
Privacy Policy

Last updated: April 18, 2026

Phaeto (“we”, “our”) is a resume-tailoring and warm-introduction tool available on iOS and the web. This policy describes what we collect, why, how it is stored, and what control you have over it.

1. What we collect

When you sign in with Apple, we receive a stable user identifier and, if you allow it, an email address (Apple users may substitute a private relay address, which we accept as-is). We do not request your real name.

When you use Phaeto we store the content you provide: the resume text you paste or upload, the job descriptions you enter, the tailored outputs you generate, and the settings you configure (for example, your plan tier, your selected variants, your fidelity preference). We store these so your work persists across sessions and devices.

Phaeto's Insider Access feature is optional. If you choose to turn it on, Phaeto can read specific data sources to surface warm introductions to the companies you're targeting: your iPhone contacts, your iPhone calendar, and/or CSV exports you upload (for example, LinkedIn Connections or LinkedIn messages). Section 2 explains exactly what is read from each source, what is uploaded, and what never leaves your device.

2. Contacts, calendar, and messages — what we actually read

Phaeto's warm-introduction features require touching data that most apps would over-collect. We don't. Each source below is handled with a specific, narrow contract that lives in the code.

iPhone Contacts (iOS only)

Phaeto reads your iPhone contacts in a strictly read-only way through Apple's Contacts framework. The app never writes to, modifies, or deletes entries in your iPhone address book. This is a hard architectural guarantee, not a setting — there is no code path in the app that writes to the iPhone contact store.

If you choose to enable warm-signal matching on iPhone, Phaeto will also create a copy of the contact fields it needs (name, email, phone, company, job title) in our cloud database so the same matches are available when you use Phaeto on the web. The copy is tagged “iPhone Contacts” and you can delete it at any time from within the app — deleting the copy does not touch your iPhone address book. If you never enable the warm-signal feature, no copy is created.

iPhone Calendar (iOS only)

When you opt in to calendar-based warm signals, Phaeto reads your calendar through Apple's EventKit framework to detect how recently and how often you've met with people from a given company. We read only the date of each event and the email domains of the attendees and organizer.

We do not read:

  • Event titles
  • Event notes or descriptions
  • Event locations
  • Attachments
  • Attendee names (only their email domain)

The aggregated per-domain signal (“5 meetings with people at acme.com, most recent April 2”) is stored so it can “follow the person” across your devices. Individual calendar events are never uploaded, and no event detail leaves your device.

CSV imports (LinkedIn Connections, other exports)

When you upload a CSV file — such as a LinkedIn Connections export — the rows are parsed locally and the parsed contact records are stored in our cloud database linked to your account, so the import is available across your devices. You can delete any import, or every import, from the app. Deletes are scoped by import source — we will never blanket-delete imports you didn't ask to remove.

LinkedIn messages.csv

When you upload a LinkedIn messages export, Phaeto reads the file as aggregates only. For each counterpart in the export we compute how many messages you've exchanged and the first and last timestamps. That's it.

We do not read:

  • Message content or bodies
  • Message subject lines
  • Attachments

You can clear your uploaded message-signal data at any time from the Insider Access settings.

What never leaves your device

  • The native iOS contact store itself — read only, never modified.
  • Individual calendar events (titles, notes, locations, attendee names, attachments).
  • The bodies and subjects of any message file you upload.

3. How we use what we collect

We use your content to deliver the features you request: tailoring your resume, computing your Fit Score, matching contacts to target companies, and returning results to you. We do not use your content to train models. We do not sell your content.

Tailoring requires sending your resume text and the job description to an AI provider (OpenAI or Anthropic, depending on your settings). The provider processes the request and returns a tailored result. If you use Bring Your Own Key (BYOK), your request goes through your own provider account under your own terms with that provider. Either way, we do not retain the request on the provider side beyond what the provider's own policies specify.

4. Where your data lives

We use the following third-party services:

  • Supabase — database and authentication. Data is encrypted in transit and at rest.
  • OpenAI and Anthropic — AI tailoring providers. Your resume text and job description are sent at request time.
  • Apple — Sign in with Apple authentication.
  • Vercel — web hosting for the phaeto.com site and its API routes.

