Privacy Policy

This Privacy Policy explains how Matera Capital ("Matera Capital," "we," "us," or "our") collects, uses, discloses, retains, and protects personal data in connection with the Coach service (the "Service"). The Service is marketed at our primary address, www.ask-coach.com, together with any successor domain we publish. It applies to all visitors, users, and others who access the Service.

Matera Capital is the Data Controller for personal data processed through the Service. By using the Service, you acknowledge this Policy and our Terms of Service.

The Service is intended solely for users aged 18 years or older. We do not knowingly collect or process personal data of individuals under 18. If we become aware that we have inadvertently collected data from a person under 18, we will delete that data without undue delay. If you believe we may hold information about a person under 18, please contact contact@materacapital.com.

We collect the following categories of personal data:

Identity and account data. The email address you supply to authenticate via magic-link sign-in. We do not collect or store passwords; we never see your email-account credentials.

Report input data. The text of any curriculum vitae (CV) and any job description (JD) you submit, whether by upload or paste. This may include your name, contact details, employment history, education, skills, and any other content you include. You should not upload personal data of third parties unless you are lawfully permitted to share it.

Report output data. The interview-prep reports and cheat sheets we generate, linked to your account.

Prompts and model responses (pipeline_runs ledger). For each Anthropic API call made on your behalf during report generation, we record the input payload sent to Anthropic (parsed CV text, parsed JD text, web-research outputs, prior section drafts, and canonical scaffolding content), the model response, the model identifier, token usage, and computed cost. We use this ledger for quality monitoring, abuse prevention, and cost accounting. The ledger is protected by service-role-only access at the database layer and is notused to train, fine-tune, or evaluate any model - ours or any third party's. See Section 7 for AI processing detail and Section 11 for retention.

Billing data.A Stripe customer identifier and subscription status (subscription identifier, status, current-period end, and cancel-at-period-end flag). Payment-card details, billing address, and payment-method metadata are collected and stored by Stripe; they do not pass through and are not stored on Coach's servers.

Technical data. Your IP address (used for rate limiting and security), request timestamps, request paths, browser type and version, operating system, device type, and referring URL. We do not use device fingerprinting or unique advertising identifiers.

Analytics data.When you visit the Service in production and accept analytics cookies in our cookie banner, Google Analytics 4 records aggregate page-level events. Under GA4's default enhanced-measurement configuration this includes page views, scrolls, outbound clicks, site search, file downloads, and similar interactions, together with device and operating system. Per Google's documentation, IP addresses are not logged or stored by GA4. See Sections 6, 8, and 16 for detail. Analytics is not loaded in localhost or preview environments, and never loads unless you accept it.

Communications. Records of correspondence with us (e.g., support emails to contact@materacapital.com) including the email content, subject, and time sent.

Voluntary feedback. If you rate or annotate a report section, we collect the rating, free-text comments, and the section identifier.

Sensitive personal information.We do not request or knowingly solicit "sensitive personal information" (as that term is defined under California Civil Code §1798.140(ae)) - including precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, contents of communications other than ours with you, genetic data, biometric identifiers, health information, sexual orientation, or sex life. CV and JD content frequently does include information from which such categories can be inferred (for example, religious or ethnic affiliations through education or volunteer history, or health-related information through career gaps). To the extent user-provided CV/JD content includes sensitive personal information, we process it only to generate your prep report and do not use it for any purpose triggering the right to limit under CCPA §1798.121, nor for any purpose under UK-GDPR or EU-GDPR Article 9 beyond the limited generation of your report.

Provision of data. Provision of your email address is a contractual requirement: without it you cannot authenticate or use the Service. Provision of your CV and JD is necessary to generate a report. You are not required to provide any other personal data. If you choose not to provide the required data, we cannot provide the Service.

Where UK-GDPR or EU-GDPR applies, we process your personal data on the following lawful bases under Article 6:

Performance of a contract (Art. 6(1)(b)) - our core processing in connection with the Service relies on this basis. This includes authenticating you via magic-link sign-in, generating, storing, delivering, and re-delivering reports and cheat sheets in response to your inputs (whether on a free first report, during a free trial, on a paid subscription, or via the anonymous flow at your request), maintaining your account, and processing subscription billing when you take up Coach Pro.

Legitimate interests (Art. 6(1)(f)) - we log IP addresses and request metadata for rate limiting, fraud and abuse prevention, and information security; and we maintain the pipeline_runs ledger to monitor model output quality, prevent abuse, and account for cost. We have balanced these legitimate interests against your privacy rights and you may object at any time on grounds relating to your particular situation.

