Privacy Policy

Your privacy is critically important to us. This Privacy Policy explains how Professional Vault collects, uses, and protects your personal information.

Information We Collect

We collect information you provide directly, including:

  • Account information (name, email, password)
  • Documents you upload to our service
  • Information extracted from your documents by our AI
  • Usage data and preferences

How We Use Your Information

We use your information to:

  • Provide and improve our services
  • Process and analyze your documents
  • Send you notifications about your account
  • Ensure the security of our platform

Google Drive Integration

When you connect your Google account to Professional Vault, we may request access to your Google Drive to enable document import functionality.

What We Access

  • Your Google Drive files and folders (read-only access for importing)
  • File metadata including names, types, and modification dates
  • Your Google account email address and profile information

How We Use Google Data

  • To display your Google Drive files for selection and import
  • To import selected files into your Professional Vault account
  • To authenticate your identity when signing in with Google

We do NOT modify, delete, or share your Google Drive files. Access is read-only and used solely for importing documents you explicitly select.

Google Data Storage

  • Google OAuth tokens are encrypted using industry-standard encryption and stored securely
  • Imported files are copied to your Professional Vault storage; original Google Drive files remain unchanged
  • You can disconnect Google Drive access at any time from your account settings

Limited Use Disclosure

Professional Vault's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for:

  • Serving advertisements or retargeting
  • Selling or transferring data to third parties
  • Training AI models (except for features you explicitly use within our app)
  • Any purpose other than providing our document management services to you

Chrome Extension

The Professional Vault Chrome extension helps you auto-fill job application forms using your profile data. This section explains how the extension handles your information.

Data Collected by the Extension

  • API Token - Your authentication token is stored locally in Chrome's secure storage to keep you logged in
  • Form Field Information - When you click "Fill Form", the extension reads form field labels, names, and types from the current page to match them with your profile data
  • Page URL and Title - Used to provide context for AI-powered form filling (e.g., company name, job title)
  • Cached Results - Previously filled form data is cached locally to save credits on repeat visits

How Extension Data Is Used

  • Form field information is sent to Professional Vault servers to match fields with your profile data
  • Our AI analyzes form questions and generates appropriate answers from your stored profile
  • Matched data is returned to the extension and filled into the form fields
  • Page context helps the AI tailor responses (e.g., customizing cover letter content for the specific company)

Extension Data Storage

  • Local Storage - Your API token and cached form results are stored only in Chrome's local storage on your device
  • Server Storage - Form field data is processed in real-time and is not permanently stored on our servers
  • Cache Expiration - Locally cached form results are automatically deleted after 7 days

Extension Permissions

The extension requires certain permissions to function:

  • Storage - To save your API token and cached results locally
  • Active Tab - To read and fill form fields on the current page
  • Scripting - To inject the form-filling functionality into web pages
  • Host Permissions - Access to job application sites (Greenhouse, Lever, Workday, etc.) to fill forms on those platforms

What the Extension Does NOT Do

  • Does NOT collect browsing history or track your activity across websites
  • Does NOT access form data unless you explicitly click "Fill Form"
  • Does NOT submit forms automatically - you always review and submit manually
  • Does NOT share your data with advertisers or third parties (except OpenAI for AI processing)
  • Does NOT store your passwords or sensitive financial information

Removing Extension Data

You can disconnect your account by clicking "Disconnect" in the extension popup. This removes your API token from local storage. Uninstalling the extension removes all locally stored data. To delete your profile data from our servers, use the account deletion option in your Professional Vault settings.

Social Media Publishing

Professional Vault publishes its own blog articles and product announcements to social media accounts that we own and operate. This section describes how that integration works and what data leaves our servers when it does.

Accounts We Publish To

We publish only to social media accounts that belong to Professional Vault: @profvault on X (Twitter), Facebook, LinkedIn, Pinterest, and Instagram. We do not publish on behalf of any user other than our own brand. We do not read user timelines, follow accounts, send direct messages, or engage with comments through these integrations.

What Data Is Sent

When we publish to a social platform, only the following content leaves our servers:

  • The blog article's title and excerpt
  • The canonical URL of the article on myprofvault.com
  • The article's cover image, when one is set

No user data of any kind is included in these posts. Your profile information, documents, applications, account email, and identity are never sent to any social platform.

Credentials and Tokens

To publish on our own behalf, we authorize Professional Vault once with each social platform through that platform's standard OAuth flow. The resulting access tokens are stored encrypted at rest using Rails' built-in attribute encryption. They are scoped to the minimum permissions required (typically: list our own Pages, post to our own Pages, read our own account details). We can revoke them at any time from each platform's developer or account settings, which immediately invalidates them on our side.

Per-Platform Permissions We Request

  • Facebook - public_profile, pages_show_list, pages_read_engagement, pages_manage_posts. Used to post to our own Page.
  • Instagram - instagram_business_basic, instagram_business_content_publish (via the Instagram API with Instagram Login). Used to post a single image and caption to our own Instagram professional account.
  • LinkedIn - w_member_social, w_organization_social, r_organization_admin. Used to post to our own Company Page.
  • X (Twitter) - tweet.read, tweet.write, users.read, offline.access. Used to post to our own account.
  • Pinterest - pins:write, boards:read, user_accounts:read. Used to create Pins on our own Business account.

Retention and Deletion

Encrypted access tokens are retained only for as long as the integration is connected. When we disconnect a platform from our admin panel, the corresponding token and any associated metadata are deleted from our database. Posts that have already been published on the platform are not retroactively deleted by disconnection — they remain on the platform until deleted manually through that platform's tools.

Limited Use

Data obtained through any social platform's API is used solely to publish our own blog and announcement content on our own brand accounts. We do not transfer this data to third parties, use it for advertising, or use it for any purpose unrelated to publishing.

Third-Party Service Providers

We use the following third-party services to provide our functionality:

  • Google - Authentication and Google Drive integration
  • OpenAI - AI-powered document analysis and extraction
  • Anthropic - AI-powered document analysis and AI Career Coach responses
  • Amazon Web Services - Cloud infrastructure and storage
  • Stripe - Payment processing
  • Meta (Facebook, Instagram) - Publishing our own blog content to our own brand Pages and Business account (see Social Media Publishing above)
  • LinkedIn - Publishing our own blog content to our own Company Page
  • X (Twitter) - Publishing our own blog content to our own brand account
  • Pinterest - Publishing our own blog content as Pins on our own Business account

Each provider processes only the minimum data necessary for their specific function and is bound by their respective privacy policies and our data processing agreements.

Data Security

We implement bank-level encryption and security measures to protect your documents. All data is encrypted in transit and at rest. We never share your documents with third parties without your explicit consent.

Your Rights

Under GDPR and CCPA, you have the right to:

  • Access your personal data
  • Request deletion of your data
  • Export your data
  • Opt out of data processing

Contact Us

If you have questions about this Privacy Policy, please contact us at admin@myprofvault.com.

Last updated: June 22, 2026