Privacy Policy
Last updated: May 25, 2026
1. Overview
ScoutAI ("we," "us," or "our") is a job search platform that helps job seekers discover opportunities, generate application materials, and streamline the application process using AI. We are committed to protecting the personal information you share with us. This Privacy Policy explains what data we collect, how we process and store it, which third-party services receive your data, and what rights you have over your information.
By creating an account or using ScoutAI, you agree to the practices described in this policy. If you do not agree, please do not use the service.
2. Information We Collect
Account Information
- Google OAuth: When you sign in with Google, we receive your email address, display name, profile image, and OAuth authentication tokens from Google.
- Email/password registration: When you register with email and password, we store your email address and a securely hashed version of your password (bcrypt, 12 rounds). We never store your password in plain text.
Resume Data
- When you upload a resume (PDF or DOCX), the file is stored as base64 in our database. The full text content is extracted and stored for AI processing, search, and matching.
LinkedIn Data (Chrome Extension)
- When you use the ScoutAI Chrome extension to import your LinkedIn profile, we collect your work history, skills, education, and contact information. This data is only collected when you explicitly click the import button.
Job Application Data
- Records of jobs you apply to, jobs you remove from your list, cover letters generated for you, and tailored resumes created for specific job applications.
Profile DNA
- An AI-generated summary of your professional profile, created from your resume data to improve job matching and application material generation.
User Preferences
- Job function preferences, QuickFill form fields (name, phone, location, LinkedIn URL, portfolio URL), notification settings, and update frequency preferences.
Referral Data
- If you participate in our referral program, we store referral codes and the IDs of users you have referred.
Feedback
- Bug reports, feature requests, and other feedback you submit through the platform.
3. How We Use Your Data
We use your data to:
- Authenticate your identity and manage your account.
- Match you with relevant job listings based on your skills, experience, and preferences.
- Parse, assess, and rewrite your resume using AI.
- Generate personalized cover letters and tailored resumes for specific job applications.
- Build your Profile DNA for improved job matching.
- Power the auto-apply feature to submit job applications on your behalf.
- Track your job applications and search progress.
- Send you email notifications including job digests, welcome emails, and re-engagement emails.
- Process payments and manage your subscription.
- Analyze usage patterns to improve the product (via anonymized analytics).
- Respond to your feedback and support requests.
- Detect and prevent fraud, abuse, and security incidents.
4. AI Processing & Third-Party APIs
ScoutAI uses Anthropic's Claude AI models to power core features. The following data is sent to Anthropic's API for processing:
- Resume parsing: Your full resume text or PDF content is sent to Claude Sonnet for structured data extraction.
- Resume assessment: Parsed resume data is sent to Claude Haiku for quality scoring and improvement suggestions.
- Resume rewriting: Parsed resume data and assessment results are sent to Claude Sonnet to generate an improved version of your resume.
- Cover letter generation: Your resume content and the target job description are sent to Claude Sonnet to create a personalized cover letter.
- Tailored resume generation: Your resume content and the target job description are sent to Claude Sonnet to create an ATS-optimized version of your resume.
- Profile DNA: Your resume data is sent to Claude to generate a professional profile summary.
Anthropic's data policy: Per Anthropic's API terms of service, inputs and outputs sent through their API are not used to train their AI models. Data is processed in transit and is not retained by Anthropic beyond what is necessary for abuse monitoring, in accordance with their data retention policy.
5. Auto-Apply Data Handling
ScoutAI's auto-apply feature uses server-side browser automation (Playwright) to submit job applications on your behalf. This is an important section to understand, as your data leaves our systems and is submitted to third-party job sites.
Data submitted to third-party job application forms
- Your name, email address, and phone number
- Your location (city, state)
- Your LinkedIn URL and portfolio URL (if provided)
- Your resume file
- A generated cover letter
Important: Once your data is submitted to a third-party job application form, that employer's or platform's own privacy policy governs how they handle your information. ScoutAI cannot control what third-party job sites do with your submitted application data.
CAPTCHA solving
When auto-apply encounters a CAPTCHA, the page URL and CAPTCHA sitekey are sent to 2Captcha for solving. No personally identifiable information (PII) is shared with 2Captcha.
Proxy routing
Auto-apply traffic is routed through Bright Data residential proxies to avoid rate limiting. Bright Data handles IP routing only and does not store any user PII.
