Privacy Policy
for Milliard Points Works LLC
Effective Date: February 11, 2026
Last Updated: February 11, 2026
Milliard Points Works LLC (“Company”, “we”, “us”, or “our”) operates the Milliard Points Works platform (the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our Service. Please read this Privacy Policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Service.
We reserve the right to make changes to this Privacy Policy at any time and for any reason. We will alert you about any changes by updating the “Last Updated” date of this Privacy Policy. You are encouraged to periodically review this Privacy Policy to stay informed of updates.
1. Information We Collect
We collect information that you provide directly to us, information that is collected automatically when you use the Service, and information from third-party sources.
1.1 Personal Information You Provide
Identity Information:
- Full name (first name and last name), email address, date of birth, gender, age range, race/ethnicity (voluntarily provided for EEO compliance purposes), and profile photograph.
Contact Information:
- Phone number, residential address (street, city, state, ZIP code), and email address.
Professional Information:
- Resume/CV documents; job preferences (desired job titles, locations, job types, employment types, industries, experience level); professional references (names, email addresses, phone numbers of up to three references); visa/immigration status; security clearance level; veteran status; cover letters and other application materials; work history and professional qualifications as contained in your resume.
Financial Information:
- Payment card type and last four digits (stored by Stripe; full card details are never stored on our servers); billing address; transaction history and payment records; subscription plan and billing cycle details.
Account Security Information:
- Password (stored as a one-way bcrypt hash; we never store your password in plain text); two-factor authentication (2FA) configuration data (encrypted TOTP secret); login history and failed authentication attempts.
Communication Data:
- In-platform messages between you and your assigned Specialist; chat conversations and attachments; customer support correspondence.
1.2 Information Collected Automatically
When you access the Service, we automatically collect:
- IP address; browser type and version; operating system; device type (desktop, mobile, tablet); device name; approximate geographic location (derived from IP address); session duration and timestamps; pages visited and features used; referring URLs and exit pages; user agent string.
1.3 Information from Third-Party Sources
- Email account profile information (name, email address, profile picture) when you connect your Gmail, Outlook, or Yahoo account via OAuth 2.0;
- Payment information from Stripe (transaction status, payment method type, card brand, last four digits);
- Verification results from Cloudflare Turnstile (human verification status);
- Job listing data from third-party job boards and aggregators.
1.4 Sensitive Personal Information
Certain information we collect may be classified as sensitive personal information under applicable law, including race/ethnicity, veteran status, immigration/visa status, and security clearance information. This information is collected solely to assist with your job applications where employers require or request such information for equal employment opportunity (EEO) compliance. Providing this information is entirely voluntary.
2. How We Collect Information
- Direct Collection: Information you provide when creating an account, completing onboarding, uploading documents, filling out your profile, or communicating through the platform;
- Automated Collection: Information collected automatically through cookies, session tokens, server logs, and similar technologies;
- OAuth Integrations: Information received from email providers (Google, Microsoft, Yahoo) when you authorize email account access;
- Third-Party APIs: Information received from Stripe for payment processing and from job listing aggregators for job matching;
- Human Verification: Verification data from Cloudflare Turnstile during account registration.
3. How We Use Your Information
Service Delivery: Creating and managing your account; processing onboarding; matching you with a dedicated Specialist; scraping and matching job listings; facilitating job applications; generating AI-optimized resumes and cover letters; managing email correspondence; enabling in-platform messaging.
Payment Processing: Processing subscription payments; handling refunds and disputes; maintaining transaction records and invoices.
Security and Fraud Prevention: Authenticating your identity; detecting and preventing fraud; enforcing rate limits; monitoring for anomalous activity; maintaining audit logs; implementing CSRF protection.
Communications: Sending transactional emails (verification, password resets, payment confirmations); service notifications; optional marketing communications (subject to your preferences); responding to support requests.
Service Improvement: Analyzing usage patterns; improving AI models using anonymized, aggregated data; monitoring performance and reliability; conducting internal analytics.
