§Privacy policyeffective 2026-05-27

What we collect, why we collect it, and how to get it back.

We're a small US-based product. We process your CV, your hunt profile, the sources you point us at, and the application artifacts we generate from them. We don't sell or share your personal information, don't pass it to data brokers or ad networks, and won't use it to train models. Below is the long version, in plain English — with US-specific (CCPA/CPRA) and EU-specific (GDPR) rights sections.

operator: hunt.work (USA)hosting: EU sub-processors (see § 05)contact: [email protected]
01 Who we are

The operator behind this site.

hunt.work is a profile-to-profile matchmaking product for job seekers and employers. The operating entity is US-based (formation: State of Delaware); the marketing site you're reading and the application that runs behind it are operated by the same entity.

Under the California Consumer Privacy Act and the California Privacy Rights Act (collectively CCPA / CPRA), we act as a business with respect to the personal information we collect from California residents. Under the EU General Data Protection Regulation (Regulation (EU) 2016/679 — GDPR), and the UK GDPR, we act as the data controller for the personal data we process about residents of the EU and the UK.

Operator
hunt.work — Delaware, USA. Full registered entity details available on request.
Primary contact
[email protected]
Hosting & sub-processors
Application infrastructure is hosted by EU-based sub-processors today (see § 05); we may add US regions later — material changes are flagged in the changelog (§ 12).
EU / UK representative
An Art. 27 GDPR representative will be appointed before we begin systematic processing of EU personal data outside the scope of the current beta. In the interim, EU and UK users can reach us via the primary contact above and we'll respond inside the statutory windows.
02 What we collect

The exact list — nothing else.

We collect only what the product needs to function. Every field below lives in a database row we can show you on demand via the data-export endpoint (Section 07).

From your account

  • Email address (for sign-in and transactional messages).
  • Account creation timestamp, plan, and subscription status.
  • Authentication factors you configure: optional TOTP (one secret per user), optional WebAuthn passkeys (public-key credentials only — never the private key), backup codes (SHA-256 hashed).
  • Optional profile picture (square WebP up to 5MB), if you upload one.

From your CV and hunt profile

  • The CV file you upload, plus the extracted text we run inference over.
  • Your positioning summary — the richer profile Claude builds from your CV and your answers (encrypted at rest, see Section 08).
  • Your hunts (target roles, jurisdictions, fit rubric) and the listings they match against.

From the application pipeline

  • Tracked jobs (sources, status, fit score, your notes).
  • Application snapshots — the CV and cover letter we draft when you ask, plus the proof-reader trace (the verifier output).
  • Inference call metadata (model used, token counts, latency, cost) — without the prompt body. We do retain a record that the call happened for audit and billing.

From the messaging surface (when implemented)

  • Messages between you and matched parties. Encrypted at rest. Visible only to the conversation participants.

From your browser, automatically

  • Session cookie (Auth.js, strictly-necessary, HttpOnly, Secure).
  • CSRF cookie (strictly-necessary).
  • Server-side request logs (IP, user-agent, path, timestamp, response code) retained 30 days for security forensics, then purged.
  • Audit-log rows for every account-scoped mutation (your own audit trail — see Section 07).
What we do not collect: location beyond IP-level inference, device fingerprints beyond user-agent, ad-network identifiers, social-graph data, contacts. We don't embed third-party trackers on this site — see Section 09.
03 Why we collect it

Each field maps to one specific thing we do.

We don't collect data on the chance it might be useful later. Each row above exists because a specific feature needs it. If we delete the feature, we delete the field — the right-to-deletion endpoint cascades.

  • CV + positioning summary — we build a richer profile so matching is profile-to-profile, not keyword-to-keyword.
  • Hunts + fit rubric — we score listings against your stated criteria.
  • Application snapshots — we draft tailored applications, proof-read them, and let you retrieve them.
  • Auth factors — we authenticate sign-ins and second-factor challenges.
  • Audit log — we let you see every action the system took on your account.
  • Inference metadata — we keep cost ledgers per account for billing and capacity planning.
  • Request logs — we investigate abuse and outages; 30-day rolling window.
05 Who we share it with

The exact list of sub-processors.

We use a small set of trusted infrastructure providers. We do not sell, rent, or trade your data; we do not share it with data brokers, advertising networks, or résumé mills. The export endpoints listed in Section 07 are the only programmatic way data leaves the system — they require your authenticated session.

