Privacy Policy
Last updated: March 29, 2026
Your trust means everything to us. That’s why xptracker was built with privacy and security top of mind. This page outlines exactly how we handle your information, and how we give you full control over it.
What We Collect
We only collect the information that’s necessary to provide our service. This includes:
- Your email address when you sign up (or your Bluesky handle if you sign up via Bluesky OAuth).
- Any data you voluntarily enter while using the site, including experiences, skills, projects, achievements, journal entries, and labels.
- Profile information you choose to provide, such as a short bio ("blurb") and profile photo.
- Files you upload, including images attached to journal entries and resume documents submitted for AI-assisted parsing.
- Support tickets you submit, including your email address and message content.
Automatically Collected Information
When you visit public pages on our site (such as public resumes, journal entries, or journal feeds), we collect limited analytics data to help us understand how the service is used. This includes:
- A one-way hash of your IP address (we do not store your actual IP address).
- Your browser's user agent string.
- The referring URL (if any).
- The type of content viewed and the date/time of the visit.
We use this data in aggregate to understand traffic patterns. We filter out known bots and crawlers. We do not use this data to identify or track individual users across sessions.
How We Use Your Information
Your data is used strictly for:
- Managing your account and preferences.
- Providing the features and functionality of the service.
- Displaying public content you have explicitly chosen to make visible (see "Public Content" below).
- Improving the user experience based on general usage patterns (without identifying individuals).
We will never sell, rent, or otherwise profit from your data. Your information stays yours.
Public Content
Certain features allow you to make content publicly accessible. All public features are opt-in and off by default. These include:
- Public resume page — You may choose to enable a shareable public page for your resume. When enabled, the experiences, skills, projects, and other data you have marked as active on your resume will be visible to anyone with the link.
- Public journal entries — Individual journal entries can be toggled between private and public. Public entries are accessible via a direct link and appear in your public journal feed.
- Profile information — If you add a bio and enable your profile photo, these will be displayed on your public pages.
- Public labels — Labels you create can optionally be made public, allowing visitors to filter your public resume or journal content by topic.
Search Engine & AI Indexing
Your public pages may be included in our sitemap and may contain structured data (schema.org markup) to help search engines and AI agents understand the content. This structured data can include your name, job title, state/region, and page descriptions.
You can control this from your profile settings using the "Allow search engine and AI indexing" toggle. When disabled, your public pages will be excluded from the sitemap and will not include structured data. Your pages will still be accessible via direct link, but search engines and AI agents will not be directed to them.
We also publish an llms.txt file that describes the site to AI agents. This file contains general information about xptracker and its public URL patterns, but does not include any user-specific data.
You can revoke public visibility at any time by toggling the relevant setting. Once toggled off, the content will no longer be accessible publicly.
Bluesky Integration
You may optionally link your Bluesky account to xptracker. This is entirely opt-in. When you choose to link your account:
- We store your Bluesky handle, DID (decentralized identifier), and profile photo URL so we can display them on your public pages.
- We store encrypted OAuth tokens to authenticate with your Bluesky account on your behalf. These tokens are encrypted at rest and are only used when you explicitly initiate an action, such as sharing a journal entry.
- When you share a journal entry to Bluesky, the post text and a link back to your public entry are sent to the AT Protocol network via your account. Once posted, that content is governed by Bluesky’s own terms and privacy policy.
- If you sign up using Bluesky OAuth, we create your account using your Bluesky handle. You may later add an email address to your account.
- If you choose to publish blog-style content via the AT Protocol’s standard.site publication feature, that content is published as a document on the AT Protocol network under your account.
- We do not read your Bluesky feed, access your direct messages, or collect any data from your Bluesky account beyond what is listed above.
You can unlink your Bluesky account at any time from your account settings. When unlinked, all stored Bluesky data (handle, DID, tokens) is permanently deleted from our systems. Posts previously shared to Bluesky will remain on the Bluesky network and must be deleted from Bluesky directly.
AI-Powered Features
We offer optional features that use artificial intelligence (Anthropic’s Claude API) to help you manage your career data. All AI features are opt-in and require you to explicitly initiate each action. We do not use your data to train AI models. Anthropic’s API usage policy governs their handling of data sent through the API.