5. Legal basis for processing (GDPR / UK-GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data on the following legal bases:

  • Contract — to deliver the service you signed up for (resume tailoring, storing your account, syncing data between your devices). This covers Article 6(1)(b) of the GDPR.
  • Consent — for optional features that require it, including iPhone contacts access, iPhone calendar access, CSV imports of contacts or messages, and sending your resume content to a third-party AI provider for tailoring. You may withdraw consent at any time by turning the feature off or deleting the data. This covers Article 6(1)(a).
  • Legitimate interest — for limited operational telemetry (error reporting, login events) used to keep the service secure and working. We only rely on this where it doesn't override your rights. This covers Article 6(1)(f).

6. Your rights

Depending on where you live, you have some or all of the following rights over the personal data we hold about you. You can exercise any of them by writing to mike@modernsoftware.me. We'll respond within 30 days (GDPR) or 45 days (CCPA), and we won't charge for a reasonable request.

  • Access / Know — ask us what personal data we hold about you and how we use it.
  • Correction — ask us to fix inaccurate personal data.
  • Erasure / Delete — ask us to delete your account and personal data. We'll remove your record and its data from primary systems within 30 days; backup copies are purged on the standard backup rotation (typically within 90 days).
  • Portability — receive your data in a structured, machine-readable format. You don't need to ask us — open Settings in Phaeto and tap Download my data. The export is a single JSON file containing your account identifier, your resume history, saved resumes, imported contacts, custom companies, and followed companies. Calendar signals and message aggregates can be included on request.
  • Restriction / Objection — ask us to pause or stop certain processing.
  • Withdraw consent — turn off any feature you previously opted into (contacts, calendar, message imports, BYOK), at any time.
  • Opt out of sale or sharing — we do not sell your personal data and do not share it for cross-context behavioral advertising. You have nothing to opt out of, but we note this right for clarity (CCPA / CPRA).
  • Non-discrimination — we will not deny service or charge a different price because you exercised a privacy right.
  • Complain to a supervisory authority — EU/EEA residents may lodge a complaint with their national data protection authority. UK residents may complain to the ICO.

If you signed in with Apple, you can also revoke Phaeto's access at any time from your Apple ID settings, which prevents new data from being associated with your account.

7. International transfers

Phaeto is operated from the United States. Our vendors (Supabase, OpenAI, Anthropic, Apple, Vercel) process data in the United States and, in some cases, other jurisdictions. When personal data of EEA, UK, or Swiss residents is transferred to the United States or other countries without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, plus each vendor's supplementary technical and organizational measures (encryption in transit and at rest, access controls, vendor-side audit logs).

8. Retention

We keep your account data for as long as your account is active. When you delete your account, we remove primary-system records within 30 days; backup copies are purged within the backup rotation (typically 90 days). Some records may be retained longer where required by law (for example, payment records for tax purposes) or to resolve disputes; these are kept in restricted, access-logged storage and are not used for product features.

9. Automated decision-making

Phaeto uses AI models to rewrite resumes and to compute matching suggestions. These outputs are advisory — they are reviewed by you before you use them, and they do not produce legal or similarly significant decisions about you. The Fit Score is computed by deterministic rules on your device or server, not by an AI model.

10. Children

Phaeto is not directed at children under 16 (or the relevant age of consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us data, write to mike@modernsoftware.me and we will delete it.

11. Security

Data is encrypted in transit (TLS) and at rest (provider-side). We limit access to production data to team members who need it, and we log access. No system is perfectly secure; if we become aware of a personal data breach that is likely to result in a risk to your rights, we will notify affected users and the relevant supervisory authority within the 72-hour window required by GDPR Article 33.

12. Changes to this policy

If we make material changes to this policy, we will note the update on this page with a new “Last updated” date and, for significant changes, notify you in the app.

13. Data controller and contact

For the purposes of GDPR and UK-GDPR, the data controller is Phaeto, operated by Mike Verinder. You can reach us — including to exercise any right described above — at mike@modernsoftware.me. We do not currently have a designated EU/UK representative under Articles 27 GDPR / UK-GDPR because Phaeto's EU/UK processing is not yet above the thresholds that require one. If that changes, we will appoint a representative and update this policy.