Privacy Policy

This Privacy Policy explains how Matera Capital ("Matera Capital," "we," "us," or "our") collects, uses, discloses, retains, and protects personal data in connection with the Coach service (the "Service"), made available at coach-seven-nu.vercel.app and any successor domain we publish. It applies to all visitors, users, and others who access the Service.

Matera Capital is the Data Controller for personal data processed through the Service. By using the Service, you acknowledge this Policy and our Terms of Service.

The Service is intended solely for users aged 18 years or older. We do not knowingly collect or process personal data of individuals under 18. If we become aware that we have inadvertently collected data from a person under 18, we will delete that data without undue delay. If you believe we may hold information about a person under 18, please contact contact@materacapital.com.

We collect the following categories of personal data:

Identity and account data. The email address you supply to authenticate via magic-link sign-in. We do not collect or store passwords; we never see your email-account credentials.

Report input data. The text of any curriculum vitae (CV) and any job description (JD) you submit, whether by upload or paste. This may include your name, contact details, employment history, education, skills, and any other content you include. You should not upload personal data of third parties unless you are lawfully permitted to share it.

Report output data. The interview-prep reports and cheat sheets we generate, linked to your account.

Billing data.A Stripe customer identifier and subscription status. Payment-card details, billing address, and payment-method metadata are collected and stored by Stripe; they do not pass through and are not stored on Coach's servers.

Technical data. Your IP address (used for rate limiting and security), request timestamps, request paths, browser type and version, operating system, device type, and referring URL. We do not use device fingerprinting or unique advertising identifiers.

Communications. Records of correspondence with us (e.g., support emails to contact@materacapital.com) including the email content, subject, and time sent.

Voluntary feedback. If you rate or annotate a report section, we collect the rating, free-text comments, and the section identifier.

Sensitive personal information.We do not knowingly collect "sensitive personal information" (as that term is defined under California Civil Code §1798.140(ae)) — including precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, contents of communications other than ours with you, genetic data, biometric identifiers, health information, sexual orientation, or sex life — unless you voluntarily include such information in your CV. If you do, that content is processed solely to generate your prep report and is subject to all rights and protections described in this Policy. We do not use sensitive personal information to infer characteristics, for advertising, or for any other purpose that would trigger a right to limit under CCPA §1798.121. We do not use special-category personal data under UK-GDPR or EU-GDPR Article 9 for any purpose beyond the limited generation of your report.

Provision of data. Provision of your email address is a contractual requirement: without it you cannot authenticate or use the Service. Provision of your CV and JD is necessary to generate a report. You are not required to provide any other personal data. If you choose not to provide the required data, we cannot provide the Service.

Where UK-GDPR or EU-GDPR applies, we process your personal data on the following lawful bases:

Consent (Art. 6(1)(a)) — you give consent by requesting a magic-link and submitting Your Content. You may withdraw consent at any time by deleting your account, without affecting the lawfulness of processing carried out before withdrawal.

Performance of a contract (Art. 6(1)(b)) — when you subscribe to Coach Pro, we process billing and report data to deliver the service you have purchased and to enforce our Terms.

Legitimate interests (Art. 6(1)(f)) — we log IP addresses and request metadata for rate limiting, fraud and abuse prevention, and information security. We have balanced these legitimate interests against your privacy rights.

Legal obligation (Art. 6(1)(c)) — we may process data to comply with applicable law, court orders, or lawful requests by public authorities.

We use personal data only for the following purposes:

• to provide, operate, maintain, and improve the Service;
• to authenticate users via magic-link sign-in and to maintain account security;
• to generate, store, deliver, and re-deliver reports and cheat sheets to you;
• to process subscription payments through Stripe and manage your access to paid features;
• to detect, prevent, and investigate fraud, abuse, security incidents, and violations of our Terms;
• to enforce rate limits and other technical access controls;
• to perform analytics on anonymised or aggregated data to monitor cost, latency, quality, and reliability;
• to communicate with you about your account, service updates, security incidents, and changes to our policies;
• to respond to your requests, feedback, and support enquiries;
• to comply with legal and regulatory obligations.

