Privacy, security, and technical reviewers who need more operational detail than the main packet.
Technical Trust Appendix
Privacy, retention, and technical handling appendix
Use this when a reviewer wants concrete retention windows, token handling, provider boundaries, and minimization details without needing a longer custom follow-up first.
Blacklight Resumes is operated by Blacklight AI Resumes Inc.
Retention windows, provider handling, hashed tokens, accessibility/document-delivery posture, minimization, and bounded operational controls.
Pair it with the main packet when a review moves past summary-level trust questions.
Use after the packet
Open this once the review needs operational detail, not just a summary
This appendix is for retention windows, token handling, provider boundaries, analytics posture, and other operational questions that usually arrive after the packet has already established the high-level trust picture.
Keep the packet as the circulation document when the review only needs a credible first review summary.
Use the trust contact flow when the appendix still is not enough and your team needs formal questionnaire or procurement follow-up.
Technical posture in plain language
These are the operational boundaries most reviewers ask for after the initial packet has already done its job.
Data stays tied to the service path
Blacklight collects and keeps the data it needs to generate, deliver, support, and govern resume requests. It is not built around ad tracking, resale, or off-site behavioral profiling.
Application records are not open-ended
Normal retention, scheduled minimization, and purge behavior are part of the system. A deletion request speeds up removal for a specific person or request, but it is not the only reason cleanup happens.
Billing records are retained separately
Invoice copies, payment status history, and contract-linked billing records follow a longer business-record retention schedule than resume artifacts because accounting, audit, dispute, and collections needs do not end on the same timeline as request delivery.
Tokenized access is bounded
Access tokens used for status links, campaigns, feedback, and similar flows are handled as hashes in storage so the raw token is not the system record.
Partner controls are scoped
Partner operations such as reporting, hosted-link management, and billing changes are role-scoped and, where applicable, location-scoped rather than broadly visible to every partner user.
Retention windows
These are the current baseline windows reflected in the application policy snapshot. Different record classes have different windows because delivery, privacy handling, support, and accountability do not all need the same retention period.
Delete-request delay
3 daysPrivacy deletion requests are queued with a short delay window before purge processing begins.
Case-file retention
120 daysOne recoverable case file is retained briefly for operations, support, and dispute handling unless a legal hold applies.
Billing records / invoice copies
7 yearsBilling records, invoice copies, payment status history, and contract-linked commercial records are retained longer than resume artifacts for accounting, audit, dispute, collections, and legal needs.
Email outbox content
30 daysTransactional email content is redacted on schedule and also redacted earlier on privacy purge when linked to a request.
Audit events
30/730 daysIP address, user-agent, and similar request-origin details age out first; the broader audit record remains longer for accountability.
Site events
30/180 daysIP address, user-agent, and similar request-origin details are minimized earlier than the site event record itself.
Queue payloads
7/90/180 daysPayload trim happens first, followed by different succeeded and failure retention windows.
Contact attachments / tickets
6 / 12 monthsAttachments clear sooner than the support ticket record that documents the interaction.
What gets minimized or removed
Cleanup is an operational behavior, not an afterthought reserved only for exceptional privacy requests.
Stored delivery files and uploaded source documents are removed on schedule rather than retained indefinitely.
One short-lived recoverable case file is retained briefly for operations, dispute handling, and continuity unless a legal hold requires more time.
Billing records and invoice copies can remain on a longer retention schedule even when request artifacts are later minimized or purged.
Personal details in request records are scrubbed or minimized when purge workflows complete.
Transactional email content linked to a request is redacted on schedule and earlier when privacy purge requires it.
Older request-origin details such as IP address and user-agent data are removed or minimized before the longer-lived event record ages out.
Operational queue payloads are trimmed before the underlying job records are later deleted on their own schedule.
When a request is fully purged, the remaining record is reduced to the minimum state needed to show that the purge occurred.
Confirmation and audit follow-through still happen, but they do not depend on keeping the original personal-information payload intact.
