Privacy Policy

Last updated: June 2026

What we collect

When you create an account, we collect your name, email address, university, degree, and year of study. If you upload a CV, it is stored securely and used solely to personalise your outreach emails. We also store your pipeline data, email drafts, and sending history.

How we use your data

Your profile information is used to generate personalised cold outreach emails on your behalf. Your CV text is extracted and used as context for email generation. We do not sell, share, or distribute your personal data to any third parties. Your data is used exclusively to provide the Severn service. We do not use your data — including any Google user data — to develop, improve, or train generalised or personalised AI or ML models.

Gmail access (Google OAuth)

If you connect your Gmail account, Severn uses Google OAuth and requests two scopes:

  • gmail.send — to send the outreach and follow-up emails you compose and approve in Severn, from your own Gmail account.
  • gmail.readonly — to detect and read replies to the emails you sent through Severn, so we can mark a contact as replied and help you draft a response.

When checking for replies, Severn reads only messages relevant to your outreach: bounce notifications, and replies whose sender matches an address you contacted through Severn. For a matched reply, we read the sender, subject, date, and the plain-text body. We do not read, index, scan, or process the rest of your mailbox, and we do not access your contacts.

The text of a matched reply is stored against your account so we can display it and, if you choose, generate a suggested response. You can remove this at any time by deleting the contact from your pipeline, or by deleting your account.

Severn does not use Gmail data (message content, metadata, or replies) to develop, improve, or train any generalised or personalised AI or ML models. Reply text is sent to our AI processor only to generate a draft for you, at the moment you request it.

Email sending via app password (alternative)

If you connect using an app password instead of Google OAuth, your app password is encrypted using AES-256-GCM before being stored and is decrypted only at the moment of sending or when checking for replies via IMAP. The same reply-checking limits described above apply: Severn reads only bounce notifications and replies from addresses you contacted.

Data storage and security

Your account data is stored on Supabase (hosted on AWS in the EU, region eu-west-1, Ireland). Passwords are hashed using scrypt with a unique salt. App-password credentials are encrypted with AES-256-GCM. Session tokens expire after 7 days. CV files are stored in encrypted cloud storage with access restricted to your account. All API endpoints that handle personal or firm data require authentication.

Firm and contact data

The firm database contains publicly available information sourced from company websites, Companies House filings, and the FCA Register. Contact email addresses are generated using publicly observable patterns and verified where possible via SMTP. No private or restricted databases are used.

Email tracking

If you are on a paid plan, Severn includes a 1x1 tracking pixel in sent emails to detect when a recipient opens your message. This data is stored against your account and is not shared. Recipients are not individually identified beyond their email address.

Third-party data processors

To provide the service, your data may be processed by the following third parties, each under their own privacy policies:

  • Supabase (database hosting, EU region)
  • Vercel (application hosting)
  • Stripe (payment processing — we never see or store your card details)
  • Anthropic (AI email and reply generation — your profile context, and the text of a reply when you request a draft, are sent to generate output in real time; under Anthropic's commercial API terms this data is not used to train their models)
  • Google (Gmail API and SMTP — sending email from, and reading replies to, your own connected Gmail account)
  • Finnhub, FRED, Yahoo Finance (market data — no personal data shared)

Data retention

Your data is retained for the duration of your account. When you delete your account, all personal data is permanently removed within 30 days, including your profile, pipeline, sent history, CV files, and SMTP credentials. Anonymised analytics data (e.g. aggregate reply rates) may be retained indefinitely.

Your rights (GDPR)

If you are in the UK or EU, you have the right to access, correct, export, or delete your personal data at any time. You can delete your account from the dashboard. To request a data export or exercise any other right, contact us at the address below. Our lawful bases for processing are legitimate interest (providing the service you signed up for) and consent (for optional features like email tracking).

Cookies and local storage

Severn uses browser sessionStorage to maintain your login session and localStorage for UI preferences (e.g. row density). We do not use third-party tracking cookies. No advertising or analytics cookies are set.

Age restriction

Severn is intended for users aged 18 and over, primarily university students and recent graduates. We do not knowingly collect data from anyone under 18.

Contact

For any privacy-related questions, data requests, or concerns, contact us at privacy@severn.app.