Privacy Policy

How WaypointCareer collects, uses, and protects your information. Effective April 23, 2026.

Overview

Information we collect

How we use your information

Your rights & choices

Cookies & similar technologies

Children’s privacy

International users

Changes to this Policy

Contact

1. Overview

WaypointCareer (“WaypointCareer,” “we,” “us,” or “our”) is a personal career intelligence platform operated by UsiaTech LLC. This Privacy Policy explains what information we collect when you create a WaypointCareer account, how we use it, who we share it with, how long we keep it, and the choices and rights you have over it.

WaypointCareer is built as a single-tenant, per-user workspace. Your jobs, notes, resume, AI transcripts, documents, and API keys belong to your account only. There is no shared job pool or cross-user feed.

Effective date: April 23, 2026.

2. Information we collect

We collect only what is needed to run the service you sign up for. Specifically:

Account & profile

Email address, first and last name, optional phone number.
Password — stored as a bcrypt hash (10 rounds). We never store or log your plaintext password.
Career status (e.g. actively looking, passively looking), role preferences, salary expectations.
Failed-login counters and account-lockout timestamps used to slow brute-force attacks.

Resume & search configuration

Your uploaded resume file (PDF / DOCX) and its extracted plain text.
Search keywords, locations, excluded words, and minimum salary thresholds you configure.

Third-party API credentials

WaypointCareer is a bring-your-own-key platform. When you choose to enable a job board, ATS aggregator, or AI provider, you supply your own API key. Keys are encrypted at rest in our database and decrypted only at call-time. Keys are never logged; error messages redact them.

Job & pipeline data

Job postings we fetched on your behalf using your configured keys, or that you imported manually via URL, HTML paste, or the bookmarklet.
Pipeline status, notes, deadlines, filter reasons, status history.
Application Q&A and interview-prep answers you write.
Documents you upload per job (resume variants, cover letters, samples). Stored per-user on the application server outside the public web root, with a SHA-256 integrity hash.
Networking contacts you add (name, title, company, email, phone, LinkedIn URL, last-contacted date, notes).
Daily-plan activity log — time spent on your search, subtype, optional URL, content title and text, optional AI-generated summaries.
AI session transcripts (role tips, draft/tweak answers, interview prep), token usage and model used.

Billing metadata

Upgrades are processed by Stripe. Stripe hosts its own checkout page and customer portal. WaypointCareer never receives or stores your card number, CVC, or full bank details. We store your Stripe customer ID, subscription ID, plan tier, billing period, status, current period end, and cancellation timestamps so we know what plan to grant.

Technical & security data

IP address and user-agent on authentication events.
Session cookies issued by our authentication layer (NextAuth JWT; 30-day cookie, 2-hour idle timeout).
Password-reset tokens — stored as hashes only; the plaintext token is emailed to you and never persisted in our database. Reset links expire 30 minutes after issue and are single-use.
Fetch logs (per-provider counts, errors, timing) so you can troubleshoot your own runs.
Google reCAPTCHA v3 scores on signup, login, and contact-form submissions, to filter automated abuse.

We do not run third-party analytics, advertising pixels, session replay, or cross-site tracking.

3. How we use your information

Operate the service — authenticating you, running scheduled and on-demand job fetches, filtering and deduplicating postings, powering the pipeline, rendering the dashboard.
Deliver AI features — your resume text, job description, and question text are passed to the AI provider you configured (Anthropic, Google, or OpenAI) under your own API key. We pass only what is necessary for the specific feature invoked.
Billing — relaying plan, renewal, and cancellation state with Stripe, and unlocking Pro features.
Transactional email — password resets, security notices, receipts, and admin-initiated messages, sent via our configured SMTP provider.
Security & abuse prevention — detecting brute-force logins, rate-limiting, validating reCAPTCHA, investigating suspicious sessions.
Product improvement— aggregate, de-identified counts (e.g. how many fetches ran, how many users are on Pro). We do not mine your job data, notes, Q&A, or AI transcripts to improve the product.

4. What we do not do

We want this to be unambiguous:

We do not sell your personal information to anyone, under any plan.
We do not rent or share your data with advertisers, data brokers, or recruiters.
We do not use your resume, notes, Q&A, documents, or AI transcripts to train any machine-learning model— ours or anyone else's.
We do not share data between user accounts. Administrators manage catalog content (ATS companies, title aliases, question bank, pricing) but cannot see your jobs, notes, documents, or AI conversations.

5. Third-party services

WaypointCareer relies on a small set of third parties to function. Each receives only the data needed for its role.

Payment processing

Stripe, Inc. processes all payments on its own hosted checkout page. Your card details go directly to Stripe and are governed by Stripe's Privacy Policy.

Transactional email

Password resets, receipts, and contact-form relays are delivered via an SMTP provider configured by our administrators. The provider sees your email address and message body.

Abuse prevention

Google reCAPTCHA v3 scores suspicious form submissions. Its use is governed by Google's Privacy Policy and Terms of Service.

