How your data is protected
You bring us the most personal document you own and the stories behind it. This page says exactly what protects them, in engineering terms, with nothing aspirational stated as current. Every claim here is verifiable in how the product is built.
Encrypted, twice for the sensitive parts
Everything is encrypted in transit and at rest. Resumes, postings, transcripts, and memories carry a second, application-level encryption layer.
Never used to train anything
A single enforcement point refuses to send personal content down any unverified path, on every request and at every boot.
Your card never touches us
Payments are tokenized by Square in your browser. Our servers see a one-time token and a signed confirmation, never card numbers.
Deletion that means it
Short retention windows enforced by an automated daily job, plus self-serve export and full account erasure in Settings.
Encryption, honestly layered
All traffic runs over HTTPS. Everything stored in our database and file storage is encrypted at rest by the infrastructure provider. On top of that, the fields with the most personal weight are encrypted a second time by our own application before they are written: uploaded resumes, job postings, emphasis notes, practice-interview transcripts, anonymous preview inputs, and your saved memories. That layer is AES-256-GCM with versioned keys, so keys can rotate without re-encrypting history and a stolen database dump does not expose those fields.
To be precise about the boundary: some working data (for example story titles and structured writing-style descriptors) is protected by the at-rest layer and strict per-account access rules rather than by the second application layer, because the product has to search and filter it. We state that plainly instead of rounding it up to a blanket claim.
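How a version-tagged AES-256-GCM envelope lets keys rotate without re-encrypting older rows, as an added example that is not the product's own code. The keyring, the envelope layout, the function names, and the use of associated data to bind a ciphertext to its row are assumptions of this sketch.

```javascript
const crypto = require('node:crypto');

// Constructed keyring for the demo: version -> 32-byte key.
// Real keys would be loaded from a secret store, never derived like this.
const KEYRING = new Map([
  [1, crypto.createHash('sha256').update('constructed-demo-key-v1').digest()],
  [2, crypto.createHash('sha256').update('constructed-demo-key-v2').digest()],
]);
const CURRENT_VERSION = 2; // new writes always use the newest key

// Assumed envelope: "v<version>.<iv>.<tag>.<ciphertext>", parts in base64url.
function encryptField(plaintext, context, version = CURRENT_VERSION) {
  const key = KEYRING.get(version);
  if (!key) throw new Error(`unknown key version ${version}`);
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every write
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  // Assumption: bind version and row context as associated data, so a
  // ciphertext cannot be moved to another row or relabelled with another key.
  cipher.setAAD(Buffer.from(`${version}|${context}`));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const parts = [iv, cipher.getAuthTag(), ct].map((b) => b.toString('base64url'));
  return `v${version}.${parts.join('.')}`;
}

function decryptField(envelope, context) {
  const m = /^v(\d+)\.([\w-]+)\.([\w-]+)\.([\w-]*)$/.exec(envelope);
  if (!m) throw new Error('malformed envelope');
  const version = Number(m[1]);
  const key = KEYRING.get(version); // rows written before a rotation pick their old key
  if (!key) throw new Error(`unknown key version ${version}`);
  const [iv, tag, ct] = m.slice(2).map((s) => Buffer.from(s, 'base64url'));
  if (iv.length !== 12 || tag.length !== 16) throw new Error('malformed envelope');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAAD(Buffer.from(`${version}|${context}`));
  decipher.setAuthTag(tag);
  // final() throws if key, associated data, tag or ciphertext do not match.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}
```

A row written under version 1 stays readable after version 2 becomes current, because the envelope itself names the key to use.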
One account, one wall
Every stored row is bound to an account and guarded by database-level row isolation: a request can only ever read the rows of the verified account making it. Identity comes exclusively from a verified sign-in session, never from an id a browser sends. Administrative access paths run only on the server, never in anything shipped to a browser.
There is no employer portal, no school integration, and no public profile. The only outward-facing artifact is a share card you create deliberately, which contains a summary of your communication style, zero stories and zero personal details, and can be revoked at any time.
The no-training enforcement
The promise that your content never trains anything is enforced in code, not in a paragraph. Every generation request carrying personal content passes through a single chokepoint that checks the processing path it is about to use. If the path is not explicitly verified as no-retention and no-training, the request is refused. The check fails closed: unknown means no.
The same verification runs at startup. A production deploy whose active processing paths are not attested no-training refuses to boot, so a misconfiguration cannot silently ship. Public text you paste, like a job posting, may be parsed on a standard tier; anything personal never is.
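A fail-closed gate of the kind described above, shown as an added example rather than the product's own code. The path names, the registry shape, the `contentClass` field, and the function names are hypothetical.

```javascript
// Constructed registry: a path counts as verified only when both properties
// are explicitly attested. Anything missing or unknown is treated as "no".
const PATHS = {
  'private-tier': { noRetention: true, noTraining: true },
  'standard-tier': { noRetention: false, noTraining: false },
  'new-tier': { noRetention: true }, // noTraining was never attested
};

function isVerified(pathName, registry = PATHS) {
  // Own-property lookup, so names like "constructor" cannot resolve to
  // something inherited from Object.prototype.
  const entry = Object.prototype.hasOwnProperty.call(registry, pathName)
    ? registry[pathName]
    : undefined;
  // Strict === true: undefined, 1, "yes" or a missing entry all fail.
  return !!entry && entry.noRetention === true && entry.noTraining === true;
}

// Single chokepoint: every generation request is authorized here.
function authorize(request, registry = PATHS) {
  // Content is personal unless explicitly marked public (a pasted posting).
  const personal = request.contentClass !== 'public';
  if (personal && !isVerified(request.path, registry)) {
    return { allowed: false, reason: `path "${request.path}" is not verified` };
  }
  return { allowed: true };
}

// Startup check: every path enabled for personal content must be verified,
// otherwise the process refuses to start.
function assertBootable(activePersonalPaths, registry = PATHS) {
  const bad = activePersonalPaths.filter((p) => !isVerified(p, registry));
  if (bad.length > 0) {
    throw new Error(`refusing to boot, unverified paths: ${bad.join(', ')}`);
  }
  return true;
}
```

A request with no `contentClass` at all is treated as personal, so a caller that forgets to classify content is refused on an unverified path rather than waved through.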
Built to refuse, not to invent
A prep tool that invents experience is a security problem in a different costume. Generation here is grounded in the stories you actually provided: when there is no real evidence for a claim, the system refuses and asks you for a story instead of fabricating one. Every draft is verified against your source material before you see it, numbers the product cannot know are left as bracketed slots for you to fill, and a draft that fails verification is regenerated or refused, never shipped quietly.
Payments
Checkout is handled by Square. Card details are entered into Square's fields and tokenized in your browser; our servers receive a single-use token, never a card number, and charge a fixed server-side price so a tampered request cannot change what you pay.
- Signed webhooks: payment notifications are authenticated with an HMAC-SHA256 signature compared in constant time. Unsigned or mis-signed events are rejected before anything is read from them.
- Amount validation: a grant only fires when the paid amount and currency match the configured price exactly.
- Idempotent unlocks: grants are keyed to the payment id, so delivery retries can never double-credit and a once-failed grant heals itself.
- Refund symmetry: a full refund automatically revokes the credits that payment granted and the paid access with them, exactly once, even if the refund event is delivered multiple times.
Retention, enforced by a job, not a promise
An automated purge runs daily and erases on schedule: prep inputs 30 days after delivery, anonymous previews within 1 day, raw voice clips within 30 days, practice transcripts with their pack inputs. The windows below are rendered from the same constants the purge job executes, so this page cannot drift from the code.
- Uploaded resumes and job postings: Deleted 30 days after your pack is delivered (45 days after submission if an order never completes). Encrypted before storage; a daily job erases the encrypted content on schedule. Email us to delete sooner.
- Practice-interview transcripts: Cleared when the matching pack inputs are purged, or after 45 days at the latest. Encrypted before storage. Your scorecard (the numbers and feedback) is kept for you.
- Anonymous previews tried before signing up: Deleted within 1 day. Encrypted before storage and erased by the same daily job.
- Raw voice recordings (spoken answers): Deleted within 30 days. Stored in a private bucket only your account can reach. A delete-now button in Settings removes them immediately.
- Your stories, writing-style profile, and saved memories: Kept while your account is active. They are the product: your prep is built from them. Review, edit, or delete any of them at any time; deleting your account removes them all.
- Order and payment records (email, amount, date): Kept as long as accounting and tax law requires. A financial record, not profile data. The sensitive content inside an order is encrypted and purged on the schedule above.
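One way a single table of windows can drive both the purge selection and the page text, as an added example that is not the product's purge job. The record fields, the function names, and the choice to measure the transcript ceiling from creation time are assumptions; the day counts are the ones stated above.

```javascript
const DAY = 24 * 60 * 60 * 1000; // milliseconds

// One table of windows feeds both the job and the rendered text.
const RETENTION_DAYS = {
  inputAfterDelivery: 30,
  inputAfterSubmission: 45, // used only when the order never completes
  transcriptCeiling: 45,
  preview: 1,
  voice: 30,
};

// Instant at which a record must be erased, or null if the job never purges it.
function purgeAt(rec) {
  const R = RETENTION_DAYS;
  switch (rec.kind) {
    case 'input':
      return rec.deliveredAt != null
        ? rec.deliveredAt + R.inputAfterDelivery * DAY
        : rec.submittedAt + R.inputAfterSubmission * DAY;
    case 'transcript':
      // Cleared with its pack inputs, or at the ceiling, whichever is earlier.
      return Math.min(rec.inputsPurgeAt ?? Infinity, rec.createdAt + R.transcriptCeiling * DAY);
    case 'preview':
      return rec.createdAt + R.preview * DAY;
    case 'voice':
      return rec.createdAt + R.voice * DAY;
    default:
      return null; // stories, profile, memories: kept while the account is active
  }
}

// Ids the daily job would erase at time `now`.
function selectForPurge(records, now) {
  return records.filter((r) => {
    const t = purgeAt(r);
    return t !== null && t <= now;
  }).map((r) => r.id);
}

// Page copy rendered from the same constants, so text and job cannot disagree.
function retentionCopy() {
  const R = RETENTION_DAYS;
  return `Inputs: ${R.inputAfterDelivery} days after delivery ` +
    `(${R.inputAfterSubmission} after submission if never completed); ` +
    `previews: ${R.preview} day; voice clips: ${R.voice} days.`;
}
```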
Voice, without surveillance
Speaking is consent-gated, and the consent is revocable in Settings. Analysis is limited to delivery: pace, pauses, filler words, steadiness against your own baseline. Emotion and mood inference are deliberately excluded, and the exclusion is enforced where voice metrics are stored, not just promised. Live practice audio is streamed for transcription rather than kept as audio; the short onboarding clips that are kept live in private storage with a delete-now control and a 30-day ceiling.
Analytics without tracking
We use Plausible, a cookieless analytics service: no cookies, no cross-site tracking, no personal identifiers, aggregate counts only. Session and document ids are scrubbed out of URLs before events are sent, and the private surfaces of the product are excluded from measurement entirely.
Controls you hold yourself
- Export: download everything we hold about you, decrypted into a readable file, from Settings.
- Erase: delete your account and everything in it, including your sign-in identity. A deletion that partially fails reports failure instead of pretending.
- Pause: a memory-capture switch stops anything new from being saved, enforced server-side.
- Delete recordings: remove raw voice clips immediately, ahead of the automatic purge.
- Inspect: your saved stories and memories are reviewable, editable, and individually deletable inside the product.
Reporting a vulnerability
If you believe you have found a security issue, email hello@offerreadyapp.com with “SECURITY” in the subject line. Reports go straight to the people who can fix the issue, we will acknowledge yours, and we will not take legal action against good-faith research. Please do not access data that is not yours; a proof of concept against your own account is enough.
What we do not claim yet
Honesty cuts both ways, so here is the other side. We are a small team, not a certified enterprise vendor: we do not yet hold a SOC 2 report or ISO 27001 certification (our providers publish their own). Formal data-processing paperwork with each provider is being catalogued for enterprise use. If your evaluation needs specifics beyond this page, ask at hello@offerreadyapp.com and you will get engineering answers, not sales answers.