Security

What we actually do with your data — and what we don't claim to do.

Plainly

We would rather tell you exactly what we do than dress it up. Everything below describes how the application is actually built — not an aspiration, and not a certification we don't hold.

We hold no security certifications. We are not SOC 2 audited and not ISO 27001 certified. If that's a requirement for you, we're not the right tool yet, and you should know that now rather than later.

Your data in transit

Every request to ProfyleAI is served over HTTPS, so what travels between your browser and our servers is encrypted on the way. We also send strict transport security headers, which tell your browser never to talk to us over a plain connection again.

Your data at rest

Your résumés, cover letters and interview answers are stored in MongoDB Atlas, which encrypts its storage at rest.

We can technically read your documents in that database. Anyone who offers to rewrite your résumé and also claims they can't see it is not being straight with you — the rewriting requires reading. We don't go looking, but we're not going to pretend it's impossible.

Passwords

If you sign up with an email and password, that password is hashed with bcrypt before it's stored. We never keep it in a form we could read — which is why we can help you set a new one, but can never tell you what your old one was.

If you sign in with Google, we never see a password at all.

Payments

Card details never touch our servers. Checkout is hosted by Stripe: you enter your card on Stripe's page, and we're told only that a payment succeeded. We store what you bought and when. We never store a card number.

What the AI providers see

To tailor a résumé, write a cover letter, or run an interview, the relevant text is sent to the provider doing the work — Google, OpenAI, or ElevenLabs for the voice interview. That means your résumé and the job description you paste leave our servers and reach theirs.

We send what the task needs and nothing more. We don't sell your data, and we don't hand it to advertisers.

Taking your data out — or deleting it

You can download everything you've written here as a single JSON file, and you can delete your account outright, both from Settings. Deletion is real deletion — the account and its documents are removed and it cannot be undone, so export first if you want a copy.

Found a problem?

If you find a security issue, tell us before you tell anyone else and we'll fix it. Write to us through the contact page with enough detail to reproduce it. We won't pursue anyone who reports a vulnerability in good faith and gives us a fair chance to fix it.

Questions about any of this? Ask us.