Privacy Policy
Last updated: 28 March 2026
Table of Contents
- Who We Are
- What Data We Collect
- Why We Collect Your Data
- Legal Bases for Processing
- How We Store Your Data
- AI and Automated Data Processing
- Messaging Channel Integration
- Third-Party Services and Sub-Processors
- International Data Transfers
- Cookies and Tracking
- Your Rights (UK/EEA Residents)
- Your Rights (US Residents)
- How to Exercise Your Rights
- Data Retention
- Data Security and Breach Notification
- Children's Privacy
- Changes to This Policy
- Contact Us
1. Who We Are
Katalyst is a web platform operated at getkatalyst.dev. We provide tools for job seekers and freelancers, including an AI-powered CV/resume builder, job application tracker, interview preparation tools, invoice generator, expense tracker, tax calculator, and proposal generator.
For the purposes of applicable data protection laws, including the UK GDPR, EU GDPR, and the Data Protection Act 2018, Katalyst is the data controller responsible for your personal data.
2. What Data We Collect
We collect and process the following categories of personal data:
Account Information
- Name, email address, and profile picture, provided when you create an account via our authentication provider (Clerk)
CV/Resume and Career Data
- Personal details you enter into your CV/resume (name, address, phone number, professional links)
- Work experience, education history, skills, and certifications
- Cover letters and professional summaries
Job Application Data
- Companies and roles you are tracking, application status, and interview notes
- STAR stories and interview preparation materials
Financial and Business Data
- Invoice details, expense records, client contact information, and proposal content
- Bank details for display on your invoices (sort code/routing number, account number, account name)
- Business name, address, VAT/Tax number, and related settings
AI Usage Data
- Content sent to our AI features (such as CV/resume bullet points, job descriptions, and proposal briefs) in order to generate suggestions
- Usage counts and feature usage records
Usage Analytics
- Pages visited, features used, and interactions within the platform, collected via PostHog analytics
Payment Information
- Payment processing is managed entirely by Stripe. We never see, receive, or store your payment card numbers. Stripe provides us with your subscription status, billing email, and transaction history.
3. Why We Collect Your Data
We process your personal data for the following purposes:
- To provide the service: Creating and storing your CVs/resumes, tracking job applications, generating invoices, managing expenses, and all other platform functionality
- To provide AI features: Sending relevant content to our AI providers (Anthropic and OpenAI) to generate suggestions, enhancements, analysis, and voice transcription
- To provide the AI Agent: Processing messages you send via Telegram, WhatsApp, or Slack to provide conversational access to your Katalyst data including job applications, invoices, expenses, and interview preparation
- To process payments: Managing your subscription, processing upgrades and cancellations via Stripe
- To improve the product: Understanding how features are used so we can make the platform better
- To communicate with you: Sending account-related emails such as invoice delivery, payment reminders, billing confirmations, security alerts, and service updates
- To provide proactive notifications: Alerting you when clients view your invoices or proposals, when invoices become overdue, and sending daily briefings and job matches if you have opted in
- To send marketing communications: Only if you have explicitly opted in, and you can unsubscribe at any time
- To ensure platform safety: Screening messages for harmful content, detecting abuse, and enforcing rate limits to protect all users
4. Legal Bases for Processing
We process your personal data under the following lawful bases as defined by the UK GDPR, EU GDPR, and the Data Protection Act 2018:
- Performance of a contract (Article 6(1)(b)): Processing necessary to provide you with the Katalyst service you signed up for, including CV building, job tracking, invoicing, AI features, and the AI Agent
- Legitimate interests (Article 6(1)(f)): Improving the platform, preventing fraud and abuse, content moderation to maintain platform safety, and ensuring system security. We have conducted legitimate interest assessments to ensure these interests do not override your fundamental rights
- Consent (Article 6(1)(a)): Marketing communications via MailerLite (opt-in only), analytics data collection via PostHog (opt-in via cookie consent), and connecting messaging channels to the AI Agent
- Legal obligation (Article 6(1)(c)): Retaining transaction records as required by applicable tax and financial regulations
For US residents, we process data as described in Section 12 of this policy, which covers rights under the California Consumer Privacy Act (CCPA) and other US state privacy laws.
