Covyo

Privacy Policy

Effective 2026-05-09

The short version

We collect what we need to make Covyo work — your email, the résumé and LinkedIn data you upload, the cover letters you generate, and your billing info if you subscribe. We don't sell your data, we don't train AI on it, and you can delete your account at any time.

What we collect

Account data. Your email address and (if you set one) password hash. We use Supabase Auth, which stores passwords hashed with bcrypt — we never see your plain-text password.

Profile data. The text you upload or paste — résumé, LinkedIn export, voice rules, sign-off name, header block. Stored in Postgres on Supabase (US-West region) and tied to your account via row-level security so only you can read it.

Generated letters. Every cover letter you generate is saved to your history so you can re-open or re-export it. Same RLS isolation as profile data.

Billing data. If you subscribe, Stripe processes your payment. We never see your full card number or CVC — Stripe stores those and gives us back a customer ID and the last 4 digits. We store your Stripe customer/subscription IDs alongside your account.

Operational logs. Vercel and Supabase keep short-lived request logs (typically 24 hours to 7 days) for debugging. These contain IP addresses and request paths but not your letter contents.

How we use it

  • To generate cover letters tailored to your profile.
  • To bill you (only if you subscribe).
  • To send you account emails — magic links, password resets, trial reminders. We don't send marketing emails.
  • To diagnose bugs and outages.

We do NOT use your data to train AI models. Anthropic's API does not train on inputs sent through it, per their commercial terms.

Who we share with

Three categories, all under data-processing agreements:

We don't sell your data to advertisers or anyone else. We don't share it for marketing.

Cookies

We use one cookie: the Supabase Auth session cookie. It keeps you signed in. No third-party tracking cookies, no advertising cookies, no analytics cookies.

Your rights

You can email us at hello@covyo.net to:

  • Request a copy of all data we hold about you
  • Correct inaccurate data
  • Delete your account and all associated data
  • Export your generated letters

We aim to respond within 7 days. If you're in the EU, UK, or California, you have additional rights under GDPR / CCPA. Same email gets you there.

Data location & transfers

Your data is stored in the US (Supabase US-West-2 region, Vercel iad1 region). If you're outside the US, your data is transferred to the US for processing. We rely on standard contractual clauses for EU transfers.

Security

All data is encrypted in transit (TLS) and at rest (AES-256 via Supabase / Stripe). Database access uses row-level security so even our own server processes can only read the calling user's rows. We do not have a public dashboard that exposes user data.

Changes to this policy

If we change this policy materially, we'll email everyone with an account at least 30 days before the change takes effect. Minor cleanups (typos, clarifications) we just push.

Contact

Questions: hello@covyo.net