6. Chrome Extension
The ScoutAI Chrome extension provides two features: LinkedIn profile import and job application form filling. Key privacy details:
- The extension only accesses LinkedIn profile data when you explicitly click the import button. It does not run in the background or scrape data automatically.
- The extension does not access data from websites other than LinkedIn (for import) and supported job application sites (for form filling).
- Data collected via the extension (work history, skills, education, contact info) is transmitted to and stored by ScoutAI under the same protections described in this policy.
- The form filler pre-populates job application fields using your stored QuickFill data. It does not collect additional data from the forms.
6A. Google User Data & Limited Use
ScoutAI's Network Vault feature uses the Google People API to help you discover warm-introduction paths to companies you're researching. ScoutAI's use and transfer to any other app of information received from Google APIs adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Scopes we request
- .../auth/contacts.readonly — read-only access to contacts you have saved in Google Contacts. We read names, email addresses, organization (company), and job title to match your contacts against companies behind the job listings you view in ScoutAI.
- .../auth/contacts.other.readonly — read-only access to your “Other contacts” (people Google auto-collects from your email correspondence but that you have not explicitly saved). We read only names and email addresses from this list; company is inferred from the email domain. Most users save very few contacts manually, so this scope is what makes warm-intro matching actually useful.
We do not read your email content. We do not request gmail.readonly or any other Gmail scope, and we do not request any restricted scopes.
How we use Google user data
- We persist each contact as a row in your private Network Vault: name, company, title (if available), email (encrypted at rest), and source.
- We compute matches between your contacts and the companies behind the job listings you view, so we can surface “Sarah at Anthropic could intro you here”-style suggestions.
- Your contacts are scoped strictly to your own ScoutAI account. They are never shown to other users, mixed into anyone else's Network Vault, or used to generate aggregate product signals.
Limited Use — what we will never do
- We will not transfer Google user data to third parties except as necessary to provide or improve the Network Vault feature itself, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to you.
- We will not use Google user data for serving advertisements, including retargeting, personalized advertising, or interest-based advertising.
- We will not sell, rent, or trade Google user data.
- We will not allow humans to read your Google user data unless we have your affirmative consent for specific records, doing so is necessary for security purposes (such as investigating abuse), or doing so is necessary to comply with applicable law.
- We will not use Google user data to train generalized AI models. Specifically, contacts imported from Google are never sent to Anthropic Claude, OpenAI, or any other AI provider.
Storage & encryption
- Email addresses and contact metadata are encrypted at rest in our PostgreSQL database (Neon, US region) using authenticated symmetric encryption. OAuth refresh tokens are encrypted with the same scheme.
- All API traffic to Google is over TLS. The authorization code is exchanged for tokens server-side; OAuth tokens never reach your browser.
Revocation & deletion
- You can disconnect Gmail at any time from your Network Vault settings. Disconnecting deletes your stored OAuth tokens and stops further syncs.
- You can additionally revoke ScoutAI's access from your Google Account permissions page. This invalidates the refresh token immediately on Google's side.
- When you delete your ScoutAI account, all contacts imported from Google are permanently deleted within 30 days, alongside the rest of your data.
7. Third-Party Service Providers
We use the following third-party services to operate ScoutAI. Each service receives only the data necessary for its function:
| Service | Purpose | Data Shared |
|---|---|---|
| Anthropic (Claude API) | AI processing | Resume text, job descriptions, user corrections |
| Stripe | Payment processing | Payment info, billing address, subscription status. Stripe handles all card data directly — we never see or store your card number. |
| Resend | Transactional & marketing email | Email address, user ID, email content |
| PostHog | Product analytics | Anonymized event data, page views, feature usage, user ID |
| Microsoft Clarity | Session analytics | Session recordings, heatmaps, click patterns, anonymized user behavior |
| Google OAuth | Authentication + optional Network Vault contact import (Google People API) | Authentication tokens, email, name, profile image; with explicit consent, read-only contacts (names, emails, company, title) per Section 6A |
| 2Captcha | CAPTCHA solving for auto-apply | Page URLs, CAPTCHA sitekeys (no PII) |
| Bright Data | Proxy routing for auto-apply | IP routing only (no PII stored) |
| Neon (PostgreSQL) | Database hosting | All user data (encrypted at rest, TLS in transit) |
| Vercel | Application hosting | Serverless function execution, application logs |
| Railway | Auto-apply worker hosting | Auto-apply job queue processing, application logs |
8. Email Communications & Tracking
We send the following types of emails via Resend:
- Job digest: Regular emails with new job matches based on your preferences.
