Privacy Policy
A legal disclaimer
Privacy Policy for Commit
Effective date: November 18, 2024
Controller/Publisher: Tyler Dechant (d/b/a 'Commit')
Contact: thecommitteam@gmail.com
1) Summary
- We don't collect your browsing history
- We process page content on-device to compute a risk score; this analysis stays on your computer unless you submit a review
- New: You can opt in to automatic response tracking via Gmail, which searches only emails from companies you're actively tracking
- Submitting a review is optional. If you submit, we store only what's needed to show stats and fight spam
- We don't sell your data and we don't share it for cross-context behavioral advertising
- Local preferences (education, years of experience, role title, minimal UI state) are stored in your browser and never leave your device unless included in a review you submit
2) Data we process
A. Authentication & Account Information
Google Sign-In (OAuth 2.0):
- When you sign in with Google, we receive your email address, name, and profile picture
- We do NOT receive your Google password
- Authentication tokens are securely managed by Chrome Identity API and Firebase Authentication
- You can revoke access at any time through your Google Account settings
Purpose: Authenticate your account, sync tracked applications across devices, enable Gmail integration
Storage: Firebase Authentication (Google Cloud)
Legal basis (GDPR): Your consent (Art. 6(1)(a))
Retention: Until you delete your account
B. On-device processing (not sent to us)
- Visible job posting content on the page you open (title, company, location, description, salary text, applicants counts, etc.)
- Derived signals and the risk score (e.g., "no salary listed," "vague wording")
- Local preferences and UI state (e.g., highest education, years of experience, role title, whether the panel is collapsed)
- Last Gmail check timestamp (to enforce 30-minute cooldown)
Purpose: Provide the overlay, compute the score, pre-fill your profile fields, manage automatic Gmail checking
Storage: chrome.storage.local on your device
Retention: Until you clear your browser data, remove the extension, or change the values
C. Application tracking (optional, stored in our backend)
When you click "I Applied to This Job":
- Company name and detected email domains (e.g., meta.com, facebook.com)
- Job title, location, source (LinkedIn/Indeed), and URL
- Date you applied
- Tracking status (active, response detected, confirmed)
Purpose: Enable automatic response detection via Gmail, show you which applications are being tracked
Storage: Firebase Firestore (Google Cloud)
Legal basis (GDPR): Your consent (Art. 6(1)(a))
Retention: Until you stop tracking or delete your account
D. Gmail access (optional, requires explicit permission)
What we access:
- We search ONLY for emails from companies you're actively tracking
- We search ONLY emails received AFTER the date you applied
- We read email subject lines, sender addresses, snippets (preview text), and received dates
- We do NOT access your entire inbox
- We do NOT read emails unrelated to your tracked applications
- We do NOT access emails sent before you applied
How we use it:
- Automatically detect when companies respond to your applications
- Parse keywords to determine outcome (rejection, interview, offer)
- Create notifications for you to confirm or dismiss
Email content processing:
- Email subject and snippet are analyzed using keyword matching
- Detection results are shown to you for confirmation before becoming public data
- You can dismiss false detections—they won't be shared
Purpose: Automatically detect application responses without requiring manual tracking
Storage: Email metadata (subject, snippet, date) stored temporarily in Firebase for pending notifications
Legal basis (GDPR): Your explicit consent (Art. 6(1)(a))
Retention: Notification data deleted when you confirm, dismiss, or delete your account
E. Data you can choose to submit (sent to our backend)
- Review basics: applied date, (optional) response date, outcome (no response/rejected/interview/offer), and optional comments
- Optional profile transparency: highest education, years of experience, role title
- Optional extras (when relevant): interview rounds/types, feedback, offer acceptance, decision factors, etc.
