Privacy Policy

Purecraft (“we”, “us”, “our”) operates the Orbyt Job Search CRM application at orbytjobs.ai. This Privacy Policy describes how we collect, use, and protect your information.

1. Information We Collect

Account information: When you create an account, we collect your email address and an encrypted password. If you use passkey authentication, we store public key credentials associated with your device.

Application data: Data you enter into Orbyt: jobs, contacts, activities, calendar events, resume content, wellness entries, financial runway data, and preferences. This data is stored in your browser's localStorage for instant access and synchronized to our cloud backend (Supabase) for persistence and cross-device sync.

Profile images: Uploaded profile and contact images are stored in Supabase Storage, scoped to your user account.

Usage analytics: We use Vercel Analytics and PostHog to understand how Orbyt is used. Vercel Analytics collects anonymized, aggregated data (page views, Web Vitals). PostHog collects page views, feature usage, and session replays to help us improve the product. All text and inputs in session replays are masked—we never see your actual data on screen. PostHog data is associated with your user ID but is used solely for product improvement and is never sold or shared with third parties.

Audit logging: We maintain a server-side audit log that records authentication events (login, logout, password changes), billing actions (subscription changes, refunds), and data exports for security and compliance purposes. Audit log entries are retained for 90 days and then automatically purged. This log does not contain your application data (jobs, contacts, etc.).

2. AI Features

Orbyt offers AI-powered features (resume tailoring, job description parsing, Scout chat assistant, contact parsing, voice capture). On Free, Pro, and Ultra plans, AI is hosted by Orbyt with no API key setup needed. The Unlimited plan is for power users who bring their own API keys (BYOK) for zero caps and full data privacy.

3. Hosted AI (Free, Pro, Ultra Tiers)

Free, Pro, and Ultra subscribers have access to hosted AI features powered by Orbyt's server-side API keys. When you use hosted AI, your CRM data (such as job titles, company names, contact names, and activity notes) is included in AI prompts sent to Anthropic and OpenAI to provide personalized results.

No data is stored by AI providers beyond standard API usage. Prompts are processed in real time and are not used to train AI models. AI providers retain data only as described in their respective data processing agreements.

Unlimited plan (BYOK): The Unlimited plan is designed for power users who bring their own API keys (BYOK) for zero caps and full data privacy. On the Unlimited plan, your API keys are stored exclusively in your browser's localStorage and are never transmitted to or stored on our servers. They are stripped from any data synced to the cloud. AI requests are routed directly to your chosen provider via our server-side proxy (to protect the key from exposure in client-side network traffic), and keys are not retained after the request completes.

Autonomous agents run server-side on a daily schedule using hosted AI. They analyze your pipeline data to generate suggestions. You can opt out of individual agents at any time by disabling them in Settings → Preferences.

4. Voice & Audio Features

Orbyt offers optional voice capture for hands-free input. Voice features work as follows:

• Microphone access: Your browser will request microphone permission only when you click the mic button. Permission can be revoked at any time through your browser settings. Orbyt never accesses the microphone in the background.
• Audio recording: Audio is recorded locally in your browser in WebM format and sent to OpenAI's Whisper API via Orbyt's server-side proxy route for transcription only.
• No audio storage: Recordings are not saved on our servers. Audio is transcribed in real time and discarded immediately after the transcription response is returned.
• Transcription text: The resulting text is processed by AI to extract structured data. Transcription text is never stored on Orbyt servers.

On Free, Pro, and Ultra, voice data is processed through Orbyt's hosted OpenAI key. On the Unlimited plan, voice data flows through your own OpenAI API key for Whisper transcription. In all cases, audio is transcribed in real time and discarded immediately.

5. How We Use Your Data

We use your data to:

• Provide and maintain the Orbyt application
• Sync your data across devices
• Authenticate your account
• Generate embeddings for semantic search (when enabled)
• Send you transactional notifications (follow-up reminders, offer alerts)

We do not sell your data, use it for advertising, or share it with third parties except as described in this policy.

6. Data Storage & Security

Your data is stored in Supabase (PostgreSQL) with Row Level Security (RLS) enforced. Your data is only accessible to your authenticated account. Supabase infrastructure is hosted on AWS.

All data in transit is encrypted via TLS. Supabase encrypts data at rest. Our application enforces comprehensive security headers including Content Security Policy, HSTS, and X-Frame-Options.

7. Cookies & Local Storage

We use cookies for authentication (Supabase session cookies prefixed sb-) and product analytics (PostHog). PostHog also stores an anonymous device identifier in localStorage. We do not use advertising or third-party tracking cookies.

8. Third-Party Services

• Supabase: database, authentication, file storage, real-time sync
• Vercel: application hosting and anonymized analytics
• PostHog: product analytics and session replay (all text and inputs masked)
• Upstash: rate limiting (Redis, stores only hashed IP addresses with short TTL)
• OpenAI / Anthropic: AI features (via Orbyt's hosted API keys on Free, Pro, and Ultra; via your own API keys on the Unlimited plan)
• Stripe: payment processing and subscription management (PCI DSS Level 1 compliant)
• Resend: transactional email delivery (welcome emails, billing notifications)
• Sentry: error monitoring (all text masked, no personal data captured)

9. Data Retention & Deletion

Your data is retained as long as your account is active. You may export all your data at any time from Settings → Your Data. You may delete your account from Settings → Account, which permanently removes all cloud-stored data, including database records and uploaded images. localStorage data remains on your device until you clear it.

10. Your Rights

You have the right to access, export, correct, and delete your data at any time through the application's built-in tools. For additional requests, contact us at the email below.

11. Changes to This Policy

We may update this policy from time to time. We will notify users of material changes via the application. The “Last updated” date at the top reflects the most recent revision.

12. Data Processing Agreement (DPA)

This section serves as our Data Processing Agreement for users who require one under GDPR or similar data protection regulations.

Personal Data Processed

• Account identifiers: email address, display name
• Job search data: jobs, contacts, activities, calendar events, resume content, financial runway data
• Wellness data: mood check-ins, journal entries, exercise logs
• Usage metadata: login timestamps, device info (for session management only)

Data Storage Locations

• Supabase: PostgreSQL database and file storage hosted on AWS infrastructure (US region). Encrypted at rest (AES-256).
• Vercel: Application hosting on their global edge network. No persistent user data stored at the edge.
• Browser: localStorage is used as the primary runtime store on the user's device.

Data Retention

• Active account: Data is retained for the lifetime of your account. You can export or delete at any time.
• Deleted account: Account deletion triggers an immediate cascade delete of all database records, storage files, and credentials. Backups are purged within 30 days.

Sub-Processors

Breach Notification

In the event of a data breach that affects your personal data, we will notify affected users within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33. Notification will include the nature of the breach, categories of data affected, and remediation steps taken.

Data Portability

You can export all of your data as a structured JSON file at any time from Settings → Your Data. The export includes all jobs, contacts, activities, templates, calendar events, wellness data, resume content, and preferences.

Right to Erasure

You can delete your account at any time from Settings → Account. Deletion triggers a cascade that permanently removes all database records, uploaded files (avatars, contact images), passkey credentials, and subscription data. The operation is irreversible.

DPA Contact

For DPA-related inquiries, data subject requests, or to request a signed copy of this agreement, contact us at privacy@orbytjobs.ai.

13. Contact

If you have questions about this Privacy Policy, please contact us at privacy@orbytjobs.ai.