Consent (Art. 6(1)(a)) - Google Analytics 4 analytics cookies load only after you accept them in our cookie banner; and where you provide voluntary feedback (e.g., section ratings and annotator email) and similar non-essential inputs, processing relies on the consent you give by submitting that input. You may withdraw consent at any time (for analytics, by declining or clearing the cookie) without affecting the lawfulness of prior processing.

Legal obligation (Art. 6(1)(c)) - we may process data to comply with applicable law, court orders, or lawful requests by public authorities.

Special-category data (Art. 9). To the extent your CV or JD voluntarily includes special-category personal data within the meaning of Article 9 (for example, information revealing racial or ethnic origin, religious or philosophical beliefs, trade-union membership, or data concerning health), processing relies on your explicit consent given by submitting that content for report generation under Article 9(2)(a), and, where applicable, on the fact that you have manifestly made such information public under Article 9(2)(e). You may withdraw that consent by deleting your account or by emailing us; withdrawal does not affect the lawfulness of prior processing.

We use personal data only for the following purposes:

• to provide, operate, maintain, and improve the Service;
• to authenticate users via magic-link sign-in and to maintain account security;
• to generate, store, deliver, and re-deliver reports and cheat sheets to you;
• to process subscription payments through Stripe and manage your access to paid features;
• to detect, prevent, and investigate fraud, abuse, security incidents, and violations of our Terms;
• to enforce rate limits and other technical access controls;
• to maintain the pipeline_runs ledger of prompts and model responses for quality monitoring, abuse prevention, and cost accounting (service-role-only access; never used for model training);
• to serve aggregated page-level analytics via Google Analytics 4 in production only (page views, scrolls, outbound clicks, and similar enhanced-measurement events; device and operating system) - explicitly not for advertising, not for behavioral profiling, and not for data sale;
• to perform analytics on anonymized or aggregated data to monitor cost, latency, quality, and reliability;
• to communicate with you about your account, service updates, and changes to our policies, and to make notifications where required by applicable law;
• to respond to your requests, feedback, and support inquiries;
• to comply with legal and regulatory obligations.

We do not use your personal data for advertising, behavioral tracking, or profile-building for marketing purposes. We do not sell your data.

The Service uses third-party large-language-model technology, provided by Anthropic, PBC, to process your CV and JD text and generate report content. Specifically:

• Data sent to Anthropic to fulfill your report includes: the parsed text of your CV, the parsed text of your JD, web-research outputs (the results of Anthropic-hosted web_search and web_fetch tool calls), prior section drafts produced earlier in the same pipeline run, and canonical scaffolding content.
• Web research.Coach uses Anthropic's built-in web_search and web_fetch tools to enrich your report. A derived query string - typically the employer name, the role title, and tokens drawn from the parsed JD - is sent to Anthropic's hosted search infrastructure, which in turn invokes third-party search providers. Search results and fetched page content are returned to Coach and incorporated into the report. We do not persist these results outside the resulting report.
• Under Anthropic's standard commercial terms, your inputs are notused to train Anthropic's models. Coach has notopted into Anthropic's training program.
• We have not authorized any sub-processor listed in Section 8 to use your content to train, fine-tune, or evaluate AI models.
• Coach does not use your content to train, fine-tune, or evaluate our own models. We use anonymized aggregate signals (e.g., number of reports per role family, average cost, average latency, classifier confidence distribution) to improve service quality.
• Pipeline_runs ledger. Coach retains the input payload and model response of every Anthropic API call in our pipeline_runs ledger for quality monitoring, abuse prevention, and cost accounting (see Sections 3 and 11). The ledger is protected by service-role-only access at the database layer and is not used to train any system.

Meaningful information about the logic involved. Each report is generated by a deterministic pipeline that (1) parses your CV and JD text, (2) classifies the role family and loads canonical scaffolding content from our content library, (3) performs web research as described above, (4) drafts each of the report's sections via successive Claude Haiku 4.5 calls using the scaffolding, your inputs, and the research bundle as context, and (5) arbitrates and finalizes the assembled output. The pipeline does not score, rank, or otherwise evaluate you against any candidate pool, and it does not make a decision about you. The output is informational text intended to help you prepare for an interview. You retain full discretion over how to use it.

The Service does not make legal, employment, hiring, financial, medical, or other decisions that produce legal effects or similarly significantly affect you within the meaning of UK-GDPR / EU-GDPR Article 22 or analogous provisions.

