Prototype privacy boundary
Privacy Notice
This page describes the current CVPortal / ChatMyApp prototype behavior. It is a product placeholder for deployment review and should be reviewed by counsel before a commercial launch.
What this product is
CVPortal helps a candidate gather career evidence, review it, and publish role-specific dossier spaces for hiring managers or recruiting agents. The Patrick Kelly workspace is the seed implementation.
Information handled
- Candidate workspace records such as profile details, sources, claims, artifacts, interview answers, and dossier spaces.
- Uploaded files such as resumes, PDFs, screenshots, images, headshots, and project notes.
- Generated access-link metadata such as source label, recipient label, status, use count, expiry, and last-used time.
- Interaction metadata such as resume source, timestamp, broad question category, message length, model status, hashed session, and hashed client identity.
- Redacted workspace export metadata such as inventory counts, review status, analytics summaries, audit events, billing posture, and explicit omission flags.
What is not stored by default
- Raw hiring-manager chat transcripts are not stored by default; if transcript capture is enabled, visitors or recruiting agents must opt in unless that consent guard is deliberately disabled by the operator. Expired raw transcripts can be purged through a private operator command whose report exposes counts only.
- Raw access codes are not stored in generated workspace access links; the workspace stores HMAC hashes.
- Candidate-visible analytics omit session hashes, IP hashes, raw transcripts, request bodies, and credential material.
- Candidate workspace data exports omit raw workspace JSON, registered source URLs, raw evidence bodies, prompt and answer text, access-code hashes, object keys, storage paths, local paths, vectors, and credentials.
- Public dossier and agent endpoints do not expose private-review records, object keys, storage paths, or private upload internals.
Published dossier boundary
Public hiring-manager and agent-readable surfaces may retrieve only reviewed evidence marked public-safe, generalized, or published. Private-review uploads, draft claims, off-limits material, protected records, credentials, private production configuration, and trade-secret implementation detail are outside the published agent boundary.
Visitor guidance
Do not enter confidential, sensitive, protected, or proprietary information into the hiring-manager chat. Treat access links and QR URLs as bearer credentials. Anyone with a valid access code may reach the gated dossier until the candidate revokes the link or the link expires.
Candidate controls
The candidate workspace can review, edit, approve, generalize, reject, or keep evidence private before it becomes visible in a published dossier. Workspace write, private search, upload, analytics, and audit APIs require candidate workspace authorization. The authenticated workspace also exposes a redacted data export so the candidate can inspect stored categories, review posture, analytics, audit, and billing metadata without downloading bearer material or raw private evidence bodies.
Prototype status
The local prototype is not yet production SaaS. A hosted launch should use managed identity, durable database storage, private object storage, secure cookies, production secrets, backups, monitoring, and completed legal review.