The short version
- We collect only what's needed to run the app — your email and your Career Brain data.
- Your Gmail OAuth tokens and AI API keys are encrypted at rest before touching our database.
- We do not sell your data, show ads, or share your information with recruiters or third parties.
- All data is stored in PostgreSQL on AWS US-West-2 (Oregon), isolated per user at the database level.
- You own your data. You can delete it at any time.
1. What We Collect
Account Information
When you create an account, we collect your email address. If you sign in with Google, we receive your Google-authenticated email — we never see or store your Google password.
Career Brain Data
The structured record you build over time: work experiences, education, accomplishments, STAR stories, skills, career preferences, and notes added via the Enrichment Agent or Career Advisor. Used exclusively to power features within your account.
Job Data
Job listings you add (via URL paste, site search, or Gmail scanning), plus AI-generated fit scores, interview prep kits, cover letters, and tailored resumes.
Gmail Integration (Optional)
If you connect Gmail, we request read-only access to identify job-related emails. OAuth tokens are encrypted at rest using AES-128 Fernet encryption before storage. We do not read, store, or analyze email content beyond the job lead extraction you explicitly request. No human reads the content of your emails — all processing is automated. Gmail data is never used to develop, improve, or train AI or machine learning models. Revoke access any time in Settings.
AI API Keys (BYOK)
If you provide an Anthropic or OpenAI API key, it is encrypted at rest before storage. Your key is used solely to make AI calls on your behalf — never shared, logged, or used for any other purpose. You are responsible for API usage costs on your key.
Usage Data
Basic server logs (request timestamps, response codes) for reliability and security. No analytics SDKs, no ad-tracking pixels.
2. How We Use Your Data
We use your data to provide and operate the Prism Tree service — generating fit scores, interview prep, cover letters, tailored resumes, enrichment sessions, and career advice — and to maintain your account and authenticate your identity.
- We do not sell your data to any third party
- We do not use your Career Brain to train AI models
- We do not display advertising of any kind
- We do not share your data with recruiters, employers, or external parties
Your data is passed to AI providers at call time only. It is not retained by Anthropic or OpenAI under standard API terms. We pass context when you initiate a feature; we don't batch or upload your data.
Google API Data
Prism Tree's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Gmail data is used solely to identify job-related emails within your account and is not transferred to third parties except as strictly necessary to provide that feature.
3. Third-Party Services
Each provider receives only the data necessary to perform their function. We do not use advertising networks, data brokers, or analytics platforms.
| Provider | Role | Data shared |
|---|---|---|
| Supabase | Database, auth, row-level security | All stored user data — hosted on AWS US-West-2 |
| Vercel | Frontend hosting (app.prismtree.ai) | No user data stored; serves the React application |
| Railway | Backend API hosting (api.prismtree.ai) | Processes API requests; no persistent data storage |
| Anthropic / OpenAI | AI inference | Career Brain context passed at call time, using your own key |
| Google | OAuth (Sign-In + Gmail) | Email address for sign-in; OAuth tokens for Gmail if connected |
4. Data Storage & Security
All user data is stored in a PostgreSQL database hosted by Supabase on AWS US-West-2 (Oregon, USA). No user data is stored outside the United States.
Row-Level Security (RLS) is enforced at the database layer — your data is physically inaccessible to any other user's session, enforced by the database itself, not just application code.
All data in transit is encrypted over HTTPS/TLS. Gmail OAuth tokens and AI API keys are encrypted at rest using AES-128 Fernet encryption before being written to the database.
For a full breakdown of our security posture, see our Security Statement.
5. Data Retention
Your data is retained as long as your account is active. If you delete your account, your Career Brain data, job data, and all associated records are permanently deleted. Gmail OAuth tokens and AI API keys are deleted immediately upon disconnection or account deletion.
6. Your Rights
You have the right to access your data (it's fully visible in the app), export your data (contact us for a full export), and delete your account and all associated data at any time.
To exercise these rights, contact us at andrewgodlew@gmail.com.
7. Children's Privacy
Prism Tree is intended for adults aged 18 and older. We do not knowingly collect data from anyone under 18.
8. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated by updating the "Last Updated" date above and, where appropriate, by email. Continued use after changes constitutes acceptance of the revised policy.
9. Contact
Questions about this policy? Reach us at andrewgodlew@gmail.com.
Prism Tree · 45 Portland Rd. Ste 7 - 1008 · Kennebunk, ME 04043-6660