5. How We Store Your Data
- Your data is stored in Supabase (PostgreSQL database) with servers located in the European Union
- All data is encrypted at rest and in transit using TLS 1.2 or higher
- Bank details stored for invoice display are additionally encrypted at the application level using AES-256 encryption
- Row Level Security (RLS) is enforced at the database level, ensuring that users can only ever access their own data
- Payment card data is handled entirely by Stripe, which is PCI DSS Level 1 compliant, the highest level of payment security certification
- We do not store passwords. Authentication is handled by Clerk using industry-standard security practices
6. AI and Automated Data Processing
Katalyst uses artificial intelligence to provide core features. It is important that you understand exactly what data is processed by AI systems, how it is handled, and your rights in relation to automated processing.
What Data Is Sent to AI Providers
- CV/Resume content: When you use features such as bullet point enhancement, summary generation, ATS checking, job matching, CV tailoring, and cover letter generation, the relevant sections of your CV data are sent to Anthropic's Claude API for processing
- Job descriptions: When you match your CV against a job or generate interview preparation materials, the job description text is sent to the AI
- Financial data (limited): Tax insight features send aggregated income and expense totals (not individual transaction details). Proposal and invoice reminder features send document-level information (client name, amounts, dates) but not bank details or payment card information
- Conversation messages: Messages you send via the AI Agent (Telegram, WhatsApp, or Slack) are processed by Anthropic's Claude API to generate responses. A limited conversation history (up to 6 recent messages) is included for context
- Voice messages: Voice messages sent via messaging channels are transcribed using OpenAI's Whisper API. The audio data is sent to OpenAI for transcription only and is not stored by OpenAI after processing
- Receipt images: Photos of receipts sent via messaging channels are processed by Anthropic's Claude Vision API to extract vendor, amount, date, and category information
How AI Providers Handle Your Data
- Anthropic (Claude): Per Anthropic's API terms, data sent via the API is not used to train their AI models. Anthropic may retain API inputs and outputs for up to 30 days for trust and safety purposes (abuse detection), after which it is deleted. Full details are available in Anthropic's Privacy Policy
- OpenAI (Whisper): Per OpenAI's API data usage policy, data sent via the API is not used to train their models. OpenAI may retain API data for up to 30 days for abuse monitoring. Full details are available in OpenAI's Privacy Policy
What Is NOT Sent to AI Providers
- Bank account details, sort codes, or routing numbers
- Payment card information (handled exclusively by Stripe)
- Authentication credentials or passwords
- Other users' data (each user's data is strictly isolated)
Content Moderation
All messages sent to the AI Agent are screened for harmful content (violence, threats, illegal activity) and prompt injection attempts before being processed. Flagged messages are logged for administrative review to ensure platform safety. This screening is performed locally on our servers and does not involve sharing flagged content with third parties.
Your Rights Regarding Automated Processing
Under Article 22 of the GDPR, you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Katalyst's AI features provide suggestions and assistance only. They do not make automated decisions about your employment, creditworthiness, or any other matter with legal effect. All AI-generated content (CV suggestions, interview tips, tax estimates) requires your review and approval before use. Tax calculations and financial estimates are provided for informational purposes only and should not be relied upon as professional financial or tax advice.