Resume Parsing
You can upload a resume document to have it parsed into structured career data. When you use this feature:
- Your uploaded resume file (up to 5MB) is sent to Anthropic’s Claude API for text extraction and structured parsing.
- The parsed data is presented to you for review before anything is saved to your account. You choose what to keep.
- We store the raw text and parsed results temporarily to allow you to confirm and apply the data.
AI Label Generation
You can use AI to generate suggested labels for organizing your career data. When you use this feature:
- A summary of your career data is sent to Anthropic’s Claude API. This includes your recent experiences (role, company, location, dates, and brief descriptions), projects (name, role, type, and descriptions), skill names, and your existing labels.
- The AI returns suggested label names based on a category you select (such as technical skills, industries, or impact types).
- Suggestions are presented to you for review. No labels are created until you explicitly confirm your selections.
AI Label Linking
You can use AI to suggest which of your existing labels apply to a specific record (such as an experience, project, or skill). When you use this feature:
- The details of the selected record and your list of existing label names are sent to Anthropic’s Claude API.
- The AI suggests which of your existing labels are relevant to that record.
- For individual records, suggestions are presented for your review before being applied. For bulk labeling (applying labels across multiple records at once), labels are applied automatically based on the AI’s suggestions.
Cookies and Sessions
We only use cookies when absolutely necessary to keep the site functional and secure. This includes:
- Session cookies — Used to keep you logged in. These expire when you close your browser and are transmitted only over HTTPS.
- CSRF tokens — Used to protect against cross-site request forgery attacks. These are a standard security measure.
We do not use cookies for advertising, tracking across sites, or collecting analytics. If it’s not essential, it’s not there.
Third-Party Services
We use a limited number of third-party services to operate xptracker. These services only receive the minimum data necessary to function:
- Postmark — We use Postmark to send transactional emails (account verification, password resets). Postmark receives your email address and the email content.
- DigitalOcean Spaces — Files you upload (images, resume documents) are stored in DigitalOcean Spaces, an S3-compatible cloud storage service. User-uploaded files are stored in a private bucket. Static site assets (CSS, JavaScript) are stored in a public bucket.
- Anthropic (Claude API) — If you use the AI resume parsing feature, your resume text is sent to Anthropic’s API for processing. See "Resume Parsing" under "AI-Powered Features" above.
- Sentry — We use Sentry for error monitoring to help us identify and fix bugs. In production, Sentry does not receive personally identifiable information.
Data Sharing
We do not share your personal information with any third parties, partners, or advertisers beyond the service providers listed above. The only exceptions are:
- Content you explicitly choose to make public or share to external services (such as Bluesky).
- Third-party service providers listed above, who receive only the data necessary to perform their function.
- Situations where we are required to do so by law or legal obligation.
Data Security
We take data security seriously and implement industry best practices to protect your information. This includes:
- Secure data transmission (HTTPS everywhere).
- Encryption of sensitive information, including third-party OAuth tokens, stored using field-level encryption.
- Encrypted, off-site database backups.
- Content Security Policy (CSP) headers to prevent cross-site scripting.
- Passwords stored using industry-standard hashing (never in plain text), with a minimum 12-character requirement.
- Regular software updates and security audits.
While no system can be guaranteed 100% secure, we are committed to maintaining strong protections around your data.
Your Control
You have full control over your data. You can:
- Update or edit the information you’ve entered at any time. The only exception is the email address you sign up with.
- Delete individual records (experiences, skills, projects, achievements, journal entries, labels) at any time.
- Toggle any public content back to private at any time.
- Unlink third-party accounts (such as Bluesky) at any time, which permanently deletes all associated data from our systems.
- Export your resume data as a Word document (.docx).
- Request deletion of your account and all associated data by submitting a support ticket.
- Contact us with any questions or concerns about your privacy.
Data Retention
We retain your account data for as long as your account is active. Temporary data such as email verification links (30 minutes), password reset links (15 minutes), and OAuth authorization requests (10 minutes) are automatically expired and cleaned up.
Analytics data (page views on public content) is retained in aggregate form to help us understand usage trends. If you delete your account, all personally associated data is removed.
We believe your data belongs to you, and we’re here to support your right to privacy and transparency at every step.
If you have any questions or would like to make a data-related request, please don’t hesitate to reach out to us.