Privacy Policy
NovaHunt is an agentic job-search service operated by Novah AI ("we", "us", "Novah AI") at trynovahunt.com. This Privacy Policy explains what personal data we collect when you use NovaHunt, why we collect it, how long we keep it, and how you can exercise your rights over it.
We have written this policy to be readable by humans rather than only by lawyers. If something is unclear, email privacy@trynovahunt.com and we will explain it in plain language.
1. Who the data controller is
Novah AI is the data controller for personal data you provide to NovaHunt as an individual end user. When NovaHunt is provided to your employer under a B2B arrangement, Novah AI acts as a data processor on behalf of your employer (the controller); see our Data Processing Addendum for the details that apply in that case.
- Controller: Novah AI
- Service: NovaHunt (https://trynovahunt.com)
- Privacy contact: privacy@trynovahunt.com
- Legal contact: legal@trynovahunt.com
Novah AI is a pre-Series A US-based company. We do not currently hold SOC 2, ISO 27001, or any other formal third-party security certification, and we will not claim certifications we do not have.
2. What data we collect
The list below is exhaustive: it covers every category of personal data NovaHunt's database is designed to hold, mapped to the data models in our source code so that we cannot quietly expand it without updating this policy.
Account and authentication data. Your email address (collected when you sign in via Auth.js magic-link), display name and profile image if you provide one, email-verification timestamp, account role (client or admin), session tokens, and magic-link verification tokens.
Resume and parsed profile data. The resume file(s) you upload (PDF/DOCX), file metadata (filename, MIME type, size), and the structured extraction of that resume produced by our IntakeAgent and MUSE agent: skills, prior roles and dates, education, achievements, and a summary paragraph. We also store a vector embedding of your resume for semantic matching.
Job preferences and intake answers. Target roles, seniority, included and excluded industries, locations, remote preference, compensation floor and target, work-authorization status, availability, must-haves, deal-breakers, tone preferences, top achievements, excluded companies, your free-text intake answers, and your consent settings (auto-apply, notification channels).
Job-search activity. Job postings we have fetched on your behalf from connected sources, your scored matches against those postings (score, rationale, gaps, status), and the local-only re-ranker scores produced by SCOUT once you have labeled enough jobs.
Application records. Per-application stage (sourced, matched, drafted, applied, interviewing, offer, rejected, closed), mode (notify, draft, auto), submission and response timestamps, and the documents drafted for each application (resume tailoring, cover letters, pitches) along with the model that produced them.
Outreach data. Follow-up emails drafted by our DISPATCHER agent and any responses tracked by LISTENER, including recipient address, subject, body, and delivery status. We do not send outreach without your explicit per-action consent.
Operational data. Agent run logs (agent_runs): for each call our agents make, we record which agent ran, which Claude model it used, prompt and response payloads, token counts, cost in USD, latency, and any error. We also hold notifications, briefing items, spend rollups, spend holds, CANARY abuse flags, MCP-call logs (which external service was called, when, whether it succeeded), and consent overrides.
Inferred fingerprints. Aggregated, versioned behavioral fingerprints (skill fingerprint, tone fingerprint, match-pattern fingerprint) used to keep recommendations stable. Each fingerprint is similarity-validated against the prior version and is rollback-capable.
Billing data. If you subscribe to a paid plan, we hold your Stripe customer ID, subscription ID, plan tier, status, current period, cancellation flag, and any credit-pack records. Card numbers, CVCs, and bank details are processed and stored by Stripe — we never see them.
Encrypted credentials. If you connect a personal API key (for example to Greenhouse, Lever, Ashby, Workable, Adzuna, JSearch, or Resend), the key is stored encrypted with AES-GCM using a key derived from our APP_SECRET. Plaintext keys are never written to disk or logged.
Error and request telemetry. If Sentry is enabled, anonymised stack traces and a per-error correlation identifier may be sent to Sentry. We scrub email addresses, resume bodies, and document content from Sentry payloads.
We do not collect: government identifiers (SSN, passport), payment card numbers (Stripe handles those), location data beyond the city/country you list in your preferences, biometric data, behavioral data outside the product, or data from any source you have not explicitly connected. We do not buy data from data brokers.
3. Why we collect it and the lawful basis (GDPR Article 6)
| Purpose | Categories used | GDPR Article 6 basis |
|---|---|---|
| Create and maintain your account | Account/auth data | Contract (Art. 6(1)(b)) |
| Source and score job matches | Resume, profile, job activity | Contract (Art. 6(1)(b)) |
| Draft tailored resumes, cover letters, and outreach | Resume, profile, application, outreach | Contract (Art. 6(1)(b)) |
| Submit applications on your behalf | Application, asset, profile | Consent (Art. 6(1)(a)) — RED-tier, always re-prompted |
| Send the daily briefing email and per-action notifications | Account/auth, briefing items | Contract (Art. 6(1)(b)) plus our anti-surprise rule |
| Bill you for paid plans and credit packs | Account, billing | Contract (Art. 6(1)(b)) |
| Detect abuse, enforce spend caps, prevent fraud | Agent runs, spend rollups, CANARY flags | Legitimate interest (Art. 6(1)(f)) |
| Diagnose errors and keep the service running | Sentry telemetry, MCP call log | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal obligations | Any category, on demand | Legal obligation (Art. 6(1)(c)) |
You can withdraw consent for any consent-based purpose at any time from your settings; doing so will pause the corresponding feature (for example, disabling auto-apply consent stops auto-apply but does not affect other features).
4. How AI is used
NovaHunt is an agentic product. We use Anthropic's Claude models to:
- extract a structured profile from your uploaded resume (IntakeAgent + MUSE);
- score how well a job posting matches your profile, with a written rationale (APPRAISER + JUDGE);
- draft tailored resumes and cover letters that you review before anything is sent (SCRIVENER, REDACTOR, OVERTURE, PERSONA);
- summarise the day's signal into a single daily briefing email (VANGUARD).
Human-in-the-loop is mandatory for any externally-visible action. Submitting an application or sending outreach is classified RED-tier in our consent engine, which means the system always re-prompts you, requires re-authentication, and never auto-submits without your explicit confirmation. We do not make solely automated decisions that produce legal effects or similarly significant effects concerning you, and therefore GDPR Article 22 does not apply to NovaHunt as designed. If you ever encounter a flow that feels fully automated, treat it as a bug and email privacy@trynovahunt.com.
We do not use your data to train Anthropic's models. Anthropic processes prompts and responses only to return inference results; their commitments to us are governed by our enterprise agreement with Anthropic.
5. Subprocessors
We use the following third-party processors. Each one is necessary to operate the service; we keep the list short on purpose.
| Subprocessor | Role | Location |
|---|---|---|
| Anthropic | Claude model inference (resume parsing, matching, drafting) | United States |
| Railway | Application hosting, Postgres database, Redis cache | United States |
| Resend | Transactional email delivery (magic link, daily briefing, notifications) | United States |
| Sentry | Error monitoring (optional; off unless SENTRY_DSN is set) | United States |
| Stripe | Payments, subscriptions, credit packs, invoicing | United States |
| Adzuna | Job-board API (public listings) | United Kingdom |
| JSearch (via RapidAPI) | Job-board API (public listings) | United States |
| Greenhouse | ATS job-board API | United States |
| Lever | ATS job-board API | United States |
| Ashby | ATS job-board API | United States |
| Workable | ATS job-board API | Greece / United States |
We will update this list whenever we add, remove, or change a subprocessor. B2B customers will receive 30 days' written notice of material changes.
