← Back to Home

Privacy Policy

Effective: April 16, 2026

Luminos Career Intelligence ("Luminos," "we," "us") builds tools that help people navigate their careers. This policy explains what data we collect, why, how we protect it, and what rights you have. We wrote it in plain language on purpose.

Contents

  1. What We Collect
  2. Gmail Integration
  3. AI Processing
  4. Data Storage and Encryption
  5. Cookies and Analytics
  6. Data Retention
  7. Your Rights
  8. Third-Party Services
  9. Children
  10. Changes to This Policy
  11. Contact

1. What We Collect

We collect only what we need to generate your career intelligence reports and track your applications.

  • Name and email address -- required to create your account and deliver reports.
  • Phone number -- optional. Used only if you opt in to SMS notifications.
  • LinkedIn URL -- optional. Helps us tailor resume optimization to your public profile.
  • Uploaded resume (PDF) -- we parse the text to generate your personalized report, then delete the original file. We retain only the extracted text while your account is active.
  • Job URLs -- the links you paste into the report generator. We scrape the public job listing to build your intelligence package.

We do not purchase data from brokers, scrape your social media, or collect information from any source you have not explicitly provided.

2. Gmail Integration

If you connect your Gmail account to use the Application Tracker, here is exactly what happens:

  • We request the gmail.readonly OAuth scope. This means read-only access. We cannot send, delete, or modify any email in your inbox.
  • We scan for job-related keywords only: application confirmations, rejection notices, interview invitations, and recruiter follow-ups.
  • We never store full email bodies. We store metadata only: sender address, subject line, and timestamp.
  • We do not use your Gmail data to serve ads, train AI models, or for any purpose other than updating your application tracker.
  • We do not transfer Gmail data to any third party except our hosting provider (Render.com), which processes it solely to deliver the service.

Google API Limited Use Disclosure

Luminos's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. No human reads your email data unless you give explicit consent, it is needed for security investigation, or it is required by law.

You can revoke Gmail access at any time through your Google Account permissions or your Luminos account settings. We delete all stored email metadata within 72 hours of revocation.

3. AI Processing

To generate career intelligence reports, we send job description text and your resume text to Anthropic's Claude API. This is how the AI-powered analysis, resume optimization, and cover letter generation work.

  • Anthropic does not train its models on data sent through their API. This is stated in Anthropic's data policy.
  • API data is retained by Anthropic for up to 30 days for safety and abuse monitoring, then deleted.
  • We send only the minimum data needed: job description text, your parsed resume text, and your name. We do not send your email, phone number, or Gmail metadata to Anthropic.

4. Data Storage and Encryption

Where your data lives

  • Development: SQLite database stored locally.
  • Production: PostgreSQL on Render.com, US-East region. All data is encrypted at rest.
  • All connections use TLS 1.2+ (encrypted in transit).

Token encryption

OAuth tokens (like your Gmail authorization) are encrypted at the application level using Fernet symmetric encryption (AES-128-CBC + HMAC-SHA256) before being stored in the database. Even if someone gained database access, they could not read your tokens without the separate encryption key.

Passwords

Account passwords are stored as salted bcrypt hashes. We never store or log plaintext passwords.

5. Cookies and Analytics

We keep this simple:

  • Session cookie -- a single cookie to maintain your login state and CSRF protection. Strictly necessary; no opt-out needed because the site does not work without it.
  • No tracking cookies. None. Zero.
  • Plausible Analytics -- we use Plausible for basic traffic analytics. Plausible is privacy-first: no cookies, no tracking pixels, no fingerprinting, no personal data collected. It is GDPR-compliant by design.

We do not use Google Analytics, Facebook Pixel, or any other tracking technology.

6. Data Retention

  • Career intelligence reports are cached for 24 hours to avoid redundant API calls, then automatically purged.
  • Application tracking data (companies, statuses, notes) is retained until you delete your account.
  • Parsed resume text is retained while your account is active. Deleted within 30 days of account deletion.
  • Gmail metadata (sender, subject, timestamp) is deleted 90 days after collection, or within 72 hours if you disconnect Gmail.
  • Payment records are retained for 7 years as required for tax and accounting purposes. Full payment details are held by Stripe, not by us.

When you delete your account, all personal data is permanently erased within 30 days.

7. Your Rights

Regardless of where you live, we believe you should have control over your data. Here is what you can do:

  • Access -- request a full copy of the personal data we hold about you.
  • Erasure -- request deletion of your account and all associated data.
  • Portability -- export your data in a machine-readable format via our /api/compliance endpoints.
  • Rectification -- correct any inaccurate personal data.
  • Withdraw consent -- disconnect Gmail or revoke any optional permissions at any time.
  • Object -- object to processing based on legitimate interests.

For GDPR (EEA, UK, Switzerland)

If you are in the EEA, UK, or Switzerland, you have all the rights above under the General Data Protection Regulation, plus the right to lodge a complaint with your local supervisory authority. We respond to GDPR requests within 30 days.

For CCPA/CPRA (California)

California residents have the right to know what data we collect, request deletion, and opt out of any sale. We do not sell personal information. We have never sold personal information. We do not share data for cross-context behavioral advertising. We respond to CCPA requests within 45 days.

To exercise any right, email privacy@luminoscareer.com. We will verify your identity and respond promptly.

8. Third-Party Services

We share data with these services only as needed to operate Luminos:

  • Anthropic (San Francisco, CA) -- AI processing for report generation. Receives job text and resume text.
  • Google (Mountain View, CA) -- Gmail OAuth for application tracking. We access metadata only via the read-only scope.
  • Stripe (San Francisco, CA) -- payment processing for paid subscriptions. We never see your full card number.
  • Plausible (EU) -- privacy-first website analytics. Collects no personal data.
  • Render.com (United States) -- application and database hosting.

We do not sell, rent, or trade your data. We do not work with data brokers or advertising networks.

9. Children

Luminos is not intended for anyone under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it immediately.

10. Changes to This Policy

If we make material changes, we will update the effective date at the top of this page and notify you by email at least 30 days before the changes take effect. Continued use of the service after the effective date constitutes acceptance.

11. Contact

Questions about this policy or your data? Reach us at:

Luminos Career Intelligence
Email: privacy@luminoscareer.com

We aim to respond within 5 business days.