Privacy Policy — Pitch Like This
Version: 1.0.0
Published On: May 5, 2026
Last Updated On: May 5, 2026
This document explains what we collect, why, how we protect it, who can see it, and how you can control it.
1 — Quick overview
- You create projects and campaigns.
- You can build a library of reusable experience case studies (titles, summaries, highlights, proof URLs, and related fields) under your account and attach them to draft campaigns; the same experience can be referenced from more than one campaign you own.
- Live (Active) campaigns are accessible to anyone with the common "project link" (or UUID). Drafts are private. Paused campaigns stop being served but may have been copied while live.
- Attached experience content: For an Active campaign in a non-archived project, attached experience case studies are served publicly with the campaign (including to anonymous visitors). For Draft, Paused, or archived projects, attached experience content is not served publicly and is visible only to you when signed in.
- We store verified user emails and sign-in metadata; anonymous visitors get a browser JWT and are not personally identified.
- You can sign up or log in using LinkedIn OAuth or magic link email authentication. You may optionally connect LinkedIn to an existing account; if you dismiss that prompt, we store a preference so we do not keep showing it.
- Leads (people who voluntarily fill forms on your campaign) are visible only to you in your dashboard.
- We provide a server-led onboarding and agent-assist experience. That workflow stores flow state, step state, UI action state, and conversation/task metadata needed to resume your progress and operate the feature reliably.
- We use Supabase (DB), Vercel/Netlify (hosting), Google Analytics (usage), Vercel Speed Insights (anonymous performance metrics), LinkedIn (OAuth authentication), and Upstash Redis (short-lived queues and rate limiting).
- No LLM trains on your data in the current live version of the app.
- For data deletion or privacy requests, email: pranavdotexe@gmail.com (from the email tied to your Pitch Like This account).
2 — Information we collect
Verified users (magic link or LinkedIn OAuth via Supabase):
- Email (verified)
- Account creation date
- Last sign-in date
- Authentication cookie/JWT for session management
- LinkedIn OAuth users (when using LinkedIn sign-in):
- LinkedIn profile data: name, given name, family name, profile picture URL, locale (country, language)
- LinkedIn unique identifier (sub)
- Verified email (if provided by LinkedIn)
- Temporary encrypted cookie storing LinkedIn identifier (expires in 15 minutes, used only when email verification is pending)
- Account preferences: A boolean flag indicating whether you have dismissed the optional prompt to connect LinkedIn to an existing account (manual_linking_rejected), used only so we do not repeatedly show the same prompt.
Anonymous visitors (public campaign viewers):
- Browser JWT for session continuity (no personal identifier stored)
Usage & analytics:
- Page views, click events (Google Analytics)
- Session analytics (internal schema):
- Random session identifier (UUID) for each visit to a campaign link.
- Campaign and project identifiers associated with that session.
- Session timestamps: when the session started and when it ended.
- Active time spent on the campaign page (in seconds), calculated from heartbeat pings while the tab/window is actively in view.
- Session classification flags (for example: new_session, actual_session, engaged_session) derived from time spent and number of interactions.
- Hashed user agent: a one-way hash (for example, SHA-256) of the browser user agent string, used to deduplicate sessions without storing the raw user agent.
- Event analytics (internal events table):
- Random event identifier (UUID) for each tracked event.
- The session identifier that the event belongs to.
- Event type (for example, link_open, button_click).
- Event metadata in structured form (for example, page step, button name, or whether an external link was clicked); this does not include lead form message contents.
- Event timestamp.
