privacy policy.
we send the active-tab text to our AI engine on click, return the brief, and forget the request. no analytics, no fingerprinting, no PII in our database.
this is the privacy policy for interviewprep — the browser extension that turns any job posting on your active tab into a full prep brief: 5 likely questions with STAR-format answer scaffolds, plus a company research card. the policy applies to the chrome / firefox / edge extension and any data exchanged with our backend at api.voiddo.com.
voiddo is the data controller. you can reach us at support@voiddo.com for any privacy question.
last updated 2026-04-29 · v1.0 · effective immediately
1. what we collect (and what we do not)
we list every category of data we touch. if it is not in this table, we do not have it.
| data category | purpose | retention |
|---|---|---|
| job posting text | when you click the action button in the popup, the visible text of your active tab is sent to api.voiddo.com/v1/interviewprep/generate for AI processing. used to extract the role and generate the prep brief. | discarded immediately after the response is returned. not stored, not logged, not used for training. |
| install_id | a 24-character random string generated locally on first install, stored in chrome.storage.local. used as the rate-limit key for free-tier requests so we can enforce the 5 generations / month cap without collecting PII. the install_id is the only identifier the server sees for free users. | until you uninstall the extension. server-side, the rate-limit counter associated with it expires every ~32 days. |
| license key | paid users only. validates your subscription against our backend. | until uninstall or until you cancel. |
| usage log | timestamp, install_id, response code, token count. used for billing reconciliation and abuse prevention. does NOT include the prompt or the response. | 90 days, then aggregated to monthly counters. |
what we do not collect:
- the job posting itself (sent for processing, then forgotten)
- the generated prep brief (returned to you only, not retained)
- any other content from your tabs or browsing history
- analytics on which jobs you viewed or applied to
- your name, email, or any other PII unless you upgrade to Pro
2. browser permissions explained
chrome web store flags every permission your extension requests. here is what each one of ours actually does:
- activeTab — read the visible text on the tab you opened the popup on, only when you click the action button. nothing else is accessed.
- scripting — execute the text-extraction script on the active tab on click.
- storage — remember your install_id and your local free-quota counter (and your license key if Pro).
summary: no host_permissions. no content scripts running in the background. no remote code. the only network traffic the extension generates is a single HTTPS POST to api.voiddo.com/v1/interviewprep/generate per click, plus a license-validation ping for Pro users.
3. how your data flows
- you open a job posting and click the interviewprep icon.
- you click "Generate prep brief" in the popup.
- the extension reads the visible text via chrome.scripting.executeScript (no DOM mutation, no network calls from the page).
- the text is sent over HTTPS (TLS 1.3) to api.voiddo.com/v1/interviewprep/generate.
- our API forwards it to our AI engine, gets the structured response back, validates it, and returns it to your extension.
- we keep an entry in the usage log: timestamp, install_id, endpoint, response code, token count for billing. we do not log the request body or the response body.
4. cookies
the extension itself sets no cookies. our website (extensions.voiddo.com, scrb.voiddo.com) uses two strictly-necessary cookies for the optional Pro account:
- session — httpOnly + Secure session cookie. expires after 30 days of inactivity or on logout.
- csrf — httpOnly + Secure CSRF protection token. expires with the session.
paddle's checkout iframe sets its own cookies for the duration of the transaction; paddle deletes them when the checkout closes.
we do not set analytics, advertising, or behavioural cookies. we do not need consent banners because we do not need consent for strictly-necessary cookies (GDPR recital 30).
5. legal basis for processing (GDPR Art. 6)
- contract performance — for paid users, processing your billing email + license key.
- legitimate interest — aggregated usage logs to operate the service. you can object at any time.
- legal obligation — transaction records kept for the period required by tax law (typically 7 years).
- consent — for any optional feature beyond the above, we ask explicitly.
6. sub-processors
| processor | purpose | region |
|---|---|---|
| Paddle.com Market Limited | merchant of record for paid plans — receives billing email, country, payment instrument. paddle privacy policy. | UK / EU / US |
| Resend | transactional email delivery (license key, password reset). receives your email only when we send a transactional message. resend privacy policy. | US |
| OVH (hosting) | european virtual private server hosting our API. logs rotated every 14 days. | EU |
| our AI engine partner | processes each generation request. retention zero on our enterprise contract. | US / EU |
we do not use Google Analytics, Meta pixel, Hotjar, or any other behavioural-tracking service.
7. international data transfers
our hosting is in the european union. some sub-processors (Resend, our AI engine partner) are located in the united states. when we transfer your personal data outside the EU/UK, we rely on the European Commission's Standard Contractual Clauses (SCC) as the legal mechanism, supplemented by technical safeguards: TLS 1.3 in transit, AES-256 at rest, strict access controls. SCC copies + transfer impact assessments available on request.
8. security measures
- all traffic to our APIs uses TLS 1.3.
- credentials (license keys, password hashes) stored using bcrypt (cost ≥12).
- API access requires per-user license key with rate limiting (per-day, per-minute) to prevent abuse.
- servers are patched within 7 days of upstream security advisories; critical CVEs within 24h.
- operational logs stripped of PII before persistence.
- backups encrypted and stored in a separate region from production.
- multi-factor authentication enforced on every account that can access production.
- breach notification within 72 hours per GDPR Art. 33.
9. your rights under GDPR / UK GDPR / CCPA
- right of access — copy of any personal data we hold about you.
- right to rectification — correct inaccurate personal data.
- right to erasure — uninstall removes all local data; emailing us erases server-side data within 14 days.
- right to data portability — we provide JSON.
- right to restrict processing, right to object, right to withdraw consent.
- right not to be subject to automated decision-making — we do not use your data for automated decisions with legal effect.
- right to lodge a complaint — with your local data protection authority.
california residents (CCPA) additionally have the right to know, the right to delete, and the right not to be discriminated against. we do not sell personal information.
to exercise any right, email support@voiddo.com. response within 30 days (typically within 5 business days).
10. children's privacy
interviewprep is not directed at children under 13 (under 16 in some EU jurisdictions). we do not knowingly collect personal data from children. if you believe your child has provided us with personal data, contact us and we will delete it without delay.
11. changes to this policy
- we update the last updated timestamp at the top of this page.
- we publish previous versions in our change log.
- material changes (new data category, new sub-processor) trigger an email to all paid users at least 14 days before the change takes effect.
- continued use after the effective date constitutes acceptance.
12. contact
privacy questions, data subject requests, complaints: support@voiddo.com. response within 5 business days; full GDPR-deadline 30 days.
last updated 2026-04-29 · v1.0 · voiddo studio · remote / Israel