We rely on the following sub-processors to deliver the Service. Each is bound by data-protection obligations consistent with GDPR Article 28 or equivalent through the agreements published below, and each is subject to the cross-border transfer framework described in Section 9.

Supabase Inc. (United States) - hosts our authentication database, application database, and object storage for CV/JD files. Privacy policy · DPA.

Stripe, Inc. (United States) - processes payments. Card data and full billing details are held by Stripe and never reach Coach. Stripe retains billing records as required by financial-compliance law (typically 7 years). Privacy policy · DPA.

Anthropic, PBC (United States) - processes your CV and JD text to generate reports, and operates the hosted web_search and web_fetchtools described in Section 7. Per Anthropic's standard commercial terms, customer inputs are not used to train their models, and Coach has not opted into any training program. Privacy policy.

Vercel Inc.(United States, with global CDN) - hosts the Coach application. Request logs are retained per Vercel's terms. Privacy policy · DPA.

Google LLC (United States) - provides Google Analytics 4 (measurement ID G-B3ZVGTRTE1). The analytics script is loaded only after you accept analytics in our cookie banner, and only when NODE_ENV === "production"(see Section 16); localhost and preview environments do not load it. Data sent to Google is limited to aggregate page-level events under GA4's default enhanced-measurement configuration (page views, scrolls, outbound clicks, and similar interactions; device and operating system). Per Google's documentation, IP addresses are not logged or stored by GA4. We do not use Google for advertising, ad personalization, profile-building, or data sale. Privacy policy.

We do not engage any other sub-processor. We do not sell personal data and we do not share personal data for cross-context behavioral advertising.

Change notification. Where reasonably practicable, we will announce material new sub-processors via this Policy and by email to active accounts before engagement, providing a meaningful window in which you may object. Users who object may terminate their account during that window and request anonymization of their reports by emailing contact@materacapital.com.

Our sub-processors are based in the United States. Where personal data of UK, EEA, or Swiss residents is transferred to the United States, we rely on the Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the UK International Data Transfer Addendum and the Swiss-FADP equivalent(the SCCs as adapted by the Swiss FDPIC), as incorporated into each sub-processor's Data Processing Agreement. Supabase, Stripe, Anthropic, Vercel, and Google each maintain SCC-backed contractual protections for cross-border transfers. Where a sub-processor is certified under the EU-US Data Privacy Framework - Google is so certified - that certification may serve as an additional transfer mechanism alongside the SCCs.

UK and EU representatives.Matera Capital is established in the United Kingdom, so no UK-GDPR Article 27 representative is required. We have not appointed an EU-GDPR Article 27 representative at this time on the basis that our processing of EEA residents' data is occasional and limited in scope; we will publish a representative if and when our processing crosses the Article 27(2) threshold.

We may disclose personal data:

• to our sub-processors, as described in Section 8, strictly to deliver the Service;
• to professional advisers (lawyers, accountants, auditors) under duties of confidentiality;
• to a successor entity in connection with any merger, acquisition, financing, reorganization, sale of assets, or other similar transaction, subject to standard confidentiality protections;
• to law-enforcement, regulators, courts, or other public authorities where required by law, valid legal process, or where disclosure is reasonably necessary to protect the safety, rights, or property of any person, or to investigate suspected violations of our Terms;
• with your consent or at your direction.

We do not sell personal data. We do not share personal data for cross-context behavioral advertising.

We retain personal data only for as long as necessary to fulfill the purposes set out in this Policy, including for the purposes of satisfying any legal, accounting, or reporting requirements, and for as long as is required to deliver the Service to you.

Active accounts: report data is retained for as long as your account exists.

Account deletion and the anonymization model. When you request deletion via Settings → Danger zone, we attempt to cancel your Stripe subscription on a best-effort basis (deletion continues even if the Stripe call fails), then delete your auth user, which cascades the deletion of your subscription record and your report-view history. In the same flow we set user_id and requester_email to NULL on any reports you generated. We aim to complete that anonymization in the same call, and in any event within 30 days of your request. Reports you have generated remain in our database after you delete your account, but with all identifying associations removed: there is no remaining link to your auth identity. Anonymized reports and the corresponding pipeline_runs ledger entries are retained indefinitely for product-quality, cost-monitoring, and abuse-prevention purposes. This is a deliberate anonymization-not-deletion model; if you require full erasure of anonymized records, please contact contact@materacapital.com and we will assess your request under applicable law.

