HighFit (“we,” “us”) provides a job-fit scoring and outreach-drafting service for individual job seekers, available as a web dashboard and Chrome extension. This Privacy Policy explains what information we collect, how we use it, and the choices you have.
1. Information we collect
You provide directly
- Account information. Name, email address, and a password (stored as a salted hash, never in plain text).
- Resume content. Either an uploaded PDF (we extract its text and discard the PDF for analysis), or text you paste directly. The resume text is stored in our database so we can score new jobs without re-uploading.
- Optional “About you” context. Any additional notes you enter about your target roles, preferences, or background.
- Pipeline data. Job postings you score and save, your notes on each job, status updates (Saved, Applying, Applied, etc.), and generated outreach drafts (cover letters, LinkedIn messages, talking points, interview questions).
Collected automatically
- Job-posting content. When you click the HighFit extension on a supported job-board page, the visible job title, company, location, and description are extracted from the page and sent to our API for scoring.
- Usage analytics. Page views, button clicks, and high-level event data (e.g. when you generate a cover letter) via Google Analytics 4. We do not collect IP addresses for behavioral profiling; GA4's default IP anonymization applies.
- Technical metadata. Browser type, device type, and approximate region (country/state) inferred from your IP, used for security and aggregate analytics.
2. How we use it
- To run the product. Authenticate you, score job postings against your resume, generate outreach drafts, manage your pipeline, and process payments.
- To improve the product. We aggregate usage analytics to understand which features get used and where users drop off. We do not train AI models on your data.
- To communicate with you. Transactional emails such as password resets and purchase receipts. We do not send marketing emails without your explicit opt-in.
- For security and fraud prevention. Detect abuse, investigate suspicious activity, and enforce our Terms of Service.
3. Third parties we share with
We use a small number of well-known service providers (“sub-processors”) to operate the service. We share only what they need to do their job, and we never sell your data to anyone.
- Anthropic (Claude AI). When you score a job or generate outreach, we send the relevant resume text, job description, and your “About you” context to Anthropic to produce the result. Anthropic does not retain or train on this data per their commercial API terms.
- Stripe. Processes payments for credit packs and subscriptions. We receive a Stripe customer ID and payment status; Stripe holds the actual card and billing details.
- Resend. Sends transactional email (password reset, receipts).
- Google Analytics 4. Aggregate web and extension analytics, including pageviews and high-level events. We do not send Google any resume or job-posting content.
- Railway. Hosts our backend (Postgres database, Redis queue, Laravel API, Next.js dashboard). All data is encrypted in transit (HTTPS) and at rest.
We may also disclose information if required by law, to respond to valid legal requests, or to protect the rights, property, or safety of HighFit, our users, or others.
4. The Chrome extension
The HighFit extension requests three Chrome permissions:
- storage — stores your authentication token locally in the browser so you don't have to sign in repeatedly.
- activeTab — reads the current tab's content only when you click the extension icon. The extension does not listen to your browsing in the background.
- scripting — runs the scraper that extracts the visible job-posting content on supported job boards (LinkedIn, Lever, Greenhouse, Workday, Ashby).
The extension does not access non-job pages. It does not read your browsing history, passwords, cookies, or any data outside the currently active job-posting page when you explicitly trigger scoring.
5. Data retention
We retain your account data, resume text, pipeline, and outreach drafts for as long as your account is active. You can delete individual items (jobs, resume) at any time from the dashboard. If you delete your account, we delete your personal data within 30 days, except where retention is required by law (e.g. payment records for tax purposes, which we retain per applicable regulations).
6. Your rights
Regardless of where you live, you can:
- Access your data — everything we store about you is visible in the dashboard, except internal logs.
- Correct your data — you can edit your name, resume, additional context, notes, and outreach drafts directly.
- Delete your data — email support@highfit.io and we will delete your account and associated data within 30 days.
- Export your data — we can provide a JSON export on request; email us.
If you are in the EEA, UK, or California, you have additional rights under GDPR / UK GDPR / CCPA, including the right to object to processing and the right to lodge a complaint with your local data protection authority.
7. Children
HighFit is for users 16 years old and over. We do not knowingly collect data from anyone under 16. If you believe a minor has created an account, please email us and we will delete the account.
8. Security
All traffic is encrypted with HTTPS (TLS). Passwords are stored as salted hashes. Authentication uses short-lived bearer tokens which you can revoke by signing out or by changing your password (which invalidates all existing tokens).
No system is perfectly secure. If you believe your account has been compromised, email support@highfit.io immediately.
9. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and update the “Effective date” above. Continued use of HighFit after a change constitutes acceptance of the updated policy.
10. Contact
Questions about this policy or your data? Email support@highfit.io.
See also our Terms of Service.