Anthropic (PBC)
Claude inference for matching, scoring, and drafting. Anthropic's enterprise terms prohibit training on inputs. Scoped to a single call per task. Anthropic privacy policy.
Cloudflare, Inc.
TLS termination + WAF + DNS for the marketing site and the application surface. EU traffic is routed via EU-region edges. Cloudflare privacy policy.
OpenRouter (a13z Labs, Inc.)
Inference routing across model providers (we send the same scoped slice to OpenRouter that we'd send to Anthropic directly). OpenRouter privacy policy.
Sentry (Functional Software, Inc.)
Error monitoring. Exceptions, stack traces, and the context tags we attach (account ID, request path, model ID). We scrub message bodies before reporting. Sentry privacy policy.
Resend, Inc.
Transactional email (sign-in codes, notifications). Email address + the message body. Resend privacy policy.
Stripe, Inc. (and regional affiliates)
Payment processing for paid plans. Stripe stores card details and tokens; we store the customer ID and subscription metadata only. Stripe routes payments through its regional entities (Stripe Payments Europe Ltd. for EEA cardholders, Stripe Payments Inc. for US cardholders, etc.). Stripe privacy policy.
PostHog Inc.
Product analytics — planned, not yet active on the marketing site. When enabled, it's gated behind the consent banner (Section 09). Server-side funnel metrics use the same provider and are operator telemetry, not user device telemetry. PostHog privacy policy.

A Data Processing Agreement (DPA) is available on request for business customers. Sub-processor changes are date-stamped in the changelog (Section 12). If we add a new sub-processor that handles your personal data, we'll email the address on your account and give you a window to object before the change takes effect.

International transfers. We're a US-based operator with sub-processors in both the US and the EU. For EU → US data transfers, we rely on the EU–U.S. Data Privacy Framework (where the provider is certified — Anthropic, Cloudflare, OpenRouter, Sentry, Resend, Stripe, PostHog are or will be) and the European Commission's 2021 Standard Contractual Clauses (SCCs) as a fallback. For US → EU transfers (when EU hosting receives data from US sources), the SCCs run in the reverse direction. UK transfers use the UK International Data Transfer Addendum (IDTA).

06 How long we keep it

The shortest period the feature needs.

Account data
Until you delete your account. Deletion is real (Section 07) — cascades from the account row.
Sessions
30 days from last use, then revoked.
Audit log
Free tier: 30 days. Paid tier: 12 months. Hash-chained — see security model.
Server request logs
30 days rolling, then purged. Used only for security forensics and outage investigation.
Inference call records
Retained for billing reconciliation; account-tied records are deleted with the account. Anonymous aggregates may be retained for capacity planning (Section 07 right to object).
Application snapshots
Retained for as long as the parent tracked-job row exists, or until you delete the snapshot, whichever is sooner.
Backups
Encrypted daily snapshots retained for 30 days. Deletion requests are honored against the live database immediately; backups age out within 30 days.
Billing records
Retained as long as required by tax / accounting law in the operator's jurisdiction (typically 6–10 years for invoices).
07 Your rights (US + EU)

What you can do, and how.

We do not sell or share your personal information. Under the California Consumer Privacy Act (CCPA, as amended by the CPRA), “sale” and “sharing” have specific meanings — including certain cross-context behavioral advertising. We do neither. There is therefore no opt-out of sale or sharing link to surface; the answer is “already off, for everyone.”

For everyone (US, EU, UK, RoW)

We've built each right below into the product so exercising it doesn't require an email round-trip.

Right to know & access your data
Settings → Security → Export my data. A signed JSON bundle covering all 22 personal-data tables, including your audit-chain verdict. Live endpoint: GET /api/seeker/me/export. (CCPA § 1798.110 right to know · GDPR Art. 15 right to access.)
Right to delete
Settings → Security → Delete my account. Requires typing DELETE-MY-ACCOUNT as an irreversible-action gate. Cascades from the account row. Anonymous inference metadata has the account_id SET NULL — see § 02 caveat. (CCPA § 1798.105 · GDPR Art. 17.)
Right to correct
Settings → Profile, Settings → Email change, Settings → Security. Most fields are user-editable; for the few that aren't (audit-log immutability, snapshot artifacts), email us. (CCPA § 1798.106 · GDPR Art. 16.)
Right to portability
The export endpoint above is machine-readable JSON, suitable for moving to another service. (GDPR Art. 20; CCPA gives a parallel data-portability right via the right to know.)
Right to non-discrimination
We will not deny you the service, charge you a different price, or provide a different quality of service because you exercise any privacy right above. (CCPA § 1798.125.)

Additional rights for EU and UK residents (GDPR)

Right to restrict processing (Art. 18)
Email us. We can pause specific processing pending review.
Right to object (Art. 21)
Email us at [email protected] if you want to object to processing based on legitimate interests (§ 04). We'll respond within 30 days.
Right to withdraw consent (Art. 7(3))
For anything we rely on consent for (analytics, marketing emails), revoke via the cookie preferences link in the footer or by replying to a marketing email. Withdrawal doesn't affect lawfulness of processing before withdrawal.
Right to lodge a complaint (Art. 77)
Your local supervisory authority is the right venue. The full list is maintained by the European Data Protection Board at edpb.europa.eu. UK residents: the ICO at ico.org.uk.

Additional notices for California residents

In the 12 months before this policy's effective date, we collected the categories of personal information listed in § 02 (identifiers; internet-or-network activity; professional-or-employment information; inferences from the above) for the business purposes listed in § 03. We disclosed those categories only to the sub-processors listed in § 05, for the operational purposes described there. We did not sell or share any personal information.

An authorized agent may submit a CCPA request on your behalf with written, signed authorization. We'll verify the relationship before acting on the request.

How to exercise any of these

Where the product has a button for it, use the button — it's faster and authenticated. Otherwise email [email protected] from the address on your account, or with enough identifying detail for us to verify the request. We respond inside the statutory windows (45 days for CCPA requests, extendable once by 45 days for genuinely complex requests; 30 days for GDPR requests, extendable by 60 days for complex requests).

08 Encryption & security

How we hold what we hold.

Two modes ship today. Standard mode: sensitive columns (CV text, hunt narratives, snapshot bodies, messages) are encrypted at rest with AES-256-GCM, server-keyed.Max-Privacy mode: the data-encryption key is derived from a passphrase in your browser via PBKDF2-SHA256 (200,000 iterations); the server stores ciphertext only and cannot decrypt your data — including under legal compulsion.

Tenant isolation is enforced by PostgreSQL row-level security: a query running as the application role returns zero rows for accounts other than the one bound to the request. Every account-scoped mutation writes an audit row via a database trigger, so application bugs can't skip the log.

Full architecture, threat model, and FAQ: /security.

09 Cookies

The minimum — and the choice we ask of you.

Strictly-necessary (always on)

  • __Secure-authjs.session-token / authjs.session-token — Auth.js session identifier. HttpOnly, Secure, SameSite=Lax. Required for sign-in.
  • __Host-authjs.csrf-token / authjs.csrf-token — CSRF protection for sign-in forms. HttpOnly, Secure, SameSite=Lax.
  • hunt_consent — your cookie-preferences choice (this is the cookie that remembers your answer to this question; it's strictly necessary because the banner needs to know not to ask again). SameSite=Lax, 365 days.

Analytics (consent-gated)

We don't ship analytics cookies today. When PostHog or an equivalent goes live on the marketing site, it will only initialize after you click Accept all on the cookie banner. If you click Reject, no analytics cookie is set. You can revisit your choice via the footer link at any time.

What we don't use

  • No advertising cookies.
  • No third-party tracking pixels, embedded social media widgets, or fingerprinting.
  • No cross-site identifiers.
10 Children

Not for minors.

hunt.work is a job-search tool intended for working-age users. We don't knowingly collect personal information from children under 13 in the United States (the COPPA threshold), or from anyone under 16 in the European Union and the United Kingdom (the GDPR / UK GDPR age of digital consent). If you believe we hold data about a minor, email [email protected] and we'll delete the account.

11 Contact

How to reach us.

Privacy questions, data-rights requests, or to report a suspected breach:

General privacy
[email protected]
Support (general)
[email protected]
Security disclosures
[email protected] — PGP available on request.

We respond to all data-rights requests inside the statutory windows: 45 days for California (CCPA, § 1798.130) and 30 days for the EU and UK (GDPR Art. 12(3)). Both can be extended once for genuinely complex requests; we'll tell you inside the initial window if we need to.

12 Updates

The changelog.

We'll update this policy when our processing materially changes. The current effective date is shown in the hero; every change lands in the table below. If a change reduces your privacy meaningfully (e.g., a new sub-processor that processes personal data, expanded retention), we'll email the address on your account before the change takes effect.

2026-05-27Initial publication. Pre-launch baseline ahead of the hunt.work public release.
hunt.work — privacy policy