Working draft pending legal review. Reviewed policy will replace this page before public launch. Friends-and-family testers are accepting the service “as is” with the understanding that the final privacy notice may differ.
Privacy Policy
Last updated: May 1, 2026
The short version
We collect what you share with us so we can generate resumes, cover letters, and interview prep on your behalf. We do not sell or share your personal information for advertising. We do not use your content to train AI models, and our processor (Anthropic) has stated the same. You can access, correct, or delete your data at any time.
1. Who we are
Caliber Career (“The Career Journal”; referred to as “Caliber” throughout this Policy) is operated by Elevated Development LLC (“Elevated,” “we,” “us,” or “our”). For the purposes of the EU and UK GDPR, Elevated is the data controller for personal information you provide to the service. For the purposes of the California Consumer Privacy Act / Privacy Rights Act (“CCPA/CPRA”), Elevated is the business that collects your personal information.
2. Scope
This policy describes how we collect, use, share, and protect personal information when you use Caliber via our website, web application, and email-forward inbox. It does not cover third-party sites you may reach by clicking links from generated documents (e.g., a job posting on a company site).
3. Information we collect
We collect the following categories of personal information. The CCPA category labels appear in parentheses where relevant.
- Account information (Identifiers, Customer Records): your email address, full name, password (managed by Firebase Authentication and never visible to us), professional credentials you choose to add, and a randomly generated inbound email ID for forwarding job postings.
- Career substrate (Customer Records, Professional Information, potentially Sensitive Personal Information): resumes, LinkedIn exports, job descriptions, performance reviews, and other documents you upload; journal entries you type or speak; tracked jobs you save; notes and reflections; and the structured roles, experience entries, education records, and skills we extract from your uploads. Career substrate may include information about your employment history, salary, references, education, and personal reflections that you choose to share.
- Generated content: tailored resumes, cover letters, interview guides, organization research, scoring rationales, and elevator pitches we produce on your behalf.
- Payment information (Commercial Information): we do not store your card details. Stripe collects and processes payment data directly; we receive only your subscription tier, customer ID, subscription status, and billing-period dates.
- Usage and operational telemetry (Internet/Network Activity): server-side request logs, error reports, generation costs and counts (used for accounting and rate-limit enforcement), and request IDs.
- Device and connection data: IP address, browser user-agent, and approximate region, captured in request logs and security event records to detect abuse.
We do not knowingly collect government identification numbers, biometric data, precise geolocation, racial or ethnic origin, religious beliefs, sexual orientation, union membership, or health information. If you upload a document that contains such information, we will treat it as part of your career substrate; we recommend you redact it before uploading.
4. Sources of personal information
We collect personal information from three sources: (a) directly from you, when you sign up, upload documents, type into the journal, or fill out a form; (b) from your forwarded emails, when you send a job posting to your inbound email address; and (c) automatically from your device and browser when you use the service (request logs, IP, user-agent).
5. How and why we use your information
The purposes for which we process personal information are:
- Service delivery — generating resumes, cover letters, interview prep, and other outputs on your behalf; extracting structure from your uploaded documents; storing your substrate so it remains available across sessions. (GDPR lawful basis: performance of a contract.)
- Account management and billing — authenticating you, managing your subscription, processing payments, sending transactional emails. (GDPR lawful basis: performance of a contract; legal obligation for tax records.)
- Service improvement — debugging, error analysis, rate-limit enforcement, and aggregate cost accounting. (GDPR lawful basis: legitimate interests in operating a reliable service.)
- Security — detecting and preventing abuse, credential stuffing, and other malicious activity. (GDPR lawful basis: legitimate interests in protecting our users and service.)
- Legal compliance — responding to lawful requests and enforcing our Terms of Service. (GDPR lawful basis: legal obligation; legitimate interests.)
6. AI processing and automated decision-making
Caliber uses third-party large language models (operated by Anthropic) to read your career substrate and produce generated documents. To do this, we send portions of your substrate (typically a focused subset relevant to a specific job description) to the Anthropic API along with prompts that instruct the model what to produce.
Anthropic has publicly stated that API data is not used to train their models. We do not use your content to train any model ourselves. We do not allow Anthropic or any other subprocessor to use your content for their own commercial purposes.
Generated documents are drafts. Caliber does not make any decision that produces legal effects on you or significantly affects you in a similar way (we don't hire, fire, or score you for employers — we draft content for you to use). You remain the decision-maker on whether and how to use any generated output.
7. How we share your information
We share personal information only with subprocessors that help us run the service and only for the purposes described above. We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We have not done so in the twelve months preceding this policy's effective date.
Our current subprocessors are:
- Anthropic, PBC (United States) — large language model API. Receives prompts and the portions of your career substrate needed to generate the document you requested.
- Google LLC / Firebase (United States) — user authentication. Receives email, hashed password, and Firebase user ID.
- Google LLC / Google Cloud Platform (United States) — application hosting (Cloud Run), database (Cloud SQL for PostgreSQL), file storage (Cloud Storage), and asynchronous task scheduling (Cloud Tasks). Stores all account data, career substrate, generated documents, and uploaded files.
- Stripe, Inc. (United States) — payments, subscription management, and Customer Portal. Receives your email, card details (collected by Stripe directly, not by us), and subscription metadata.
- Resend, Inc. (United States) — transactional email delivery (account-deletion confirmations, welcome emails, subscription notifications). Receives recipient email addresses and message contents.
- Inbound email parsing — when you forward a job posting to your personal Caliber inbox address, the inbound parsing service (provider currently being finalized) receives the forwarded message contents (sender, subject, body, URLs).
- Sentry / Functional Software, Inc. (United States) — error monitoring (when enabled). Receives stack traces, request IDs, and limited request metadata. Configured with PII scrubbing.
