Privacy Policy

1. Introduction

INTRO ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use the INTRO mobile application, website, and related services (collectively, the "Service"). By using the Service, you consent to the practices described in this policy. This policy applies to all users of the Service, including students, recruiters, and event organizers.

2. Information We Collect

2.1 Information You Provide

• Account Information: When you create an account, we collect your email address, first and last name, and user type (student, recruiter, or organizer). You may also register using Google Sign-In or Sign in with Apple, in which case we receive your name and email address from the respective provider. If you use Sign in with Apple and choose to hide your email, we receive only a private relay email address.
• Profile Information: Professional headline, company name, phone number, website URL, graduation date, years of experience, preferred industries, hiring preferences, and social media handles (LinkedIn, Instagram, Twitter, Facebook).
• Digital Business Card: Card design and customization data, including layout configurations, colors, font choices, and uploaded images (profile photos, headshots, company logos).
• Photographs: Images you upload from your device's photo library for use on your digital business card, including headshots, half-body photos, and company logos. These images are compressed, resized, and stored on our cloud infrastructure.
• Skills and Qualifications: Skills you add to your profile, which may be used for matching, recommendations, and analytics.
• Resume Data: If you upload or scan a resume using the device camera, we extract information such as education, work experience, projects, skills, and contact details using AI-powered parsing (Google Gemini).
• Voice Recordings: If you use the voice note feature during recruiting sessions, we capture audio recordings which are sent to OpenAI's Whisper API for transcription. The audio is discarded after transcription and only the text notes are retained.
• Connection Notes: Notes, ratings, and pipeline stage assignments you add about people you connect with at career fairs.

2.2 Information Collected Automatically

• Usage Data: We collect information about how you interact with the Service, including features used, screens visited, and actions taken within the app.
• Device Information: Device type, operating system version, and app version for debugging and compatibility purposes.
• Event Interaction Data: When you participate in career fairs through the Service, we collect data about booth visits, queue positions, wait times, check-in times, and connection exchanges.
• Push Notification Tokens: If you enable push notifications, we collect your device token to deliver notifications about queue updates, connection requests, event reminders, and other service alerts. Device tokens are stored securely and associated with your account.

2.3 Information from Third Parties

• Google Sign-In: If you authenticate with Google, we receive your name, email address, and profile picture from Google.
• Sign in with Apple: If you authenticate with Apple, we receive your name and email address (or Apple's private relay email address if you choose to hide your email).
• Event Organizers: Organizers may provide event and booth information, including company details, job descriptions, and booth configurations, that are displayed to attendees.

3. How We Use Your Information

We use your information for the following purposes:

• Providing the Service: Creating and managing your account, generating and displaying your digital business card, facilitating connections with other users via QR code scanning, managing booth queues in real time, and enabling business card exchanges.
• AI-Powered Features: Generating personalized follow-up messages, parsing resumes and business cards from scanned images, transcribing voice notes to text, matching candidates to job requirements, normalizing analytics data (such as major names and skills), and producing session summaries. Relevant data is sent to third-party AI providers (OpenAI and Google Gemini) for processing.
• Analytics: Providing event organizers and recruiters with aggregated analytics about booth traffic, candidate pipelines, skill distributions, and engagement patterns. Individual user data is anonymized in analytics reports where possible.
• Communication: Sending you service-related push notifications (queue alerts, connection requests, event reminders), in-app notifications, and security alerts.
• Improvement: Understanding how users interact with the Service to improve features, fix issues, and develop new functionality.

4. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

• With Other Users: When you exchange digital business cards via QR code scanning, the recipient can view your shared profile information (name, headline, company, contact details, and skills). Your profile visibility and card visibility settings control what information is visible to others.
• With Recruiters: If a recruiter scans your QR code at a career fair, they may view your shared profile and resume information. Recruiters may export this data for use in their applicant tracking systems (Lever, Greenhouse, Workday).
• With Event Organizers: Organizers can view aggregated event analytics, including booth traffic, queue statistics, and attendee engagement metrics. Organizers do not have access to individual candidate details unless shared through the normal connection flow.
• With AI Service Providers: We send data to OpenAI (for follow-up message generation, voice transcription, candidate matching, and analytics normalization) and Google Gemini (for resume and business card image parsing). These providers process data according to their own privacy policies and do not use your data to train their models.
• With Infrastructure Providers: We use Supabase for database hosting, authentication, real-time data delivery, and file storage. Firebase Cloud Messaging is used for push notification delivery. Your data is stored and transmitted through these providers' infrastructure.
• Legal Requirements: We may disclose your information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of INTRO, our users, or the public.

5. Data Storage and Security

Your data is stored on Supabase's cloud infrastructure with the following security measures:

• Row Level Security (RLS): Database-level access controls ensure that users can only access their own data and data explicitly shared with them.
• Encrypted Authentication: All authentication is handled through secure, encrypted tokens. Session credentials are stored in your device's secure Keychain storage.
• Encryption in Transit: All data transmitted between your device and our servers is encrypted using HTTPS/TLS.
• Private Storage: Sensitive files such as resumes are stored in private storage buckets accessible only to the uploading user and authorized recipients.
• Public Storage: Profile avatars and card design assets are stored in public buckets to enable business card sharing functionality. Only images you explicitly upload for your business card are publicly accessible.

While we implement reasonable security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of your data.

