This policy explains what data Promap collects, why, how it is processed, and your rights. We follow GDPR and CCPA principles globally — not only for users in those jurisdictions.
1. What we collect
Account data
- Name, email address, optional LinkedIn handle
- Authentication metadata (sign-in events, IP address at signup)
- Subscription tier, billing history (via Stripe — see below)
Profile + practice data
- Career context: resume text, projects, work history, skills you provide
- Practice session transcripts, audio recordings, optional video recordings
- AI-derived evidence: skills demonstrated, story summaries, scores
- Packet preferences (slug, visibility state, top clips)
Visitor data on public packets
For each visit to a public packet we record a hashed IP, hashed user-agent, country code (from the request edge), and an optional ?ref= attribution token. We do not store raw IPs or browser fingerprints.
Cookies
See the Cookie Policy for the full list. We use a session cookie for auth, an analytics cookie when you consent, and an error-monitoring cookie that only activates after an error.
2. How we use it
- To run the service (practice sessions, packet rendering, billing)
- To improve the product (aggregate usage analytics; we never train models on your Content without explicit consent)
- To send transactional emails (welcome, payment, security, account changes)
- To prevent fraud and enforce the Terms
3. Third-party processors
| Processor | Purpose | What it sees |
|---|---|---|
| Supabase | Database, auth, storage | Account + profile + practice data |
| Stripe | Payments, billing portal | Email, payment method, subscription |
| Google Gemini | Live voice + AI scoring | Practice session audio + transcript |
| OpenAI / Anthropic | AI extraction, summarisation, Echo chat | Transcript text + profile context |
| Vercel | Hosting + edge analytics | Page views (anonymised) |
| PostHog (optional) | Product analytics | Funnel events tied to user id |
| Sentry (optional) | Error monitoring | Error stack traces (text masked) |
4. Data location + retention
All structured data is hosted in the United States via Supabase / Vercel. Practice videos are stored in Supabase Storage. AI providers may process inputs in the United States or EU.
Default retention:
- Account + profile: indefinitely while your account is active
- Practice transcripts + reports: indefinitely while your account is active
- Practice video chunks: 90 days for free accounts, 180 days for Pro/Student
- Final assembled video: indefinitely while your account is active (Pro/Student)
- Stripe events: indefinitely (legal record-keeping)
- Packet view analytics: 24 months
5. Your rights
You have the right to:
- Access: download a copy of your data via Settings → Account → Export my data
- Delete: delete your account and all associated data via Settings → Account → Delete account
- Correct: edit your profile, summary, and skills at any time
- Object: opt out of analytics tracking via the cookie banner; opt out of non-essential email via the unsubscribe link
Requests are processed within 30 days. Some data (Stripe transaction records, fraud signals) may be retained as required by law.
6. Security
All connections use HTTPS. Authentication is handled by Supabase Auth. Sensitive database tables enforce row-level security. Storage buckets containing personal data (practice videos, resume uploads) restrict access to the file owner. Passwords are checked against known-leaked databases at signup.
7. Changes
Material changes are announced via email and in-app at least 14 days before they take effect.
8. Contact
Privacy questions: privacy@promap.ai