Legal Compliance: Complying with applicable laws and regulations; responding to lawful governmental requests; enforcing our Terms and Conditions; protecting our rights, privacy, safety, or property.
4. Legal Bases for Processing (GDPR)
If you are located in the EEA, UK, or Switzerland, our legal bases for processing include:
- Contractual Necessity: Processing necessary to perform our contract with you (providing the Service, managing subscriptions, facilitating job applications);
- Legitimate Interests: Processing necessary for our legitimate business interests (improving the Service, preventing fraud, ensuring security) that are not overridden by your rights;
- Consent: Processing based on your explicit consent (connecting email accounts, receiving marketing communications, providing sensitive personal information);
- Legal Obligation: Processing necessary to comply with a legal obligation (tax reporting, responding to lawful government requests).
5. Disclosure of Your Information
5.1 With Service Providers
We share your information with third-party service providers who perform services on our behalf, subject to contractual obligations to protect your information.
5.2 With Your Assigned Specialist
When matched with a Specialist, they will have access to your profile information, job preferences, resume, and communication history as necessary to provide the Service. Specialists are bound by confidentiality obligations.
5.3 With Employers (Indirectly)
When your Specialist applies to jobs on your behalf, information from your resume, cover letter, and application materials will be submitted to prospective employers.
5.4 For Legal Reasons
We may disclose your information to comply with legal obligations or court orders, protect the Company’s rights or property, prevent wrongdoing, protect personal safety, or protect against legal liability.
5.5 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice of any change in ownership.
5.6 With Your Consent
We may disclose your information for any other purpose with your explicit consent.
5.7 No Sale of Personal Information
We do not sell, rent, or lease your personal information to third parties. We do not share your personal information with third parties for their direct marketing purposes.
6. Third-Party Service Providers
We engage the following third-party service providers. Each provider receives only the minimum information necessary to perform their function:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Email, payment method, billing address, transaction amounts |
| Google (Gmail OAuth) | Email integration | OAuth tokens; Google shares profile info (name, email, picture) |
| Microsoft (Outlook OAuth) | Email integration | OAuth tokens; Microsoft shares profile info |
| Yahoo (OAuth) | Email integration | OAuth tokens; Yahoo shares profile info |
| Anthropic (Claude AI) | AI resume optimization, cover letter generation | Resume content, job descriptions, preferences |
| AWS S3 | File storage | Resume files, optimized documents, attachments |
| Resend | Transactional email delivery | Email address, email content (verification, notifications) |
| Cloudflare | Security, human verification | IP address, browser fingerprint (for Turnstile verification) |
| Railway | Application and database hosting | All data stored in the database (encrypted at rest) |
| Redis (hosted) | Caching, rate limiting | Session tokens, rate limit counters, cached queries |
7. Email Account Integration and Google API Compliance
7.1 Email Account Access
When you connect an email account, we use OAuth 2.0 to obtain access tokens. We request only the minimum permissions (scopes) necessary to send emails on your behalf and manage job application correspondence.
7.2 Google API Services User Data Policy Compliance
Our use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only use Google user data to provide and improve the job application features of the Service;
- We do not use Google user data for advertising purposes;
- We do not allow humans to read your Gmail content unless: (a) you have given us affirmative consent, (b) it is necessary for security purposes, (c) it is necessary to comply with applicable law, or (d) the data has been aggregated and anonymized;
- We do not transfer Google user data to third parties except as necessary to provide the Service, as required by law, or as part of a merger/acquisition with adequate data protection provisions;
- We store Google OAuth tokens encrypted at rest and transmit them only over secure (TLS) connections;
- Users can revoke access to their Google account at any time through the Service’s settings or through Google’s security settings.
7.3 Token Security
All OAuth access tokens and refresh tokens are encrypted using industry-standard encryption before being stored in our database. Tokens are only decrypted when needed to make authorized API calls on your behalf. When you disconnect an email account, all associated tokens are immediately and permanently deleted.
