Security and data

What we store, how it is protected, and how to delete it.

This page answers the questions a security professional would ask before trusting us with sensitive career information. If you have a question this page does not answer, email us at [email protected].

How your data is stored

All user data is stored in a PostgreSQL database hosted by Supabase on AWS infrastructure. Your records are isolated by user ID using row-level security (RLS). No other user, including other Starting Monday subscribers, can query or access your data.

The database is not accessible from the public internet. All reads and writes go through authenticated server-side API routes. There is no direct database access from the client.

Encryption

  • At rest: AES-256 encryption, provided at the infrastructure level by Supabase and AWS. Every field in your profile, your company notes, and your career history is encrypted on disk.
  • In transit: TLS 1.2 or higher on all connections between your browser, our servers, and the database. There is no unencrypted channel.

Who can access your data

Your data is readable only by your authenticated session. No Starting Monday employee or founder has routine query access to individual user records. Database access requires authenticated credentials and is logged.

We have no data-sharing relationships with employers, executive search firms, staffing agencies, or recruiters. We do not sell leads. Your identity, your targets, and your activity are not visible to anyone outside your account.

AI generation and third parties

Starting Monday uses the Anthropic API to generate prep briefs, strategy documents, and briefings. When you generate a brief, the relevant context (your profile, company notes, and scan data) is transmitted to Anthropic for generation only.

Anthropic does not store your data for training purposes under our API agreement. The content you send is used to generate the response and is not retained by Anthropic beyond the request lifecycle.

No other third party receives your profile, notes, resume, or career data.

Authentication

Authentication is handled by Supabase Auth, served from auth.startingmonday.app. This is a custom domain over Supabase infrastructure. You will never see a supabase.co subdomain in an authentication flow from Starting Monday.

Sessions are JWT-based with configurable expiry. Tokens are stored in secure, HttpOnly cookies and are not accessible to JavaScript.

Deleting your data

You can delete your sensitive career context at any time from your profile page after signing in, using the "Delete sensitive notes" option. This clears your positioning summary, beyond-resume notes, and verified career history. Your account, email, and pipeline remain active.

To delete your account and all associated data permanently, go to Settings and use the account deletion option. All records are removed from our systems within 30 days.

What we do not do

  • We do not use your data to train or fine-tune AI models.
  • We do not sell or rent your data to any third party.
  • We do not share your identity, targets, or activity with employers, search firms, or recruiters.
  • We do not run advertising or analytics that track you across other sites.

AI governance and regulatory compliance

Senior executives at enterprise companies are fielding AI governance questions from their own boards and legal teams. Starting Monday processes career data that falls under these frameworks. Here is our position.

  • CCPA: California residents can request access to, correction of, or deletion of all personal data at any time. Use the account deletion option in Settings. We do not sell personal information and have never sold personal information.
  • EU AI Act: Starting Monday uses AI to generate career documents (prep briefs, outreach drafts, and strategy summaries). This is an assistive tool that produces draft output for human review. No automated decisions are made about users. All outputs are reviewed and acted on by the user, not by automated systems acting on their behalf.
  • Enterprise procurement: If your organization requires AI vendor documentation, a data processing agreement (DPA), or AI usage disclosure for procurement review, contact us at [email protected]. We provide these on request.
  • AI model choice: We use Anthropic Claude. Anthropic does not use API data to train models under our agreement. We chose Anthropic specifically because of how they handle data and because the model calibrates better to executive-level language than the alternatives.

Incident response

If we detect unauthorized access to your data, here is what we do and when.

  • We contain and investigate the incident within 24 hours of detection.
  • We notify affected users by email within 72 hours of confirming a breach. The notification includes: what data was accessed, when the incident occurred, what we have done to contain it, and what steps you can take.
  • We cooperate with law enforcement and provide required regulatory notifications under applicable law.

To report a suspected security vulnerability or incident, email [email protected] immediately. We respond to all security disclosures within one business day.

Questions

If you have a security question, a disclosure, or a data request, contact us directly at [email protected]. We respond to all security inquiries within one business day.