Legal
Privacy Policy
Last updated: May 12, 2026
This Privacy Policy describes how Breaking In ("Breaking In," "we," "us," or "our"), operated by Breaking In Technologies LLC, collects, uses, stores, and discloses information when you use the Breaking In web application at breaking-in.io (the "Service"). By using the Service, you agree to the practices described in this policy.
Breaking In is a recruiting pipeline tracker, AI copilot, interview practice tool, and mentor marketplace built for candidates pursuing roles in investment banking, private equity, growth equity, venture capital, and hedge funds.
1. Information we collect
1.1 Information you provide
When you create an account and use the Service, we collect:
- Account information: email address, password (stored hashed), and display name.
- Pipeline content: firms, contacts, actions, notes, tags, and status labels that you create inside the app.
- Chat content: messages you send to Donna, our AI assistant, and the conversation history associated with your account.
- Practice activity: the questions you attempt, your answers, AI grader feedback, and your scores.
- Optional API keys: if you supply your own Anthropic API key for Donna, it is stored encrypted and used only to proxy your requests to Anthropic.
- Billing identifiers and credit ledger: when you subscribe or purchase top-up credits, we store the Stripe customer ID and subscription ID associated with your account, your subscription status, your current billing period, and an audit log of credit allotments, top-ups, and consumption. We do not store your full card number, CVV, or bank details — those are collected and handled directly by Stripe, our payment processor.
1.2 Public profile information
You can fill in a public profile inside the Service — display name, title, school, and a short bio. Anything you put in your public profile is visible to other Breaking In users, including members of any group chat you share with them. Your display name and title also appear next to your messages in group chats.
These fields are optional. You can edit or clear any of them at any time from the Public Profile section in Settings. Your private Donna-context fields (recruiting goal, current role, target firm types, additional context) stay private and are never shown to other users.
1.3 Information we collect automatically
- Session data: authentication cookies and session tokens issued by our authentication provider (Supabase).
- Server logs: standard web server logs including IP address, user-agent, request path, and timestamp, used for operations and debugging. Logs are retained for up to 30 days.
1.4 Google user data
If you choose to connect your Google Calendar to Breaking In, we request your permission to access the following scope through Google's OAuth 2.0 authorization flow:
- https://www.googleapis.com/auth/calendar.events — view and edit events on the calendars you grant access to.
We receive and store a Google OAuth access token and refresh token associated with your Breaking In account. These tokens let the Service create, read, update, and delete calendar events on your behalf — strictly for the purpose of scheduling interviews, coffee chats, and follow-up reminders that you explicitly ask Breaking In to create.
In addition to creating events you explicitly ask Breaking In to create, we will read your existing calendar events to (a) detect scheduling conflicts when proposing new event times, and (b) reflect reschedules or cancellations you make directly in Google Calendar back into your Breaking In recruiting timeline. We only read event titles, start/end timestamps, and event IDs — we do not read attendees, descriptions, or other metadata beyond what is necessary for these features. This two-way read functionality is currently in development and will be enabled after Google's OAuth verification process is complete.
Breaking In's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
1.5 How we obtain consent
We request Google Calendar permissions via Google's standard OAuth 2.0 consent screen, presented in-context the first time you click "Connect Google Calendar" in Breaking In's Settings page. We do not request these permissions during initial signup or as a precondition for using the rest of the product — Google Calendar integration is entirely optional. You can disconnect Google Calendar at any time from the same Settings page, which revokes the stored refresh token through Google's revocation endpoint and deletes all stored calendar event records associated with your account within 30 days.
2. How we use information
We use the information we collect to:
- Operate, maintain, and improve the Service.
- Render your pipeline, contacts, actions, chat history, practice scores, and mentor sessions inside the app.
- Power Donna, our AI assistant, by sending the minimum necessary conversation context to our language-model provider (Anthropic).
- Schedule and modify calendar events on your behalf when you connect Google Calendar.
- Send transactional emails related to your account (password resets, security alerts, appointment confirmations).
- Respond to support requests and user feedback.
- Detect, prevent, and address fraud, security issues, and violations of our Terms of Service.