Per-category retention:

• Email address (account identifier): until account deletion
• Magic-link OTP: 1 hour
• Session tokens: ~24 hours (access JWT) / ~1 week (refresh token)
• CV / JD text and generated reports: while account is active; anonymized within 30 days of deletion; anonymized record retained indefinitely
• Prompts and model responses (pipeline_runs ledger): indefinite (anonymized post-deletion); service-role-only access
• Stripe customer identifier and subscription metadata (Coach-side): retained while your account exists; deleted or anonymized on account deletion
• Stripe webhook idempotency ledger (stripe_webhook_events): retained indefinitely for payment-reconciliation integrity
• Billing records: retained by Stripe for approximately 7 years per financial-record compliance law
• IP and request logs (rate limit and security): 30 days
• Voluntary section ratings: indefinite, anonymized post-deletion
• Support correspondence: up to 3 years

Uploaded source files. CV and JD files you uploaded are stored in Supabase object storage and currently follow the same retention as the parent report - they remain available while the parent report exists, including after anonymization. Scheduled cleanup of orphaned storage files following anonymization is on our roadmap; we will update this Policy when that workflow ships.

We may retain some information for longer where required to establish, exercise, or defend legal claims.

We implement reasonable technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction, including (i) Transport Layer Security (TLS) for data in transit; (ii) encryption at rest where provided by our hosting providers; (iii) least-privilege access controls for our personnel; (iv) row-level security policies on databases storing personal data, with the pipeline_runs ledger protected by service-role-only access; (v) magic-link authentication with no stored passwords; (vi) rate limiting and abuse-detection mechanisms; and (vii) periodic informal review of our security posture.

No method of transmission or storage is completely secure. While we strive to use commercially reasonable means to protect your personal data, we cannot guarantee absolute security. You are responsible for keeping your email account credentials secure and for notifying us promptly of any compromise.

In the event of a personal-data breach, we will notify the competent supervisory authority and, where the breach is likely to result in a high risk to your rights and freedoms under UK-GDPR / EU-GDPR Article 34, will notify affected individuals, in each case as and within the time frames required by applicable law (including, where relevant, the 72-hour authority-notification window under Article 33 and US state-specific breach-notice statutes such as California Civil Code §1798.82).

If you are in the United Kingdom or the European Economic Area, you have the following rights:

• Right of access - request a copy of the personal data we hold about you. Our access response will include the categories of recipients of disclosure (and, where you so request, the specific recipients) in accordance with Article 15(1)(c).
• Right to rectification - request correction of inaccurate or incomplete data.
• Right to erasure(the "right to be forgotten") - request deletion of your personal data, subject to lawful exceptions. Please note that Coach operates an anonymization-not-deletion model for generated reports and the associated pipeline_runs ledger (see Section 11): identifying associations are removed, but the anonymized records are retained indefinitely for product-quality and abuse-prevention purposes. If you object to anonymized retention on grounds relating to your particular situation, please email contact@materacapital.com and we will assess your request under applicable law.
• Right to data portability - receive your data in a structured, commonly used, machine-readable format. A dedicated export endpoint is on our roadmap; in the interim, you can download a PDF of any report you can view directly from the report page, and you can copy the markdown source of any report you can view from the same page. For account-level data not exposed by these workflows, email contact@materacapital.com and we will fulfill the request manually.
• Right to restrict processing - ask us to limit how we use your data on any of the grounds in Article 18(1), namely (a) where you contest the accuracy of the data, (b) where the processing is unlawful and you oppose erasure, (c) where we no longer need the data but you require it for the establishment, exercise, or defense of legal claims, or (d) where you have objected pending verification of overriding grounds. During a valid restriction we will flag the relevant records - including any pipeline_runs ledger entries - and limit processing to storage only.
• Right to object - object to processing based on our legitimate interests, on grounds relating to your particular situation. Objections to the pipeline_runs ledger or to indefinite anonymized retention should be sent to contact@materacapital.com.
• Right not to be subject to solely automated decision-making - our pipeline generates a prep report from your inputs; the report does not produce a legal or similarly significant decision about you (see Section 7 for the logic involved).
• Right to withdraw consent - where processing relies on consent, withdraw consent at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint with your local data-protection authority (UK: ico.org.uk; EU: your national supervisory authority).

To exercise these rights:

• Self-service deletion is available at Settings → Danger zone.
• For access, rectification, portability, restriction, objection, or any other request: email contact@materacapital.com with "Data Subject Request" in the subject line.