We do not use your personal data for advertising, behavioural tracking, or profile-building for marketing purposes. We do not sell your data.

The Service uses third-party large-language-model technology, provided by Anthropic, PBC, to process your CV and JD text and generate report content. Specifically:

• Your content is transmitted to Anthropic's API and processed solely to fulfil the report you have requested.
• Under Anthropic's standard commercial terms, your inputs are notused to train Anthropic's models.
• We do not authorise any other third party to train, fine-tune, evaluate, or otherwise develop AI models using your content.
• Coach does not use your content to train, fine-tune, or evaluate our own models. We use anonymised aggregate signals (e.g., number of reports per role family, average cost, average latency) to improve service quality.

Reports are generated by automated means based on the canonical interview library, your CV, and the JD. The Service does not make legal, employment, hiring, financial, medical, or other decisions that produce legal effects or similarly significantly affect you.

We rely on the following sub-processors to deliver the Service. Each is bound by contractual data-protection obligations under GDPR Article 28 or equivalent.

Supabase Inc. (United States) — hosts our authentication database, application database, and object storage for CV/JD files. Privacy policy · DPA.

Stripe, Inc. (United States) — processes payments. Card data and full billing details are held by Stripe and never reach Coach. Stripe retains billing records as required by financial-compliance law (typically 7 years). Privacy policy · DPA.

Anthropic, PBC(United States) — processes your CV and JD text to generate reports. Per Anthropic's standard commercial terms, customer inputs are NOT used to train their models. Privacy policy.

Vercel Inc.(United States, with global CDN) — hosts the Coach application. Standard request logs (IP, path, status, timestamp) are retained per Vercel's terms. Privacy policy · DPA.

We do not engage any other sub-processor. We do not sell personal data and we do not share personal data for cross-context behavioural advertising. We will give reasonable advance notice before engaging a new sub-processor, where reasonably practicable, by updating this Policy and the "Last updated" date below.

We may disclose personal data:

• to our sub-processors, as described in Section 8, strictly to deliver the Service;
• to professional advisers (lawyers, accountants, auditors) under duties of confidentiality;
• to a successor entity in connection with any merger, acquisition, financing, reorganisation, sale of assets, or other similar transaction, subject to standard confidentiality protections;
• to law-enforcement, regulators, courts, or other public authorities where required by law, valid legal process, or where disclosure is reasonably necessary to protect the safety, rights, or property of any person, or to investigate suspected violations of our Terms;
• with your consent or at your direction.

We do not sell personal data. We do not share personal data for cross-context behavioural advertising.

We retain personal data only for as long as necessary to fulfil the purposes set out in this Policy, including for the purposes of satisfying any legal, accounting, or reporting requirements, and for as long as is required to deliver the Service to you.

Active accounts: report data is retained for as long as your account exists.

Account deletion: when you request deletion via Settings → Danger zone, we delete your auth user, your subscription record, and your view history immediately, and complete the anonymisation of any reports you generated (removing the email association) within 30 days of your request. Anonymised report content may remain in our database without any link to your identity to preserve aggregate analytics.

Per-category retention:

• Email address (account identifier): until account deletion
• Magic-link OTP / session tokens: ~24 hours (access) / ~1 week (refresh)
• CV / JD text and generated reports: while account is active; anonymised within 30 days of deletion
• Billing records: retained by Stripe for approximately 7 years per financial-record compliance law
• IP and request logs (rate limit and security): 30 days
• Voluntary section ratings: indefinite, anonymised post-deletion
• Support correspondence: up to 3 years to satisfy potential consumer-protection obligations

We may retain some information for longer where required to establish, exercise, or defend legal claims.

