No. We do not sell your personal data. We share information only in limited circumstances required by law, or with service providers who operate under strict data processing agreements. Our business model is subscriptions, not data brokering. See our Privacy Policy for full details.

Can other users see my information?

No. Row-Level Security on every database table ensures your data is isolated to your account. There is no shared workspace or collaborative access. Your career data is visible only to you.

Is my coaching conversation private?

Yes. Coaching conversations are accessible only through your authenticated account. Our support assistant (Sage) operates in a completely separate context and cannot access your coaching history, assessment results, or career documents.

Do you use my data to train AI?

No. Your resumes, conversations, and career data are never used for AI model training. Neither Anthropic nor Google, our AI providers, trains on data submitted through their commercial APIs.

Where is my data stored?

Your data is stored in the United States through Supabase's cloud infrastructure.

Do you comply with GDPR and CCPA?

Yes. We support data access, correction, and deletion requests under both GDPR and CCPA. Contact privacy@moderncompass.ai for any data-related requests.

Your Career Data Deserves Serious Protection

Q: What happens to my data if I cancel my subscription?

Your account and all your data remain intact. You revert to free-tier access. If you choose to delete your account, personal data is permanently removed within 30 days. Encrypted backups are purged within an additional 30 days. Payment records are retained only as required by tax and financial regulations.

You're sharing resumes, performance reviews, and career goals with Modern Compass. Here's exactly how we protect that information.

Data Ownership

Your Data Is Yours

Modern Compass processes sensitive career information every day: resumes, performance reviews, coaching conversations about whether to leave a job. We take that responsibility seriously. Here's what that means in practice.

Performance review text is never stored. When you paste a performance review into the analyzer, we extract achievement bullets and coaching insights in real time. The original review text is discarded immediately. We keep only the structured insights, never the raw feedback from your manager.

Coaching conversations are yours to delete. Every coaching conversation you have with Maya, Campbell, Morgan, or Juno is tied to your account and only your account. If you delete your account, every conversation, goal, assessment result, and document is permanently removed within 30 days. Encrypted backups are purged within an additional 30 days. Payment records are retained only as required by tax regulations. See our Privacy Policy for full retention details.

Your resume is parsed, not warehoused. When you upload or import a resume, we extract the structured data (job titles, skills, dates, education) to build your profile. The parsing happens in real time, and only the structured output persists.

AI coaching stays in its lane. Our support assistant, Sage, cannot access your coaching conversations, assessment results, or career data. The boundary between support and coaching is enforced architecturally, not just by policy.

We do not use your data to train AI models. Your resumes, conversations, and career information are never used to train or fine-tune the AI models that power Modern Compass. Neither Anthropic nor Google (our primary and fallback AI providers) trains on data submitted through their commercial APIs. See our AI Disclosure for details.

Security

How We Protect It

Every table is access-controlled. Our database has 41 tables, and every single one enforces Row-Level Security (RLS). This means one user's data is invisible to every other user at the database level, not just the application level. Even if application code had a bug, the database itself would block unauthorized access.

Authentication you can trust. Sign in with email through Supabase Auth. Your credentials are handled by a compliant, independently audited authentication provider. We never see or store your password.

Encryption everywhere. All data is encrypted at rest and in transit via TLS. Whether your resume is sitting in our database or traveling between your browser and our servers, it's encrypted.

Defense in depth. Our security posture includes HTTP Strict Transport Security (HSTS), Content Security Policy with nonce-based script loading, strict referrer policy, and fail-closed rate limiting backed by a database function. Every API endpoint validates input using schema validation. There is no raw SQL anywhere in the codebase.

Automated security checks on every code change. Every pull request runs through automated security audits before it can be merged. Security checks that fail block the merge entirely. This isn't a periodic review. It runs on every single change to the codebase.

Transparency

Who We Work With

We're transparent about the services that handle your data. Each one was chosen for its security track record and compliance posture.