7. Messaging Channel Integration
Katalyst offers an AI Agent accessible via Telegram, WhatsApp, and Slack. When you connect a messaging channel:
- Account linking: We store your messaging platform user ID (not your phone number or account password) to link your messaging account to your Katalyst account
- Message processing: Messages you send to the Katalyst bot are received by our servers, processed by our AI systems, and a response is sent back. We store a limited conversation history (up to 30 days) for context in subsequent interactions
- Notifications: If you enable notifications, we may send proactive messages to your connected channels (e.g., invoice viewed alerts, daily briefings, job matches). You can disable these in your Agent settings
- Voice and image messages: Voice messages are transcribed via OpenAI Whisper. Images are analysed via Claude Vision for receipt processing. The original media files are not permanently stored on our servers after processing
- Disconnecting: You can disconnect any messaging channel at any time from your Settings page. Disconnecting stops all message processing and notifications for that channel. Conversation history is retained for 30 days after disconnection, then automatically deleted
Each messaging platform has its own privacy policy governing how they handle your data on their infrastructure: Telegram, WhatsApp, Slack. We are not responsible for the data practices of these third-party platforms.
8. Third-Party Services and Sub-Processors
We use the following third-party services (sub-processors) to operate Katalyst. Each service only receives the minimum data necessary to perform its function. We have Data Processing Agreements (DPAs) or equivalent contractual protections in place with each sub-processor where required by law:
- Clerk (authentication, USA) processes your name, email address, and profile picture to manage your account and sign-in sessions. Standard Contractual Clauses (SCCs) apply for EU/UK transfers
- Supabase (database, EU) stores all application data including CVs, invoices, expenses, and job applications. Hosted in the European Union. Row Level Security enforced at database level
- Stripe (payments, USA) processes payment card details and billing address for subscription payments. PCI DSS Level 1 compliant. We never receive or store payment card numbers
- Anthropic (AI processing, USA) processes CV/resume content, job descriptions, conversation messages, and receipt images via the Claude API. API data is not used for model training. Data may be retained up to 30 days for trust and safety monitoring
- OpenAI (voice transcription, USA) processes voice messages via the Whisper API for speech-to-text conversion. API data is not used for model training. Data may be retained up to 30 days for abuse monitoring
- Adzuna (job search, UK) receives keyword and location search queries for the Job Scout feature. Only search terms and location preferences are sent to Adzuna, never personal data
- Resend (transactional email, USA) processes recipient email addresses and email content for invoice delivery, payment reminders, and proposal sending
- PostHog (analytics, EU) receives anonymised usage data to help us understand how features are used. Hosted in the EU. Only activated with your consent via cookie banner
- Vercel (hosting, USA/EU) serves the application and handles web requests. Application logic runs in serverless functions
- MailerLite (email marketing, EU) receives your email address only if you explicitly opt in to marketing communications. Hosted in the EU
- Telegram, WhatsApp (Meta), Slack (messaging platforms): if you connect your messaging account to the AI Agent, messages are transmitted via these platforms. We receive and process messages on our servers. Each platform has its own privacy policy governing message delivery infrastructure
9. International Data Transfers
Your data is primarily stored in the European Union (Supabase, PostHog, MailerLite). However, some of our sub-processors are based in the United States (Anthropic, OpenAI, Clerk, Stripe, Vercel, Resend). When your data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We rely on EU/UK-approved Standard Contractual Clauses with US-based sub-processors to ensure an adequate level of data protection
- UK Addendum: Where applicable, we use the UK International Data Transfer Addendum to the EU SCCs, as approved by the Information Commissioner's Office (ICO)
- Data minimisation: We only transfer the minimum data necessary for each service to function. For example, AI providers receive specific content for processing, not your entire account data
You can request information about the specific safeguards applied to transfers of your data by contacting us at the address below.
10. Cookies and Tracking
We use a minimal number of cookies:
Essential Cookies
- Clerk session cookies: required for authentication and keeping you signed in. These cannot be disabled as they are necessary for the service to function.
Analytics Cookies
- PostHog: used to collect anonymised usage data. These are optional and can be declined via our cookie consent banner. If you decline, no analytics cookies are set and no usage data is collected.
We do not use advertising cookies. We do not use third-party tracking cookies. We do not sell or share your data with advertisers.