6. Device Permissions

The INTRO app may request the following device permissions:

• Camera: Required for scanning QR codes to exchange digital business cards and for capturing images of physical business cards or resumes for AI-powered parsing using the device's document scanner. Camera data is processed in real-time and is not stored unless you explicitly capture an image for scanning.
• Microphone: Used for recording voice notes about candidates during recruiting sessions. Audio is sent to OpenAI's Whisper API for transcription, after which the audio recording is discarded and only the text transcription is retained.
• Photo Library: Used when you select images from your device's photo library to upload as profile photos, headshots, or company logos for your digital business card. We only access the specific images you select; we do not scan or access your full photo library.
• Push Notifications: Used to deliver real-time alerts about booth queue position changes, connection requests, event reminders, and other service-related notifications. You can enable or disable specific notification categories within the app's settings.

All permissions are requested only when you first use features that require them. You can revoke any permission at any time through your device's Settings app. Revoking permissions may limit certain functionality but will not affect your account or stored data.

7. Third-Party AI Services

INTRO uses the following third-party AI services to power its features. When you use AI-powered features, relevant data is sent to these providers for processing:

• OpenAI (GPT-4o-mini, Whisper): Used for generating follow-up messages, transcribing voice recordings, matching candidates to job requirements, normalizing analytics data (major names, skills, school names), and generating session summaries. Data sent may include professional context, connection information, and audio recordings.
• Google Gemini (Gemini 2.5 Flash): Used for parsing and extracting structured information from scanned resumes and business card images. Image data is sent to Google for processing and is not retained by Google after processing.

We have configured our integrations with these providers so that your data is not used to train their AI models. Data is processed transiently and deleted after the response is generated.

These providers have their own privacy policies governing how they handle data. We encourage you to review OpenAI's Privacy Policy & Google's Privacy Policy for more details.

8. Tracking and Advertising

INTRO does not track you across other apps or websites. We do not use advertising identifiers (IDFA), and we do not serve advertisements within the Service. We do not share your data with advertising networks, data brokers, or information resellers. The app does not participate in any cross-app tracking or targeted advertising programs. We do not use cookies in the mobile application. Our website may use essential cookies only for basic functionality such as session management.

9. Your Rights and Choices

You have the following rights regarding your personal information:

• Access and Export: You can export a copy of your personal data (profile information, connections, and business card data) through the app's privacy settings at any time.
• Correction: You can update your profile information at any time through the app.
• Deletion: You can delete your account and all associated data directly within the app through Settings > Privacy. Account deletion is permanent and will remove your profile, connections, uploaded images, and all associated data from our active systems.
• Cache Clearing: You can clear locally cached data (images and temporary files) through the app's privacy settings.
• Profile Visibility: You can control what information is visible on your profile and digital business card through your profile and card visibility settings.
• Permission Control: You can grant or revoke camera, microphone, photo library, and push notification permissions at any time through your device's Settings app.
• Consent Withdrawal: You can withdraw your consent to data processing at any time by deleting your account. Withdrawal of consent does not affect the lawfulness of processing performed before the withdrawal.

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes for collection, and the categories of third parties with whom we share it.
• Right to Delete: You have the right to request deletion of your personal information. You can exercise this right directly within the app through Settings > Privacy > Delete Account.
• Right to Opt-Out of Sale: We do not sell your personal information. As such, there is no need to opt out of sales.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise these rights, you may use the in-app privacy settings or contact us at jiouyuc@umich.edu. We will respond to verifiable consumer requests within 45 days.

11. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

• Legal Basis for Processing: We process your personal data based on: (a) your consent (for optional features like AI processing, voice recording, and push notifications); (b) performance of a contract (to provide the Service you requested); (c) legitimate interests (to improve the Service, ensure security, and prevent fraud); or (d) legal obligations (to comply with applicable laws).
• Your GDPR Rights: You have the right to access, rectify, erase, restrict processing, object to processing, and port your personal data. You also have the right to withdraw consent at any time and to lodge a complaint with your local data protection authority.
• International Transfers: Your data may be transferred to the United States where our service providers (Supabase, OpenAI, Google) operate. These transfers are conducted in accordance with applicable data protection laws.

To exercise your GDPR rights, please contact us at jiouyuc@umich.edu.

12. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with the Service. If you delete your account, we will delete your personal information from our active systems within 30 days. Some data may be retained in encrypted backups for up to 90 days as required for security and legal compliance purposes, after which it will be permanently deleted. Anonymous, aggregated data that cannot be used to identify you may be retained indefinitely for analytics purposes.

13. Children's Privacy

The Service is not directed to individuals under the age of 17. We do not knowingly collect personal information from children under 17. If we learn that we have collected personal information from a child under 17, we will take steps to delete such information promptly. If you are a parent or guardian and believe your child under 17 has provided us with personal information, please contact us at jiouyuc@umich.edu.

14. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States. Our service providers (Supabase, OpenAI, Google, Firebase) may store and process data in the United States or other jurisdictions. These transfers are necessary to provide the Service and are conducted in accordance with applicable data protection laws. By using the Service, you acknowledge that your information may be transferred to countries which may have different data protection laws than your jurisdiction.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the revised policy within the Service and updating the "Last updated" date. For significant changes, we may also notify you through push notifications or in-app alerts. Your continued use of the Service after such changes constitutes your acceptance of the revised policy. If you do not agree to the revised policy, you should stop using the Service and delete your account.

16. Contact Us

If you have any questions about this Privacy Policy, our data practices, or wish to exercise any of your privacy rights, please contact us at jiouyuc@umich.edu.