7.4 Email Content
We do not store the full content of your emails on our servers beyond what is necessary for display within the Service. Email metadata (sender, subject, date) may be cached temporarily for performance purposes.
8. Artificial Intelligence Data Processing
8.1 Data Sent to AI Providers
To provide AI-powered features, we transmit relevant portions of your data to Anthropic’s Claude AI API. This includes resume content, job descriptions, and job preferences. This data is transmitted over encrypted connections (TLS).
8.2 AI Training
The Company does not use your personal data to train AI models. Anthropic’s commercial API terms state that data submitted through the API is not used to train their models. We may use anonymized, aggregated data to improve our AI prompts and optimization strategies.
8.3 AI-Generated Content
Content generated by AI is stored on our servers and associated with your account. You retain ownership of AI-generated content as described in our Terms and Conditions.
9. Cookies and Tracking Technologies
9.1 Types of Cookies We Use
Strictly Necessary Cookies:
- Session cookie (next-auth.session-token) — Required for user authentication and maintaining your logged-in state;
- CSRF token cookie (__Host-csrf-token in production, csrf-token in development) — Required for protection against cross-site request forgery attacks;
- Callback URL cookie (next-auth.callback-url) — Required for authentication redirect handling.
Functional Cookies:
- Theme preference — Stores your light/dark mode preference;
- Language preference — Stores your selected language;
- Sidebar state — Remembers your navigation sidebar preference.
9.2 Third-Party Cookies
Cloudflare Turnstile may set cookies for human verification during account registration. We do not use third-party advertising cookies or analytics tracking cookies.
9.3 Managing Cookies
You can manage cookie preferences through your browser settings. Disabling strictly necessary cookies may prevent you from using the Service.
10. Data Storage and Security
10.1 Data Storage Location
Your data is stored on servers provided by Railway (database hosting) and Amazon Web Services (file storage), located in the United States. All data is encrypted at rest and in transit.
10.2 Security Measures
- Encryption at rest: All sensitive data, including OAuth tokens and 2FA secrets, is encrypted before storage;
- Encryption in transit: All data uses TLS (HTTPS) encryption;
- Password hashing: Passwords are hashed using bcrypt with appropriate salt rounds;
- CSRF protection: Double Submit Cookie pattern protects against cross-site request forgery;
- Rate limiting: API endpoints are rate-limited to prevent brute-force attacks;
- Content Security Policy (CSP): Strict CSP headers prevent cross-site scripting (XSS) attacks;
- Input validation: All user inputs are validated and sanitized using Zod schemas;
- Session management: Sessions are tracked with device fingerprinting and can be revoked remotely;
- Two-factor authentication: Optional TOTP-based 2FA for all accounts;
- Account lockout: Temporary lockout after multiple failed login attempts;
- Security audit logging: All security-relevant events are logged;
- Anomaly detection: Automated monitoring for suspicious account activity.
11. Data Retention
11.1 Retention Periods
- Account data: Duration of your account plus thirty (30) days after deletion;
- Resumes and documents: Duration of your account; deleted within thirty (30) days of account deletion;
- Payment records: Seven (7) years for tax and legal compliance;
- Activity and security logs: Twelve (12) months from the date of the event;
- Session data: Automatically purged when sessions expire or are revoked;
- OAuth tokens: Immediately deleted when you disconnect an email account or delete your account;
- AI processing logs: Ninety (90) days for debugging and quality assurance;
- Email content cache: Purged automatically; not retained beyond the active session.
11.2 Account Deletion
You may request deletion through your account settings. We will delete or anonymize your personal data within thirty (30) days, except for legally required retention (e.g., payment records). Backups may persist for up to ninety (90) days before purging.
