How We Protect Your Data
Honest disclosure of our security practices, third-party services, and limitations. No overclaiming. Every statement on this page is verifiably true.
Your resume is encrypted in transit and at rest. We never share it with employers or recruiters. You can delete all your data at any time, and we will remove it within 30 days.
You are trusting us with sensitive career information: your resume, employment history, salary expectations, and job search activity. We take that seriously.
Our approach to security is built on one principle: tell the truth about where we are. Most companies fill their security pages with buzzwords and self-assigned ratings. We would rather be honest about what we do, what our vendors provide, and where we have room to grow.
Honest communication about security practices. No marketing language masquerading as technical truth. Prompt notification if something goes wrong. Continuous improvement as we grow.
Data We Store
- Your resume: Stored in our database so you can analyze jobs against it. You can delete it at any time from your dashboard.
- Analysis history: Past job analyses are saved so you can review them and track applications.
- Account information: Email address and a cryptographically hashed password.
- Job pipeline data: Jobs you save, application stages, and notes.
Data We Do Not Store
- Credit card numbers: All payment data is handled entirely by Stripe. Card numbers never touch our servers.
- Social Security numbers or government identification.
- Biometric data: We do not collect fingerprints, facial recognition data, voiceprints, or any biometric identifiers. This includes data covered by the Illinois Biometric Information Privacy Act (BIPA).
- Browsing history outside of MintCareer.
Data Sent to AI for Processing
When you analyze a job, the following is sent to Anthropic's Claude API:
- Your resume text (content only, no metadata or account information)
- The job description text you paste into the analyzer
- System prompts that instruct the AI how to perform the analysis
Your email address, payment information, IP address, device identifiers, and browsing behavior are never sent to the AI.
For complete data retention periods, see Section 9: Data Retention Schedule.
Encryption
- In transit (HTTPS/TLS): All data transmitted between your browser and our servers is encrypted via HTTPS, enforced through Cloudflare. This is the same encryption standard used by banks and government agencies.
- At rest (PostgreSQL on Neon): Your data is stored in an encrypted PostgreSQL database hosted on Neon with SSL/TLS-encrypted connections. The database includes automatic point-in-time recovery, plus AES-256-encrypted backup copies stored separately for disaster recovery.
- Passwords (bcrypt): User passwords are hashed using bcrypt with salt rounds. We cannot see your password. Even if our database were compromised, passwords would remain protected.
- API credentials: Our Anthropic API key and Stripe keys are stored as encrypted environment variables in Replit Secrets, never in source code or version control.
Application Security
- Input sanitization: We implement input sanitization practices across all user-facing forms and API endpoints to mitigate common web vulnerabilities including cross-site scripting (XSS) and injection attacks.
- Input validation: All resume and job description inputs are validated for minimum length and content relevance before processing, preventing abuse and reducing unnecessary API calls.
- AI prompt injection defense: All user-submitted content (resumes, job descriptions) is wrapped in untrusted content boundaries before being sent to the AI, preventing prompt injection attacks that could manipulate analysis results.
- Rate limiting: Flask-Limiter protects against abuse and brute-force attacks on all routes.
- Session security: Sessions use cryptographically secure random generation. Sessions expire after 2 hours of inactivity and have a maximum lifetime of 30 days, whichever comes first.
- Common password blocking: We block the 50+ most commonly used passwords at signup to prevent easily guessable credentials.
- Character limits: Input fields are capped to prevent abuse.
- Open redirect prevention: Login redirects are validated to prevent phishing attacks that redirect users to malicious sites after authentication.
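Two of the controls listed above, session expiry and login-redirect validation, sketched in Python as an added example (this is not MintCareer's code). The function names and the `/dashboard` fallback path are assumptions; the 2-hour and 30-day limits are the ones stated on this page.

```python
from datetime import timedelta
from urllib.parse import urlsplit

IDLE_TIMEOUT = timedelta(hours=2)   # from the page: 2 hours of inactivity
MAX_LIFETIME = timedelta(days=30)   # from the page: 30-day maximum lifetime


def session_is_valid(created_at, last_seen_at, now):
    """True only while BOTH limits hold, so whichever expires first wins."""
    if now < created_at or now < last_seen_at:
        return False                # timestamps from the future: reject
    idle_ok = (now - last_seen_at) < IDLE_TIMEOUT
    age_ok = (now - created_at) < MAX_LIFETIME
    return idle_ok and age_ok


def safe_redirect_target(target, fallback="/dashboard"):
    """Return `target` only if it is a same-site relative path.

    `fallback` is a hypothetical post-login landing path.
    """
    if not target or not target.startswith("/"):
        return fallback             # absolute URLs, "javascript:", bare hosts
    if target.startswith("//") or "\\" in target:
        return fallback             # scheme-relative URL; browsers read "\" as "/"
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return fallback             # tab/CR/LF are dropped by browsers, hiding "//"
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return fallback             # anything that still parses as off-site
    return target
```

Rejecting on the raw string before parsing matters: URL parsers and browsers normalise backslashes and control characters differently, so a value that parses as a local path can still navigate off-site.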
Infrastructure
- Hosting: MintCareer runs on Replit, which provides container isolation, automatic security patching, and DDoS protection.
- SSL certificate: Managed by Cloudflare with automatic renewal.
- DNS protection: Cloudflare CDN with built-in threat filtering.
- Structured logging: Application-level logging is implemented across all modules for security event detection and debugging.
We integrate with the following services. Each handles a specific function and has its own security certifications:
Our vendors (Anthropic, Stripe, Cloudflare, Neon) hold security certifications like SOC 2 and PCI DSS. MintCareer itself does not currently hold these certifications. We benefit from our vendors' security infrastructure, but we want to be clear about the distinction.
- We do not sell your data. Not to recruiters, not to employers, not to data brokers, not to anyone, for any price.
- We do not share your resume with employers or recruiters without your explicit consent.
- We do not use your data to train AI models. Anthropic's API terms prohibit training on API data.
- We do not use advertising trackers. No Facebook Pixel, no Google Ads tracking, no retargeting cookies.
- We offer Google Sign-In for convenience. When you log in with Google, we receive only your name and email address. We do not access your Google contacts, calendar, or other Google data.
- We do not make deletion difficult. Delete your account and all data at any time. No questions, no retention tricks, no "are you sure" dark patterns. All data is permanently removed within 30 days of your request.
- We do not require more information than necessary. We ask for what we need to provide the service and nothing more.
- We do not collect biometric data. No fingerprints, facial recognition, voiceprints, or other biometric identifiers are collected or processed.
Cookies We Use
MintCareer sets the following cookies:
- Session cookie: Required for login functionality. Expires after 2 hours of inactivity or 30 days from creation, whichever comes first. Cannot be used to track you across other websites.
- Theme preference: Remembers your light/dark mode choice. Stored locally in your browser, not on our servers.
- Google Analytics (_ga, _gid): Used to understand how the site is used in aggregate. IP addresses are anonymized. We do not use this data to identify individuals or serve ads.
We do not set advertising cookies, social media tracking pixels, or third-party marketing cookies.
We use Google Analytics 4 with IP anonymization to understand site usage patterns. Analytics data retention is set to 14 months. We do not use this data to identify individuals or sell it to third parties.
For more details, see our Privacy Policy.
We build the infrastructure. You protect your access. Here is your part:
- Use a strong, unique password. Do not reuse passwords from other sites. Use a password manager (1Password, Bitwarden, or similar).
- Enable two-factor authentication on your email. Your email is the key to password resets. If your email is compromised, your MintCareer account could be too.
- Log out on shared devices. Always log out if using a public or shared computer.
- Review your resume before uploading. Remove sensitive information you do not want processed (Social Security numbers, detailed home addresses, etc.).
- Keep your browser and operating system updated. Most breaches exploit known vulnerabilities in outdated software.
- Report suspicious activity. If you see anything unusual in your account, contact us immediately.
We will never ask for your password via email, text, or phone. If you receive a message claiming to be from MintCareer asking for your password, it is a scam. Forward it to security@mintcareer.ai and delete it.
If We Experience a Breach
In the unlikely event of a security incident affecting your data:
- Prompt notification: We will notify all affected users via email as quickly as possible and no later than required by applicable law (CCPA requires notification without unreasonable delay; GDPR requires notification within 72 hours).
- Full transparency: We will disclose what data was affected, how the breach occurred, and what steps we are taking. No corporate spin.
- Regulatory notification: We will notify relevant authorities as required by CCPA, GDPR, and other applicable laws.
- Remediation: We will implement fixes, conduct forensics, and share what we are doing to prevent future incidents.
If You Suspect Unauthorized Access
- Change your password immediately.
- Review your analysis history for unfamiliar activity.
- Email security@mintcareer.ai with details. We will respond as quickly as possible.
- If concerned, you can delete your account and all data from your dashboard.
We believe transparency about limitations builds more trust than overclaiming. Here is where we are:
Current State
- Solo founder operation. MintCareer LLC currently has a single operator with access to production systems. This means fast response but limited 24/7 coverage.
- No independent security audit. We have not yet undergone a formal third-party security audit or penetration test. Our vendors have, but we have not.
- No SOC 2 certification. Our vendors (Anthropic, Stripe, Neon) are SOC 2 certified. MintCareer itself is not. We follow SOC 2 principles but have not completed the certification process.
- No two-factor authentication yet. We do not currently offer 2FA for user accounts. We rely on strong password requirements, common password blocking, and session security.
What We Are Working Toward
- Two-factor authentication for user accounts
- Independent security audit once we reach scale
- SOC 2 Type I certification (scoping in progress)
- Role-based access controls as the team grows
- Automated security monitoring and alerting
- Data export functionality so you can download a copy of all your data
Most startups at our stage do not have SOC 2, independent audits, or dedicated security teams. That is normal. What is not normal is admitting it. We would rather earn your trust through honesty than lose it through overclaiming.
We retain your data only as long as needed to provide the service. Here is the complete schedule:
| Data Type | Retention Period | Notes |
|---|---|---|
| Resume text | While account is active | You can delete your resume at any time from your dashboard |
| Analysis history | While account is active | Includes match scores, ghost detection results, and recommendations |
| Job pipeline data | While account is active | Saved jobs, application stages, notes, and follow-up history |
| Account information | While account is active | Email address and hashed password |
| All data after account deletion | Permanently deleted within 30 days | Resume, analyses, pipeline, and account info. Anonymized aggregate statistics (total analysis counts) may be retained |
| AI processing data | Up to 30 days (Anthropic) | Managed by Anthropic per their API terms. Used for safety monitoring only. Not used for training. |
| Payment data | Managed by Stripe | Card numbers never touch our servers. Stripe retains data per their policies and PCI DSS requirements. |
| Session tokens | 2 hours (inactivity) / 30 days (maximum) | Automatically cleared after 2 hours of inactivity or 30 days from creation, whichever comes first |
| Application logs | 90 days | Used for debugging and security investigation. Auto-deleted after 90 days. |
| Database backups | 30 days (rolling) | AES-256-encrypted. Overwritten on a rolling 30-day cycle. |
| Analytics (GA4) | 14 months | IP-anonymized. No personally identifiable information. Set to minimum GA4 retention period. |
Under the California Consumer Privacy Act (CCPA) and similar state laws, you have the right to request deletion of your personal data. We honor all deletion requests within 30 days, which is faster than the 45-day maximum required by CCPA. To delete your data, use the delete option in your account settings or email privacy@mintcareer.ai.