Legal
Privacy Policy
Last updated: 12 June 2026
1. Who we are
LowerSecond (“we”, “us”) is an AI-powered career platform for UK university graduates, operated from the United Kingdom. We are the data controller for the personal data described in this policy. [Company registration details to be added at legal review.]
Questions, requests or concerns about your data: support@lowersecond.com.
2. What we collect
- Account data — your name, email address and password. Passwords are handled by our authentication provider (Supabase) and are never stored in plain text.
- Onboarding details — university, degree subject, graduation year and how urgent your job search is, if you choose to provide them.
- Conversation and story content — what you tell our career assistant: education history, work experience, skills, achievements, values, preferences (such as target sectors, salary expectations and right-to-work status) and the career narrative built from them.
- CV uploads — PDF or DOCX files you upload, stored in a private bucket. Download links are time-limited (they expire after 7 days), though the file itself remains stored until you ask us to delete it.
- Application tracking data — jobs you save, apply to, and the status, interview dates and notes you record against them, plus documents (CVs, cover letters, interview preparation) generated for you.
- Usage signals — how you interact with suggested career routes and jobs (for example which ones you open, save or dismiss), used to improve the guidance you receive.
- Technical data — IP address (used for security and rate limiting), request logs and error reports.
- Newsletter email — if you join the waitlist on our landing page.
3. How we use your data and our lawful bases
- Providing the service (contract) — running your career conversations, building your profile and narrative, generating CVs and cover letters, searching jobs and tracking applications.
- Security and service quality (legitimate interests) — rate limiting, abuse and anomaly detection, error monitoring and audit logging.
- The newsletter (consent) — we email you about the product because you asked us to; you can withdraw at any time.
We do not sell your personal data, and we do not use it for third-party advertising.
4. AI processing — and what our audit logs actually store
LowerSecond is built on Anthropic's Claude models. To provide guidance, the content of your conversation and relevant parts of your career profile are sent to Anthropic, acting as our processor, to generate responses. AI outputs (career suggestions, CVs, cover letters) are drafts for your review, not professional advice.
For security and compliance we keep an audit log of each AI interaction. That log stores a cryptographic fingerprint (a SHA-256 hash) of the message content — not the message text itself — together with technical metadata such as token counts and processing time. Your actual conversation history is stored separately in your account so the assistant can remember context between sessions.
5. Who processes your data for us
We use a small set of service providers, each processing data only on our instructions:
- Supabase — database, authentication and file storage.
- Anthropic — AI model processing of conversation and profile content.
- Vercel — application hosting.
- Sentry — error and performance monitoring.
- Adzuna and Reed — job search. We send search terms derived from your preferences (such as role keywords and location), not your identity.
- Notion — newsletter subscriber list.
- Resend — transactional email (such as the newsletter confirmation).
- Upstash — rate limiting, keyed on identifiers derived from your IP address or account.
Some of these providers process data outside the UK (notably in the United States). Where they do, transfers are made under appropriate safeguards such as the UK International Data Transfer Agreement or UK Addendum to EU Standard Contractual Clauses. [Transfer mechanism per processor to be confirmed at legal review.]
6. How long we keep it
We keep your data for as long as your account is active. If you ask us to delete your account, we delete your personal data within 30 days, except where we need to retain limited records to meet legal obligations. CV download links expire automatically after 7 days; the underlying files are deleted with your account. Audit logs, which contain hashed (not readable) message fingerprints, are retained for security analysis.
7. Your rights
Under UK GDPR you have the right to:
- access a copy of your personal data;
- correct inaccurate data;
- have your data deleted;
- restrict or object to certain processing;
- data portability;
- withdraw consent where processing relies on it.
We don't yet offer self-service account deletion or data export — email support@lowersecond.com and we'll action your request within one month, as the law requires.
If you're unhappy with how we handle your data, you can complain to the Information Commissioner's Office at ico.org.uk.
8. Cookies
We use only strictly necessary cookies — authentication session cookies and a chat session identifier. There are no analytics or advertising cookies. Details are in our Cookie Policy.
9. Changes to this policy
We'll update this page when our practices change and revise the “last updated” date above. Significant changes will be flagged in the product.