1. Introduction

Welcome to PERM Tracker. PERM Tracker ("we," "our," or "us") operates permtracker.app. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web application for tracking Permanent Labor Certification (PERM) cases.

By using PERM Tracker, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use our service.

2. Information We Collect

Account Information

Email address — Used for account creation, authentication, and notifications
Name — Obtained via Google OAuth or entered during signup
Password — If you use email/password authentication, your password is securely hashed and never stored in plain text (managed by our authentication provider)

Case Data

Employer names and position titles
Beneficiary identifiers
Case status and progress information
Important dates (PWD filing, recruitment dates, etc.)
Notes and case-related documentation references
RFI/RFE information and response dates

User Preferences

UI settings (dark mode, sorting preferences)
Notification preferences (email, push, quiet hours)
Dismissed deadline alerts
Calendar sync preferences
AI chat action mode preferences

Technical Information

IP address and browser type
Device information and screen resolution
Usage patterns and interaction data
Performance metrics (page load times, Core Web Vitals)
Error logs and stack traces (for debugging)

3. How We Use Your Information

We use the information we collect to:

Provide and maintain the PERM tracking service
Authenticate your account and ensure security
Send email and push notifications about upcoming deadlines
Power the AI chat assistant with case context for relevant responses
Sync deadlines to your Google Calendar (if enabled)
Monitor application errors and improve reliability
Improve user experience and application features
Respond to customer support requests
Comply with legal obligations

4. Google OAuth Disclosure

PERM Tracker uses Google OAuth as one of our authentication methods. When you sign in with Google:

We access only your email address and display name
This information is used solely for authentication and account identification
We do not access your Google contacts, calendar (unless you separately enable Calendar Sync), or any other Google services
We do not share your Google account data with any third parties
We do not store your Google password

Our use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.

5. Data Storage & Security

Your data is stored securely using industry-standard practices:

Database: Convex backend platform hosted on Amazon Web Services (AWS) in US East (N. Virginia)
Encryption at Rest: 256-bit AES encryption for all stored data
Encryption in Transit: All data transmitted via TLS/HTTPS encryption
Access Control: Server-side authorization ensures each user can only access their own data through authenticated backend functions. Internal access to the database is restricted to authorized PERM Tracker personnel who may access your data only to provide technical support you have requested, diagnose and fix bugs, maintain service security and reliability, or fulfill legal obligations
Authentication: Managed by Convex Auth with secure session handling
Compliance: Our backend provider (Convex) is SOC 2 Type II compliant and GDPR compliant
Calendar Tokens: Google Calendar OAuth tokens are encrypted at rest using AES-256-GCM before storage
Employer FEIN: Federal Employer Identification Numbers are encrypted at rest using AES-256-GCM and decrypted only when displayed to the authenticated case owner

While we implement robust security measures, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security of your data.

6. AI Chat Assistant

PERM Tracker includes an AI-powered chat assistant to help you understand your cases, deadlines, and PERM processes. When you use the AI chat feature:

What Data Is Shared

Your chat messages and questions
Case data referenced in conversations (employer names, position titles, case status, dates, notes)
System-generated context (your name, case counts, current page)
Conversation history for context continuity

AI Service Providers

Your AI chat data is processed by the following third-party providers via their APIs. We use a multi-provider fallback system for reliability:

Google Gemini (Google LLC) — Primary AI provider. Retains data for up to 55 days for abuse monitoring only. Does not use API data to train models.
OpenRouter — AI model routing. Zero Data Retention (ZDR) by default; prompts are not stored.
Mistral AI — Fallback AI provider. API data is not used for model training.
Groq — Fast AI inference on US-based Google Cloud servers. Does not use API data for training when ZDR is enabled.
Cerebras — Emergency fallback AI inference. Does not use API data for model training.

Web Search

When the AI assistant performs web searches on your behalf, search queries are sent to:

Tavily — Primary web search provider
Brave Search — Fallback web search provider

Search queries are derived from your questions and do not include your personal information or case data.

Your Controls

You can choose not to use the AI chat feature
You can configure AI action modes (off, confirm, auto) in Settings
You can delete your conversation history at any time

IMPORTANT: Do not share Social Security numbers, passport numbers, financial account information, or other highly sensitive personal data in AI chat messages. The AI assistant is designed to help with case management, not to process sensitive identity documents.

7. Product Analytics

We use PostHog (PostHog, Inc.) for product analytics to understand how the application is used and to improve features.

What We Collect

Page views and navigation patterns
Feature usage events (e.g., creating a case, using AI chat)
Browser exceptions and JavaScript errors
Browser type, device information, and screen resolution

User Identification

When you are logged in, analytics events are linked to your account to help us understand usage patterns. Your identity is reset on logout so anonymous browsing is not linked to your account.