12. Your Privacy Rights
Depending on your location and applicable law, you may have the following rights:
- Right to Access: Request a copy of your personal data;
- Right to Rectification: Request correction of inaccurate or incomplete data;
- Right to Erasure: Request deletion of your personal data;
- Right to Data Portability: Receive your data in a structured, machine-readable format;
- Right to Restrict Processing: Request restriction of processing in certain circumstances;
- Right to Object: Object to processing based on legitimate interests;
- Right to Withdraw Consent: Withdraw consent at any time where processing is consent-based;
- Right to Non-Discrimination: You will not be discriminated against for exercising your rights.
To exercise any of these rights, contact privacy@milliardpointsworks.com. We will respond within thirty (30) days.
13. California Privacy Rights (CCPA/CPRA)
13.1 Categories of Information Collected
In the preceding twelve (12) months, we have collected: identifiers (name, email, phone, IP address); personal information under Cal. Civ. Code 1798.80; characteristics of protected classifications (voluntarily provided); commercial information (subscription records, payment history); internet activity (browsing history, session data); professional information (resumes, job preferences); and sensitive personal information (voluntarily provided for EEO purposes).
13.2 Your California Rights
- Right to Know: Request disclosure of categories and specific pieces of personal information collected;
- Right to Delete: Request deletion of personal information;
- Right to Correct: Request correction of inaccurate personal information;
- Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information as defined by the CCPA/CPRA;
- Right to Limit Use of Sensitive Personal Information: Limit the use and disclosure of sensitive personal information.
13.3 Non-Discrimination
We will not discriminate against you for exercising any of your CCPA/CPRA rights.
13.4 Authorized Agent
You may designate an authorized agent to make requests on your behalf. You must provide the agent with written permission, and we may require direct identity verification.
14. European Economic Area Rights (GDPR)
If you are located in the EEA, UK, or Switzerland, you have additional rights under the GDPR:
- All rights listed in Section 12;
- Right to Lodge a Complaint: File a complaint with your local Data Protection Authority (DPA);
- Data Protection Officer: Contact our privacy team at privacy@milliardpointsworks.com;
- International Transfers: If your data is transferred outside the EEA, we ensure adequate safeguards as described in Section 16.
15. Children’s Privacy
The Service is not directed to individuals under the age of eighteen (18). We do not knowingly collect personal information from children under 18. If we become aware that a child under 18 has provided us with personal information, we will delete it immediately. If you are a parent or guardian and believe your child has provided us with personal information, contact privacy@milliardpointsworks.com.
16. International Data Transfers
Your information may be transferred to and maintained on servers located outside your jurisdiction. If you are located outside the United States, please note that we transfer data to the United States and process it there. For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs), adequacy decisions, or other lawful transfer mechanisms.
17. Do Not Track Signals
The Service does not currently respond to “Do Not Track” (DNT) browser signals. However, we do not use third-party advertising cookies or analytics tracking cookies. Our data collection practices remain the same regardless of DNT settings.
18. Links to Third-Party Websites
The Service may contain links to third-party websites, including job listing pages. These have their own privacy policies, and we have no responsibility for their content, activities, or privacy practices.
19. Data Breach Notification
In the event of a data breach that compromises your personal information, we will:
- Investigate the breach and take immediate steps to contain it;
- Notify affected users via email within seventy-two (72) hours of becoming aware of the breach, or as required by applicable law;
- Provide a description of the nature of the breach, the types of data affected, and measures taken;
- Notify the relevant supervisory authority (if applicable under GDPR) within seventy-two (72) hours;
- Offer appropriate remediation measures;
- Document the breach and our response for compliance purposes.
20. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new Privacy Policy and updating the “Last Updated” date. For material changes, we will provide at least thirty (30) days’ notice via email or in-app notification.
21. Contact Information
If you have questions, concerns, or complaints about this Privacy Policy, our data practices, or your privacy rights, please contact us:
Milliard Points Works
Milliard Points Works LLC
6608 N Western Ave, #1359, Oklahoma City, OK 73116
Privacy Email: privacy@milliardpointsworks.com
Website: https://milliardpointsworks.com