11. Your Rights (UK/EEA Residents)
Under the UK GDPR, EU GDPR, and the Data Protection Act 2018, you have the following rights:
- Right of access: you can download a copy of all your personal data at any time from your Settings page
- Right to rectification: you can edit and update your personal data at any time within the platform
- Right to erasure: you can delete your account from your Settings page. This permanently and immediately removes all of your data from our systems
- Right to data portability: you can export all of your data in JSON format from your Settings page
- Right to object: you can opt out of analytics data collection via the cookie consent settings
- Right to restrict processing: you can request that we restrict the processing of your data by contacting us
- Right to withdraw consent: where we rely on your consent (such as marketing emails or analytics), you can withdraw that consent at any time by updating your preferences
12. Your Rights (US Residents)
If you are a resident of California, Virginia, Colorado, Connecticut, Utah, or other US states with consumer privacy laws, you have additional rights:
- Right to know: You may request information about what personal data we collect, the purposes of collection, the categories of third parties with whom we share it, and the specific data we hold about you
- Right to delete: You may request deletion of your personal data, subject to certain legal exceptions
- Right to opt out of sale: We do not sell your personal data to third parties. We do not share your personal data for cross-context behavioural advertising
- Right to non-discrimination: We will not discriminate against you for exercising any of your privacy rights
- Right to correct: You may request correction of inaccurate personal data
Categories of data collected: Identifiers (name, email), commercial information (invoices, expenses), professional information (CV data, job applications), internet activity (usage analytics), and inferences drawn from the above (AI-generated suggestions).
Do Not Track: We respect browser Do Not Track signals. When a Do Not Track signal is detected, we disable optional analytics tracking.
13. How to Exercise Your Rights
Most rights can be exercised directly within the platform:
- Download your data: Go to Settings and click "Download My Data"
- Delete your account: Go to Settings and click "Delete My Account". This will permanently delete all your data, cancel any active subscription, and remove your authentication account
- Update your information: Edit your details directly in the relevant section of the platform
For any other requests, or if you need assistance, contact us at support@getkatalyst.dev. We will respond to your request within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
14. Data Retention
We retain your personal data for as long as your account is active and you continue to use the service. Specific retention periods:
- Account data: Retained until you delete your account. When you delete your account, all data is permanently and immediately removed from our database. We do not soft-delete or archive your data
- AI Agent conversation history: Automatically deleted after 30 days. Used only to provide context for ongoing conversations
- AI processing data: Anthropic and OpenAI may retain API inputs/outputs for up to 30 days for trust and safety purposes, after which it is deleted per their respective policies
- Payment records: Stripe retains transaction records in accordance with their own policies and applicable financial regulations
- Activity logs: Internal usage logs are retained for up to 12 months for platform security and abuse prevention, then automatically purged
15. Data Security and Breach Notification
We implement appropriate technical and organisational measures to protect your personal data:
- All data encrypted in transit (TLS 1.2+) and at rest
- Bank details additionally encrypted at application level using AES-256-GCM
- Row Level Security (RLS) at database level preventing cross-user data access
- Content moderation and prompt injection detection on all AI Agent inputs
- Per-user rate limiting to prevent abuse
- Webhook signature verification on all external service integrations
- No storage of passwords (delegated to Clerk)
- No storage of payment card data (delegated to Stripe, PCI DSS Level 1)
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority (the ICO for UK residents) within 72 hours of becoming aware of the breach, as required by Article 33 of the UK GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by Article 34.
16. Children's Privacy
Katalyst is not intended for use by children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information as quickly as possible. If you believe a child under 16 has provided us with personal data, please contact us at support@getkatalyst.dev.
17. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons. If we make significant changes, we will notify you by email or through a prominent notice within the platform. The "Last updated" date at the top of this page indicates when the policy was last revised. We encourage you to review this policy periodically.
18. Contact Us
If you have any questions about this privacy policy or how we handle your personal data, please contact us:
- Email: support@getkatalyst.dev
- Website: getkatalyst.dev