Privacy Policy
This Privacy Policy describes how HexWarden Labs LLC (“HexWarden,” “we”) collects, uses, and shares information in connection with the Curevue pay-transparency monitoring service (the “Service”). Curevue is a business-to-business service. Our customers are employers. The personal information we process is limited to what is necessary to deliver compliance monitoring to those employers.
Information we collect
Account data. When you create an account, request an audit, or contact us, we collect your name, work email address, company, and any notes you provide. When you subscribe to a paid tier, Stripe collects your payment information; we receive a tokenized reference and billing metadata, not your full payment card number.
Scan-target data. You tell us which URLs, career sites, applicant-tracking systems, and job-board listings to monitor. We store those targets, authority attestations, and any associated metadata you supply.
Scanned content. Our scanner fetches the visible contents of the postings you authorize. This may incidentally include the names of recruiters or hiring managers where those names appear in the posting itself. We do not collect applicant data, candidate resumes, or any content behind authentication unless you provide API credentials for an authorized integration.
Usage and diagnostic data. We log standard server events (request timestamps, IP addresses, user-agent strings, response codes) and product events (login, scan initiation, report download) necessary to operate and secure the Service.
Marketing-site analytics. The Curevue marketing site collects minimal, privacy-respecting analytics to understand aggregate traffic. We do not run advertising retargeting pixels on our public pages.
How we use information
We use the information described in §1 to: operate the Service and deliver the scans and reports you request; authenticate users and secure accounts; send transactional email (scan results, cure-window alerts, billing receipts); communicate service-related updates; respond to support requests; investigate abuse and enforce our Terms; and comply with legal obligations. We use aggregated, de-identified data to improve the Service and its rule library. We do not use your Customer Data to train general-purpose machine-learning models.
Legal bases (EEA/UK)
For individuals in the European Economic Area, the United Kingdom, or Switzerland, our legal bases under the GDPR are: performance of a contract (delivering the Service to a customer on whose behalf you act); legitimate interests (securing the Service, preventing abuse, improving the product); compliance with legal obligations; and consent, where required (for example, for non-essential marketing email).
Sharing and sub-processors
We do not sell personal information. We do not share personal information with third parties for their own marketing purposes. We share information only with sub-processors who help us operate the Service, and only to the extent necessary:
- Vercel Inc. (United States): application hosting, serverless compute, CDN
- Supabase Inc. (United States): database, authentication, storage
- Stripe, Inc. (United States): payment processing and subscription billing
- Resend, Inc. (United States): transactional email delivery
- Anthropic, PBC (United States): language-model inference for suggested-fix generation; operated under zero-retention commitments
We may also disclose information where required by law, in response to valid legal process, to protect the rights, property, or safety of HexWarden, our customers, or the public, or in connection with a merger, acquisition, or sale of assets (with notice where legally required).
International transfers
HexWarden is based in the United States. Our sub-processors primarily operate in the United States. Where we transfer personal information from the EEA, the United Kingdom, or Switzerland to the United States, we rely on the European Commission’s Standard Contractual Clauses, the UK Addendum thereto, or other lawful transfer mechanisms.
Retention
We retain account data for the life of your account and for a reasonable period afterward for legal, tax, and audit purposes. We retain scan results and audit logs for the duration of your subscription and, thereafter, for up to twenty-four (24) months to support audit-trail defense in the event of a post-termination claim — unless you request earlier deletion. Diagnostic logs are retained for up to ninety (90) days. Marketing leads who do not convert are deleted within twelve (12) months of last interaction.
Your rights
Depending on your jurisdiction, you may have the right to access, correct, delete, port, or restrict processing of personal information we hold about you, and to object to certain processing or withdraw consent. You may also have the right to lodge a complaint with a supervisory authority.
California residents. Under the California Consumer Privacy Act (as amended), you have rights to know, delete, correct, and limit sharing of personal information, and a right not to receive discriminatory treatment for exercising these rights. We do not “sell” personal information and do not “share” it for cross-context behavioral advertising as those terms are defined under the CCPA.
To exercise any of these rights, contact privacy@curevue.io. Where you interact with Curevue on behalf of an employer customer, some requests (such as deletion of scan data) may be routed to that customer for response, and we will assist them in responding.
Security
We protect information with technical and organizational measures appropriate to the sensitivity of the data and the state of the art, including encryption in transit and at rest, least-privilege access controls, scoped credentials per venture and per purpose, and audit logging. No system is perfectly secure. If we become aware of a breach that affects your information, we will notify affected customers without undue delay and as required by applicable law.
Children
The Service is not directed to individuals under sixteen (16) years of age. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact privacy@curevue.io.
Changes
We may update this Policy from time to time. When we do, we will revise the “last revised” date above and, for material changes, provide notice by email or in-product banner at least thirty (30) days before the change takes effect.
Contact
HexWarden Labs LLC · Colorado, USA · privacy inquiries to privacy@curevue.io.