Data Routing

Analytics data is sent through a reverse proxy on our domain (permtracker.app/ingest) to PostHog's US servers (us.posthog.com). This means analytics requests appear as first-party traffic in your browser's network tab rather than as requests to a third-party domain.

PostHog acts as our data processor. For details, see PostHog's Privacy Policy.

8. Error Monitoring & Session Replay

We use Sentry (Functional Software, Inc.) to monitor application errors and improve reliability.

Error Tracking

JavaScript error messages and stack traces
Browser and device information (browser type, OS, screen size)
User actions leading to errors (page navigation, clicks)
Application performance metrics

Session Replay

To help diagnose errors, Sentry records anonymized session replays of page interactions for 10% of normal sessions and 100% of sessions where an error occurs.

All text content is masked — replaced with asterisks so no readable text is captured
All images and media are blocked — replaced with blank placeholders
Form input values are not recorded — keystrokes are redacted
Only page structure, mouse movements, clicks, and scrolls are captured

Privacy Protections

sendDefaultPii is disabled — cookies, user agent strings with PII, and request bodies are not sent
Request body data is stripped before transmission to Sentry
Sentry automatically scrubs credit card numbers, SSNs, and other PII patterns
Development environment events are suppressed (not sent to Sentry)

Sentry acts as our data processor under a Data Processing Agreement. For details, see Sentry's Privacy Policy.

9. Bot & Fraud Prevention

To protect our sign-up, sign-in, and password-reset forms from automated abuse, we use Cloudflare Turnstile, operated by Cloudflare, Inc.

Signals Collected by Turnstile

Per Cloudflare's Turnstile Privacy Addendum, the following signals are processed when a Turnstile challenge is rendered:

Client IP address
TLS fingerprint
HTTP User-Agent header
Your interactions with our forms (mouse movement, click timing)
The PERM Tracker sitekey and origin URL

Turnstile does not use third-party tracking cookies and does not read the contents of form fields you type (email, password, or name).

Cloudflare's Role

Cloudflare acts as our data processor when providing Turnstile to us, and as an independent data controller when using aggregated signals to improve its own bot-detection capabilities.

When Turnstile Appears

Sign-up: widget is always visible
Password reset: widget is always visible
Sign-in:widget is invisible for most visitors; an interactive challenge only appears if Cloudflare's risk analysis flags the attempt as suspicious

Legal Basis

We process this data on the basis of our legitimate interest in preventing fraud, spam, and abuse of our service (GDPR Art. 6(1)(f); CCPA service-provider disclosure).

For more detail, see Cloudflare's Turnstile Privacy Addendum and Cloudflare's Privacy Policy.

Vercel BotID (Invisible Bot Detection)

In addition to Turnstile, we use Vercel BotID on our AI chat and authentication API endpoints. BotID passively observes browser-level signals to distinguish humans from automated scripts, without requiring any user interaction or showing any widget.

BotID may process the following client signals:

TLS handshake fingerprint (JA4 digest)
Browser characteristics (rendering capabilities, engine internals)
JavaScript execution timing patterns
Pointer and interaction characteristics

BotID does not read the contents of the requests it protects (your chat messages, credentials, or form fields), does not use tracking cookies, and is invisible to legitimate users. Vercel Inc. operates the service; its verification data is processed in the United States. See Vercel's Privacy Policy.

Rate Limiting

We enforce multiple layers of rate limiting to prevent abuse: per-IP limits at the network edge (covering all traffic to sign-up, sign-in, password-reset, OTP verification, and AI chat endpoints), per-email limits on authentication actions, and per-user limits on hot backend mutations (case create, conversation create, notification marks, knowledge search, etc.). When a limit is reached, requests return an HTTP 429 response for the duration of the rate-limit window. We retain only the minimum counter state needed (request count + timestamp) and an internal abuse blocklist of IP addresses that trip limits repeatedly (auto-expired after 24 hours). Counter state is automatically purged when the window closes.

Automated Account Protection

If we detect an abnormal volume of failed sign-in attempts against the same account (for example, 10 failures within 30 minutes — the signature of credential-stuffing), we automatically place the account in a temporarily locked state for up to 24 hours to protect the legitimate owner. We notify our security team and record the event for audit. Owners of accounts placed in this state can contact support to appeal and have the lock lifted earlier.

10. Push Notifications

When you enable push notifications, your browser generates a unique subscription including an endpoint URL and encryption keys. We store this subscription data on your user profile to deliver deadline reminders and case alerts.

What We Collect

Endpoint URL — Browser-generated URL for receiving notifications
Encryption keys (p256dh, auth) — Browser-generated keys for secure message delivery

This data does not contain personally identifiable information and consists of technical identifiers generated by your browser.

