Privacy Policy
Effective Date: February 19, 2026 · Last Updated: February 19, 2026
The Short Version
Vauric is a Career Intelligence System. You trust us with sensitive career data — resumes, interview recordings, job descriptions, and the strategic preparation built from them. We take that seriously.
Here is what you need to know:
1. Your career data is yours. We process it to deliver the service you are paying for. We do not sell it. We do not license it. We do not share it with advertisers.
2. Our AI providers do not train on your data. We use OpenAI's API for transcription and analysis. Our API agreements prohibit OpenAI from using your inputs or outputs to train their models.
3. We will never silently use your data for AI training. If we ever want to use your data to improve our own models, we will ask you first through an explicit opt-in toggle that is OFF by default. We have not built this feature yet. When we do, you will know.
4. You can delete everything. Account deletion removes your data from our database and triggers deletion of your files from storage. This is not a 90-day wait. We execute it.
5. This policy says what we DO and what we DO NOT do. No "may" language. No vague "we reserve the right" catchalls.
1. What Data We Collect
We collect exactly the data listed below. Nothing else.
Account Data
When you create an account, we collect:
- Email address — required for authentication and transactional communication.
- Full name — displayed in the application.
- OAuth provider and identifier — if you sign in with Google or LinkedIn, we receive your provider ID and basic profile information. We do not receive or store your OAuth password.
- Password hash — if you sign in with email/password, we store a one-way cryptographic hash. We never store your plaintext password.
Profile Data
During onboarding and account use, you provide:
- Current role — your current job title.
- Target roles — the roles you are pursuing.
- Years of experience — your career tenure.
- Target industries — industries you are exploring.
- Target companies — specific companies you are preparing for.
This data is used to personalize questions, research, and analysis. You can update or delete it at any time in your account settings.
Resume Data
When you upload a resume to The Impact Forge or for interview preparation:
- Resume files — stored in encrypted cloud storage. File path format: `resumes/{userId}/library/{timestamp}_{filename}`.
- Extracted attributes — current employer, current title, years of experience, key skills, and key accomplishments. These are parsed from your resume to generate personalized interview questions and career narratives.
Interview Session Data (The Anvil)
When you use The Anvil for interview practice:
- Audio recordings — stored in encrypted cloud storage. File path format: `audio/{userId}/{sessionId}/{questionIndex}/{timestamp}.{ext}`.
- Audio duration — the length of each recording.
- Transcripts — generated by OpenAI Whisper from your audio recordings.
- AI-generated questions and context — the questions generated for your session, including category (behavioral, situational, leadership, technical, strategic, problem-solving, values, career).
- Verdict — the assessment result (pass, lean pass, or needs work).
- Detailed feedback — structured feedback on your response.
- Experience summaries — synthesized summaries connecting your experience to the question context.
- Session metadata — toughness level selected, session type (standard, job-specific, or foundry), start time, completion time, and status.
Impact Lab Data (The Impact Forge)
When you use The Impact Forge for narrative extraction:
- Resume analysis results — the structured analysis of your resume.
- Chat history — the conversational interrogation where we extract quantified accomplishments from your career data.
- Selected bullets and bullet progress — the impact statements you select and refine.
Job Description Data
When you paste a job description:
- Raw text — the full text you provide.
- Company name and job title — extracted from the posting.
- AI analysis — the structured analysis of role requirements, skills, and priorities.
Company Research Data (The Foundry / Strategic Edge Intelligence)
When we research a company for you:
- Company profile — overview, leadership, financials, market position, competitors, product and value proposition, news and trends, headwinds and tailwinds, and interview angles.
- Strategic Edge analyses — hidden needs audit, competitive conquest briefing, experience splice, and greatness plan. These are generated from the intersection of your career data, the job description, and the company research.
Company profiles are shared resources. Multiple users preparing for the same company see the same base company research. Your Strategic Edge analyses are unique to you and are never visible to other users.
Payment Data
- Stripe customer ID and subscription ID — stored in our database to manage your subscription.
- Subscription tier, status, and trial dates — stored to enforce access controls.
- Payment method details — handled entirely by Stripe. We never see, store, or process your credit card number, CVV, or billing address. Stripe is PCI DSS Level 1 certified.
Behavioral and Analytics Data
We track product usage events through PostHog to understand how the application is used and where it breaks. These events include:
- Session lifecycle events — session created, question answered, question skipped, session completed, session abandoned.
- Feature adoption events — resume uploaded, impact lab used, job posting added, strategic edge viewed.
- Conversion funnel events — upgrade prompts shown, trial milestones, paid conversion, churn.
- Navigation events — dashboard viewed, past session reviewed, onboarding steps.
- Device and browser information — collected automatically by PostHog.