- Welcome series: A 5-email onboarding sequence when you create an account.
- Re-engagement: Up to 3 tiers of emails if your account becomes inactive.
- Transactional: Password reset, admin welcome, and feedback reply emails.
Email tracking
We track email opens, link clicks, bounces, and spam complaints to maintain email deliverability and improve our communications. If you file a spam complaint, you will be automatically unsubscribed from all marketing emails.
Your email controls
- You can toggle email notifications on or off in your account settings.
- You can adjust your update frequency preference (daily, weekly, etc.).
- All marketing emails include an unsubscribe link.
9. Cookies & Analytics
ScoutAI uses the following cookies:
- NextAuth session cookies: httpOnly, secure, JWT-based cookies that keep you signed in. These are strictly necessary for the service to function and expire when your session ends or after a set period.
- PostHog analytics cookies: Used to collect anonymized usage data such as page views and feature interactions. These help us understand how people use ScoutAI so we can improve the product.
- Microsoft Clarity cookies: Used for session recording, heatmaps, and click pattern analysis to help us identify usability issues and improve the interface.
We do not use any third-party advertising cookies. ScoutAI does not serve ads or participate in advertising networks.
10. Data Storage & Security
We take the security of your data seriously:
- Database: All user data is stored in a PostgreSQL database hosted by Neon. Data is encrypted at rest, and all data in transit is protected with TLS encryption.
- Passwords: Hashed with bcrypt (12 rounds). We never store or have access to your plain text password.
- API keys: All API keys and secrets are stored server-side only and are never exposed to your browser.
- Resume files: Stored as base64-encoded data in our encrypted database.
- Serverless architecture: Application code runs on Vercel serverless functions, which are ephemeral and do not retain persistent storage between invocations.
11. Data Retention
- Active accounts: Your data is retained for as long as your account remains active.
- Deleted accounts: When you delete your account, all personal data, resumes, generated content, and application history are permanently deleted within 30 days.
- Error logs: Retained for 90 days, then automatically purged.
- Email event data: Retained for 12 months for deliverability analysis.
- Analytics data: Subject to PostHog and Microsoft Clarity's respective retention policies.
12. Your Rights (GDPR / CCPA)
Depending on your location, you may have the following rights regarding your personal data:
- Right to access: Request a copy of all personal data we hold about you.
- Right to rectification: Correct inaccurate data by editing your profile and resume directly, or by contacting us.
- Right to erasure: Request deletion of your account and all associated data.
- Right to data portability: Request your data in a structured, commonly used format.
- Right to restrict processing: Request that we limit how we process your data.
- Right to object: Object to certain types of data processing.
- Right to opt out of sale (CCPA): We do not sell your personal data. There is nothing to opt out of.
To exercise any of these rights, contact us at sonny@sonny-steele.com. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.
13. International Data Transfers
ScoutAI is based in and operates from the United States. All data is processed and stored in the United States. If you are accessing ScoutAI from outside the United States, please be aware that your data will be transferred to, stored, and processed in the United States. By using ScoutAI, you consent to this transfer.
14. Children's Privacy
ScoutAI is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from individuals under 16. If we become aware that we have collected data from a person under 16, we will delete their account and data promptly. If you believe a minor has provided us with personal data, please contact us at sonny@sonny-steele.com.
15. Data Sharing
We never sell your personal data. We do not rent, trade, or otherwise share your information with third parties for their marketing purposes.
We may disclose your information in the following limited circumstances:
- Service providers: With the third-party services listed in Section 7, solely to operate and improve ScoutAI.
- Job applications: When you use auto-apply, your application data is submitted to third-party job sites as described in Section 5.
- Legal compliance: If required by law, subpoena, or valid legal process.
- Safety: To protect the rights, safety, or property of ScoutAI, our users, or the public.
- Admin access: A limited admin team may access user data for the purpose of providing support, troubleshooting issues, and maintaining the platform.
Data breach notification
In the event of a confirmed data breach that affects your personal information, we will notify you via email within 72 hours of confirming the breach, along with details of what data was affected and what steps we are taking.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. If we make significant changes, we will notify you via email or through a prominent notice on the platform. We encourage you to review this page periodically. Your continued use of ScoutAI after changes are posted constitutes acceptance of the updated policy.
17. Contact
If you have questions about this Privacy Policy, want to exercise your data rights, or have concerns about how your data is handled, contact us at:
Email: sonny@sonny-steele.com
Website: scoutai.site