Privacy
Last updated 25 May 2026
SideDoor helps you reach the person who actually owns a hire. To do that we process two kinds of data: data about you, and data about the third parties we surface as outreach targets. This page explains both, and how to get your data deleted. The data controller is SideDoor; reach us at team@sidedoor.site.
Data about you
- Account email — used to sign you in via a magic link (no passwords).
- Profile — the universities and employers you enter during onboarding, used to find people you have an affinity with.
- Your CV — the PDF you upload, stored in a private bucket scoped to your account so only you can read it.
- Sessions & messages — the roles you research, the targets we rank, and the drafts generated for you.
- Billing details — if you buy a plan or a refill pack, your card details are handled directly by Stripe; we never see or store your full card number. We keep a record of your plan, subscription status, and purchase history.
We use this to operate the service for you. We do not sell it or use it for advertising.
Data about third parties
To surface who to contact about a role, SideDoor retrieves professional contact data about individuals at the target company from Apollo: name, job title, employment history, LinkedIn URL, and — only when you choose to reveal a contact — a work email address. This is business-context professional data, not special-category data.
Legal basis for third-party data
We rely on legitimate interests under Article 6(1)(f) UK GDPR: enabling a candidate to make a relevant, individual, professional approach about a specific open role. We have weighed this against the interests of the people surfaced — the data is limited to professional context, used for a one-to-one job-search approach (not bulk marketing), and any individual can ask us to erase their data using the contact below. We consider this a proportionate use that a working professional would reasonably expect. We have carried out and recorded a legitimate interests assessment, and will share a summary on request. (The Data (Use and Access) Act 2025 amended UK data protection law from February 2026; this remains an ordinary legitimate-interests basis under Article 6(1)(f), not a “recognised legitimate interest”, so the balancing test above still applies.)
Processors & sub-processors
- Apollo — source of professional contact data on outreach targets.
- Anthropic — drafts your outreach messages. Your profile, the role, and the selected target's professional details are sent as context; this data is not used to train models.
- Tavily — web search used by the agents to research context for a draft.
- Supabase — hosts the database, authentication, and your CV storage.
- Upstash — Redis used for transient progress and budget state.
- Stripe — processes payments for plans and refill packs. Stripe receives the payment and contact details it needs to take payment; SideDoor never receives your full card number.
International transfers
Some of these providers are based outside the UK, including in the United States. Where your data — or a target's data — is transferred abroad, we rely on an appropriate safeguard under UK GDPR: either the provider's certification under the UK Extension to the EU–US Data Privacy Framework, or an International Data Transfer Agreement (or the UK Addendum to the EU Standard Contractual Clauses).
Your rights & deletion
You can delete your own account at any time from Settings, which permanently erases your account, profile, CV, and session history. You — and any third party whose data we have surfaced — can also request access to or deletion of that data by emailing team@sidedoor.site. You have the right to access, correct, erase, restrict, or port your data, and to object to processing carried out under legitimate interests. We will action verified requests without undue delay.
Complaints
If you are unhappy with how we handle your data, please tell us first at team@sidedoor.site — we will acknowledge your complaint within 30 days and respond without undue delay. You also have the right to complain to the UK supervisory authority, the Information Commission (formerly the Information Commissioner's Office).
Retention
We keep your account and profile data while your account is active. Cached third-party contact data is refreshed periodically and is deleted on request. When you delete your account from Settings — or email the address above — we remove your personal data within 30 days.
Cookies
SideDoor uses only strictly necessary cookies to keep you signed in (set by our authentication provider, Supabase). We do not use advertising or third-party tracking cookies, so there is no consent banner to dismiss.