Service	What It Does	Security
Supabase	Database, authentication, data storage	SOC 2 Type 2 compliant. Hosts our database with row-level security, daily backups, and point-in-time recovery.
Stripe	Payment processing	PCI Service Provider Level 1 (the highest certification in the payments industry). We never see, store, or process your credit card number.
Anthropic	AI coaching and document generation	Powers our coaching conversations and resume generation. Does not use API inputs for model training. Data processed in the US.
Google Gemini	Voice coaching and AI fallback provider	Powers voice coaching sessions and serves as fallback during Anthropic outages. Does not use API inputs for model training. Data processed per Gemini API terms.
Vercel	Application hosting	SOC 2 Type 2 compliant. Handles deployment and serving of the application.
Resend	Transactional email	Delivers coaching follow-up emails, subscription confirmations, and password resets.
Sentry	Error monitoring	Tracks application errors so we can fix issues quickly. No personally identifiable information is sent to error logs.
Google Analytics (GA4)	Usage analytics	Consent-gated. Only activated after you accept cookies. Used to understand how people use the platform so we can improve it.

Supabase

What it does: Database, authentication, data storage

Security: SOC 2 Type 2 compliant. Hosts our database with row-level security, daily backups, and point-in-time recovery.

Stripe

What it does: Payment processing

Security: PCI Service Provider Level 1 (the highest certification in the payments industry). We never see, store, or process your credit card number.

Anthropic

What it does: AI coaching and document generation

Security: Powers our coaching conversations and resume generation. Does not use API inputs for model training. Data processed in the US.

Google Gemini

What it does: Voice coaching and AI fallback provider

Security: Powers voice coaching sessions and serves as fallback during Anthropic outages. Does not use API inputs for model training. Data processed per Gemini API terms.

Vercel

What it does: Application hosting

Security: SOC 2 Type 2 compliant. Handles deployment and serving of the application.

Resend

What it does: Transactional email

Security: Delivers coaching follow-up emails, subscription confirmations, and password resets.

Sentry

What it does: Error monitoring

Security: Tracks application errors so we can fix issues quickly. No personally identifiable information is sent to error logs.

Google Analytics (GA4)

What it does: Usage analytics

Security: Consent-gated. Only activated after you accept cookies. Used to understand how people use the platform so we can improve it.

Commitments

Our Commitments

Daily backups with point-in-time recovery. Your data is backed up every day through Supabase's automated backup system. If something goes wrong, we can restore to a specific point in time.

Cookie consent that means something. Analytics tracking only activates after you explicitly consent. We use a cookie consent banner that gates GA4 entirely. No consent, no tracking.

Comprehensive legal documentation. Our Terms of Service, Privacy Policy, AI Disclosure, and Cookie Policy are written to be read, not to be buried. They explain in plain language what we do and don't do with your information.

Insurance coverage. Modern Compass carries cyber liability and errors & omissions (E&O) insurance through Hartford, providing financial protection in the unlikely event of a data incident.

Responsible disclosure. If you discover a security concern, contact us at security@moderncompass.ai. We take every report seriously and aim to respond within 48 hours.

FAQ

Common Questions

Service

What It Does

Security

Supabase

Database, authentication, data storage

SOC 2 Type 2 compliant. Hosts our database with row-level security, daily backups, and point-in-time recovery.

Stripe

Payment processing

PCI Service Provider Level 1 (the highest certification in the payments industry). We never see, store, or process your credit card number.

Anthropic

AI coaching and document generation

Powers our coaching conversations and resume generation. Does not use API inputs for model training. Data processed in the US.

Google Gemini

Voice coaching and AI fallback provider

Powers voice coaching sessions and serves as fallback during Anthropic outages. Does not use API inputs for model training. Data processed per Gemini API terms.

Vercel

Application hosting

SOC 2 Type 2 compliant. Handles deployment and serving of the application.

Resend

Transactional email

Delivers coaching follow-up emails, subscription confirmations, and password resets.

Sentry

Error monitoring

Tracks application errors so we can fix issues quickly. No personally identifiable information is sent to error logs.

Google Analytics (GA4)

Usage analytics

Consent-gated. Only activated after you accept cookies. Used to understand how people use the platform so we can improve it.