Sypher

Sypher · Privacy

Your data, on a tight leash.

We built Sypher because the tools we wanted didn’t exist — and the ones that did quietly turned the user into the product. Here’s the honest version of what we keep, what we don’t, and where the line is.

Last updated · 8 May 2026

What we collect

Sypher collects the smallest amount of personal data we can get away with while still being a useful set of tools. When you sign in, we receive your name, email, profile picture, and a stable account ID from your identity provider. That's the entire account record at the platform layer.

Beyond that, the data inside each tool is whatever you put there. In Pegasus, that's the applications, notes, resumes, and AI prompts you create. In future tools, the categories will be different but the rule is the same: only what you explicitly hand over, never anything enriched, scraped, or cross-referenced against external databases.

What we don't collect

We don't track you across the web. There are no third-party analytics SDKs, no behavioural pixels, no fingerprinting, no ad networks. We don't read your inbox, scrape your social profiles, or pull anything from your browser beyond what you've explicitly typed into a Sypher interface.

Where it lives

Application data sits in a Postgres database, with row-level isolation per user. File uploads (resumes, cover letters, anything similar) go to Cloudflare R2 with private signed URLs — nobody outside the app can list or download them. Both tiers are encrypted in transit (TLS) and at rest. Backups follow the same encryption.

When you ask one of our AI features to write a cover letter or critique a resume, the contents of that single request are passed to our LLM provider for inference and then discarded. The provider doesn't retain the prompt or use it for future training.

Who else sees it

A small set of vendors get a narrow slice of data, and only what they need to do their job:

  • Google — handles the OAuth sign-in handshake.
  • Cloudflare R2 — stores files you've uploaded.
  • Our LLM provider — receives the contents of an AI request only at the moment you trigger it.
  • Stripe (when paid tools land) — handles the billing handshake. They see the email and payment method, never the contents of your account.

Your controls

You can edit or delete any item in any tool at any time. If you want everything gone — account included — email us and we'll wipe the row tree across every tool you've used. No retention games, no dark-patterned "are you sure?" loops designed to talk you out of it.

Cookies

We use one thing that walks like a cookie: a JWT in localStorage that proves you're logged in. We don't set tracking cookies, advertising cookies, or anything that would make a cookie banner necessary.

Tools inherit this policy

Every tool inside Sypher — Pegasus today, more tomorrow — operates under this same policy. If a specific tool needs to handle a category of data not covered here (say, recordings, or bank links), the tool's own page will describe that category before you give it to us, and the broader principles still apply.

Changes to this policy

If we change anything material, we'll update the "Last updated" date below and post a note in the changelog. We won't quietly broaden what we collect.

Get in touch

Questions, requests, or concerns: reply to any system email. A real person reads it.