Security

Effective Date: October 31, 2025

Company: Guildy.ai, Inc.

Product: Guildy

Website: https://guildy.ai

Security Contact: security@guildy.ai

Overview

Guildy.ai, Inc. prioritizes protecting user data and maintaining the integrity and confidentiality of information processed through Guildy. We apply industry-standard security practices to protect Gmail data, personal information, and authentication credentials.

We designed our infrastructure and internal processes to ensure user data is secure at every stage — from authorization to storage to deletion.

Data Access & Permissions

  • Guildy uses Google OAuth 2.0 for secure authentication
  • Guildy requests the read-only Gmail scope
  • Guildy never sends, deletes, or modifies emails
  • Only email content relevant to job-search context is processed
  • No employee access to user mailbox data unless legally required

Data Minimization

Guildy only stores the minimum information needed to provide the service:

Stored:

  • Gmail message/thread IDs
  • From/to fields
  • Subject lines
  • Email timestamps
  • Relevant minimal text snippets for interview stage inference
  • Pipeline data and user notes
  • Authentication details (OAuth tokens, stored encrypted)

Not Stored:

  • Full email bodies
  • Attachments
  • Drafts, chats, or unrelated messages
  • Entire inbox copies

Temporary text used for LLM classification is purged automatically within 30 days.

Encryption

  • TLS 1.2+ encryption in transit
  • AES-256 encryption at rest
  • Tokens and secrets stored in secure secret management systems
  • No plaintext token storage

Infrastructure Security

  • Hosted on secure, SOC-compliant cloud platforms
  • Production systems isolated from development environments
  • Strict least-privilege access controls
  • Continuous system logging and monitoring
  • Role-based access for internal tools
  • Automated backups with secure lifecycle handling

Identity & Authentication

  • Google OAuth 2.0 + OpenID Connect
  • Guildy does not store user passwords
  • Token rotation and secure token storage enforced
  • Multi-factor access controls for internal systems

AI & Data Processing Safety

  • Only limited text is sent to LLM services, strictly to generate interview preparation material and identify interview-related signals
  • No model training on user data
  • Providers contractually restricted from retaining or reusing data
  • AI requests encrypted in transit

Employee & Access Controls

  • No manual inbox access for employees
  • Access to production systems limited to authorized personnel
  • All admin access logged and periodically reviewed

Vulnerability Management

  • Security patches applied regularly
  • Dependency monitoring and upgrades
  • Network and application-level threat monitoring
  • Alerts for suspicious or unauthorized access attempts
  • Standard incident response procedures in place

Data Retention & Deletion

  • Gmail sync stops immediately when a user disconnects Google access
  • Gmail-derived cached data removed within 30 days of disconnect
  • Account deletion in the app triggers removal of all stored data
  • Backup data deleted according to secure lifecycle schedules

Responsible Disclosure & Reporting

If you believe you've discovered a security vulnerability affecting Guildy:

Email: security@guildy.ai

Subject line: Security Vulnerability Report

Include:

  • Detailed description
  • Reproduction steps
  • Severity/impact context (if known)

We review all reports and act promptly.

Compliance & Commitments

Guildy.ai, Inc. adheres to:

  • Google API Services User Data Policy
  • Limited Use Requirements
  • OAuth Restricted Scope security standards
  • Industry-standard data protection practices

We never sell, lease, or share Gmail data for advertising or profiling.

Last Updated: October 31, 2025