Privacy Policy

Last updated: 30 April 2026

MyPersona (“we”, “us”, “our”) is a career document generation service. This policy explains what data we collect, why we collect it, how we use it, and what rights you have over it. We have written it to be read, not just filed away.

1. What we collect

We collect only what is necessary to provide the service:

  • Account information: Your name, email address, and hashed password (or, if you sign in with Google, your Google profile). We never store your password in plain text.
  • Career data (your Brain): Everything you add to your Brain — work experience, education, skills, certifications, projects, and personal details. This is the core data the product is built around. You own it entirely.
  • Uploaded documents: When you upload a CV or Word document, we extract the text from it immediately and discard the file. We do not store the original binary. What remains is the extracted text, which we use to populate your Brain and which is then removed from our active processing pipeline.
  • Generated applications: The CV and cover letter output we produce for each job application, along with the job description or URL you provided.
  • Billing information: Subscription status and Stripe customer IDs. We do not store card numbers or payment details — those are held by Stripe.
  • Usage data: Generation counts, upload counts, and timestamps. No behavioural tracking, no advertising pixels, no fingerprinting.
  • Gmail (optional, Pro only): If you choose to connect Gmail for automated application tracking, we store an encrypted OAuth refresh token and a Gmail history checkpoint. We do not read your full inbox and we do not store email content. See Section 5 for the full breakdown of exactly how Gmail access works.

2. How we use your data

  • To provide the service: Your career data is sent to AI generation providers to generate CVs and cover letters. We currently use Anthropic (Claude) as our primary provider, with OpenAI (GPT-4.1) as an automatic fallback during periods of high demand. Your data may be processed by either provider and is subject to their respective data processing terms.
  • To send transactional emails: We use SendGrid to send email verification and password reset emails. We do not send marketing emails without your explicit consent.
  • To process payments: Stripe handles all payment processing. We receive webhook events to update your subscription status.
  • To notify ourselves of key events: We use a private Slack webhook to notify our team of signups, upgrades, and errors. No personal data beyond your email is included in these notifications.
  • To automate application tracking (optional): If you connect Gmail, we periodically fetch emails relevant to your tracked applications and pass the subject and body to our AI provider to determine if your application stage has changed. “Relevant” means: emails sent from a tracked company's own domain, emails whose Reply-To address matches a tracked company, or emails from a known applicant tracking system (ATS) like Greenhouse, Lever, or BambooHR — which is how most companies actually send job application updates. Email content is never stored after classification. See Section 5 for full detail.

3. What we do not do

  • We do not sell your data to third parties.
  • We do not use your career data to train AI models.
  • We do not store your uploaded CV files after parsing.
  • We do not track you across other websites.
  • We do not show you advertising.
  • We do not read your full Gmail inbox. If you connect Gmail, we only process emails that look like updates to applications you have explicitly added to your tracker — either because the sender domain matches a tracked company, the Reply-To address matches a tracked company, or the sender is a known applicant tracking system (ATS) and the email's content references one of your tracked applications.
  • We do not store email content. Emails are fetched, classified, and discarded immediately — nothing is written to our database.
  • We do not process emails unrelated to your tracked applications. Personal email, newsletters, social, marketing — none of it ever enters our processing pipeline.

4. Third-party services

The following third-party services process your data as part of delivering MyPersona:

  • Anthropic (Claude API): Primary AI provider — CV generation, document parsing, and email classification.
  • OpenAI (GPT-4.1): Fallback AI provider — used automatically when Anthropic is unavailable.
  • Google (Gmail API): Optional email tracking for application stage updates — only if you connect Gmail.
  • Google Cloud Pub/Sub: Notification routing — Gmail publishes a small message containing your email address and a Gmail history checkpoint when new mail arrives, so we know when to fetch updates. No email content travels through Pub/Sub. Only used when Gmail is connected.
  • Stripe: Subscription billing and payment processing.
  • SendGrid (Twilio): Transactional email delivery.
  • Cloudflare R2: Encrypted database backups.

5. Gmail & email access

This section explains exactly how Gmail access works when you choose to enable it. We are being deliberately specific because this is your inbox and you deserve a complete picture.

CASA Tier 2 verified

MyPersona's Gmail integration has completed Google's Cloud Application Security Assessment (CASA) Tier 2 — the independent security review Google requires for apps that handle restricted-scope data like Gmail. The flows below have been audited against this framework.

The short version

We only read emails about applications you are actively tracking — either from the company directly, or from the applicant tracking system (ATS) routing email on the company's behalf. We never read your personal or unrelated emails. We never store email content. You can disconnect at any time and all access is immediately revoked.

What access we request

When you connect Gmail, we request read-only access to your inbox via Google OAuth. This is the minimum scope required to fetch emails. We do not request permission to send, delete, modify, or manage your emails in any way.

How we know when there's new mail

In addition to checking periodically on a fixed schedule, we ask Gmail to notify our system when new mail arrives in your inbox. The notification contains only your email address and a Gmail checkpoint number — no email content. We then fetch the new messages via the same filtered process described below.

What we actually read

We do not scan your inbox broadly. We process an inbound email only when it matches an application you have explicitly added to your tracker, via one of three paths:

  1. Sender domain match. If you are tracking an application to a company at stripe.com, we process emails where the sender address ends in @stripe.com.
  2. Reply-To match. If the sender is a generic noreply address but the Reply-To header points to your tracked company (e.g. From: [email protected], Reply-To: [email protected]), we process the email under that tracked application.
  3. Applicant tracking system (ATS). Most companies route job application emails through ATS providers — Greenhouse, Lever, BambooHR, Workable, Ashby, SmartRecruiters, Jobvite, Recruitee, Teamtailor, iCIMS, Oracle Taleo, SAP SuccessFactors, and Workday. When an email arrives from one of these providers, we use the email's content to determine whether it relates to one of your tracked applications. If it does not — for example, recruiter sourcing from a company you have not applied to — we discard it and take no further action.

Emails from any other domain — your personal contacts, subscriptions, services unrelated to your tracked applications — are never fetched, never seen, and never processed by our system.
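
The three-path filter described above can be sketched as a header-routing function. This is an added example, not MyPersona's code: the function names, the result labels and the ATS domain are hypothetical, and the sample addresses are constructed.

```javascript
// Constructed sample data: the tracked-company and ATS sending domains
// below are placeholders, not MyPersona's real lists.
const TRACKED = new Set(["stripe.com"]);
const ATS = new Set(["ats-provider.example"]);

// Return the lower-cased domain of the address in a From/Reply-To value,
// or null if there is none. The display name is ignored, so
// "stripe.com <x@other.example>" resolves to other.example.
function domainOf(headerValue) {
  if (!headerValue) return null;
  const angle = headerValue.match(/<([^<>]*)>\s*$/);
  const addr = (angle ? angle[1] : headerValue).trim();
  const at = addr.lastIndexOf("@");
  if (at <= 0 || at === addr.length - 1 || /\s/.test(addr)) return null;
  return addr.slice(at + 1).toLowerCase();
}

// Decide which path, if any, admits a message to classification.
// Domains are compared for exact equality after the "@", which is what
// "ends in @stripe.com" means; a bare suffix test on "stripe.com" would
// also admit notstripe.com.
function routeEmail(headers) {
  const from = domainOf(headers.from);
  const replyTo = domainOf(headers.replyTo);
  if (from && TRACKED.has(from)) return "sender-domain";
  if (replyTo && TRACKED.has(replyTo)) return "reply-to";
  // ATS mail still needs the content check against tracked applications.
  if (from && ATS.has(from)) return "ats-content-check";
  return "ignore";
}
```

From and Reply-To are set by the sender, so this routing decides which messages are processed; it does not establish that a message is authentic.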

What we store

  • OAuth refresh token: Stored encrypted. This allows us to authenticate with Gmail on subsequent sync cycles without requiring you to re-authorise. It cannot be used to do anything other than what you authorised.
  • Gmail history ID: A checkpoint value (a number) that tells us where we last synced up to, so we only fetch new emails. This contains no email content.

What we do not store

  • Email subject lines.
  • Email body text.
  • Sender names or addresses (beyond confirming the domain matches).
  • Attachments or any other email metadata.

When we fetch an email that matches one of your tracked applications via any of the three paths above, we pass the subject and body to our AI provider to identify which tracked application it relates to (in the case of ATS-routed mail) and to classify whether it indicates a change in your application status (e.g. “interview request”, “rejection”, “offer extended”). After classification, the email text is discarded. Only the resulting status update (e.g. “stage changed to Interview”) is written to your application tracker.

Disconnecting

You can disconnect Gmail at any time from Settings → Integrations. When you disconnect, we immediately delete your OAuth refresh token and history checkpoint from our database. Google also revokes access at the OAuth level, which you can verify in your Google account permissions. After disconnection, we have zero access to your Gmail account.

6. Coach Mode (B2B coaching workspaces)

Coach Mode is an optional B2B feature for career coaches, recruiters, and outplacement consultants. If you are using Coach Mode — either as a coach or as a coach's client — additional data flows apply.

If you are a coach

  • You are responsible for obtaining your client's consent before adding them to your workspace, especially if you upload their CV or other documents on their behalf.
  • Acting on a client profile means our system processes that client's career data (Brain, applications, CVs, cover letters) under your account session. We treat coaches as a “data processor” for client data; MyPersona is the “controller”.
  • If you upload a logo for branded PDF exports, the logo is stored in our R2 storage and applied to documents your clients receive.

If you are a client of a coach

  • Your coach can build a profile for you in two modes: managed-only (no login required from you) or invited (you receive an email and can sign in to view their work).
  • If you accept an invite and already have a personal MyPersona account, you choose at acceptance time whether to share your existing profile with your coach or have them work on a separate fresh profile. We default to the privacy-first option (separate profile).
  • You can revoke a coach's access at any time from your account, even after accepting. Your data remains yours.
  • When coaching ends and your coach archives your profile, we transfer your career facts (work history, skills, education) to your personal MyPersona account as a snapshot. The coach retains a record of the work they did. You retain copies of all CVs they generated for you.

Right of erasure (always overrides coach ownership)

Even when a coach is the contractual customer holding your data, you (the data subject) retain the GDPR/CCPA right to request deletion of personal data about you. We will comply with such requests directly — your coach's ownership of the workspace does not block you from deleting data that is about you. Email [email protected].

What we do NOT do in Coach Mode

  • We do not let coaches connect or read their clients' Gmail. Gmail integration is per-user and personal.
  • We do not share client lists, profiles, or data between different coaching workspaces.
  • We do not let one coach see another coach's clients.
  • We do not auto-create accounts for clients. Account creation always requires the client's explicit signup.

7. Data retention

  • Free accounts: Generated applications are deleted after 30 days of inactivity.
  • Pro accounts: Applications are retained indefinitely while the subscription is active.
  • Brain data: Retained until you delete it or close your account.
  • Uploaded documents: The original file is discarded immediately after text extraction. The extracted text is processed in the background and not retained as a raw text store after Brain parsing completes.
  • Gmail credentials: Retained only while Gmail is connected. Deleted immediately upon disconnection or account deletion.
  • Coach Mode profiles: Active client profiles are retained while the coach's subscription is active. Archived clients are kept indefinitely as read-only history (they do not count toward the seat cap). On subscription lapse, profiles are locked but not deleted; deletion requires manual action, with a 90-day grace period.

8. Your rights

You have the right to:

  • Access your data: Everything we hold about you is visible in your Brain and application history.
  • Correct your data: You can edit your Brain at any time from the Brain page.
  • Delete your data: You can delete your account from Settings → Danger Zone. This permanently deletes your Brain, all applications, and your account. There is no undo.
  • Reset your Brain: You can wipe all career data while keeping your account from Settings → Danger Zone → Reset Brain.
  • Revoke Gmail access: Disconnect at any time from Settings → Integrations, or directly via your Google account settings.
  • Portability: Your generated CVs can be exported as PDF or Word documents at any time.

For requests related to GDPR, CCPA, or other data protection regulations, contact us at the address below.

9. Security

Passwords are hashed with bcrypt before storage. OAuth tokens (including Gmail credentials) are encrypted at rest using AES-256-CBC with a random IV per token. All data is transmitted over HTTPS. MongoDB and Redis are bound to localhost only and are not accessible from the public internet. Database backups are encrypted and stored in Cloudflare R2. The Gmail OAuth flow is protected against cross-site request forgery (CSRF) — we generate a cryptographically random nonce at flow initiation, store it in a short-lived httpOnly cookie, and reject any callback where the returned state does not match. We follow responsible disclosure principles and encourage security researchers to contact us directly.
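
The OAuth state check described above, as an added Node.js example that is not MyPersona's code. The cookie name, the lifetime and the function names are assumptions.

```javascript
const crypto = require("node:crypto");

const STATE_COOKIE = "oauth_state"; // hypothetical cookie name
const STATE_TTL_SECONDS = 600;      // assumed "short-lived" lifetime

// Flow initiation: mint the nonce. `state` goes into the authorization
// URL; `setCookie` is the Set-Cookie header value for the same response.
function beginOAuthFlow() {
  const state = crypto.randomBytes(32).toString("base64url");
  // SameSite=Lax, not Strict: the callback is a cross-site top-level
  // redirect from the provider, and a Strict cookie would not be sent.
  const setCookie =
    `${STATE_COOKIE}=${state}; Max-Age=${STATE_TTL_SECONDS}; ` +
    "Path=/; HttpOnly; Secure; SameSite=Lax";
  return { state, setCookie };
}

// Pull one cookie value out of a raw Cookie request header.
function readCookie(cookieHeader, name) {
  for (const part of (cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq !== -1 && part.slice(0, eq).trim() === name) {
      return part.slice(eq + 1).trim();
    }
  }
  return null;
}

// Callback: accept only when the returned state equals the cookie value.
// A missing cookie or missing state is a rejection, never a pass.
function verifyOAuthCallback(returnedState, cookieHeader) {
  const expected = readCookie(cookieHeader, STATE_COOKIE);
  if (typeof returnedState !== "string" || !expected) return false;
  const a = Buffer.from(returnedState);
  const b = Buffer.from(expected);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}
```

On a successful callback the cookie should also be cleared so the nonce cannot be reused.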

10. Cookies

We use a single session cookie set by NextAuth to keep you signed in. We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

11. Changes to this policy

If we make material changes to this policy, we will update the date at the top and, where appropriate, notify you by email. Continuing to use MyPersona after changes are posted constitutes acceptance of the updated policy.

12. Contact

Questions or requests regarding your data: [email protected]