These events contain session IDs, question counts, durations, and feature flags. They do not contain the content of your resumes, transcripts, interview answers, or job descriptions.
2. How We Use Your Data: The Three-Tier Framework
We organize all data use into three explicit tiers. Each tier has different rules and different consent requirements.
Tier 1: Service Delivery (Required)
What this means: We process your data through AI providers to deliver the features you are using.
Specifically:
- Your resume text is sent to OpenAI's API to extract accomplishments and generate career narratives (The Impact Forge).
- Your job descriptions and company names are sent to OpenAI's API to generate company research profiles and strategic analyses (The Foundry / Strategic Edge Intelligence).
- Your audio recordings are sent to OpenAI's Whisper API for transcription. The transcripts and your career context are sent to OpenAI's API to generate interview questions, assess your responses, and produce feedback (The Anvil).
- Generated question text is sent to Google Cloud Text-to-Speech to produce the audio voice that reads questions aloud. No user data (resumes, transcripts, answers) is sent to Google Cloud TTS — only the AI-generated question text.
The rules:
- OpenAI's API data usage policy (for API customers) states that data sent through the API is not used to train OpenAI's models. Our usage is covered under this policy.
- We send only the minimum data necessary for each API call. We do not send your full account profile to every API request.
- No consent toggle is needed for Tier 1 because this is the core service delivery. If you use The Anvil, your audio is transcribed. If you use The Impact Forge, your resume is analyzed. The product does not function without this processing.
Tier 2: Aggregated Product Improvement (Anonymized)
What this means: We analyze de-identified, aggregate patterns to improve how the product works.
Specifically:
- Which question categories (behavioral, technical, leadership) produce the most "needs work" verdicts across all users — so we can improve question calibration.
- Average audio duration by toughness level — so we can set better time guidance.
- Which Strategic Edge sections users spend the most time reading — so we can improve the research output structure.
- Conversion and retention patterns — so we can understand where the product delivers value and where it falls short.
- Feature adoption rates — so we can prioritize development.
The rules:
- Tier 2 data is genuinely de-identified. We strip user IDs, email addresses, names, company names, and any content that could identify an individual.
- We do not analyze individual resumes, transcripts, or narrative content under Tier 2. We analyze counts, durations, categories, and verdicts.
- This is standard product analytics. PostHog processes these aggregate patterns.
Tier 3: Direct Training Contribution (Explicit Opt-In Only)
What this means: Using your actual career content — resume text, transcripts, interview responses, feedback pairs — to train or fine-tune Vauric's own models or evaluation systems.
The current state: We do not do this today. We have not built this feature. No user data has been used for model training.
When we build this, here is exactly how it will work:
- A dedicated toggle in your account settings, clearly labeled, OFF by default.
- Plain-language explanation of exactly which data types would be included: resume analysis outputs, transcript-feedback pairs, and/or impact narrative drafts.
- You will choose which data types to include. It is not all-or-nothing.
- You can turn the toggle off at any time. When you opt out, your data is excluded from future training batches. Data already incorporated into a trained model cannot be individually extracted (this is a technical limitation of how machine learning works, and we will state that clearly in the opt-in screen).
- We will consider offering a tangible benefit (such as a subscription discount) for users who opt in. We will disclose any such benefit at the time of the opt-in.
- We will never retroactively enroll your data. Turning this toggle on applies going forward from the moment you activate it.
3. Our Subprocessors: Every Service That Touches Your Data
| Service | Purpose | Data It Receives |
|---|---|---|
| AWS RDS PostgreSQL (us-east-2, Ohio) | Primary database | All structured data: account info, profiles, session records, analyses, feedback, chat history |
| AWS S3 (us-east-2, Ohio) | File storage | Audio recordings, uploaded resume files |
| Vercel (US regions) | Application hosting | HTTP request data, session cookies, server-side rendered pages |
| OpenAI API | Transcription (Whisper), analysis and generation (GPT-4o, GPT-4o-mini, o4-mini) | Resume text, job description text, transcripts, career context for question generation, response text for feedback generation |
| Google Cloud Text-to-Speech (Neural2) | Voice synthesis for interview questions | AI-generated question text only. No user content (resumes, transcripts, answers, job descriptions) is sent. |
| Stripe | Payment processing | Email address, payment method (processed by Stripe, not stored by us), subscription metadata |
| PostHog (US cloud) | Product analytics | Behavioral events (feature usage, session lifecycle, conversion funnels), device and browser information. Does not receive resume content, transcripts, or interview answers. |
| NextAuth v5 | Authentication | OAuth tokens, session cookies |
| Loops | Email automation | Email address, first name, behavioral triggers (e.g., trial started, session completed). Does not receive career content. |
We do not use any additional subprocessors beyond those listed above. If we add a new subprocessor, we will update this policy before routing any user data to the new service.
