Legal

Privacy Policy

Last updated: 24 June 2026

1. Who we are

PivotPath ("we", "us", "our") is an AI-powered career transition platform that helps professionals understand how their existing skills translate into new roles and industries. This Privacy Policy explains how we collect, use, disclose, and protect your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable data protection law.

2. Data we collect

We collect the following categories of personal data:

  • Account data — your name and email address, provided directly or via Google OAuth.
  • CV / career background — text you paste or upload. We extract the text content only; we never store the original file.
  • Target role information — the job title and industry you are pivoting toward.
  • Analysis outputs — your Translation Map, rewritten resume content, and career strategy brief generated during a pivot session.
  • Usage data — anonymised logs for debugging (e.g. error traces). We do not use third-party analytics trackers.
  • Session data — a secure session cookie (JWT) to keep you signed in.

3. How we use your data

| Purpose | Legal basis (UK GDPR) |
|---|---|
| Providing the pivot analysis service | Contract performance (Art. 6(1)(b)) |
| Saving your sessions so you can return to them | Contract performance (Art. 6(1)(b)) |
| Sending product update emails (if opted in) | Consent (Art. 6(1)(a)) |
| Preventing fraud and securing accounts | Legitimate interests (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |

4. AI processing and third-party providers

Your CV text and target role information are sent to one of the following AI providers to generate your pivot analysis:

  • Anthropic (Claude) — your text is processed under Anthropic's API terms. Anthropic does not use API inputs to train models by default. See anthropic.com/privacy.
  • xAI (Grok) — your text is processed under xAI's API terms. See x.ai/privacy-policy.

We send only the minimum data required for analysis (career background text + target role). We do not send your email, name, or account details to AI providers.

5. Data storage and security

Your data is stored in a Postgres database hosted by Neon (neon.tech) on infrastructure in the United States with SOC 2 Type II certification. Data in transit is encrypted using TLS. Data at rest is encrypted by the hosting provider.

We use password hashing (bcrypt, 12 rounds) for credentials-based accounts. Passwords are never stored in plain text.

6. Data retention

We retain your account data and pivot sessions for as long as your account is active. If you delete your account, all associated data is permanently erased within 30 days. Anonymised aggregated usage statistics (no personal data) may be retained indefinitely.

7. Your rights under UK GDPR

You have the following rights regarding your personal data:

  • Access — request a copy of your data (available via Settings → Export my data).
  • Rectification — correct inaccurate data (available via Settings → Edit name).
  • Erasure — delete your account and all associated data (available via Settings → Delete account).
  • Portability — download your data in a machine-readable format (JSON export).
  • Restriction — request we limit processing of your data.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — opt out of marketing emails at any time in Settings.

To exercise any right not available in-app, contact us at privacy@pivotpath.co. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. Cookies

We use one session cookie (next-auth.session-token or __Secure-next-auth.session-token) that keeps you signed in. This is a strictly necessary cookie — it is not used for advertising or tracking. No third-party tracking cookies are set.

9. Children

PivotPath is intended for adults in professional contexts. We do not knowingly collect data from anyone under the age of 16. If you believe a minor has created an account, contact us and we will delete it promptly.

10. Changes to this policy

We may update this policy from time to time. We will notify registered users of material changes by email at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

11. Contact

For privacy questions or data requests, contact us at privacy@pivotpath.co.