Delivery Services

Notifications are delivered through your browser's push service (Google FCM for Chrome, Mozilla Push Service for Firefox, Apple Push Notification service for Safari). These services may collect technical device metadata. Notification content is encrypted end-to-end where supported.

Your Controls

Push notifications require explicit opt-in via browser permission
Disable anytime in browser settings or in-app notification preferences
Configure quiet hours and notification types in Settings
Subscription data is deleted when you revoke permissions or delete your account

11. Google Calendar Integration

You may optionally connect your Google Calendar to sync PERM deadlines as calendar events.

OAuth Scope: We request access only to create, update, and delete calendar events (calendar.events scope)
Data Synced: Deadline dates, event titles with case information (employer, deadline type), and deadline descriptions
Token Storage: Your Google Calendar OAuth tokens are encrypted at rest using AES-256-GCM before storage in our database
Disconnect Anytime: You can disconnect Google Calendar from Settings, which revokes access and removes stored tokens

We do not access your existing calendar events, contacts, or other Google services through this integration.

12. Cookies & Local Storage

We use the following storage technologies:

Session Cookies: Essential for authentication and maintaining your login session
LocalStorage: Stores preferences such as dark mode settings, UI preferences, and temporary authentication state during OAuth redirects
Error Monitoring: Sentry uses browser local storage to temporarily buffer error and session replay data before transmission
Analytics: PostHog uses cookies and local storage to identify your device across sessions for analytics purposes. Analytics data is routed through our domain (permtracker.app/ingest) rather than directly to PostHog

These storage technologies are used for application functionality and service improvement. They do not track you across other websites.

13. Third-Party Services

We use the following third-party services to operate PERM Tracker:

Convex: Backend platform, database, and authentication (SOC 2 Type II, hosted on AWS)
Vercel: Frontend hosting, deployment, and performance monitoring (Speed Insights)
Resend: Transactional email delivery (notifications, OTP verification, password resets)
Google: OAuth authentication and Calendar API integration
PostHog: Product analytics and event tracking (see Section 7)
Sentry: Error tracking, performance monitoring, and session replay (see Section 8)
AI Providers: Google Gemini, OpenRouter, Mistral AI, Groq, and Cerebras for AI chat assistance (see Section 6)
Search Providers: Tavily and Brave Search for AI web search capabilities (see Section 6)
Cloudflare, Inc.: Bot and fraud prevention via Turnstile on authentication forms (see Section 9)
Vercel Inc.: Frontend hosting + BotID invisible bot detection on AI chat and auth endpoints (see Section 9)
Browser Push Services: Google FCM, Mozilla Push Service, and Apple APNs for push notification delivery (see Section 10)

Each of these services has their own privacy policies. We recommend reviewing their policies for additional information. Convex maintains a public list of sub-processors at convex.dev/legal/subprocessors.

14. Data Retention & Deletion

Your data is retained for as long as your account is active
You may request deletion of your account and all associated data at any time from Settings
Upon deletion request, your account enters a 30-day grace period during which you can cancel. After the grace period, all data is permanently deleted
AI conversation data is automatically deleted after 90 days of inactivity, even if your account remains active
Read notifications older than 90 days are automatically cleaned up
Rate limit records are automatically cleaned up after 24 hours
Some data may be retained longer if required by law

AI Provider Retention

Google Gemini: Up to 55 days (abuse monitoring), then deleted
OpenRouter: Not stored (Zero Data Retention)
Mistral AI: Per their data processing terms
Groq: Not stored when ZDR is enabled
Cerebras: Per their data processing terms

To request data deletion, please email us at support@permtracker.app.

15. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Access:Download all your data at any time via the "Export All My Data" button in Settings, or request a copy by contacting us
Correction: Request correction of inaccurate data
Deletion: Request deletion of your data
Portability: Request your data in a portable format
Objection: Object to certain processing of your data
AI Opt-Out: Choose not to use AI chat features

To exercise any of these rights, please contact us at support@permtracker.app. We will respond within 30-45 days.

16. International Data Transfers

Your data is primarily stored and processed in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your data may be transferred to the United States by our service providers (Convex, AI providers, Sentry, PostHog).

These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, as well as Data Processing Agreements with our service providers.

17. Children's Privacy

PERM Tracker is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13. If you become aware that a child has provided us with personal information, please contact us immediately.

18. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by:

Posting the new Privacy Policy on this page
Updating the "Last Updated" date at the top
Sending an email notification for material changes

Your continued use of the service after changes constitutes acceptance of the updated policy.

19. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Email: support@permtracker.app
Application: PERM Tracker
Operator: PERM Tracker, Washington, DC 20001