personal information; and (d) to opt out of the sale or sharing of personal information — which does not apply to us, because we do not sell or share it. We will not discriminate against you for exercising any of these rights.
6.5How to exercise your rights. To exercise any right described in this Section, contact us at the address in Section 12. We will verify your request against the account information we hold and respond within the timeframe required by applicable law. You may use an authorized agent to submit a request on your behalf, in which case we may require proof of the agent's authorization and verification of your identity.
07Age restriction
The Service is intended for adults and is offered only to individuals who are at least eighteen (18) years of age, as stated in our Terms of Service. The Service is not directed to minors, and we do not knowingly collect information from anyone under eighteen. If we learn that we have inadvertently collected information from a person under eighteen, we will delete it promptly.
08Cookies and similar technologies
The Service uses cookies strictly necessary to operate the authentication system: a session-token cookie set upon sign-in and cleared upon sign-out, and a CSRF-protection cookie. In addition, the product-analytics and error-monitoring services described in Sections 2.4 and 3.7 may set cookies or use similar browser storage to measure how the Service is used. The Service does not use cookies for advertising.
09International users
The Service is operated from the United States. By using the Service, Users located outside the United States acknowledge and agree to the transfer of their information to, and processing within, the United States.
10Changes to this Policy
We may modify this Policy at any time at our sole discretion. We will indicate revisions by updating the “Effective date” at the top. For material changes, we will provide reasonable notice to signed-in Users prior to the changes taking effect. Continued use of the Service after such notice constitutes acceptance of the revised Policy.
11No warranty
The Service is provided on an “AS IS” and “AS AVAILABLE” basis. We make no representations or warranties with respect to the Service or the information processed thereby, except as expressly stated in this Policy.
12Contact
For questions about this Policy or requests under Section 6, contact: privacy@revectro.com
13Entire Policy
This document, together with the Terms of Service, constitutes the entire understanding between Users and Revectro with respect to the collection and use of information by the Service. Where any provision of this Policy is found unenforceable, the remaining provisions remain in full force.
Also read our Terms of Service — they govern how you may use the Service.