Hashed identifiers and bounded tokens
Where tokenized access or low-friction abuse controls are needed, the system uses hashed values so the stored record is the hash, not the original token or raw input.
Status-link tokens are stored as hashes rather than as reusable raw tokens in the database.
Campaign and embed access tokens are hashed before lookup/storage so the raw token is not the system record.
Feedback and contact verification tokens follow the same pattern: the raw value is used once, while the stored record is the hash.
Upload rate limiting and some access-request abuse checks use hashed IP values rather than keeping the raw client IP in the application record for that purpose.
Analytics use anonymized or hashed session linkage and respect Do Not Track instead of relying on third-party tracking scripts.
Analytics and public-site privacy stance
The public surface stays intentionally light on tracking so trust review does not have to unravel an ad-tech or audience-profile stack first.
Cookie-light public experience
The public site is intentionally light on tracking. The current policy stance is no off-site trackers and no advertising-cookie stack layered across the site.
Local preference storage
Some user experience preferences, such as theme selection, may be stored locally in the browser. That is separate from third-party tracking or ad-tech profiling.
Do Not Track respected
Internal analytics route through first-party handling and respect Do Not Track rather than relying on external tracking scripts to build audience profiles.
AI processing boundaries
The appendix keeps AI claims narrow and operational. It explains where model processing is used and what remains the business record.
Where AI is used
AI is used inside the resume-generation workflow and supporting analysis tasks, not as a general-purpose chat layer spread across the whole product.
What is kept as the business record
Blacklight keeps its own request records, outputs, status data, and delivery artifacts in its system. The application does not depend on an external chat history as the official record of the service.
Billing access is limited
Billing records, invoice copies, and payment state are intended for billing, admin, finance, support, legal, or similarly authorized roles with a legitimate operational need, rather than broad partner-wide visibility by default.
API storage setting
OpenAI API requests in the current workflow are configured with response storage turned off, so the service is not asking OpenAI to store responses for later API retrieval.
Accessibility and delivered-document handling
Reviewers often ask whether accessible handling stops at the webpage. The current answer is no: the posture now covers both key web flows and the plain-text DOCX files generated for delivery.
Web-surface baseline
Key public review surfaces and preview-safe portal shells are part of the automated accessibility validation path, so the accessibility posture is not just a point-in-time manual opinion.
Certification boundary
Blacklight should describe the current target as a practical WCAG 2.2 AA posture with meaningful automated coverage, not as a formal accessibility certification or completed external audit.
DOCX semantic structure
Delivered resume and cover-letter DOCX files now use semantic headings, real list structure, numbering, default language metadata, and document properties instead of relying on bare paragraph output alone.
ATS-safe formatting restraint
The document path still avoids tables-for-layout, text boxes, multi-column structure, and other decorative patterns that can complicate ATS parsing, so the accessibility improvement does not depend on visually complex Word formatting.
Core providers
The provider footprint is narrow and tied directly to the service path.
Supabase
Application database, auth, and storage.
Stripe
Payment processing and invoice/payment records.
Postmark
Transactional email delivery.
Cal.com
Partner commercial, trust, and onboarding booking workflows where scheduling is enabled.
Cloudflare
Web delivery and edge infrastructure.
OpenAI
Bounded model processing inside the resume-generation workflow; API calls are configured not to store responses for later retrieval.
Partner operational handling
Public trust material stays high-level, but these are the operational guardrails the appendix is meant to clarify.
Hosted links and embeds are managed through explicit partner controls rather than unmanaged raw links alone.
Partner reporting is designed around aggregate and scoped visibility, including location-aware reporting where the account configuration supports it.
Recurring partner billing changes are represented as explicit state transitions such as active plan, scheduled change, or meeting-based review.
Trust, commercial, and onboarding review workflows can route through booking and support paths without requiring those meeting records to become the system of record for request content.
When to ask for more detail
If your institution needs answers beyond this appendix, the next step is the trust contact flow or a formal questionnaire exchange. That is the right point for deeper institution-specific review rather than turning the public trust center into an internal runbook.