Privacy Policy
Effective date: 16 February 2026
DigitalMe is a career twin platform that helps professionals represent their skills and experience through AI, and helps recruiters and hiring managers find and assess talent. We take the privacy of your personal data seriously. This policy explains what data we collect, how we use it, who we share it with, and what rights you have.
1. Who We Are
DigitalMe is operated by NeuralStorm. For the purposes of data protection law, we are the data controller responsible for your personal data.
Contact: info@neuralstorm.io
2. What Data We Collect
The data we collect depends on how you use DigitalMe. There are three types of user.
2.1 Owners (professionals who create a DigitalMe)
- Identity data: Name and email address, obtained through Google or GitHub sign-in
- Authentication tokens: OAuth tokens from Google or GitHub, stored securely on our servers and never exposed to your browser
- Career documents: CVs, experience narratives, project descriptions, publications, and any other professional documents you choose to upload
- AI-generated content: Professional profiles, career summaries, corpus digests, and skill inventories generated from your documents
- Self-assessment data: Skill calibrations you provide (e.g. marking skills as overstated, stale, learning, or to avoid)
- Career coaching outputs: Generated CVs, cover letters, LinkedIn content, and coaching session transcripts
- Job descriptions: Job descriptions you submit for fit analysis
- Usage data: Query counts, LLM token consumption, and associated costs
2.2 Visitors (recruiters and hiring managers)
- Identity data: Name and email address, obtained through LinkedIn sign-in
- Chat messages: Questions you ask when conversing with a DigitalMe
- Job descriptions: Job descriptions you submit for talent matching or job fit analysis
- Discovery searches: Search queries used to find matching professionals
- Usage data: Daily question counts and job fit analysis counts
2.3 Waitlist applicants
- Name and email address
- Reason for interest (free text)
- LinkedIn profile URL (optional)
2.4 Technical data (all users)
- IP addresses: Used transiently for rate limiting only; not stored persistently in any database
- Session identifiers: Signed JWT tokens stored in HttpOnly cookies
- Browser information: User-agent strings, recorded with chat sessions for security auditing
3. How We Use Your Data
| Purpose | Data used | Lawful basis (GDPR) |
|---|---|---|
| Providing the platform service (profiles, chat, discovery, coaching) | All user-provided data | Performance of contract (Art. 6(1)(b)) |
| AI-powered career representation and chat | Career documents, embeddings, visitor questions | Performance of contract |
| Talent discovery and job-fit matching | Profiles, job descriptions, embeddings | Legitimate interest (Art. 6(1)(f)) |
| Career coaching (CV synthesis, cover letters, LinkedIn content) | Career documents, job descriptions | Performance of contract |
| Authentication and access control | OAuth tokens, email, session cookies | Performance of contract |
| Rate limiting and abuse prevention | IP addresses (transient, in-memory only) | Legitimate interest |
| Platform improvement and debugging | Usage logs, error logs | Legitimate interest |
| Waitlist management | Name, email, reason for interest | Consent (Art. 6(1)(a)) |
4. AI and Large Language Model Processing
Your career documents are processed by AI systems. This section explains exactly how, what data is sent, and what safeguards are in place.
4.1 What AI does in DigitalMe
DigitalMe uses AI large language models (LLMs) to generate professional profiles from your career documents, answer visitor questions about your experience, analyse job fit, synthesise tailored CVs and cover letters, and provide career coaching. AI is also used to create vector embeddings of your documents for semantic search.
4.2 What data is sent to AI providers
- Text content of your career documents (for profile generation, chat context, and analysis)
- Visitor questions and job descriptions (for chat responses and job fit analysis)
- Document text (for generating vector embeddings used in semantic search)
We never send authentication tokens, passwords, IP addresses, or payment information to AI providers.
4.3 AI providers used
| Provider | Purpose | Data sent |
|---|---|---|
| Google (Gemini API) | Text generation: chat, profiles, job analysis, coaching, CV synthesis | Career document text, visitor questions, job descriptions |
| Anthropic (Claude API) | Text generation: chat, profiles, job analysis, coaching, CV synthesis | Career document text, visitor questions, job descriptions |
| OpenAI | Text embeddings for semantic search | Career document text |
We alternate between Google Gemini and Anthropic Claude for text generation tasks depending on availability and suitability. OpenAI is used exclusively for generating text embeddings (vector representations used in semantic search).
4.4 AI training and your data
Your data is sent to AI providers solely for the purpose of generating responses and embeddings for the DigitalMe service. We use API-based access to these providers, which under their respective terms of service do not use API data to train their models. We do not use your data to train any AI models ourselves.