6. International transfers
Our infrastructure runs in the United States (Railway, Anthropic, Resend, Sentry, Stripe). For users in the European Economic Area, the United Kingdom, or Switzerland, this means your data crosses borders. We rely on the European Commission's Standard Contractual Clauses (the 2021 module-1 controller-to-processor and module-3 processor-to-processor variants) plus the UK International Data Transfer Addendum for transfers to the US-based subprocessors listed above. Adzuna is UK-based; transfers to it are covered by the UK GDPR adequacy regime.
We do not store data in jurisdictions other than the United States and the United Kingdom.
7. Retention
| Category | Retention |
|---|---|
| Account email and profile | For the life of the account; 30 days after deletion request, then purged |
| Resume files and parsed profile | Until you delete them; soft-deleted assets are reversible for 30 days, then hard-purged |
| Job postings fetched on your behalf | 90 days hot, archived for 12 months, then purged |
| Matches | 12 months from creation |
| Applications and drafted documents | 24 months from last activity (so you can come back to a search next year) |
| Outreach records | 24 months from send |
| Agent runs and MCP-call logs | 13 months (one full audit cycle) |
| Spend rollups and billing records | 7 years (US tax + accounting retention) |
| Audit trail (WARDEN hash-chained log) | 7 years; immutable |
| Sentry error telemetry | 90 days |
| CANARY abuse flags | Until acknowledged plus 12 months |
Our deterministic lifecycle engine (Lifecycle_Nightly cron) moves data from hot to warm to cold to archive on this schedule. Deletion at the end of a retention window is unconditional unless you have an active hold (for example, an unresolved legal request).
8. Your rights
Under the GDPR, the UK GDPR, the California Consumer Privacy Act, and similar laws, you have the right to:
- access the personal data we hold about you;
- export it in a portable, machine-readable format (JSON);
- rectify anything that is wrong (your settings page lets you edit most fields directly);
- erase your account and all associated data;
- restrict processing while a dispute is open;
- object to processing based on legitimate interest;
- withdraw consent for any consent-based feature at any time;
- lodge a complaint with your local supervisory authority (in the EU, your national DPA; in the UK, the ICO).
To exercise any of these rights, email privacy@trynovahunt.com from the address on your NovaHunt account. We respond within 30 days. Account deletion is classified RED-tier in our consent engine, carries a 24-hour cooling delay, and requires re-authentication — this is deliberate, so a momentary compromise of your email cannot wipe your search history.
We do not charge for access requests unless they are manifestly unfounded or excessive (GDPR Art. 12(5)).
9. Security
The honest version: we apply industry-standard controls for a product at our stage, and we do not yet hold third-party certifications.
- TLS 1.3 in transit on all routes.
- PostgreSQL on Railway with disk encryption at rest.
- AES-GCM encryption for any third-party credential you store, keyed off APP_SECRET. The plaintext never touches disk.
- Hash-chained audit trail (the WARDEN audit log): every privileged action — every consent change, every credential change, every cap bump — appends a row whose hash incorporates the previous row's hash. Tampering with the past is detectable.
- Spend caps and rate limits enforced before any external call. The CANARY rule engine and ABACUS pattern analyst flag unusual activity automatically; WATCHTOWER applies a halt-and-approve flow before damage compounds.
- Magic-link authentication via Auth.js. We do not handle passwords. RED-tier actions require a fresh re-authentication.
- No customer data in version control, no customer data in our error monitor beyond a correlation ID.
We do not yet offer SAML SSO, hardware-key 2FA on end-user accounts, or a SOC 2 report. These are on our roadmap, not in production today.
10. Children
NovaHunt is for adults seeking employment. We do not knowingly collect personal data from anyone under 16. If you believe a child has used NovaHunt, email privacy@trynovahunt.com and we will delete the account.
11. Changes to this policy
We will post material changes here and email registered users at least 30 days before they take effect. Minor clarifications (typos, formatting, contact-detail updates) can take effect immediately.
12. How to reach us
- Privacy questions: privacy@trynovahunt.com
- Legal questions: legal@trynovahunt.com
- Postmaster: postmaster@trynovahunt.com
Last updated: 2026-05-19