Security
What we store, what we don't, and how we keep your data safe.
We store the minimum data needed to run your job search on your behalf:
- Resume answers — the structured answers you configure for common application questions (work authorization, years of experience, salary expectations, etc.), stored in your profile and used to fill job-application forms.
- Application history — a record of every job we scouted and applied to on your behalf: company name, job title, submission status, timestamp, and the LLM cost incurred. Used to power your Activity tab and billing.
- LinkedIn session cookies — the cookies you upload via the Sessions tab, sealed with AES-256-GCM encryption at rest and never written to disk in plaintext. Decrypted only in-memory when a browser automation job is actively running.
- Email address — used for login and billing receipts only.
- LinkedIn password — we never ask for or store your LinkedIn password. Authentication works by uploading an exported cookies.json file from a browser where you are already logged in. The raw cookie bytes are sealed immediately on receipt and are never persisted in plaintext.
- Payment card details — card numbers, CVVs, and billing addresses go directly to Stripe and never touch our backend. We store only a Stripe customer ID and subscription status.
All traffic between your browser and our servers is encrypted with TLS via the Fly.io edge — plain HTTP is not served.
LinkedIn session cookies are encrypted at rest using AES-256-GCM with a per-tenant key before being written to the database. They are decrypted only in-memory for the duration of a browser automation job.
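The sealing scheme described above (AES-256-GCM with a per-tenant key, opened only in memory), as an added Go example rather than this service's own code. The page names only the cipher and the per-tenant key; the HMAC-SHA256 key derivation from a master secret, the `cookie-seal-v1:` label, the nonce-prefixed blob layout, binding the tenant ID as associated data, and the sample cookie are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// aeadFor returns AES-256-GCM keyed for one tenant (assumed derivation, see lead-in).
func aeadFor(master []byte, tenantID string) (cipher.AEAD, error) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("cookie-seal-v1:" + tenantID)) // hypothetical domain-separation label
	block, _ := aes.NewCipher(mac.Sum(nil))         // cannot fail: key is always 32 bytes (AES-256)
	return cipher.NewGCM(block)
}

// Seal returns nonce || ciphertext || tag, with tenantID bound as associated data.
func Seal(master []byte, tenantID string, cookies []byte) ([]byte, error) {
	aead, err := aeadFor(master, tenantID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random 96-bit nonce per blob
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, cookies, []byte(tenantID)), nil
}

// Open authenticates the blob and returns the cookies as an in-memory slice.
func Open(master []byte, tenantID string, sealed []byte) ([]byte, error) {
	aead, err := aeadFor(master, tenantID)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n+aead.Overhead() {
		return nil, fmt.Errorf("sealed blob too short: %d bytes", len(sealed))
	}
	return aead.Open(nil, sealed[:n], sealed[n:], []byte(tenantID))
}

func main() {
	// Constructed inputs: all-zero demo master secret and a made-up cookie.
	blob, _ := Seal(make([]byte, 32), "tenant-a", []byte(`[{"name":"li_at","value":"constructed"}]`))
	fmt.Println(Open(make([]byte, 32), "tenant-b", blob)) // wrong tenant: authentication fails
}
```

A blob sealed for one tenant fails authentication under any other tenant's key, so a database row copied between tenants cannot be opened.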
Application data (resume answers, job records, profile settings) is stored in our managed Postgres database. Physical-layer encryption at rest depends on the hosting provider's defaults (Fly.io Postgres volumes are encrypted at the infrastructure level).
Automating actions on LinkedIn is against LinkedIn's User Agreement. That risk is real, and we want you to understand it before you use this service. We use server-side browsers with realistic pacing and human-like delays to reduce the chance of triggering LinkedIn's detection systems, but we cannot eliminate the risk entirely. If LinkedIn restricts or suspends your account, that is your responsibility to resolve — we cannot intervene on your behalf.
To stay as healthy as possible: upload fresh cookies regularly (sessions expire, and stale cookies raise the restriction risk more than fresh ones), avoid running other automation tools against the same LinkedIn account at the same time, watch the Sessions tab for cooldown signals or re-auth prompts and respond to them quickly, and keep your daily application volume at a level that looks human. The slower and steadier the pace, the lower the risk.
If you discover a security vulnerability, please report it responsibly to security@loophire.org. We will acknowledge receipt within 48 hours and aim to resolve confirmed issues as quickly as possible.
Questions about how we handle your data? We're happy to answer.