We will respond within one month of receipt as required by Article 12(3). Where the request is complex or numerous, we may extend by up to two further months, with notice to you within the first month. We may need to verify your identity before fulfilling your request.

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"), gives you the following rights:

• Right to know - request the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
• Right to delete - request deletion of personal information, subject to statutory exceptions.
• Right to correct - request correction of inaccurate personal information.
• Right to opt-out of sale or sharing - Coach does not sell or share personal information for cross-context behavioral advertising, so this right does not apply to our processing.
• Right to limit use of sensitive personal information - we do not use sensitive personal information beyond what is permitted under CCPA Section 1798.121(d).
• Right to non-discrimination - we will not discriminate against you for exercising your rights, including by denying service, charging different prices, or providing a different level of quality.

Notice at Collection. Consistent with CCPA §1798.100(a), the following table summarizes the categories of personal information we collect, the sources, the business purposes, the categories of third parties to whom each was disclosed in the preceding 12 months, and retention. The information in Sections 3, 6, 8, and 11 of this Policy supplements this summary.

• Identifiers (Civ. Code §1798.140(v)(1)(A)) - email address, Stripe customer identifier, IP address. Sources: directly from you; automatically from your interaction with the Service; from Stripe. Business purposes: account authentication, service delivery, billing, security, rate limiting. Disclosed to: Supabase, Stripe, Vercel. Retention: per Section 11 (email until deletion; Stripe IDs while account exists; IP ~30 days).
• Commercial information (§(v)(1)(D)) - subscription status, current-period end. Sources: Stripe. Business purposes: managing access to paid features. Disclosed to: Stripe. Retention: per Section 11 (while account exists Coach-side; ~7 years at Stripe).
• Internet or other electronic network activity information (§(v)(1)(F)) - request paths, timestamps, browser/OS/device, referer; GA4 page-level events in production. Sources: automatic. Business purposes: security, rate limiting, aggregate analytics. Disclosed to: Vercel, Google (GA4). Retention: per Section 11 (~30 days for logs; ~13 months for GA cookies).
• Professional or employment-related information (§(v)(1)(I)) - content of your CV and JD; generated report; pipeline_runs ledger entries. Sources: directly from you; generated on the Service. Business purposes: report generation, quality monitoring, abuse prevention, cost accounting. Disclosed to: Supabase, Anthropic. Retention: per Section 11 (while account active; anonymized within 30 days of deletion; anonymized records and ledger retained indefinitely).
• Inferences (§(v)(1)(K)) - limited role-family classifications and aggregate signals used internally for quality and cost monitoring; not used to build a consumer profile reflecting preferences, characteristics, behavior, or attitudes for marketing purposes. Retention: anonymized; indefinite.
• Sensitive personal information (§1798.140(ae)) - not requested or solicited; to the extent voluntarily included in CV/JD content, used only to generate your report (see Section 3). Disclosed only to Supabase and Anthropic as part of the report-generation pipeline. Retention: as for report content, per Section 11.

The criteria we use to determine each retention period are: the duration of your account; the operational lifetime of records required to deliver, secure, and bill the Service; statutory retention obligations (e.g., Stripe's financial-record retention); the need for indefinite anonymized retention to support product quality, cost monitoring, and abuse prevention; and our obligation to retain data necessary to establish, exercise, or defend legal claims.

No sale or sharing. We do not sell or share personal information as those terms are defined under CCPA. We have not sold or shared personal information for cross-context behavioral advertising in the preceding 12 months. We do not use sensitive personal information for any purpose that requires opt-out under CCPA.

Financial incentives. The 7-day free trial described in our Terms of Service is not a financial incentive offered in exchange for personal information within the meaning of CCPA §1798.125(b). Coach pricing is not contingent on data sharing beyond what is necessary to deliver the Service.

To exercise CCPA rights, email contact@materacapital.com with "CCPA Request" in the subject line. We will confirm receipt within 10 business days as required by 11 CCR §7021 and substantively respond within 45 days; we may extend by a further 45 days where reasonably necessary with notice to you.

Verification. To protect against fraudulent requests, we will verify your identity before fulfilling a CCPA request. We will typically do so by asking you to confirm the email address on your Coach account and to provide additional information sufficient to match against information we already hold. For requests to delete sensitive categories of data, we may require additional verification.

Authorized agents.You may designate an authorized agent to make a request on your behalf. The agent must provide us with either (i) written permission signed by you, or (ii) a valid power of attorney under California Probate Code §§4000-4465 (in which case we will not separately verify your identity directly), together with sufficient information to verify the agent's own identity.