3. Limited Use of Google user data
Breaking In's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Consistent with the Google API Services User Data Policy's Limited Use requirements, Breaking In's use of Google user data is strictly limited as follows:
- We only use Google user data to provide user-facing features inside Breaking In — specifically, creating and managing calendar events that you ask the Service to create.
- We do not transfer Google user data to third parties, except as necessary to provide or improve user-facing features that are prominent in the Service, to comply with applicable law, or as part of a merger, acquisition, or sale of assets (in which case successors inherit the same commitments).
- We do not use Google user data to serve advertisements, including personalized, retargeted, or interest-based ads.
- We do not allow humans to read Google user data, except (a) with your explicit consent for specific messages, (b) where necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized and is used only for internal operations.
4. How we store and protect information
Your account data is stored on Supabase (built on Amazon Web Services infrastructure). All data is encrypted in transit over TLS 1.2+, and at rest using industry-standard encryption. Passwords are hashed using bcrypt. Google OAuth refresh tokens are stored encrypted at rest and are never returned in any API response or client-side render.
We restrict access to personal data to authorized personnel who need it to operate the Service. We do not sell personal data.
5. Sharing and disclosure
We share information only in these limited circumstances:
- Other Breaking In users. Your public profile (display name, title, school, bio) is visible to other signed-in users, including on your /profile/[id] page and anywhere your name appears in a shared group chat. You control what's in your public profile and can edit or clear it at any time in Settings.
- Group chat members. Members of a group chat you join can see your display name, title, and messages you post in that group. Leaving a group removes you from its member list; messages you already sent remain visible to other members for message history continuity.
- Service providers that power parts of the Service, under contractual data protection obligations: Supabase (database, authentication), Resend (transactional email), Stripe (subscription billing, top-up payments, mentor sessions, and promotion code redemption), Vercel (hosting), and Google (calendar scheduling when you connect it).
- Anthropic (AI model inference for Donna) — we send Donna conversation messages to Anthropic's Claude API to generate responses. When you discuss a calendar event with Donna in chat (e.g., "reschedule my Goldman coffee chat"), the event title and time are included in the message context sent to Anthropic. Anthropic operates under zero-retention API terms: input and output data are not retained beyond the immediate response and are not used to train Anthropic's models.
- Mentor marketplace counterparties. If you book a mentor session, we share your name, email, and any note you provide with the mentor so they can prepare for the call.
- Legal compliance. If required by subpoena, court order, or applicable law, and only to the extent legally required.
- Business transfers. If Breaking In is acquired, merged, or reorganized, information may transfer to the successor entity subject to this policy.
6. Data retention and deletion
We retain your account data for as long as your account is active. You may delete your account at any time from inside the Service, or by emailing help@breaking-in.io with a deletion request. Upon account deletion:
- We delete your pipeline, contacts, actions, chat history, practice activity, profile, and any stored API keys within 30 days.
- We revoke and delete any stored Google OAuth tokens associated with your account and stop making API calls on your behalf. You can also revoke Breaking In's access at any time from your Google Account permissions page.
- Server logs and backups containing your data are purged on their normal retention cycle (maximum 30 days for logs, 35 days for backups).
7. Your rights
Depending on where you live, you may have rights under laws such as the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and similar regulations. These may include:
- The right to access the personal data we hold about you.
- The right to correct inaccurate data.
- The right to delete your data ("right to be forgotten").
- The right to export your data in a machine-readable format.
- The right to object to or restrict certain processing.
- The right to withdraw consent at any time (including revoking Google Calendar access).
- The right to lodge a complaint with a supervisory authority.
To exercise any of these rights, email help@breaking-in.io. We will respond within 30 days.
8. Children
Breaking In is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe we have, please email help@breaking-in.io and we will delete it.
9. International users
Breaking In is operated from the United States. If you use the Service from outside the U.S., you consent to the transfer, storage, and processing of your information in the United States, which may have data protection laws different from those in your country.
10. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, if the changes are material, notify you by email or through an in-app notice. Continued use of the Service after changes become effective constitutes your acceptance of the revised policy.
11. Contact
Questions, requests, or concerns about this Privacy Policy or your data? Contact us at help@breaking-in.io.
Operator: Breaking In Technologies LLC · Governing law: State of Delaware, United States.