Privacy Policy
Last updated: April 7, 2026
This Privacy Policy explains how Incognito ("Service"), operated by Nobu Kaizen / Iboga Ventures LLC ("we", "us"), collects, uses, and protects your personal information. We are committed to protecting your privacy and handling your data transparently.
1. Data We Collect
| Category | Data | Purpose |
|---|---|---|
| Account | Name, email, username, password (hashed) | Authentication, communication |
| Profile | Location, target roles, phone (optional) | Job matching, personalization |
| Resumes | Resume text, parsed sections, keywords | Matching, tailoring, PDF generation |
| Job Data | Job descriptions, URLs, companies | Analysis, matching, scanner |
| Applications | Company, role, status, timeline, notes | Tracking, analytics, follow-ups |
| Usage | Features used, match scores, timestamps | Service improvement, plan limits |
| Payment | Processed by Stripe (we don't store cards) | Subscription billing |
2. How We Use Your Data
- Core Service: Resume parsing, keyword extraction, match scoring, AI tailoring, cover letter generation, auto-apply, job scanning
- AI Processing: Your resume and job description text is sent to Anthropic (Claude) for tailoring, analysis, and content generation. Anthropic processes this data per their privacy policy and does not use API data for training.
- Auto-Apply: When you use auto-apply, your resume and profile data is sent to Jobo to submit applications to employer ATS platforms on your behalf.
- Communication: Account notifications, application confirmations, job alerts (with your consent)
- Analytics: Aggregated, anonymized usage data to improve the Service
3. Third-Party Data Sharing
We share your data only with:
- Anthropic — AI processing (resume text, job descriptions) via API
- Jobo — Auto-apply service (resume, profile data) when you initiate an application
- Stripe — Payment processing (we never see your card number)
- Employer ATS platforms — Only when you apply (Greenhouse, Lever, Ashby, etc.)
We do not sell your data. We do not share your data with advertisers. We do not use your data for AI model training.
4. Data Storage & Security
- Data stored on secure servers with encrypted connections (HTTPS/TLS)
- Passwords hashed with scrypt (timing-safe comparison)
- Session tokens are cryptographically random, expire after 7 days
- Per-user data isolation — users cannot access each other's data
- CSRF protection, rate limiting, input validation on all endpoints
5. Data Retention
- Active accounts: Data retained while account is active
- Deleted accounts: All personal data deleted within 30 days of account deletion
- Backups: Removed from backups within 90 days
- Legal holds: Data may be retained longer if required by law
6. Your Rights (GDPR)
If you are in the European Economic Area (EEA), you have the right to:
- Access — Request a copy of all data we hold about you
- Rectification — Correct inaccurate personal data
- Erasure — Request deletion of your data ("right to be forgotten")
- Portability — Export your data in a machine-readable format (JSON/CSV)
- Restriction — Limit how we process your data
- Objection — Object to processing based on legitimate interests
To exercise these rights, use the data export and account deletion features in Settings, or email privacy@yabacademy.com.
Legal basis for processing: Consent (account creation), contract performance (providing the Service), legitimate interests (security, improvement).
7. Your Rights (CCPA)
If you are a California resident, you have the right to:
- Know what personal information we collect and how it's used
- Delete your personal information
- Opt out of the sale of personal information (we do not sell data)
- Non-discrimination for exercising your privacy rights
To exercise these rights: email privacy@yabacademy.com or use in-app Settings.
8. Cookies
We use a single essential cookie (inc_session) for authentication. It is:
- HttpOnly (not accessible to JavaScript)
- SameSite=Lax (CSRF protection)
- Expires after 7 days
- Secure flag in production (HTTPS only)
We do not use tracking cookies, analytics pixels, or third-party advertising cookies.
9. Children's Privacy
The Service is not intended for users under 18. We do not knowingly collect data from minors. If you believe a minor has created an account, contact us to have it removed.
10. International Transfers
Data may be processed in the United States. By using the Service, you consent to this transfer. We implement appropriate safeguards for cross-border data transfers.
11. Changes to This Policy
We may update this Privacy Policy with 30 days' notice via email. The "Last updated" date at the top reflects the most recent revision.
12. Contact
For privacy questions or data requests: