Privacy Policy
Last updated: May 13, 2026
Who we are
Step (“we”, “Step”) operates the website step.careers. We are the data controller for the personal data described below. We're a small team based in Italy and the UK building career-advice software for early-career professionals worldwide.
Contact: hi@step.careers.
What we collect
Account data
When you sign in via Google or email magic link, we receive and store your email address and (from Google) your display name and profile photo URL. We do not receive your Google password. For magic-link sign-in we generate a short-lived verification token sent to your inbox.
Career profile data (the form)
When you generate a plan in /beta we collect what you type into the form: career stage, field, skills, interests, your current dilemma, studies, past positions, languages, salary band (optional), location preference (optional), and your 5-year future-self description.
If you upload or paste a CV, the parser extracts a structured profile in memory. The original PDF/DOCX is not stored. The extracted text is used to pre-fill the form and you can edit any field before submitting.
Generated content
When you submit the form, we send the structured profile to Anthropic Claude and Voyage AI (see “Sub-processors” below) to retrieve similar real career paths from our dataset and generate ranked recommendations. The resulting plan is stored if you are signed in (so you can revisit it from /account) and may be cached anonymously for service quality monitoring.
Technical data
On every session we record an SHA-256 hash of your IP address (not the address itself) and your browser's user-agent string, for rate-limiting and abuse prevention. Sentry receives error stack traces when something breaks server-side; these may include URL paths and a minimal user identifier but never form content.
Payment data
If you purchase Premium, Stripe processes your payment directly and we never see card numbers. We store a Stripe customer identifier so we can match subscription events back to your account, plus your Premium expiry timestamp.
Analytics
We use PostHog (EU-hosted) for product analytics. We capture anonymised events such as “result_received” or “premium_card_clicked” without form content. We do not share analytics data with advertising networks.
Why we use it
Our legal bases under the GDPR:
- Performance of a contract — to operate your account, generate plans, deliver Premium features, and send transactional emails (sign-in links, payment receipts).
- Legitimate interest — security, fraud prevention, service-quality monitoring, and product improvement. You can object at any time.
- Consent — for the Premium check-in email series. Every check-in email contains a one-click unsubscribe link, and you can also toggle the cadence from /account.
- Legal obligation — payment, accounting, and tax records for purchases, as required by Italian and UK law.
Sub-processors
We use the following services to operate Step. They process personal data on our behalf under data-processing agreements:
- Vercel (USA & EU) — application hosting.
- Supabase (EU, Ireland) — Postgres database.
- Anthropic (USA) — Claude LLM. Receives the structured profile and the retrieved career paths to generate recommendations. Anthropic does not train models on API content per their default Commercial Terms.
- Voyage AI (USA) — embedding model used to find similar career paths.
- Stripe (USA & EU) — payment processing for Premium.
- Resend (EU) — transactional and check-in emails.
- Google (USA) — OAuth login.
- Cloudflare Turnstile (global) — bot protection.
- Sentry (EU) — error monitoring.
- PostHog (EU) — product analytics.
International transfers
Anthropic, Voyage, Stripe, Google, and Vercel (depending on region) process data in the United States. Transfers rely on the EU-US Data Privacy Framework where the vendor is certified, and otherwise on Standard Contractual Clauses (SCCs) approved by the European Commission.
How long we keep it
Account and profile data: until you delete your account. Generated plans: until you delete the plan (soft delete) or your account (hard cascade). Payment records: 10 years, as required by accounting law. Logs and analytics events: 90 days by default. IP hashes: 30 days.
Your rights
Under the GDPR you can:
- Access and download a copy of your data — one click from /account (“Download my data (JSON)”).
- Delete your account and all linked data — also from /account (“Delete my account”). The action is irreversible.
- Correct inaccurate data, restrict processing, or object to processing — email hi@step.careers.
- Withdraw consent at any time (e.g. unsubscribe from check-ins). Withdrawal doesn't affect processing already done.
- Lodge a complaint with your national supervisory authority (in Italy, the Garante per la protezione dei dati personali).
Cookies
We use a NextAuth session cookie (HTTP-only, secure, SameSite=Lax) to keep you signed in, and Cloudflare Turnstile may set a short-lived cookie during bot challenges. PostHog uses a first-party cookie for anonymous analytics; you can disable it through your browser's Do-Not-Track signal, which we honour.
Children
Step is not directed at users under 16. We don't knowingly collect data from anyone under that age. If you believe we have, email us and we'll delete the account.
Changes
We'll post any material changes on this page and update the “Last updated” date. If the change is significant (e.g. a new sub-processor with material risk), we'll email registered users in advance.