4.5 Grounding and accuracy
All AI-generated responses in DigitalMe are grounded in your actual career documents. Every answer includes citations pointing to specific source documents. The system is designed to refuse to answer questions that are not supported by the career corpus, rather than fabricating information.
4.6 Human oversight and guardrails
All AI-generated content in DigitalMe is subject to built-in guardrails and verification. Owners have full visibility and control over every AI output — they can review, edit, and delete all generated profiles, CVs, cover letters, and coaching content. Owners control 100% of what their DigitalMe says by managing the underlying career corpus that the AI draws from.
Visitors are clearly informed that they are interacting with AI-generated content. The widget displays a disclaimer stating that responses are AI-generated with guardrails and citation verification built in. Visitors see only AI-synthesised answers with citations to specific source documents, never the owner’s raw career documents.
5. Third-Party Data Processors
| Processor | Location | Purpose | Data processed |
|---|---|---|---|
| Supabase (AWS) | EU (Frankfurt) | Database hosting and file storage | All persistent data |
| Google (Gemini API) | USA | AI text generation | Career text, questions, job descriptions |
| Anthropic (Claude API) | USA | AI text generation | Career text, questions, job descriptions |
| OpenAI | USA | Text embeddings | Career document text |
| USA | Visitor authentication (OAuth) | Name, email, profile URL | |
| Google (OAuth) | USA | Owner authentication | Name, email |
| GitHub (OAuth) | USA | Owner authentication (alternative) | Name, email |
5.1 International data transfers
Your primary data (database and file storage) is held in the European Union (AWS Frankfurt region via Supabase). When data is processed by US-based AI providers (Google Gemini, Anthropic Claude, OpenAI) or US-based authentication providers (LinkedIn, Google, GitHub), these transfers are protected by:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The EU-US Data Privacy Framework, where applicable
- Each provider's own data protection commitments
We minimise the data sent to overseas processors — only the specific text required for each operation is transmitted, and we do not transfer authentication tokens, passwords, or infrastructure data.
6. Cookies and Session Management
DigitalMe uses only strictly necessary cookies required for the service to function. We do not use any analytics, advertising, or third-party tracking cookies.
| Cookie name | Purpose | Type | Duration |
|---|---|---|---|
digitalme_owner_session |
Owner authentication session | HttpOnly, Secure, SameSite=Lax | 24 hours |
digitalme_visitor_session |
Visitor authentication session | HttpOnly, Secure, SameSite=Lax | 24 hours |
Because we use only strictly necessary cookies, no cookie consent banner is required under GDPR or the ePrivacy Directive. These cookies cannot be used to track you across websites and are not accessible to JavaScript running in your browser.
7. Data Retention
| Data type | Retention period | How it is deleted |
|---|---|---|
| Owner career documents | Until the owner deletes them or their account | Owner-initiated deletion via dashboard |
| AI-generated profiles and outputs | Until source documents are deleted or account is closed | Cascade deletion when source data is removed |
| Chat messages | Retained for audit integrity; conversations can be soft-deleted by the owner | Soft-delete (metadata marked as deleted; message content retained for data integrity) |
| Visitor accounts | Until the visitor requests deletion | Account deactivation upon request |
| Owner accounts | Until the owner requests deletion | Account deactivation and cascade deletion of all career data |
| Waitlist entries | Until approved or dismissed, then up to 12 months | Automatic cleanup or upon request |
| Session cookies | 24 hours | Automatic browser expiry |
| Rate limiting data (IP addresses) | Transient (in-memory only) | Lost on server restart; never persisted to disk |
8. Your Rights
Depending on where you are located, you have rights over your personal data under applicable data protection law. These include:
- Right of access — Request a copy of all personal data we hold about you
- Right to rectification — Ask us to correct inaccurate personal data
- Right to erasure — Ask us to delete your personal data (“right to be forgotten”)
- Right to restriction — Ask us to limit how we process your data
- Right to data portability — Receive your data in a structured, machine-readable format
- Right to object — Object to processing based on legitimate interest
- Right to withdraw consent — Where processing is based on consent (e.g. waitlist), you may withdraw at any time
8.1 How to exercise your rights
To exercise any of these rights, please email info@neuralstorm.io with the subject line “Privacy Request: [Right] – [Your Name]”.
We will respond within 30 days of receiving your request, as required by the GDPR (one calendar month under Article 12(3)). For California residents, the CCPA allows up to 45 calendar days — we aim to respond within 30 days in all cases. We may need to verify your identity before processing your request.