Records of requests. We maintain records of CCPA-related requests as required by 11 CCR §7100 et seq.

Residents of certain other US states - including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and Texas (TDPSA) - may have similar rights to access, correct, delete, and obtain a copy of their personal information, and to opt out of sale, targeted advertising, or profiling in furtherance of decisions that produce legal or similarly significant effects. To exercise these rights, email contact@materacapital.com. We respond within the statutory window (typically 45 days, extendable by a further 45 days where reasonably necessary).

No sale, targeted advertising, or qualifying profiling. We do not engage in the sale of personal data, in targeted advertising, or in profiling in furtherance of decisions that produce legal or similarly significant effects within the meaning of these state statutes. The pipeline_runs ledger and the aggregate classifier-confidence signals described in Section 7 are used for service quality, cost monitoring, and abuse prevention - not to make decisions about you.

Sensitive data - opt-in consent. Under CPA §6-1-1308(7), CTDPA §6(a)(6), and analogous provisions, the processing of sensitive personal data requires opt-in consent. To the extent CV or JD content you voluntarily submit contains sensitive data, your deliberate act of submitting that content for report generation constitutes the required opt-in consent.

Texas residents. As required by Texas Business and Commerce Code §541.102, we do not sell sensitive personal data and we do not sell biometric personal data. Texas residents have the rights set out above and may contact us at the email above.

Universal opt-out signals (GPC). Because Coach does not sell or share personal data and does not engage in targeted advertising or qualifying profiling, there is no processing for which a Global Privacy Control or other universal opt-out signal would change our behavior. Where such a signal is received, we treat it as an affirmation of your opt-out status for the processing described in this section.

Appeals. If we decline a request you have made under VCDPA, CPA, CTDPA, or analogous laws, you may appeal by replying to our response email or by emailing contact@materacapital.com with "Privacy Appeal" in the subject line. We will respond to the appeal within the statutory window (60 days for Virginia and Connecticut; 45 days for Colorado, with up to a further 60 days where reasonably necessary). If your appeal is denied, you may contact your state attorney general - Virginia: oag.state.va.us; Colorado: coag.gov; Connecticut: portal.ct.gov/AG; Texas: texasattorneygeneral.gov.

Coach uses essential cookies (Supabase auth session JWT, Supabase PKCE code verifier, Supabase refresh token, Stripe Checkout, and a record of your cookie-consent choice) and, only if you accept them, Google Analytics 4 cookies for aggregate page-level analytics. We do not use advertising cookies, we do not build user profiles, and we do not sell data.

Google Analytics 4 loads only after you click "Accept" in our cookie banner, and only when NODE_ENV === "production". If you decline or have not yet chosen, no GA cookies are set; localhost and preview environments never load GA either. Declining analytics has no functional impact on the Service. Disabling the Supabase auth or Stripe cookies will break sign-in or billing respectively.

If you generate a report without signing in (the anonymous flow), the resulting report is accessible to anyone who has its URL. The URL contains a randomly generated 36-character UUID and is not gated by sign-in: anyone who comes into possession of the URL - by you sharing it, by a link leaking through a browser extension or messaging app, or by any other means - can view the report and the CV and JD content summarized within it.

This public-by-URL behavior is contingent on your deliberate decision to use the anonymous flow. The recommended default, consistent with data-protection-by-default principles under UK-GDPR / EU-GDPR Article 25, is to sign in before uploading a CV that contains sensitive information you do not want shareable. When you sign in before generating a report, the report is bound to your account and is gated by the entitlement rules described in our Terms of Service. You can sign in from the sign-in page.

Some browsers transmit "Do Not Track" (DNT) signals. Coach itself does not collect personal data for advertising or behavioral-tracking purposes, so we do not modify our own processing in response to such signals - the data we collect is limited to what is described in this Policy regardless of any signal.

Where Google Analytics 4 receives a Do Not Track signal from your browser, it honors that signal per Google's published behavior. Coach has not configured Google Analytics to override DNT.

Matera Capital is the Data Controller for personal data processed in connection with the Service.

For any privacy question, to exercise your data-subject rights, to object to processing, or to submit a complaint regarding our handling of personal data, the single mailbox is:

contact@materacapital.com

Please include "Privacy Request", "Data Subject Request", "CCPA Request", "Privacy Appeal", or another descriptive subject line so we can route your inquiry promptly. A registered office postal address is available on request from the same mailbox.