4. What We Do NOT Do
These are absolute statements, not hedged possibilities:
We do not sell your data. Not to advertisers, data brokers, recruiters, employers, or anyone else. Under no circumstances.
We do not share your data with advertisers. PostHog analytics data is used internally for product decisions. We do not export it to ad platforms.
We do not let recruiters or employers see your data. Your resumes, transcripts, interview scores, and preparation materials are not accessible to any third party.
We do not use your career content for AI model training. Not today. Not without your explicit opt-in. See Tier 3 above.
We do not send your data to undefined “affiliates and partners.” Every service that touches your data is named in the subprocessor table above.
We do not retain your data after account deletion. When you delete your account, your data is deleted. See the retention section below.
We do not claim a perpetual, worldwide, irrevocable license to your content. Your career data is yours. We process it to deliver the service. When you leave, your data leaves.
We do not use your interview recordings for anything other than transcription and feedback. Your audio is transcribed by OpenAI Whisper, analyzed for feedback, and stored for your review. It is not played by humans, used for voice profiling, or shared externally.
We do not build shadow profiles. If you do not create an account, we do not collect or store your data. There is no tracking of non-users.
We do not apply retroactive policy changes to your existing data. If we change this policy, the new terms apply to data collected after the change date. We do not reinterpret data you already provided under previous terms.
5. Data Retention and Deletion
While Your Account Is Active
| Data Type | Retention | Storage Location |
|---|---|---|
| Account data (email, name, OAuth) | Retained while account is active | AWS RDS PostgreSQL |
| Profile data (roles, experience, targets) | Retained while account is active | AWS RDS PostgreSQL |
| Resume files | Retained while account is active. Moved to lower-cost storage tier after 30 days of no access. | AWS S3 |
| Audio recordings | Retained while account is active. Moved to lower-cost storage tier after 30 days of no access. | AWS S3 |
| Session records, transcripts, feedback | Retained while account is active | AWS RDS PostgreSQL |
| Impact Lab sessions and chat history | Retained while account is active | AWS RDS PostgreSQL |
| Job descriptions and analyses | Retained while account is active | AWS RDS PostgreSQL |
| Strategic Edge analyses | Retained while account is active | AWS RDS PostgreSQL |
| Payment metadata (Stripe IDs, subscription status) | Retained while account is active | AWS RDS PostgreSQL |
| Analytics events | Retained per PostHog's data retention policy (currently 12 months) | PostHog cloud |
After Account Deletion
When you delete your account:
1. Database records — all data associated with your user ID is permanently deleted via cascading deletion. This includes: session records, transcripts, feedback, Impact Lab sessions, chat history, job descriptions, analyses, Strategic Edge analyses, profile data, and account data.
2. Resume files — deletion requests are issued to AWS S3. Files are removed within 24 hours.
3. Audio recordings — deletion requests are issued to AWS S3. Files are removed within 24 hours.
4. Stripe — we do not delete your Stripe customer record because Stripe requires retention for tax and legal compliance. Your Stripe record contains your email and payment history. You can contact Stripe directly to request deletion of your Stripe data.
5. PostHog — analytics events associated with your user are anonymized. PostHog does not retain identifiable data after we issue a deletion request.
6. Loops — your email address and profile are deleted from Loops within 24 hours.
7. OpenAI — per OpenAI's API data retention policy, API inputs and outputs are retained for up to 30 days for abuse monitoring, then deleted. We cannot accelerate this timeline, but OpenAI does not use API data for model training.
Inactive Accounts
We do not automatically delete inactive accounts. If we ever implement an inactivity-based deletion policy, we will notify you by email at least 30 days before any deletion occurs.
6. Your Rights
Regardless of where you live, we honor these rights for all Vauric users:
Right to Access
You can request a copy of the personal data we hold about you. This includes your account information, profile data, resume text, audio recordings, transcripts of your responses, and job descriptions you provided. We will provide it in a structured, machine-readable format (JSON) within 30 days of your request.
Vauric's proprietary analytical outputs — including feedback scoring models, Strategic Edge methodology, Impact Forge narrative frameworks, and the structured analyses generated by our systems — are Vauric's intellectual property and are not included in data access requests. You have access to these outputs through the application while your account is active.
Right to Deletion
You can delete your account at any time from your account settings. This triggers the full deletion process described in Section 5. If you want to delete specific data (e.g., a single session or a single resume) without deleting your entire account, you can do so from within the application.
Right to Correction
You can update your profile data, delete and re-upload resumes, and delete specific sessions at any time within the application.
Right to Data Portability
You can request an export of your personal data (account information, profile data, resume text, transcripts, and job descriptions you provided) in a structured format. Contact us to request an export.
Proprietary analyses, scoring models, and strategic intelligence generated by Vauric's systems are not included in portability exports. These outputs are derived works produced by Vauric's intellectual property and are available to you through the application during your subscription.
Right to Opt Out of Tier 3 Training
If and when we implement Tier 3 (direct training contribution), the toggle is OFF by default. You do not need to take any action to opt out. If you opt in and later change your mind, turn the toggle off. Your data will be excluded from future training batches.
Right to Restrict Processing
If you believe we are processing your data incorrectly, you can contact us to request that we restrict processing while we investigate.
Right to Object
You can object to any processing described in this policy. Contact us, and we will either stop the processing or explain the specific legal basis that requires it.
To exercise any of these rights, email privacy@vauric.com.
8. Children's Privacy
Vauric is designed for mid-career professionals. We do not knowingly collect data from anyone under the age of 16. If we learn that a user is under 16, we will delete their account and all associated data immediately.
9. International Data Transfers
Vauric's infrastructure is hosted in the United States (AWS us-east-2, Vercel US regions, PostHog US cloud). If you access Vauric from outside the United States, your data is transferred to and processed in the United States.
For users in the European Economic Area (EEA), United Kingdom, or Switzerland: we rely on Standard Contractual Clauses (SCCs) as the legal mechanism for these transfers. Our subprocessors (AWS, Vercel, OpenAI, Stripe, PostHog, Google Cloud, Loops) each maintain their own SCC commitments.
10. California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:
Right to Know
You have the right to know what personal information we collect, how we use it, and who we share it with. This policy is our disclosure. You can also request a specific accounting of your data by contacting us.
Right to Delete
You can delete your account and all associated data as described in Section 5.
Right to Opt Out of Sale or Sharing
We do not sell your personal information. We do not share your personal information with third parties for cross-context behavioral advertising. There is nothing to opt out of because we do not engage in these practices.
Under the CPRA's broad definition of "sale" (which includes sharing data for valuable consideration): we confirm that no data exchange with any of our subprocessors constitutes a sale. Our subprocessors process data solely to provide their services to us, under contractual terms that prohibit them from using it for their own purposes.
Right to Correct
You can correct your personal information at any time through your account settings.
Right to Limit Use of Sensitive Personal Information
We treat all career data (resumes, transcripts, interview recordings) as sensitive. We use it solely for the service delivery purposes described in Tier 1. We do not use it for profiling, advertising, or any purpose outside the three tiers described in this policy.
Non-Discrimination
We will not discriminate against you for exercising any of your CCPA/CPRA rights. Exercising your rights will not affect your pricing, service quality, or access.
11. European Economic Area Residents (GDPR)
If you are in the EEA, UK, or Switzerland, the following applies:
Legal Bases for Processing
| Processing Activity | Legal Basis |
|---|---|
| Tier 1: Service delivery (AI processing of your career data) | Performance of contract (Article 6(1)(b)) |
| Account creation and authentication | Performance of contract |
| Payment processing via Stripe | Performance of contract |
| Tier 2: Aggregated product analytics | Legitimate interest (Article 6(1)(f)) — improving service quality using de-identified data |
| Email communications via Loops (transactional) | Performance of contract |
| Email communications via Loops (product updates) | Legitimate interest, with unsubscribe available |
| Tier 3: Training contribution (if implemented) | Explicit consent (Article 6(1)(a)) |
Data Controller
Vauric is the data controller for all personal data processed through the service.
Vauric
[Address placeholder]
[Contact placeholder]
Data Protection Officer
For GDPR-related inquiries, contact: privacy@vauric.com
Right to Lodge a Complaint
You have the right to lodge a complaint with your local data protection supervisory authority if you believe we are processing your data unlawfully.
Data Minimization
We collect only the data listed in Section 1. We do not collect data speculatively. Each data field serves a specific, named purpose in service delivery.
Storage Limitation
We retain data only while your account is active and for the specific post-deletion periods described in Section 5. We do not retain data indefinitely after you leave.
12. Changes to This Policy
When we update this policy:
- We will post the updated policy at this URL with a new "Last Updated" date.
- If the changes are material (new subprocessors, new data uses, changes to the three-tier framework), we will notify you by email at least 14 days before the changes take effect.
- We will not retroactively apply new terms to data already collected under previous terms.
- We will maintain a changelog at the bottom of this policy summarizing what changed and when.
13. Contact Us
For privacy questions, data requests, or to exercise any of your rights:
Email: privacy@vauric.com
Subject line format: "Privacy Request: [Your Request Type]"
Mailing address: No Address Listed
We respond to all privacy requests within 14 days. For complex requests (full data export), we respond within 30 days and will notify you if we need additional time.
Changelog
| Date | Change |
|---|---|
| February 19, 2026 | Initial policy published |