Privacy Policy
Last updated: 2026-05-26
Who we are
STRMLYN is built for travel nurses and assignment-based workers to organize their credentials, job leads, offers, schedule, resume, and supporting documents in one place. This policy explains what data we collect, why, and how to control it.
Contact for privacy questions: support@strmlyn.io
Data we collect
You provide it directly
- Account: email address, password (or social-sign-in identifier)
- Profile: name, phone, specialty, years of experience, license states, preferred states, bio
- Credentials: license numbers, certification names, issuing organizations, issue and expiration dates, and optional uploaded documents (PDFs / images of cards)
- Job pipeline: leads you save, submissions, offers, assignments — including facility names, locations, pay details, dates, and notes
- Profile sections: references, vaccinations (including optional document uploads), generic documents, education history, skills checklist, benefits, travel-loyalty memberships (airline / hotel / rental / TSA PreCheck account numbers and preferences)
- Schedule: shifts (date, time, type, optional notes) and recurring series
- Resume: an uploaded PDF and any AI reviews / rewrites generated from it
Collected automatically
- Session tokens and refresh tokens issued by our auth provider so you stay signed in
- Basic technical logs (IP address, user agent, request paths) retained by our infrastructure providers for security and abuse prevention; we do not run our own analytics
How we use it
- Show you your own data inside the app
- Pre-fill credentialing forms, application packets, and resumes from your profile
- Score and (optionally) rewrite your uploaded resume against job leads you select, using Anthropic Claude as the language model
- Send job applications on your behalf when you click "Apply" (via Resend; we never email anyone you have not selected)
- Ingest job postings from Adzuna's public job feed when you choose to refresh leads
Third parties we share data with
The following processors receive the data they need to perform their part of the service. We do not sell data to third parties and we do not share data for advertising.
- Supabase — primary database, storage, and auth (data hosted in their managed Postgres / S3-equivalent buckets)
- Vercel — web hosting for strmlyn.io
- Anthropic — receives your resume PDF + the job lead you selected when you run an AI resume review or rewrite. Anthropic does not train on data submitted via the API per their published policy.
- Adzuna — public job-feed provider; we send no personal data to them, only fetch listings
- Resend — outbound email when you click "Apply" with a recruiter email destination
- Apple / Google — when you sign in with a social provider, only the identifier we need to authenticate you
Where it lives
Database and files are hosted in Supabase's US infrastructure. Edge functions (the AI features, application send, lead ingest) run in Supabase's edge runtime, also US. Web frontend is served by Vercel's global CDN.
How long we keep it
- Account data (profile, credentials, assignments, etc.): for as long as your account exists. Hard-deleted within minutes when you use the in-app Delete account button
- Uploaded files (credential documents, vaccine cards, resumes, marketplace photos): deleted alongside the account
- Resume AI reviews: kept linked to the resume; deleted with it
- Square subscription records: cancellation flows immediately to Square; locally retained as long as the account exists for billing-history transparency
- Technical logs at Supabase / Vercel infrastructure layer: retained per their policies (typically ≤ 30 days for routine access logs)
AI-generated content
STRMLYN uses Anthropic Claude as the language model behind three features:
- Resume Review — scores your resume against a job lead and lists specific gaps and suggestions
- Resume Rewrite — produces a targeted resume draft using your existing experience. The model is explicitly instructed not to invent experience you don't have; output is yours to edit before sending
- Bulk Upload Extract — reads PDF / image credentials and extracts fields you confirm before saving
Per Anthropic's published API policy, content submitted to their API is not used to train their models. We do not pre-train any model ourselves. You are responsible for reviewing AI-generated output before sending it to an employer or recruiter.
Security
Every table in our database enforces row-level security so that you can only read, modify, or delete records owned by your account. File uploads are stored in private storage buckets gated by your user id. Only the Supabase anonymous key is embedded in the client; the privileged service key never leaves the server. Passwords are hashed by our auth provider — we never see them in plaintext. On mobile, session tokens are stored in the OS keychain (iOS) or encrypted SharedPreferences (Android), not in plaintext storage.
A more detailed security policy lives at strmlyn.io/security.
Breach notification
If we confirm a security incident that affects your data, we will notify you by email within 72 hours of confirming it. The notice will include what happened, what data was affected, what we're doing about it, and what you should do.
HIPAA
STRMLYN is a personal organization tool for licensed healthcare professionals. It is not a covered entity, a business associate, or a clearinghouse under HIPAA. The credentials, vaccination records, and other data you store here are your own records — not protected health information transmitted by a healthcare provider in a treatment, payment, or operations workflow. HIPAA's framework does not apply to this product.
Your rights and choices
- Access: every piece of data we hold about you is visible to you inside the app
- Correction: edit your profile, credentials, and any section from inside the app
- Deletion: hard-delete your entire account in-app via Settings → Danger zone → Delete account. Wipes your profile, credentials, uploads, subscription, and sign-in within minutes. Individual row soft-deletes (e.g., archiving a credential) also available from within each section
- Export: email us to request a JSON export of your data
If you are in the EU/EEA, UK, or California, the same access / correction / deletion rights apply under GDPR / UK-GDPR / CCPA respectively.
Children
STRMLYN is intended for licensed healthcare professionals and is not directed to children under 13. We do not knowingly collect data from anyone under 13.
Changes
We will update this page when the data we collect or how we use it changes. The "last updated" date at the top reflects the most recent change.