Agent and onboarding operational data (authenticated users):
- Flow records (for example: flow type/key, active/completed state, start/end timestamps, optional metadata)
- Step and UI action records (for example: target, message/tooltip text delivered by the feature, completion/skipped state, timestamps, optional metadata)
- Agent conversation and message records required to render and resume onboarding and assistant interactions
- Task execution metadata (task type/status, timestamps, request/response payloads, error and worker metadata)
- Notification records tied to tasks
- Token usage telemetry (model name and token counts) for operational monitoring and cost control
Resume and job-description feature data (authenticated users):
- Resume metadata (file name, storage URL, language/pages where available, active/deleted flags)
- Hashes for deduplication and idempotency (for example, content hash and extracted text hash)
- Extracted resume chunks/sections and embedding metadata used by the feature pipeline
- Job-description inputs and derived fields (for example source type/URL, parsed company and role fields, fingerprint hash, keyword groups)
- Resume-to-job scoring results and report metadata (including score dimensions and flags)
Performance & errors:
- Hosting and platform logs (Supabase, Vercel, Netlify)
- Vercel Speed Insights: anonymous web performance signals (for example, Core Web Vitals) associated with page loads, used to improve speed and reliability.
Service-specific / User-generated content (UGC):
- Projects, campaigns, reusable experience case studies you create, attachments of those experiences to your campaigns (including display order), services and case studies where legacy campaign-scoped content is still used, CTAs (may include PII you enter)
Lead submissions (optional; provided by leads):
- Name, company, email, optional phone number — visible only to the project owner
- Abuse and rate limiting metadata: IP address and request metadata (such as timestamp and request path) may be stored for a short period in an in-memory store (for example, Upstash Redis) to enforce rate limits (for example, 5 requests per minute per IP) and protect forms from automated abuse.
3 — How we use information
- Verify users and enable authenticated features
- Authenticate users via LinkedIn OAuth or magic link email
- Enrich user profiles with LinkedIn data (name, profile picture, locale) when provided and when profile fields are empty
- Link LinkedIn accounts to existing magic link accounts when email addresses match
- Respect your choice when you dismiss optional LinkedIn linking prompts (stored preference only for UX)
- Provide, operate, and improve the service (including reusable experiences and campaign attachments)
- Operate onboarding and assistant workflows, including state resumption across sessions
- Generate and deliver resume/job-description insights requested by you
- Maintain security and debug performance/errors
- Analyze aggregate usage and campaign performance (for example, sessions, engaged sessions, active time spent, event counts) for product improvement
- Measure anonymous page performance (Vercel Speed Insights)
- Detect and prevent abuse, such as repeated or automated lead submissions, by using technical protections including rate limiting based on IP address and request frequency
- Send email updates that are necessary for continuity of service or that this privacy policy or the terms of service require us to share
- We do NOT: sell data, pool UGC into third-party datasets, or train LLMs on your data in the current live version of the app
4 — Publishing, campaigns, and public data — exact rules
- Projects: private by default. Only you (authenticated owner) can see your full project list.
- Campaign states — Draft, Active, Paused:
- Draft: never public.
- Active: publicly accessible to anyone with the "project" UUID or link. Content can include your CTAs and attached experience case studies when the project is not archived.
- Paused: removed from live serving; prior viewers may have cached/copied contents.
- Experience case studies and attachments:
- Your experience library is account-scoped; drafts and edits are visible only to you.
- Attached experiences on a campaign follow the same visibility as the campaign: when the campaign is Active and the project is not archived, attachment data is returned for public campaign pages (including anonymous viewers). When the campaign is not Active in that sense (for example Draft or Paused) or the project is archived, attachment data is not exposed publicly and is available only to you when authenticated.
- Legacy campaign-scoped case studies (where still present) follow the same Active/Draft/Paused rules above.
- Leads are optional and visible only to the owner of the project in the dashboard.
- We do not track lead behavior (clicks/views) in the current version.
5 — Third-party services we use
- Supabase — database, authentication, and private operational schemas (including agent/onboarding data storage).
- Vercel / Netlify — hosting, CDN, edge runtime.
- Google Analytics — page view and click analytics.
- Vercel Speed Insights — anonymous performance and Core Web Vitals collection for reliability and speed improvements.
- LinkedIn — OAuth authentication provider (when you choose to sign in with LinkedIn).
- Upstash Redis — in-memory data store used for short-lived analytics queues and for enforcing rate limits on repeated lead submissions based on IP address and request metadata.
6 — Data retention, deletion timeline & breach notification
- We retain data as needed to provide the service.
