Privacy Policy

What Autern does

Autern helps individual students write and send personalised internship application emails to specific hiring managers and founders. Each message is personal, non-commercial correspondence asking about an internship opportunity. We use AI to generate email drafts based on information you provide about yourself and your recipients.

What data we collect

• Your name, university, course, and year (entered by you in your profile)
• Your CV highlights (extracted from your uploaded CV, used only to personalise email drafts)
• Recipient details you enter (name, company, role, email address)
• Your Google account email address (used to identify your account)
• Gmail OAuth tokens if you choose to connect an outreach email account

Gmail access

If you connect a Gmail account, Autern requests the gmail.send and gmail.metadata scopes. This means:

• We can send emails on your behalf
• We can read email metadata (subject lines and sender addresses) to detect replies to your outreach
• We cannot read, view, or access the body of any emails in your inbox
• We cannot delete emails or access any other part of your Google account
• You can disconnect at any time from the Accounts page or from your Google account settings

OAuth tokens are encrypted before being stored in our database.

Sharing and disclosure of Google user data

"Google user data" means any data Autern receives from Google APIs, including Gmail message metadata, the contents of emails you send through Autern, and your OAuth access and refresh tokens.

We do not sell, rent, or share Google user data with any third party, with the following narrow exceptions:

• Service providers strictly necessary to deliver the feature you are using: Supabase (encrypted storage of OAuth tokens and email send records) and Vercel (hosting the server code that calls the Gmail API on your behalf). These providers act as data processors and are contractually prohibited from using your data for their own purposes.
• To comply with applicable law, regulation, legal process, or enforceable governmental request.
• To investigate and prevent security incidents, fraud, or abuse of the Autern service, where strictly necessary.
• With your explicit consent for any other purpose, communicated to you in advance.

We do not:

• Transfer Google user data to advertisers, data brokers, or information resellers
• Use Google user data for serving advertisements, including retargeting or personalised ads
• Use Google user data to develop, improve, or train generalised or large language models (we do not send Gmail content to Anthropic or any other AI provider)
• Allow humans at Autern to read your Gmail data, except where strictly necessary for security purposes (investigating abuse), to comply with applicable law, or where you have given us explicit consent for specific messages

How we protect your data

We apply the following safeguards to protect sensitive data, including Google user data, CV content, and account credentials:

• Encryption in transit: all traffic between your browser, Autern's servers, and third-party APIs is encrypted using TLS 1.2 or higher.
• Encryption at rest: Gmail OAuth access and refresh tokens are encrypted with AES-256-GCM before being written to our database. Our underlying database (Supabase Postgres) is additionally encrypted at rest by the provider.
• Access controls: our database enforces Row Level Security so each user can only access their own records. Service-role keys with elevated access are stored as server-side environment variables and are never exposed to the browser.
• Authentication: users sign in with Google OAuth. Autern never sees or stores your Google password.
• Minimum scope: we request the smallest set of Gmail scopes that allow the feature to work (gmail.send and gmail.metadata), and we never request scopes that would let us read the body of your emails.
• Internal access: access to production systems is limited to authorised Autern personnel and is used only for support, debugging, or security purposes. We do not browse user data for any other reason.
• Error monitoring: our error monitoring provider (Sentry) is configured to receive stack traces and request URLs only. We do not send email bodies, CV text, or auth tokens to Sentry.
• Token revocation: when you disconnect your Gmail account, your stored OAuth tokens are deleted from our database and the underlying Google grant is revoked.
• Incident response: if we become aware of a security incident affecting your data, we will notify affected users and the appropriate authorities as required by applicable law.

How we use your data

• To generate personalised email drafts using AI
• To send emails via Gmail on your behalf when you choose to use that feature
• We do not sell your data to any third party
• We do not use your data to train AI models

Third-party services

• Supabase - database and authentication
• Anthropic - AI email generation (your CV highlights and recipient details are sent to Anthropic's API)
• Google - sign-in and Gmail sending
• Vercel - hosting
• Sentry - error monitoring (stack traces and request URLs only; we do not send Sentry your email body, CV text, or auth tokens)
• PostHog - product analytics (page views and product events keyed by an opaque user id; we do not send PostHog your email address or email content)
• Resend - transactional email for Pro plan applications you submit
• Jina AI - reads public company webpages so we can ground the email draft (only the URL you enter, nothing about you)

Data retention and deletion

You can delete your account and all associated data at any time by contacting us. Disconnecting a Gmail account immediately removes the stored tokens from our database.

Contact

For any privacy questions or deletion requests, email us at support.autern@gmail.com.