We implement reasonable technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction, including (i) Transport Layer Security (TLS) for data in transit; (ii) encryption at rest for stored data via our hosting providers; (iii) least-privilege access controls for our personnel; (iv) row-level security policies on databases storing personal data; (v) magic-link authentication with no stored passwords; (vi) rate limiting and abuse-detection mechanisms; and (vii) regular review of our security posture.

No method of transmission or storage is completely secure. While we strive to use commercially reasonable means to protect your personal data, we cannot guarantee absolute security. You are responsible for keeping your email account credentials secure and for notifying us promptly of any compromise.

In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware, where required by applicable law, and will notify affected individuals without undue delay.

If you are in the United Kingdom or the European Economic Area, you have the following rights:

• Right of access — request a copy of the personal data we hold about you.
• Right to rectification — request correction of inaccurate or incomplete data.
• Right to erasure(the "right to be forgotten") — request deletion of your personal data, subject to lawful exceptions.
• Right to data portability — receive your data in a structured, commonly used, machine-readable format.
• Right to restrict processing — ask us to limit how we use your data in specified circumstances.
• Right to object — object to processing based on our legitimate interests, on grounds relating to your particular situation.
• Right not to be subject to solely automated decision-making — our pipeline generates a prep report from your inputs; the report does not produce a legal or similarly significant decision about you.
• Right to withdraw consent — withdraw consent at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint with your local data-protection authority (UK: ico.org.uk; EU: your national supervisory authority).

To exercise these rights:

• Self-service deletion is available at Settings → Danger zone.
• For access, rectification, portability, restriction, objection, or any other request: email contact@materacapital.com with "Data Subject Request" in the subject line.

We will respond within 30 days of receipt. If your request is complex or we receive a high volume of requests, we may extend the response window by up to a further 60 days, with notice to you. We may need to verify your identity before fulfilling your request.

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"), gives you the following rights:

• Right to know — request the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
• Right to delete — request deletion of personal information, subject to statutory exceptions.
• Right to correct — request correction of inaccurate personal information.
• Right to opt-out of sale or sharing — Coach does not sell or share personal information for cross-context behavioural advertising, so this right does not apply to our processing.
• Right to limit use of sensitive personal information — we do not use sensitive personal information beyond what is permitted under CCPA Section 1798.121(d).
• Right to non-discrimination — we will not discriminate against you for exercising your rights, including by denying service, charging different prices, or providing a different level of quality.

We do not sell or share personal information as those terms are defined under CCPA. We have not sold or shared personal information for cross-context behavioural advertising in the preceding 12 months. We do not use sensitive personal information for any purpose that requires opt-out under CCPA.

To exercise CCPA rights, email contact@materacapital.com with "CCPA Request" in the subject line. We will respond within 45 days; we may extend by a further 45 days where reasonably necessary with notice to you.

Verification. To protect against fraudulent requests, we will verify your identity before fulfilling a CCPA request. We will typically do so by asking you to confirm the email address on your Coach account and to provide additional information sufficient to match against information we already hold. For requests to delete sensitive categories of data, we may require additional verification.

Authorised agents. You may designate an authorised agent to make a request on your behalf. The agent must provide us with (i) written permission signed by you, and (ii) sufficient information to verify the agent's identity. We may also separately verify your identity directly.

Records of requests. We maintain records of CCPA-related requests as required by 11 CCR §7100 et seq.

Coach uses only strictly necessary cookies — for authentication and for the Stripe Checkout flow. We do not use analytics, advertising, or behavioural-tracking cookies. You can disable cookies in your browser, but the sign-in flow will not work without them.

Matera Capital is the Data Controller for personal data processed in connection with the Service.

For any privacy question, to exercise your rights, or to submit a complaint regarding our handling of personal data, contact:

contact@materacapital.com

Please include "Privacy Request", "Data Subject Request", "CCPA Request", or another descriptive subject line so we can route your enquiry promptly.