Privacy

What Hireposture collects, how we use it, and what we don't do

Last updated: 2026-04-27  ·  Status: v0.1 draft, employment-counsel review pending

Scope

This notice covers the Hireposture product at hireposture.com (and subdomains). It does not cover marketing channels such as social media accounts where the platform's own policies apply, or any third-party integration the customer chooses to enable.

What we collect

Three categories. Nothing else is collected by the product itself.

  • Account identity (via Microsoft Entra ID): email, display name, Entra object ID, and the timestamp of last sign-in. The Entra app registration requests only the openid, profile, email, and offline_access scopes. We do not request or store passwords.
  • Job descriptions you submit: the source text of every JD you submit for review, a SHA-256 hash of that text, and a timestamp. We treat these as customer data subject to the audit-trail retention rules below.
  • Operational telemetry: audit-trail rows recording each state-changing action (submit, triage, extraction, memo signing, trail export, billing event, member invitation), plus quota counters per workspace. No marketing analytics, no behavioral tracking pixels.

We do not collect: payment-card numbers (Stripe handles those directly; we receive only the customer ID and subscription status), browsing history outside hireposture.com, or any third-party identifier beyond what your IT administrator chooses to expose via Entra ID.

How we use it

  • To run the review pipeline you requested. JD source text is sent to Anthropic's API at extraction time; the response (findings) is stored.
  • To produce the timestamped record + audit trail, which is the product's output.
  • To send transactional notifications you triggered (audit complete, memo signed, team invitation).
  • To bill subscriptions and respond to webhook events from Stripe.

We do not use your data for any of the following:

  • Training Hireposture's rule library. Rules come from public source material (EEOC enforcement guidance, public consent decrees, JAN qualification-standards material), not from customer JDs.
  • Training third-party LLMs. Anthropic does not train on API customers' inputs by default; we don't opt in to any training program.
  • Cross-customer analysis or benchmarking. Each customer's data is scoped to their workspace and never aggregated across workspaces in customer-facing surfaces.
  • Marketing or remarketing. We don't share customer data with ad networks, data brokers, or analytics services beyond aggregate counts in our internal Mission Control dashboard.

Subprocessors

The product runs entirely on Microsoft Azure infrastructure (Central US region). The following third parties process specific narrow categories of data on our behalf:

| Subprocessor | What they receive | Purpose |
| --- | --- | --- |
| Microsoft Azure | All hosted data (DB, blobs, secrets, logs) | Hosting, storage, identity (Entra), email (ACS) |
| Anthropic | JD source text and the active rule library version, at extraction time | LLM-driven review pipeline (Haiku triage + Sonnet extraction) |
| Stripe | Email and subscription metadata at checkout time | Subscription billing + customer portal |

Adding a new subprocessor is a material change to this notice and will be reflected here before the change ships. Existing customers will be notified by email.

Retention

Audit trail rows and signed compliance memos are retained for a minimum of 7 years. The retention floor matches the EEOC charge-investigation period and is enforced at the database layer (the trail table's INSTEAD-OF-DELETE trigger blocks deletion of rows under 7 years old). This applies even after a workspace is cancelled — see /service-standards for the wind-down policy.

Submitted JD source text is retained alongside its audit row for the same 7-year minimum. Account identity records are retained while the workspace is active and for 90 days after cancellation, then deleted unless legal hold applies.

Your rights

  • Export: at any time, a workspace admin can download the full audit trail and audit summary CSVs from the workspace settings page. Memos are downloadable as PDF (signed) or markdown.
  • Account access: sign out at any time, change which Entra account you sign in with, or have a workspace admin remove you from the workspace.
  • Deletion: account-identity records are deleted on the schedule above. Audit trail rows are not deletable until 7 years old (defensible-record requirement). If you have a legitimate reason to require earlier deletion (e.g., regulatory request), email the address below.
  • Questions: integrity@startvest.ai for any privacy question. Monitored quarterly by external counsel.

Cookies and similar technologies

The site uses one essential cookie set: the NextAuth session cookie that keeps you signed in. We do not use marketing cookies, analytics cookies that track across sites, or third-party tracking pixels. Google Analytics is configured but only fires when an explicit measurement ID is provisioned by the operator; the production deployment may or may not have it enabled — see the source code for the current state.

Children

Hireposture is a product sold to employers. It is not directed at children, and we do not knowingly collect personal information from anyone under 16.

Changes

Material changes to this notice will be reflected here with an updated date. We'll email registered workspace admins for changes that affect data handling.

Trust framework

Hireposture is operated by Startvest LLC under the Startvest Trust Principles. The principles describe portfolio-wide commitments on independence, evidence chains, AI accountability, and pricing-rigor alignment. Product-specific implementation lives in our Integrity Statement.

Hireposture is an automated review tool. It is not legal advice and does not establish an attorney-client relationship. Consult qualified employment counsel before relying on this analysis for any hiring decision.