- Post metadata: hashed IDs we generate for the company and job, job title, company name, location, source site (e.g., LinkedIn/Indeed), and source URL
- Account identifier: your Firebase user ID (authenticated via Google Sign-In)
- Auto-tracked flag: indicates if review was created from automatic Gmail detection
- Timestamps and integrity flags (created/updated, verified status)
Purpose: Show community stats, compute aggregates, deter spam/duplicates, improve fraud/ghost-job detection
Legal bases (GDPR): Your consent (Art. 6(1)(a)) to submit; legitimate interests (Art. 6(1)(f)) in preventing abuse and producing aggregates
Retention: Until you delete your review or your account; de-identified/aggregated stats may be retained
3) What we do NOT collect or do
- No collection of passwords, payment data, private messages, or contact lists
- No collection of emails outside your tracked applications
- No collection of emails sent before you applied to a job
- No collection of your entire Gmail inbox or email history
- No continuous tracking across sites; we only read visible job pages where the extension runs
- No sale of personal information; no cross-context behavioral advertising
- No unnecessary permissions—we limit host access to job pages and Gmail to only what's needed
4) Permissions disclosure (Chrome Web Store)
Host permissions:
- https://*.linkedin.com/*, https://*.indeed.com/* – Only to analyze visible job postings and render the overlay
Identity permission:
- Used to authenticate users with their Google account via OAuth 2.0
- Enables secure sign-in without requiring manual credential entry
- Required for chrome.identity.getAuthToken() API to access Gmail
Gmail.readonly permission:
- Used ONLY to search for emails from companies you're actively tracking
- Searches ONLY emails received after you applied to a specific job
- Never accesses your entire inbox or unrelated emails
- Enables automatic detection of application responses
Storage permission:
- Saves local preferences and UI state on your device
- Stores last Gmail check timestamp to enforce 30-minute cooldown and respect rate limits
We comply with the Chrome Web Store Developer Program Policies, including the Limited Use restrictions for user data.
5) Data sharing and processors
We do not sell or rent data. We store and process data using:
Google Firebase (Authentication & Firestore):
- Cloud infrastructure hosted by Google Cloud
- Stores user accounts, tracked applications, notifications, and reviews
- Data is encrypted in transit (HTTPS/TLS) and at rest
- Google acts as our processor under applicable terms and Google Cloud's data processing agreements
Gmail API (Google):
- Accessed via Chrome Identity API and OAuth 2.0
- Used solely to search emails from tracked companies
- Subject to Google API Services User Data Policy and Limited Use requirements
We do not permit processors to use your data for their own marketing.
6) Security
- Transport encryption (HTTPS/TLS) for all traffic to our backend
- OAuth 2.0 authentication with Google Sign-In
- Firebase Security Rules enforce user-level access control
- Server-side validations to limit abuse (e.g., rate limits, duplicate checks)
- Regular reviews of permissions and dependencies
- Automatic Gmail check cooldown (30 minutes) to prevent excessive API usage
No system is 100% secure. If we discover a breach, we will notify affected users and authorities as required.
7) International transfers
Data may be processed and stored in the United States (and other regions supported by Firebase and Google Cloud). Where required, we rely on appropriate safeguards (e.g., Standard Contractual Clauses) for transfers.
8) Your rights
Depending on your location, you may have the right to:
- Access your data
- Correct inaccurate data
- Delete your data
- Withdraw consent (e.g., revoke Gmail access)
- Object to or restrict processing
- Request portability of your data
CCPA/CPRA (California): We do not "sell" or "share" personal information as defined by CPRA. You can request access or deletion by contacting thecommitteam@gmail.com.
Revoking Gmail access:
- Go to your Google Account → Security → Third-party apps with account access
- Remove "Commit" from the list
- Or uninstall the extension (automatically revokes access)
9) Data retention & deletion
- Local preferences: Remain in your browser until you clear them or remove the extension
- Tracked applications: Retained until you stop tracking them or delete your account
- Pending notifications: Deleted when you confirm, dismiss, or delete your account
- Submitted reviews: Retained until you delete them (email us or use any in-product delete function, if available)
- Aggregates: We may keep de-identified metrics (e.g., "38% no response") even after a specific review is deleted
- Gmail data: We do not permanently store email content; only metadata for pending notifications
To request deletion/access: Email thecommitteam@gmail.com from the address associated with your account and include any relevant details.
10) Children's privacy
Commit is not intended for children under 16. We do not knowingly collect personal information from children. If you believe a child provided data, contact us and we will delete it.
11) Changes to this policy
We may update this policy to reflect improvements or legal requirements. We'll post the new version with an updated Effective date. Material changes will be highlighted in-product or on our website when feasible.
12) Contact
Tyler Dechant (d/b/a 'Commit')
Email: thecommitteam@gmail.com
13) Google API Services User Data Policy Compliance
Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We only request Gmail.readonly scope to search for emails from companies users are tracking
- We do not transfer Gmail data to third parties (except as necessary to provide our service via Firebase)
- We do not use Gmail data for serving advertisements
- We do not allow humans to read Gmail data unless necessary for security purposes, to comply with applicable law, or with your explicit consent