Privacy Policy
Last updated: April 28, 2026
This Privacy Policy explains how Phantom Workflows LLC ("Phantom Workflows", "we", "us") collects, uses, and protects information when you use phantomworkflows.com, portal.phantomworkflows.com, the onboarding webhook, and the daily-pipeline service (together, the "Service"). By using the Service you agree to this policy.
1. Information We Collect
Information you provide
- Account information: Name, email address, and (for paid tiers) payment details processed by Stripe.
- Intake form data: Resume text (or PDF parsed client-side into text), job tagline, target roles, location preference, and other career-search preferences submitted at signup.
- Optional profile data: LinkedIn URL, portfolio URL, salary minimums, email tone, scoring context, and other fields you supply via the portal Settings page.
- Gmail OAuth (optional, paid tier only): If you connect Gmail, we store an encrypted refresh token in Upstash Redis keyed to your account. We use it solely to create draft outreach emails in your mailbox.
- Communications: Messages you send to our support team via email or the portal.
Information collected automatically
- Device type, browser, IP address (truncated for analytics), and approximate location.
- Pages visited, time on site, referral source, and signup-funnel events (form opens, submissions).
- Cookies and similar tracking technologies — see Section 5.
Information generated by the Service
- Job listings scored against your profile, decision-maker contact records pulled from Apollo, AI-generated outreach drafts, and execution logs of the daily pipeline. These are stored in your private Notion workspace and indexed in our internal database for service operation.
2. How We Use Your Information
We use your data to:
- Operate and deliver the Phantom Workflows pipeline (job scoring, contact discovery, outreach drafting, portal hosting).
- Personalize your portal and tune outreach copy to match your tone and history.
- Process payments and manage your subscription via Stripe.
- Send transactional emails — welcome, daily completion, trial expiry, billing, and operator alerts.
- Diagnose service incidents, including routing failures to a Tier-2 error workflow that may include redacted execution context for fix attempts.
- Improve our service through anonymized, aggregated analytics.
We do not sell, rent, or share your personal data with third parties for their marketing purposes. We do not use your data to train AI models on your behalf or anyone else's.
3. Data Retention
We retain your personal data only for the duration of your active subscription. After cancellation or trial expiry: free-trial workspaces (3-day standard or 20-day beta) are retained 7 days post-expiry, then permanently deleted unless you upgrade. Paid-tier data is retained 30 days after final cancellation. You may request immediate deletion at any time by emailing hello@phantomworkflows.com.
4. Data Security
We use industry-standard measures to protect your data:
- TLS encryption for all data in transit.
- Encrypted credential storage for OAuth refresh tokens (Upstash Redis with AES at rest).
- Per-client Notion workspaces with access scoped to a single integration credential.
- JWT session cookies with short-lived expiries and rotation on login.
- Operator email alerts on every classified failure so issues surface within minutes.
No system is 100% secure. We take reasonable precautions to safeguard your information; we cannot guarantee absolute security.
5. Cookies & Analytics
Essential cookies
We set a session cookie when you sign in to the portal so we can keep you authenticated between page loads. This cookie is required to use the portal and cannot be disabled without breaking login.
Analytics cookies (Google Analytics 4)
The marketing site loads Google Analytics 4 (measurement ID G-6KQGKW8Q0F) to track aggregated page views and signup-funnel events (CTA clicks, form opens, submissions). GA4 receives a truncated IP address and a randomly generated client-id cookie; we do not pass it your name, email, or resume text. You can opt out by:
- Enabling Do Not Track or Global Privacy Control (GPC) in your browser — we honor both.
- Installing the Google Analytics opt-out browser add-on.
- Blocking the googletagmanager.com domain at the network level.
6. Third-Party Processors (Subprocessors)
The Service relies on the following third-party providers. Each operates under its own privacy policy. We share only the minimum data necessary for them to perform their function.
| Provider | Purpose | Data shared |
|---|---|---|
| Notion | Per-client workspace storage | Resume, job listings, contact records, outreach drafts |
| Apify | LinkedIn job & profile scraping | LinkedIn search URL, profile slug |
| Apollo.io | Decision-maker contact discovery | Target company & role criteria |
| Anthropic (Claude) | Job scoring, outreach drafting, intent classification | Resume text, job descriptions, reply text (sales flow) |
| OpenAI | Legacy embeddings & chat models on a few internal tasks | Anonymized text excerpts |
| Stripe | Subscription billing | Email, name, payment method (handled directly by Stripe) |
| Vercel | Marketing site & portal hosting | HTTP request metadata, edge logs |
| Cloudflare | DNS & CDN for the n8n webhook layer | HTTP request metadata |
| Google Workspace | Outbound email (welcome, transactional, operator alerts) | Recipient email, message contents |
| Upstash Redis | Encrypted Gmail OAuth token storage | Encrypted refresh tokens (paid tier only) |
| Instantly | Cold-email delivery for the Phantom Sales internal flow only — does not handle customer data | None (sales flow uses separate Job Seeker rows, not customer rows) |
| GitHub | Source-code hosting for the platform itself | None (no customer data) |
7. Your Privacy Rights
7a. CCPA / CPRA Rights (California Residents)
If you are a California resident, you have the right to:
- Know: request a copy of the personal information we hold about you and the categories of sources/uses.
- Delete: request deletion of your personal information.
- Correct: request correction of inaccurate personal information.
- Portability: receive your data in a machine-readable format.
- Non-discrimination: we will not deny service or change pricing based on you exercising any of these rights.
- Opt out of sale or sharing: we do not sell or share your personal information for cross-context behavioral advertising.
To exercise any right, email hello@phantomworkflows.com with the subject "CCPA Request". We will verify your identity and respond within 45 days.
7b. GDPR / UK GDPR Rights (EEA / UK Residents)
If you are in the European Economic Area or the United Kingdom, you have the right to:
- Access, rectify, or erase your personal data.
- Restrict or object to processing.
- Data portability in a machine-readable format.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with your local supervisory authority.
Lawful bases we rely on:
- Contract: processing your intake data to deliver the Service you signed up for.
- Legitimate interest: aggregated analytics and service improvement.
- Consent: optional analytics cookies and Gmail OAuth.
To exercise any right, email hello@phantomworkflows.com with the subject "GDPR Request".
7c. Children's Privacy
The Service is not directed at individuals under the age of 13, and we do not knowingly collect personal information from children. If you believe we have inadvertently collected such data, email us and we will delete it promptly.
7d. International Data Transfers
We are a U.S.-based company. Several subprocessors (Vercel, Anthropic, OpenAI, Stripe, Google) operate in the U.S. By using the Service from outside the U.S., you consent to the transfer of your data to the U.S. For EEA/UK residents, we rely on the Standard Contractual Clauses (SCCs) approved by the European Commission for such transfers, supplemented by the technical measures described in Section 4.
7e. Do Not Track & Global Privacy Control
We honor browser-level Global Privacy Control (GPC) signals. When GPC is enabled, we treat it as an opt-out from analytics cookies and any future signal-based sharing. The legacy DNT header is also respected. You can enable GPC in browsers that support it (Brave, Firefox with extensions, DuckDuckGo).
8. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email to active subscribers and a notice on the marketing site. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after changes constitutes acceptance.
9. Contact
Questions about this policy, privacy requests, or anything else? Reach us at hello@phantomworkflows.com. Mailing address is on the Contact page.