- Deletion timeline:
- Account or project deletion requests are processed within 30 days of verified request (earlier where feasible).
- Requests must be sent from the email associated with your Pitch Like This account.
- Campaign caching reality: Paused campaigns are unserved, but third-party or user-side cached copies may persist outside our control.
- Breach notification:
- If a confirmed security incident meaningfully risks user data, affected users will be notified at their verified email within 72 hours of confirmation, subject to legal constraints. The notice will include scope, impact, and remediation steps.
7 — Security practices
- Row Level Security (RLS) on Supabase tables with least-privilege access where applicable.
- Role-based access control is implemented for data access and governed under the Internal Database Querying Rules.
- Sensitive operational schemas are not publicly accessible; broad access for the public, anon, and authenticated roles is revoked where not needed, with privileged access restricted to service roles.
- Secure cookies and CSRF protection for client-DB communication.
- Data in transit is encrypted using TLS 1.3.
- LinkedIn OAuth temporary identifiers are stored in encrypted cookies (AES-256-CBC) with 15-minute expiration when email verification is pending.
- No LLM (including Supabase AI) is permitted to read or train on table contents in the current live version of the app.
Incident reporting follows the breach-notification terms above.
8 — Sharing & disclosure
- We do not sell personal data.
- Disclosure occurs only as necessary for:
- Hosting/infra operations
- Analytics
- Legal requirements (with notice where not prohibited)
9 — Your rights & choices
- Access or copy your data.
- Correct inaccurate information.
- Delete account or specific projects (processed within 30 days).
- Opt-out of analytics (contact us).
Requests: email pranavdotexe@gmail.com from your verified account email.
10 — Cookies & tracking
- Secure authentication cookies.
- Google Analytics cookies.
- Anonymous browser JWT for anonymous sessions.
- Analytics session cookie (for example, a random UUID) used to associate multiple page views and events within a single campaign visit and compute metrics such as engaged sessions and time spent. This cookie is linked only to technical identifiers (session ID, campaign and project IDs, hashed user agent) and does not store your name, email, or lead message contents.
- Temporary encrypted cookie for LinkedIn OAuth (when email verification is pending): stores LinkedIn identifier in encrypted form, expires in 15 minutes, automatically deleted after use or expiration.
- Vercel Speed Insights may use first-party cookies or similar browser storage to attribute anonymous performance samples to page views, without identifying you by name or email.
Blocking cookies may break features, including authentication and analytics used to show you campaign performance metrics.
11 — Minors
- Not directed to children under 13. Contact us for removal if such data was submitted.
12 — International transfers
- Data may be processed by providers in other jurisdictions. Details available on request.
13 — Changes to this policy
- Updates may occur when features change. New and old versions of the policy are available in our public GitHub repo, Pitch Like This Repository.
14 — Contact
- Email: pranavdotexe@gmail.com
- Website: https://www.pitchlikethis.com/
15 — Internal Database Querying Policy
Purpose: prevent unauthorized access, misuse, and accidental leakage of user data.
Principles: least-privilege access, need-to-know, accountability, auditability, and separation of duties.
Access rules
- Role-based access control governs all privileged access.
- Temporary elevated access requires documented justification and approval under the internal rules.
- Contractors and future employees do not receive production data access unless explicitly approved and documented.
Querying & operations
- Queries are executed in staging unless a production operation is required and approved.
- Production queries must serve a documented product or support purpose under the internal rules.
- Exports of PII require explicit approval, documented purpose, and secure transfer consistent with the internal rules.
Logging & monitoring
- Privileged actions and production queries are logged with actor, time, and purpose.
- Logs are retained for an appropriate period to support accountability and investigations.
Prohibited actions
- Downloading or storing lead/user data on personal devices.
- Using data for non-product business purposes.
- Sharing PII over informal channels without authorization and appropriate protection.
Emergency & incident handling
- Break-glass access requires post-event justification and logging.
- Suspected incidents are escalated, contained, investigated, and notified per breach-notification terms.
Review
- Policy reviewed periodically and when major product changes occur.
- Continued use of the product or services implies acceptance of this policy by all users.