Privacy Policy
Last updated: April 30, 2026
1. Introduction
BridgeIB ("we", "our", or "us") provides tools that help college students reach out to investment banking firms. This policy explains what data we collect when you use bridgeib.net and related services, and how we handle it.
2. Information We Collect
- Account information: name, email, school, major, graduation year, and password (hashed with bcrypt) for credentials-based accounts.
- OAuth account data: if you sign in with Google, we receive your name, email, and profile image from Google.
- Resume files: if you upload a resume, we store it encoded at rest and only attach it to emails you author and explicitly send.
- Gmail OAuth tokens: if you connect Gmail for outreach, access and refresh tokens are encrypted at rest with AES-256-GCM and used only to draft, send, and detect replies on emails you originate through BridgeIB.
- Campaign and email metadata: recipient addresses, subject lines, draft body content, send timestamps, and reply timestamps for outreach you send through the Service.
- Usage data: pages visited, features used, IP address (hashed for rate limiting), and basic device information.
- Payment data: handled by Stripe; we never receive or store your card details.
3. Google User Data
BridgeIB's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
When you connect Gmail, we request the following scopes:
- gmail.send and gmail.compose — to draft and send outreach emails you create.
- gmail.metadata — header-only access (From, Subject, Date) on the threads you initiated through BridgeIB, used to detect when a banker has replied so we can pause your follow-up sequence. We do NOT read, store, or process any message bodies or other inbox content.
- userinfo.email — to confirm which Gmail account is connected.
We never sell, share, or transfer Gmail data to third parties for advertising, and we do not use Gmail content to train AI or machine-learning models. You can revoke access at any time in Pro Settings or at myaccount.google.com/permissions.
4. How We Use Information
- Authenticate your account and maintain your session.
- Generate personalized cold-email drafts and firm research using Anthropic's Claude API. Only your profile information and the banker's public details (name, firm, role, public LinkedIn bio when available) are sent — never your inbox content or other users' data.
- Match you with relevant IB firms from our lead database.
- Send transactional emails (verification, billing receipts, reply notifications) via Resend.
- Process payments via Stripe.
- Monitor for errors and abuse via Sentry; enforce rate limits via Upstash.
5. Data Sharing
We share data only with infrastructure providers required to run the service:
- Vercel — hosting
- Neon — PostgreSQL database (US East region)
- Stripe — payment processing
- Anthropic — email personalization, firm research, resume critique, and mock interviews via the Claude API. Data is sent under terms that prohibit training on customer inputs.
- Google — OAuth and Gmail API when you connect your account
- Resend — transactional email delivery (verification, receipts)
- Upstash — rate limiting (stores hashed IPs only)
- Sentry — error monitoring (cookies, auth headers, and message bodies are scrubbed before transmission)
We do not sell your data. We do not share data for advertising purposes.
6. Data Security
We encrypt sensitive data at rest (Gmail OAuth tokens via AES-256-GCM), enforce HTTPS everywhere with HSTS, hash passwords with bcrypt, and apply strict ownership checks on every API endpoint. Database access is restricted and traffic flows only over TLS. Webhook events from Stripe are signature-verified and idempotent.
No system is perfectly secure; we follow industry best practices and will notify you via email of any incident affecting your data within 72 hours of confirmation.
7. Your Rights
You can:
- Request a copy of your data by emailing support@bridgeib.net.
- Delete your account and all associated data at any time. Pro users can disconnect Gmail in Settings; full account deletion is available on request to support and via our self-serve API.
- Export your campaigns and lead interactions as CSV.
- Correct inaccurate profile data anywhere it appears in the dashboard.
- Opt out of non-essential email communications.
California residents have additional rights under the CCPA, including the right to know what personal information we collect, the right to deletion, and the right to non-discrimination for exercising those rights. We do not sell personal information.
Users in the EU/UK have rights under GDPR/UK GDPR, including access, rectification, erasure, restriction, portability, and objection. Our legal basis for processing is the contract you enter into when creating an account, plus your consent for non-essential features.
8. Data Retention
We retain account data for as long as your account is active. After deletion, we purge your account and associated records (campaigns, drafts, OAuth tokens) within 30 days, except where retention is required by law (e.g. tax records related to billing are kept for 7 years).
9. Cookies and Tracking
We use strictly necessary cookies for authentication and session management. We do not use third-party advertising cookies or cross-site tracking. Vercel Analytics may collect anonymous, aggregated traffic stats without setting tracking cookies.
10. Children's Privacy
BridgeIB is intended for users 18 years or older. We do not knowingly collect data from children under 13.
11. Changes
We may update this policy. We will notify you of material changes via email or a banner on the site. The "Last updated" date above reflects the most recent revision.
12. Contact
Privacy questions or data requests: support@bridgeib.net