- PostHog, Inc. (United States) — product analytics. Receives pseudonymous usage events (page views, feature clicks), your account identifier, and session replays in which all typed input and on-screen text are masked before leaving your browser — the contents of your career journal, resumes, and documents are never transmitted. Separately, we also record a small number of server-side billing events (checkout completed, plan changed, payment failed) keyed to your account identifier, which we process on the basis of our legitimate interest in fraud prevention and accurate billing records.
- Google LLC (United States) — website analytics (Google Analytics 4). Receives pseudonymous usage events such as page views and traffic source. We do not enable Google Signals or link Google Analytics to Google Ads, so this data is not used for advertising or ads personalization. You can opt out of all analytics at any time (see Section 7), which disables this on your browser.
We may also disclose personal information (a) to comply with a lawful subpoena, court order, or government request; (b) to enforce our Terms of Service or protect our rights, property, or safety, or that of our users or others; or (c) in connection with a merger, acquisition, or sale of assets, in which case the acquiring entity will be bound by this policy or will provide notice and an opportunity to delete data before it transfers.
8. International data transfers
Our subprocessors are located in the United States. If you access Caliber from the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with data-export restrictions, your personal information will be transferred to and processed in the United States. Where required, we rely on the EU Standard Contractual Clauses (and the UK International Data Transfer Addendum) as the transfer mechanism.
9. Data retention
- Active accounts: we retain your account information, career substrate, and generated documents for as long as your account is active.
- Deactivated accounts: when you request account deletion, your account is deactivated immediately and your data is permanently removed within 30 days. You can reactivate during this 30-day window by signing back in.
- Backups: deleted data may persist in encrypted backups for up to 90 days before backup rotation overwrites it.
- Operational logs: request logs and error reports are retained for up to 90 days.
- Billing records: we retain payment records as required by tax law (typically up to 7 years).
- Security events: records of failed logins, abuse detection, and similar events may be retained for up to 12 months.
10. Security
We use industry-standard security measures including encryption in transit (TLS), encryption at rest (managed by Google Cloud), row-level security on the database to enforce per-user isolation, short-lived signed URLs for file downloads, and signed-event verification for incoming webhooks. No system is perfectly secure; we cannot guarantee absolute security. We will notify you and any regulators as required by law in the event of a breach affecting your personal information.
11. Your rights
11.1 Rights available to all users
- Access: view your account, substrate, generated documents, and uploaded files inside the app.
- Correction: edit or flag any extracted entry, update your profile, and delete uploaded documents.
- Deletion: request account deletion from Settings. Your account is deactivated immediately and your data is permanently removed within 30 days.
- Cancellation of deletion: sign back in within the 30-day window to cancel a deletion request.
11.2 Rights for residents of the EEA, UK, and Switzerland
Under the GDPR / UK GDPR, you have the right to access, rectify, erase, restrict processing of, port, and object to processing of your personal information; the right to withdraw consent where processing is based on consent; and the right to lodge a complaint with your local supervisory authority. We do not engage in solely automated decision-making that produces legal or similarly significant effects on you.
11.3 Rights for California residents (CCPA/CPRA)
- Right to know what personal information we have collected about you, the sources, the purposes, and the categories of third parties we have shared it with.
- Right to delete personal information we have collected (subject to limited exceptions).
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing — we do not sell or share your personal information for cross-context behavioral advertising, so there is nothing to opt out of, but we honor Global Privacy Control signals where applicable.
- Right to limit use of sensitive personal information — we use sensitive personal information you provide (e.g., career content that may include health, religion, or other sensitive details) only to deliver the service you have requested, which is within the permitted uses under CPRA.
- Right to non-discrimination — we will not deny service, charge a different price, or provide a different level of service because you exercised your privacy rights.
- Authorized agents: you may authorize an agent to make a request on your behalf; we will require written authorization and verify your identity.
11.4 Rights for residents of other US states
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws have rights similar to those above (access, deletion, correction, and opt-out of targeted advertising and sale). The same access and deletion mechanisms apply.
11.5 How to exercise your rights
For most rights you can act directly in the app (Settings → Profile, Settings → Delete account). For requests we cannot fulfill in-app, contact us using the address in Section 15. We will respond within the timeframe required by law (typically 30–45 days depending on jurisdiction). We may need to verify your identity before fulfilling certain requests.
12. Children's privacy
Caliber is intended for adult users. We do not knowingly collect personal information from children under 18. We do not target our service to children under 13 (US) or 16 (EEA/UK), and we do not process such children's personal information. If you believe a child has provided us with personal information, please contact us and we will delete it.
13. Cookies and similar technologies
We use a small number of strictly necessary cookies and local storage entries to keep you signed in (Firebase auth tokens), maintain your session, and remember UI preferences. We do not use third-party advertising cookies, and we do not sell or share your information for cross-context behavioral advertising.
For analytics we use PostHog and Google Analytics (see Section 7). We collect pseudonymous usage events and fully masked session replays from your first visit to understand how Caliber is used and to improve it, on the basis of our legitimate interest in operating and improving the service. All typed input and on-screen text are masked in your browser before any replay is sent, so the contents of your career journal, resumes, and documents are never transmitted to analytics. We show a brief notice describing this on your first visit.
14. Changes to this policy
If we make material changes to this policy, we will notify you by email or by an in-app notice before the changes take effect, and we will update the “Last updated” date above. Non-material changes (clarifications, formatting, contact updates) may be made without notice. Your continued use of the service after a change takes effect constitutes acceptance of the updated policy.
15. Contact us
For questions about this policy, to exercise your rights, or to report a privacy concern, email the address listed on the signup page. (We will publish a dedicated privacy contact address before public launch; until then, the same inbox routes to the team.)