Privacy Policy

Persistent Recruiter is a recruiting CRM and content platform. To run the Service we process two categories of personal data: (1) data about you, the account holder, and (2) data about the candidates you track in your pipeline. This policy explains what we collect, why, who we share it with, and how to exercise your rights.

Account data. When you sign up we collect your email, full name, and password (stored as a one-way hash by Supabase Auth — we never see your plaintext password).

Profile and brand data. Information you choose to add — company name, LinkedIn URL, brand colors, logo, industry, tagline.

Candidate data you upload. Names, emails, phones, resumes, LinkedIn URLs, addresses, notes, stage history, and other pipeline information you record about candidates. This data is yours; we process it on your behalf as a service provider.

Billing data. When you subscribe, Stripe processes payment-card details directly. We receive only the customer ID, subscription status, plan, and period end. We do not store full card numbers.

Content data. Discovery Video scripts and audio you generate, forms you build, pages you publish.

Usage analytics. Page views, clicks, and feature interactions captured by PostHog with anonymized IP. We use this to understand which features matter and to fix bugs.

Server logs. Standard request metadata (IP, user agent, timestamp, URL) retained for security and debugging, typically up to 30 days.

• To provide, secure, and improve the Service.
• To process payments and prevent fraud.
• To send transactional email (welcome, billing, password reset, drip notifications you opt into).
• To respond to support requests.
• To enforce our Terms of Service.
• To meet legal obligations (e.g. tax records).

We do not sell your personal data, and we do not use Customer Content to train AI models that benefit other customers.

Customer Content is stored in Supabase(US region), encrypted at rest, and access-scoped using row-level security so that one customer cannot read another’s rows. File uploads (resumes, logos, video MP4s) live in Supabase Storage with the same access scoping.

The Service relies on these sub-processors:

• Supabase — database hosting, authentication, file storage.
• Stripe — payment processing.
• Resend — transactional email delivery.
• OpenAI — Discovery Video script generation and text-to-speech.
• PostHog — usage analytics with anonymized IP.
• Vercel — application hosting and CDN.

Each sub-processor handles data under its own privacy commitments. We share with them only what is needed for them to perform their function — for example, Stripe receives billing data but never your candidate notes.

We keep Customer Content for as long as your account is active. After cancellation, we retain it for 90 days to allow data export, then delete or anonymize it (subject to limited legal retention requirements such as tax records). You can request earlier deletion at any time — see “Your rights” below.

Subject to applicable law, you may request: (a) access to the personal data we hold about you; (b) correction of inaccurate data; (c) deletion of your data; (d) export of your data in a portable format; (e) objection to specific processing.

To exercise any of these rights, email legal@persistentmomentum.com. We respond within 30 days. We may ask you to verify your identity before acting on a request that involves another user’s personal data.

EU / UK residents. Self-service GDPR data portability is queued for a future release. Today, please email us and we will fulfill your request manually. We do not currently process special-category personal data (e.g. health, genetic) and ask that you not upload such data to the Service.

We use first-party cookies for authentication (Supabase session) and product analytics (PostHog with anonymized IP). We do not use third-party advertising trackers. Marketing pages may load Google Fonts; web font requests can be observed by Google but contain no identifying information beyond the request itself.

We use industry-standard practices: TLS in transit, encryption at rest, row-level security in the database, principle-of-least-privilege for service credentials. No system is perfectly secure, and we encourage you to choose a strong unique password and report suspected vulnerabilities to legal@persistentmomentum.com.

Our infrastructure is hosted in the United States. If you are outside the US, your data will be transferred to and processed in the US under standard contractual clauses or similar mechanisms where applicable.

The Service is not directed at individuals under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us personal data, contact legal@persistentmomentum.com and we will delete it.

We may update this policy from time to time. Material changes will be communicated by email to your account address or by an in-app notice at least 30 days before they take effect, except where required for legal or security reasons.

Privacy questions? Email legal@persistentmomentum.com.