Security

How we handle your data.

Plain English. No security-theater certification logos. Just what we actually do.

What we collect

  • Account — your email (used for magic-link sign-in via Auth.js). No password to leak; you authenticate by clicking a link we send.
  • Resume + parsed profile — the files you upload, plus the structured fields IntakeAgent and MUSE extract (skills, target roles, voice fingerprint).
  • Job-search history — postings sourced for you, your save/dismiss labels, your applications, your follow-ups.
  • Audit log — every Claude call logged with token counts, cost, latency, and agent name. Visible to you in Settings → Spend. Helps you see exactly what your money buys.

What we don't do

  • ✗ We do not sell your data. Ever.
  • ✗ We do not train models on your data. Anthropic processes resumes under their zero-retention API setting.
  • ✗ We do not scrape LinkedIn, Indeed, or any site that prohibits it. LinkedIn / Indeed / Glassdoor / ZipRecruiter postings flow in through licensed aggregators we pay for (Adzuna, JSearch). Company careers pages come through the public endpoints of the ATS platforms those companies host on (Greenhouse, Lever, Ashby, Workable).
  • ✗ We do not run advertising or analytics trackers.

Encryption and storage

  • In transit: TLS 1.3 for every connection.
  • At rest: Postgres instance on Railway with managed disk encryption. MCP credentials (API keys for Resend, Anthropic, source connectors) are field-level AES-GCM encrypted using a key derived from APP_SECRET via PBKDF2; ciphertext lives in mcp_credentials and plaintext never returns from any API.
  • Backups: Railway automatic daily snapshots, 7-day retention.

The safety layer

This is the part most AI products skip. NovaHunt has a deterministic Python safety layer that sits between every agent and the Anthropic API. It is written in pure Python and contains zero LLM imports.

  • WARDEN validates every agent action against the Constitution before it runs.
  • TURNSTILE authorizes every Claude call against your daily and monthly USD caps. If the next call would exceed your cap, TURNSTILE returns 402 and the agent halts.
  • METER records every Claude call with token counts and cost into agent_runs. This drives both your spend dashboard and our anomaly detection.
  • ABACUS runs hourly and daily anomaly sweeps. If an agent suddenly spends 10× its usual rate, ABACUS creates a spend hold that requires explicit user approval to release.
  • CANARY + WATCHTOWER enforce per-user rate limits and emit halt-and-approve events on anomalies.

The architectural decision is critical: an LLM cannot reason its way past a deterministic Python validator. The spend caps you set are actually the spend caps.
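
One way a pre-call spend gate like the TURNSTILE check described above could work, shown as an added example that is not NovaHunt's code. The `Ledger` class, the `authorize` function, the caller-supplied worst-case cost estimate and the sample caps are all assumptions made for illustration.

```python
# Added illustration, not NovaHunt's code. All names are hypothetical.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from decimal import Decimal

@dataclass
class Ledger:
    daily_cap: Decimal
    monthly_cap: Decimal
    runs: list = field(default_factory=list)  # (timestamp, cost) rows per recorded call

    def spent(self, now, same_period):
        return sum((c for t, c in self.runs if same_period(t, now)), Decimal("0"))

def _same_day(t, now):
    return t.date() == now.date()

def _same_month(t, now):
    return (t.year, t.month) == (now.year, now.month)

def authorize(ledger, worst_case_cost, now):
    """Return (status, reason): 200 to proceed, 402 to halt before the call is made."""
    # Fail closed on malformed estimates; Decimal avoids float drift at the cap boundary.
    if (not isinstance(worst_case_cost, Decimal) or not worst_case_cost.is_finite()
            or worst_case_cost < 0):
        return 402, "invalid cost estimate"
    for name, same_period, cap in (("daily", _same_day, ledger.daily_cap),
                                   ("monthly", _same_month, ledger.monthly_cap)):
        # The check uses spend so far plus the next call, so the cap is never crossed.
        if ledger.spent(now, same_period) + worst_case_cost > cap:
            return 402, f"{name} cap would be exceeded"
    return 200, "ok"

def demo():
    # Constructed sample data: $1.00 daily cap, $5.00 monthly cap, three calls on one day.
    ledger = Ledger(Decimal("1.00"), Decimal("5.00"))
    now = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
    statuses = []
    for cost in (Decimal("0.60"), Decimal("0.40"), Decimal("0.01")):
        status, _ = authorize(ledger, cost, now)
        if status == 200:
            ledger.runs.append((now, cost))
        statuses.append(status)
    return statuses
```

The gate takes no model output as input to its decision: it sees only recorded costs, the caps and a numeric estimate, which is what makes the refusal independent of anything the agent says.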

Your data rights

  • Export: one click in Settings → Account; downloads a ZIP of every row tied to your account (GDPR Art. 20).
  • Deletion: one click in Settings → Account; cascade-deletes every row across every table and writes an audit entry to the hash-chained log.
  • Access + rectification: email privacy@trynovahunt.com; we respond within 30 days.

What we don't have yet

We are pre-Series A. We do not currently hold SOC 2 Type II or ISO 27001 — we'll pursue them when our revenue justifies the cost, and we'll update this page when we do. For enterprise customers who need a DPA today, see /legal/dpa.

Report a vulnerability

Found something? Email security@trynovahunt.com with reproduction steps. We acknowledge within 48 hours. We do not run a paid bug bounty yet, but we always credit responsible disclosure in release notes.