Trust
Security & data handling
Last reviewed ·
Stet’s privacy promise is short: your résumé never trains anyone’s model. This page explains the mechanism that backs that promise — which providers see your data, what they’re contractually allowed to do with it, and how long Stet retains it.
The training-vs-inference distinction
When you tailor a résumé in Stet, the agent sends prompts to a large-language-model provider through the Vercel AI Gateway. There are two things a provider can do with those prompts: (a) inference — generate a response and forget the input, and (b) training — incorporate the input into a future model.
Stet routes only through providers under contracts that explicitly prohibit (b). Your résumé content, the JDs you paste, the cover-letter drafts, and the chat history are used for inference only. They are not retained by the upstream model provider beyond the duration of the request.
Sub-processors
We use the following sub-processors to operate Stet. Each is bound either by its public DPA (Data Processing Agreement) or by terms we have contracted directly.
- Supabase — Primary database, authentication, file storage. Hosted in the United States.
- Vercel — Application hosting and edge runtime, plus Vercel Analytics (cookieless) and Vercel Speed Insights.
- Vercel AI Gateway — Proxy that routes inference requests to upstream model providers under no-training contracts.
- Upstream model providers — [TODO: list specific providers, e.g. OpenAI, Anthropic, Google]. Each is contracted to not train on routed prompts.
- Stripe — Payments. Card data never touches Stet's servers.
Retention windows
How long Stet keeps each type of data:
- Account data (email, hashed password, billing identifier) — kept while your account is active. Deleted within 30 days of account-deletion request.
- Uploaded résumé file + extracted résumé tree — kept while your account is active. Deleted within 30 days of account-deletion request.
- Job description text + parsed JD signals — kept for [TODO: retention window, e.g. 90 days] after creation, then deleted unless attached to a saved Variant.
- Generated Variants (tailored résumés) — kept until you delete them or close your account.
- Chat history — kept while your account is active so you can resume a session. Deleted within 30 days of account-deletion request.
- Interview audio — deleted within 24 hours of the interview ending. Transcripts and feedback summaries persist; the raw audio does not.
- Inference prompts/responses — not retained by the upstream provider beyond the request lifetime; not stored separately by Stet.
- Operational logs — retained for [TODO: retention window, e.g. 30 days], then aggregated or deleted.
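The one window above that is conditional is the job-description one ("deleted unless attached to a saved Variant"). As an added example, not Stet's own job or schema, this is what a dependency-aware retention sweep for it looks like in Postgres with pg_cron (which Supabase ships as an extension). The table and column names (job_descriptions, variants, job_description_id, created_at) and the 90-day figure are assumptions; the page's own JD window is still a TODO.

```sql
-- Added example, not Stet's own job: a dependency-aware retention sweep.
-- Table/column names and the 90-day default are assumptions.

create or replace function public.purge_expired_job_descriptions(
  retention interval default interval '90 days'   -- assumed value, see page TODO
)
returns bigint
language plpgsql
security definer
set search_path = public
as $$
declare
  deleted bigint;
begin
  -- A JD past the window is deleted only if no saved Variant still points at it.
  -- The NOT EXISTS clause is what turns "90 days" into "90 days unless attached".
  with doomed as (
    delete from job_descriptions jd
    where jd.created_at < now() - retention
      and not exists (
        select 1 from variants v where v.job_description_id = jd.id
      )
    returning jd.id
  )
  select count(*) into deleted from doomed;
  return deleted;
end;
$$;

-- SECURITY DEFINER runs as the function owner, so restrict who may call it:
-- neither anonymous nor signed-in API callers should be able to trigger a sweep.
revoke execute on function public.purge_expired_job_descriptions(interval)
  from public, anon, authenticated;

-- Schedule it nightly with pg_cron (enable the extension in the Supabase dashboard).
select cron.schedule(
  'purge-expired-job-descriptions',
  '15 3 * * *',
  $$select public.purge_expired_job_descriptions()$$
);
```

Two things this pattern does not cover. Parsed JD signals stored in a child table should go with the JD via an ON DELETE CASCADE foreign key rather than a second sweep. And blobs held in Supabase Storage (the uploaded résumé file, interview audio) are objects, not rows: deleting from storage.objects by SQL leaves the underlying object behind, so those windows need a sweep through the Storage API, run at least as often as the shortest window (hourly or better for the 24-hour audio window).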
Encryption
- In transit — TLS 1.2+ on every connection. Plain-HTTP requests are redirected to HTTPS, and the Strict-Transport-Security header tells browsers to go straight to HTTPS on later visits instead of relying on that redirect.
- At rest — database and file storage are encrypted at rest by Supabase’s underlying infrastructure (AES-256).
Access controls
- Every table that holds user data carries a Supabase row-level-security policy keyed on the authenticated user's ID, so a query made with one user's credentials cannot return another user's rows. The database enforces this, not only the application code.
- Engineering access to production data is [TODO: describe — e.g. break-glass only, audited, logged].
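What "a row-level-security policy keyed by user ID" means concretely, as an added example rather than Stet's own migrations: a per-user table plus the matching Storage policies for the uploaded file, in the SQL a Supabase project accepts. The table, column and bucket names (resumes, owner_id, the resumes bucket) and the object-path layout (<user-id>/<filename>) are assumptions; auth.uid() and storage.foldername() are Supabase's own helpers.

```sql
-- Added example, not Stet's schema or migrations: a Supabase (Postgres)
-- row-level-security setup keyed on the authenticated user.
-- Table/column names and the bucket name are assumptions.

create table if not exists public.resumes (
  id          uuid primary key default gen_random_uuid(),
  owner_id    uuid not null references auth.users (id) on delete cascade,
  filename    text not null,
  resume_tree jsonb not null,
  created_at  timestamptz not null default now()
);

-- Policies are ignored until RLS is enabled. FORCE applies them to the table
-- owner too, so only a role with BYPASSRLS can skip them.
alter table public.resumes enable row level security;
alter table public.resumes force row level security;

-- auth.uid() returns the `sub` claim of the caller's JWT, or NULL when there is
-- no authenticated user (NULL = x is never true, so anonymous callers see nothing).
-- Wrapping it in (select ...) lets the planner evaluate it once per query.
create policy "resumes_select_own" on public.resumes
  for select to authenticated
  using (owner_id = (select auth.uid()));

create policy "resumes_insert_own" on public.resumes
  for insert to authenticated
  with check (owner_id = (select auth.uid()));

create policy "resumes_update_own" on public.resumes
  for update to authenticated
  using (owner_id = (select auth.uid()))
  with check (owner_id = (select auth.uid()));  -- a row cannot be re-homed to another user

create policy "resumes_delete_own" on public.resumes
  for delete to authenticated
  using (owner_id = (select auth.uid()));

-- The uploaded file lives in Storage, governed by policies on storage.objects,
-- not by the table policies above. Objects are keyed by a per-user top folder.
insert into storage.buckets (id, name, public)
  values ('resumes', 'resumes', false)
  on conflict (id) do nothing;

create policy "resume_files_select_own" on storage.objects
  for select to authenticated
  using (
    bucket_id = 'resumes'
    and (storage.foldername(name))[1] = (select auth.uid())::text
  );

create policy "resume_files_insert_own" on storage.objects
  for insert to authenticated
  with check (
    bucket_id = 'resumes'
    and (storage.foldername(name))[1] = (select auth.uid())::text
  );

-- Manual check from the SQL editor: impersonate a user and confirm only their
-- rows come back. The UUID is made up.
begin;
  set local role authenticated;
  set local request.jwt.claims =
    '{"sub":"11111111-1111-4111-8111-111111111111","role":"authenticated"}';
  select id, owner_id from public.resumes;  -- every row must carry that owner_id
rollback;
```

The guarantee is only as strong as the credential used to reach the database. Requests that arrive through the API with a user's JWT run as the authenticated role and are filtered by these policies; Supabase's service_role key maps to a role with BYPASSRLS, so any server-side code that uses it is outside this mechanism and has to scope its own queries. A practitioner reviewing this page's claim would want to know which of Stet's code paths use which key.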
Vulnerability disclosure
If you find a security issue, email [email protected]. We’ll acknowledge within two business days and aim to fix or mitigate confirmed issues within 30 days. Please give us a reasonable window before public disclosure.
Compliance posture
[TODO: describe current compliance posture. Examples: “GDPR + CCPA aligned; formal SOC 2 work begins Q3 2026” or “SOC 2 Type I report available on request”. Avoid vague language.]
Questions
For privacy or data-handling questions, email [email protected]. The full Privacy Policy governs the contractual relationship; this page exists to make the underlying mechanics legible.