User-configured AI providers

If you add an Anthropic, Google, or OpenAI key, WaypointCareer calls those providers on your behalf, under your account. The provider sees the prompts we send — which for AI features include your resume text, the target job description, and (for interview prep) your existing answers. Each provider's privacy policy and data-retention rules apply to those calls. Review them before enabling a provider.

User-configured job boards & ATS feeds

Similarly, job-board API calls are issued under your own credentials where required (Adzuna, The Muse, USAJobs, JSearch, Reed, Jooble, Careerjet, Findwork, ZipRecruiter Partner), and public ATS feeds (Greenhouse, Lever, Ashby, Workable, SmartRecruiters, Recruitee, Personio, BambooHR, Workday, iCIMS) are queried for the companies you enable. Each provider receives your search keywords and locations. We do not share your identity, email, resume, or notes with any job-board provider.

Hosting & infrastructure

Our application servers and database are hosted on commercial cloud infrastructure in the United States. Providers may change; we'll update this policy if the hosting region materially changes.

6. Security

No system is perfectly secure, but we take these concrete measures:

Passwords hashed with bcrypt (10 rounds).
Account lockout after 5 failed login attempts in a rolling window.
Password-reset tokens hashed server-side (plaintext never stored), 30-minute expiry, single-use.
Provider API keys encrypted at rest; decrypted only at call-time; never logged.
Uploaded documents stored per-user outside the public web root, served only through an authenticated API route. SHA-256 hashes detect tampering.
NextAuth session cookies are HTTP-only and SameSite; sessions idle out after 2 hours with a warning modal.
All traffic is served over HTTPS.
Per-user query scoping — every database read is filtered by your user ID at the API layer.

If you suspect your account is compromised, change your password immediately and contact us.

7. Retention & deletion

Job posting retention

Free plan — job postings are automatically deleted after 30 days. Notes, Q&A, and documents attached to those jobs are removed with them.
Pro plan — unlimited retention for as long as your subscription is active. If you downgrade to Free, the 30-day cap resumes and older jobs are trimmed.

Account deletion

You can delete your account at any time from Settings → Account → Delete account. A soft-delete flag locks the account out immediately. A scheduled hard-purge then removes your jobs, activity log, documents, AI sessions, interview-prep answers, networking contacts, and provider API keys.

Some records may be retained in limited form for legal, accounting, or abuse-prevention reasons — for example, Stripe billing records tied to a completed transaction, or security logs of confirmed abuse. These are kept only for as long as legally required.

8. Your rights & choices

Regardless of your location, you have the following rights over the data we hold about you:

Access — most of your data is visible in the product itself (Settings, Manage Jobs, Pipeline, Documents, Activity).
Correction— edit your profile, resume, search preferences, API keys, job details, notes, and Q&A directly in Settings and the job detail view.
Export / portability — Pro users can export their jobs to CSV from Manage Jobs. Free users (and anyone needing a broader export) can contact us and we will provide a machine-readable export of the data associated with your account.
Deletion — via the self-serve account deletion described above, or by contacting us.
Withdraw consent — remove a configured API key at any time and the associated provider stops being called.
Complaint — if you believe we have mishandled your data, contact us first; you also have the right to complain to a data-protection authority in your jurisdiction.

We will honour verified requests within a reasonable timeframe, typically within 30 days.

9. Cookies & similar technologies

WaypointCareer uses a small, functional set of cookies — no advertising or analytics trackers.

Session cookie (NextAuth JWT) — keeps you signed in. HTTP-only, SameSite. 30-day cookie lifetime; the idle clock runs independently and expires sessions after 2 hours of inactivity.
CSRF token — protects state-changing form submissions.
reCAPTCHA — Google may set cookies on signup, login, and contact pages to compute its bot score.
UI preferences — small values in localStorage such as your preferred sidebar state.

You can clear cookies in your browser at any time; doing so will sign you out.

10. Children’s privacy

WaypointCareer is a professional-use service and is not directed to children. You must be at least 16 years old to create an account; in jurisdictions where the applicable minimum is higher (e.g. 18), the higher bar applies. If you believe a child under the applicable age has created an account, contact us and we will delete it.

11. International users

Our application and database servers are located in the United States. If you access WaypointCareer from outside the US, your information will be transferred to, stored, and processed in the US. By using the service you consent to that transfer. We apply the safeguards described in this Policy regardless of where you are located.

12. Changes to this Policy

We may update this Privacy Policy as the product evolves. When we make material changes we will update the effective date at the top of this page and, for logged-in users, surface an in-app notice. Non-material clarifications (typos, rewording) may be made without notice.

13. Contact

WaypointCareer is operated by UsiaTech LLC. For privacy questions, data-subject requests, or complaints, please use our contact form.

We will reply from the same address the contact form relays to, so you can continue the conversation by reply.

Have a privacy question?

We read every message. Contact usand we'll respond directly.