8.2 Self-service data management
Owners can manage most of their data directly through the DigitalMe dashboard:
- View, edit, and delete career documents at any time
- Review and regenerate all AI-generated profiles and outputs
- Manage skill calibrations and self-assessments
- View and archive visitor conversations
- Control which visitors have access to their DigitalMe
9. Children
DigitalMe is a professional career platform and is not intended for use by children. We do not knowingly collect personal data from anyone under 16 years of age (or under 13 in the United States). If you believe a child has provided personal data to us, please contact us immediately at info@neuralstorm.io and we will delete it promptly.
10. How We Protect Your Data
We implement the following technical and organisational measures to protect your data:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS
- Encryption at rest: All data stored in our database and file storage is encrypted at rest using industry-standard AES-256 encryption
- Secure session management: Authentication uses signed JWT tokens in HttpOnly, Secure, SameSite=Lax cookies, preventing cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks
- Multi-tenant data isolation: Every database query is scoped by your unique identifier, ensuring no user can access another user’s data
- Database-level security: Row-Level Security (RLS) policies are enabled on all data tables
- No password storage: We use OAuth-only authentication (Google, GitHub, LinkedIn), so we never store your passwords
- Access control: Authentication and authorisation are separate concerns. Being authenticated does not automatically grant access to anyone’s data — explicit owner approval is required
- Rate limiting: All sensitive endpoints are rate-limited to prevent abuse
- Career document protection: Visitors never see your raw career documents. They interact only with AI-synthesised answers that cite specific sources
- OAuth tokens stored server-side: Authentication tokens are stored on the server and are never exposed to client-side code
11. Opt-In Model and Data Sharing
DigitalMe is built on explicit opt-in at every stage. No data is collected without your action, and no data is shared without your approval.
11.1 Owner opt-in
As an owner, you choose to create a DigitalMe and upload your career documents. You control what documents are included in your corpus. You can add, edit, or remove documents at any time. Your career data is processed by AI only because you have opted in by uploading it.
11.2 Sharing with visitors
Visitors must authenticate with LinkedIn before they can interact with any DigitalMe. Even after authentication, a visitor can only access your DigitalMe if you have explicitly approved their access. You can revoke a visitor’s access at any time.
Visitors never see your raw career documents. They see only AI-generated, citation-backed answers to their questions, and structured job fit analyses derived from your corpus.
11.3 Strict owner isolation
No owner can view, access, or interact with another owner’s data. Each owner can only see their own career documents, their own visitor conversations, their own coaching outputs, and their own profile data. An owner can view conversations that visitors have had with their own DigitalMe, but cannot see any other owner’s conversations, documents, or data. This isolation is enforced at every level of the system — in application code, database queries, and database-level security policies.
11.4 No data is sold or shared for advertising
We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes. Data is shared with third-party processors (listed in Section 5) only to the extent necessary to provide the DigitalMe service.
12. International Regulatory Coverage
12.1 European Economic Area (GDPR)
If you are in the EEA, you have all the rights described in Section 8. The lawful bases for processing are set out in Section 3. You have the right to lodge a complaint with your local data protection supervisory authority.
12.2 United Kingdom (UK GDPR)
If you are in the UK, you have the same rights and protections as under the EU GDPR. The relevant supervisory authority is the Information Commissioner’s Office (ICO).
12.3 California, USA (CCPA/CPRA)
If you are a California resident, you have the following rights:
- Right to know what personal information we collect, use, and disclose
- Right to delete your personal information
- Right to opt out of the “sale” or “sharing” of personal information — DigitalMe does not sell or share personal information for cross-context behavioural advertising
- Right to non-discrimination for exercising your privacy rights
- Right to limit the use of sensitive personal information — we do not use or disclose sensitive personal information for purposes beyond providing the service
12.4 Australia (Privacy Act 1988)
If you are in Australia, the Australian Privacy Principles (APPs) apply. You have the right to access and correct your personal information. You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC). Cross-border disclosures are detailed in Section 5 — your data is stored in the EU and processed by US-based AI providers.
13. Changes to This Policy
We may update this privacy policy from time to time. When we make material changes, we will update the “Effective date” at the top of this page and, where practicable, notify logged-in users through the platform.
We encourage you to review this page periodically. Your continued use of DigitalMe after changes are posted constitutes your acceptance of the updated policy.
14. Contact Us
If you have any questions about this privacy policy, your personal data, or wish to exercise any of your rights, please contact us:
- Email: info@neuralstorm.io
- Subject line for privacy matters: “Privacy: [topic]”