We do not store passwords. Sign-in is via email magic link or passkey. Magic-link tokens are stored as SHA-256 hashes only and expire 10 minutes after issue. Sign-in metadata (timestamp, region from your IP, device class, success/failure) is retained for 30 days for security review and then deleted.
Your email address; profile inputs you provide during onboarding (industries, target companies, role keywords, optional LinkedIn URL); a per-account list of curated sources we have proposed for your briefings; the briefings we have produced for you; billing metadata from Stripe.
When your briefing surfaces a job pick, we may draft a handoff message that references a publicly identifiable third party (for example, a hiring manager) sourced from public LinkedIn data. You are the custodian of that data once it is shown to you. Do not redistribute drafted messages outside of their intended one-to-one use.
Cloudflare (hosting, D1 database, R2 object storage); Stripe (billing); Microsoft Graph (transactional email); Anthropic (LLM inference); Exa.ai and HarvestAPI (signal sources).