Privacy

LAST UPDATED · 2026-05-26

What we collect

Sign-in identity. Email + Google profile (if you use Sign in with Google) via Supabase Auth. Stored as long as your account exists.

The LinkedIn URLs you submit. When you paste a LinkedIn profile URL we hand it to CoreSignal to retrieve the public profile data, then store the compact result alongside your run. We do not store the raw HTML of someone else's profile.

Your own profile data (only the fields you fill in on /account): primary LinkedIn URL, free-form notes to Sunny, and a resume PDF if you upload one. Resumes are stored in a private Supabase Storage bucket with owner-only access.

Run history. Every reading you generate — the 5-axis result, headline, and trace log — is associated with your account if you were signed in. Anonymous runs are stored without user attribution.

Chat with Sunny. Messages are streamed through Anthropic for generation and counted against your free quota. Conversation history is stored per account for context continuity.

Third parties we share data with

  • Supabase — database, auth, file storage (US/EU regions; you can verify yours in the Supabase dashboard)
  • Anthropic — Claude API for question/scoring/chat generation. Anthropic does not train on API traffic.
  • CoreSignal — public LinkedIn profile data retrieval. We send them the LinkedIn URL/slug only.
  • Resend — transactional emails (sign-in magic links).
  • Stripe (when you subscribe) — payment processing. We never see your card number.

We do not sell your data, run ad networks, or share data with advertisers.

How long we keep it

Account data, profile fields, run history, and chat history live for as long as your account exists. Resume PDFs you upload stay until you delete them. The CoreSignal cache holds slug-level payloads for up to 14 days regardless of who first queried them.

Your rights

You can delete your account at any time from /account/security. That action removes your profile, runs, chat messages, resume PDF, and sign-in identity — and revokes the Supabase auth user. We do not retain backups longer than 30 days.

GDPR / CCPA / similar regimes: you can also email us at the address in our footer to exercise access, correction, or portability rights.

Cookies

We use first-party cookies only — Supabase's auth session cookie (7-day rolling window) and your dark/light theme preference. No third-party analytics or ad cookies.

Children

Hedj is not directed at users under 16.

Changes

If we make a material change to this policy we'll notify signed-in users by email before the change takes effect.