Last updated: April 2026
When you create an account, we collect your name, email address, university, degree, and year of study. If you upload a CV, it is stored securely and used solely to personalise your outreach emails. We also store your pipeline data, email drafts, and sending history.
Your profile information is used to generate personalised cold outreach emails on your behalf. Your CV text is extracted and used as context for email generation. We do not sell, share, or distribute your personal data to any third parties. Your data is used exclusively to provide the Severn service.
Emails are sent from your own Gmail account using an app password you provide. Your Gmail app password is encrypted using AES-256-GCM before being stored on our servers and is only decrypted at the moment of sending. Severn acts as an intermediary to send emails on your behalf through Google's SMTP servers. We never access your Gmail inbox, contacts, or any data beyond sending outreach emails you have explicitly drafted and approved.
Your account data is stored on Supabase (hosted on AWS in the EU region). Passwords are hashed using scrypt with a unique salt. SMTP credentials are encrypted with AES-256-GCM. Session tokens expire after 7 days. CV files are stored in encrypted cloud storage with access restricted to your account. All API endpoints that handle personal data require authentication.
The firm database contains publicly available information sourced from company websites, Companies House filings, and the FCA Register. Contact email addresses are generated using publicly observable patterns and verified where possible via SMTP. No private or restricted databases are used.
If you are on a paid plan, Severn includes a 1x1 tracking pixel in sent emails to detect when a recipient opens your message. This data is stored against your account and is not shared. Recipients are not individually identified beyond their email address.
To provide the service, your data may be processed by the following third parties, each under their own privacy policies:
Your data is retained for the duration of your account. When you delete your account, all personal data is permanently removed within 30 days, including your profile, pipeline, sent history, CV files, and SMTP credentials. Anonymised analytics data (e.g. aggregate reply rates) may be retained indefinitely.
If you are in the UK or EU, you have the right to access, correct, export, or delete your personal data at any time. You can delete your account from the dashboard. To request a data export or exercise any other right, contact us at the address below. Our lawful basis for processing is legitimate interest (providing the service you signed up for) and consent (for optional features like email tracking).
Severn uses browser sessionStorage to maintain your login session and localStorage for UI preferences (e.g. row density). We do not use third-party tracking cookies. No advertising or analytics cookies are set.
Severn is intended for users aged 18 and over, primarily university students and recent graduates. We do not knowingly collect data from anyone under 18.
For any privacy-related questions, data requests, or concerns, contact us at privacy@severn.app.