Attest · Legal
Attest Privacy Policy
Last updated 5 July 2026
This policy explains what data Attest handles and how. Attest is provided by Speedy Bloom Limited ("we", "us"), registered in Hong Kong at 19 Bonham Road, Floor 11 Flat A, Hong Kong; we are the data controller for the little we hold, and you can reach us about privacy at [email protected]. Like all our policies, this one is written to be specific and literal. Attest is deliberately built so that most of your data never reaches us at all. Our other tools are covered by our general Privacy Policy.
- Account
- None. No login, no email address, no password.
- Identity
- A random device ID generated in your browser. It contains no personal information.
- Your profile
- Stored in your browser's extension storage, on your machine. Never stored on our servers.
- Our servers keep
- Plan status and monthly usage counts, keyed to the device ID. Nothing else.
- AI processing
- Transient, via Anthropic. Not stored by us; not used to train AI models.
- Payment
- Handled by Paddle as merchant of record. We never see your card details.
1. Your profile stays in your browser
The profile you build in Attest — your work history, education, answers to common application questions, and anything else you add — is stored in Chrome's extension storage on your own machine. It is not uploaded to an account, because there is no account. You can view, edit, or delete any part of it at any time from the extension, and every field is optional. Removing the extension removes the profile from your browser.
2. What is sent when Attest fills a form
When you ask Attest to fill an application, it sends the form's field labels and questions, together with the matching facts from your profile, over an encrypted connection to our backend. The backend forwards that material to our AI processing provider, Anthropic, which generates the proposed fills. This processing is transient: the material exists on our systems only for the duration of the request, the response is returned to your browser, and our backend stores none of it — not your profile facts, not the form's questions, and not the generated fills. It is not used to train AI models. The only record our backend keeps of the request is a usage count (see section 5).
3. What is sent when Attest tailors (paid plan)
The tailoring layer works the same way, with one addition: the text of the job posting you are applying to is sent alongside your profile facts, so answers and cover letters can be drafted for that specific job. The same rules apply — transient processing via Anthropic, nothing stored by our backend, nothing used for training, and the draft is returned to your browser for your review.
4. Sensitive information — a candid note
Job applications routinely ask about work authorisation and visa status, salary expectations, citizenship, and voluntary EEO self-identification (gender, race or ethnicity, veteran status, disability status). Be clear-eyed about what Attest does with these:
- Such information is processed only if it is in your profile or on the form — you choose what your profile contains, and every field is optional.
- When present, it transits the same path as everything else: transiently, to generate the fill, and is not retained by our backend.
- Voluntary EEO and demographic questions are filled only when your profile explicitly states the exact matching answer. Attest never infers a demographic attribute from your name, your history, or anything else — if there is no exact stated match, the field is left for you.
5. What our servers store
This is the complete list of what our backend keeps:
- Your device ID — a random identifier generated in your browser, containing no personal information.
- Entitlement — your plan (free or paid), its status, a Paddle subscription reference if you subscribe, and the date your paid period ends.
- Usage counts — how many autofills and tailoring requests the device ID made in each calendar month, used to apply the free tier's fair-use ceiling.
There are no names, no email addresses, no profile content, no form content, and no generated text in our storage. We could not look up "your data" by your name, because we do not have your name.
6. Payments
Subscriptions are sold by Paddle.com Market Limited as merchant of record. Paddle collects your payment details and billing information under its own privacy policy; we never receive your card details. What we receive from Paddle is the subscription's status and reference, tied to your device ID, so the backend knows which device is entitled to the tailoring layer.
7. Service providers
- Anthropic — processes each fill or tailoring request transiently to generate the result. Not used to train AI models.
- Paddle (Paddle.com Market Limited) — merchant of record for subscriptions; processes payment under its own privacy policy.
- Render — hosts our backend service, which relays requests and keeps the entitlement and usage records described above.
- Cloudflare — hosts this website and processes standard request logs to deliver and protect it.
We never sell your data.
8. Retention and deletion
Your profile is yours to delete at any time, and removing the extension removes it from your browser. The device ID is kept in Chrome's extension storage (including Chrome's sync storage, so your usage record and any subscription survive a reinstall). On our side, entitlement and usage records are kept while they are needed to operate the service. To have the server-side records for your device deleted, email us with your device ID and we will remove them.
9. Legal bases
Where the EU/UK GDPR applies: we process fill and tailoring requests to perform our contract with you (generating the fills and drafts you asked for); we keep usage counts and entitlement records for our legitimate interest in operating the service fairly and preventing abuse; and transaction records are kept by Paddle, as merchant of record, to comply with legal obligations.
10. Your rights
Subject to applicable law, you may request access to, correction of, deletion of, or restriction of your personal data, object to certain processing, and request portability. Email [email protected] and we will respond within the time the law requires. One honest caveat that follows from how Attest is built: because we hold no identifying information, we can only locate server-side records if you give us your device ID — without it, we have no way to connect any record to you. If you are in the EU/UK, you also have the right to complain to your local data protection authority.
11. International transfers
We are based in Hong Kong, and our service providers may process data in other countries. Where we transfer personal data internationally, we rely on appropriate safeguards as required by applicable law.
12. Changes
If we change this policy materially, we will update the "last updated" date above. We encourage you to review it when you install Attest or start a subscription.
Privacy questions? Email [email protected].