Privacy Policy

Welcome to Plyphr ("we," "us," "our," or the "Company"). We operate the web application available at plyphr.vercel.app (the "Service"). This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our Service.

By accessing or using Plyphr, you agree to the terms of this Privacy Policy. If you do not agree, please do not use the Service.

2.1 Information You Provide Directly

When you create an account and use our Service, we collect the following categories of information:

• Account Information: Name, email address, and encrypted password.
• Profile and Career Data: Resume/CV content, professional skills, work experience, education history, and career goals that you input into the platform.
• Interview Data: Company names, job descriptions, role details, and interview-specific information you provide for coaching sessions.
• AI Interaction Data: Your responses during mock interviews, practice sessions, and any text or voice inputs during coaching exercises.
• Feedback Data: Ratings, thumbs up/down feedback, and any comments you provide about the Service's outputs.
• Payment Information: When you subscribe to a paid plan, payment processing is handled entirely by Stripe. We do not store your credit card number, CVV, or full billing details on our servers. We only receive a confirmation of your subscription status and a truncated card identifier for your reference.

2.2 Information Collected Automatically

When you access the Service, we automatically collect:

• Usage Data: Pages visited, features used, session duration, and interaction patterns within the application.
• Device and Technical Data: Browser type, operating system, IP address, device identifiers, and general location (country/region level only).
• Log Data: Server logs including access times, error logs, and API request metadata.

2.3 Information Generated by the Service

Our AI systems generate the following data based on your inputs:

• Intelligence reports, battle plans, predicted interview questions, and personalized answers.
• CV rewrites, LinkedIn optimization suggestions, follow-up email drafts, and salary negotiation guidance.
• Performance scores, speech analytics, and debrief summaries from practice sessions.

• Service Delivery: To provide AI-powered Plyphr coaching, generate personalized content, and deliver the core features of the platform.
• AI Processing: To send relevant portions of your data to our AI providers (Anthropic Claude API, OpenAI Embeddings API) strictly for generating coaching outputs. These providers process data according to their enterprise API terms and do not use your data to train their models.
• Service Improvement: To analyze aggregated, anonymized usage patterns to improve our algorithms, features, and user experience.
• Account Management: To manage your account, authenticate your identity, and communicate with you about your account or the Service.
• Security: To detect, prevent, and address fraud, abuse, security incidents, and technical issues.
• Legal Compliance: To comply with applicable laws, regulations, and legal processes.

We follow the principle of data minimization — we only collect and process the minimum amount of personal data necessary to provide the Service. Specifically:

• We only send to AI providers the specific portions of your data relevant to the current coaching task, not your entire profile.
• We do not collect demographic data beyond what is needed for account creation.
• Temporary processing data (e.g., intermediate AI outputs) is discarded after the final result is delivered to you.

• We do not sell your data to advertisers, data brokers, or any third party.
• We do not share your data with marketing companies.
• We do not allow third parties to access your personal data for their independent use.
• We do not use your data for targeted advertising by third parties.

5.1 Limited Service Providers

We use the following service providers strictly to operate the Service. These providers act as data processors under our instruction and are contractually obligated to protect your data:

These providers only process data as necessary to provide their services to us and are prohibited from using your data for any other purpose.

6.1 Storage

Your data is stored on secure servers provided by Supabase (AWS infrastructure). All data is stored in encrypted databases with access controls.

6.2 Security Measures

We implement industry-standard security measures including:

• Encryption of passwords using bcrypt hashing.
• HTTPS/TLS encryption for all data in transit.
• Rate limiting to prevent abuse (30 requests per minute).
• Input validation and sanitization at all system boundaries.
• Access controls and authentication for all API endpoints.
• Regular security reviews and monitoring.
• Automatic session expiration after periods of inactivity.

6.3 Security Limitations

While we take commercially reasonable measures to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your information. In the event of a data breach that affects your personal data, we will notify you and the relevant authorities as required by applicable law.

• Account Data: We retain your account data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except as required by law.
• AI-Generated Content: Plyphr coaching outputs are retained as part of your account data and are deleted when you delete your account.
• Usage Logs: Anonymized usage and technical logs may be retained for up to 12 months for security and service improvement purposes.
• Payment Records: Transaction records are retained as required by financial regulations (typically up to 7 years), even after account deletion.

8.1 General Rights (All Users)

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your account and associated personal data.
• Data Export: Request a portable copy of your data in a commonly used format (JSON or CSV).

8.2 European Economic Area (EEA) / UK Residents — GDPR

If you are located in the EEA or UK, you additionally have the right to:

• Restrict or object to certain processing of your data.
• Withdraw consent at any time where processing is based on consent.
• Lodge a complaint with your local data protection authority.
• Request information about automated decision-making processes that affect you.

Legal Basis for Processing: We process your data based on: (a) performance of a contract (providing the Service), (b) legitimate interests (security, service improvement), and (c) your consent where applicable.

8.3 California Residents — CCPA/CPRA

If you are a California resident, you have the right to:

• Know what personal information we collect and how it is used.
• Request deletion of your personal information.
• Opt out of the sale of personal information (note: we do not sell personal information).
• Non-discrimination for exercising your privacy rights.
• Limit the use of sensitive personal information.

8.4 How to Exercise Your Rights

To exercise any of these rights, contact us at: leonallendel@gmail.com

We will respond to verified requests within 30 days (or within the timeframe required by applicable law).

We use the following cookies and similar technologies:

• Essential Cookies: Required for authentication and basic functionality (session tokens, CSRF protection).
• Functional Cookies: To remember your preferences and settings within the application.

We do not use third-party advertising cookies or cross-site tracking technologies.

Do Not Track Signals

Our Service respects "Do Not Track" (DNT) browser signals. Since we do not engage in cross-site tracking, no additional action is taken when a DNT signal is detected.

Plyphr is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us immediately.

Your data may be processed in the United States (where our servers are located). If you are located outside the United States, by using the Service you consent to the transfer of your data to the United States. We ensure appropriate safeguards are in place for international data transfers as required by applicable law, including Standard Contractual Clauses (SCCs) where required by GDPR.

Our Service may contain links to third-party websites or services (e.g., LinkedIn, company career pages). We are not responsible for the privacy practices of these external sites. We encourage you to review the privacy policies of any third-party service you access through our platform.

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the updated policy on our website with a new "Last Updated" date.
• Sending an email notification to the address associated with your account (for material changes).

Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: