Milo Labs & Wayfinder Privacy Policy

Effective Date: November 8, 2025
Last Updated: November 8, 2025

1. Introduction
Milo Labs, Inc. (“Milo Labs,” “we,” “our,” or “us”) operates the Wayfinder web application (“Wayfinder” or the “Service”). Wayfinder helps Yale students and alumni explore careers, discover jobs, and connect with the wider community. This Privacy Policy explains how Milo Labs collects, uses, shares, and safeguards personal information when you interact with Wayfinder or otherwise engage with us. By using the Service, you acknowledge that you have read and understood this Privacy Policy and agree to the related Terms of Use.

2. Scope and Roles
Milo Labs acts as the data controller for personal information we collect about you through Wayfinder. We process information to deliver the Service, personalize recommendations, operate supporting analytics and infrastructure, communicate with you, and meet legal obligations. Certain processing activities involve service providers that act as processors on our behalf.

3. Information We Collect
A. Information You Provide Directly
- Account registration details such as name, Yale email address, password (stored as a bcrypt hash), and optional preferred name.
- Profile and onboarding information including school affiliation, major, graduation year, hometown, LinkedIn or portfolio URLs, career interests, pronouns, phone number, college affiliation, NETID, and profile photo.
- Uploaded materials such as resumes, cover letters, or referral requests, which we store in an encrypted AWS S3 bucket and make available through short-lived download links.
- Agent and job assistant inputs: questions, prompts, notes, and other content you send through agent chat, job conversations, or feedback forms.
- Manual annotations including bookmarks, likes, saved notes, and job application tracking entries you create within Wayfinder.

B. Information Collected Automatically
- Technical metadata that accompanies every request, such as IP address, device or browser type, operating system, timestamps, and request IDs generated by our middleware. We use this data for security, abuse prevention, debugging, and service reliability.
 - Device cookies and similar technologies, including an authentication cookie ('wayfinder_token') that stores a JSON Web Token (JWT) to keep you signed in.
- Application telemetry, such as API usage counts and rate-limit events, used strictly to monitor system health and performance.

C. Information from Third Parties and Combined Sources
- Yale directory enrichment: With your Yale email address, we query the Yalies API to pre-fill fields like NETID, preferred name, college affiliation, pronouns, and other academic metadata.
- Publicly available or licensed professional profiles: Wayfinder’s network search references professional data about alumni and connections that Milo Labs curates from publicly available sources or data partners.
- Email delivery partners (Resend) confirm message status (sent, delivered, bounced) when we send verification or magic-link emails.
- Generative AI vendors (OpenAI): When you use AI-powered features, we send necessary prompt content, relevant user context, and conversation snippets to OpenAI’s API to generate responses or embeddings.

4. How We Use Information
We process personal information to:
- Authenticate accounts, administer sessions, and secure the Service.
- Pre-populate and maintain your profile, including optional enrichment from Yale directory data when you consent.
- Recommend jobs, people, and content using hybrid search, collaborative filtering, and conversational agents.
- Store and resurface your job and agent conversations so you can revisit prior research, including message histories and follow-up prompts.
- Manage saved artifacts such as bookmarks, likes, notes, and job application tracking.
- Upload, store, and share resumes or other documents you choose to provide, and enable short-term download links for your personal use.
- Operate our infrastructure, including logging, debugging, abuse monitoring, analytics, and product improvement.
- Send transactional communications (verification emails, sign-in links, onboarding prompts) and respond to support inquiries.
- Enforce our Terms of Use, protect the rights and safety of users, and comply with applicable laws.
We do not sell personal information.

5. How We Share Information
We share personal information only when necessary:
- Service providers. We rely on trusted processors for hosting, database, file storage, authentication, and communications (e.g., AWS for infrastructure and S3 storage, Resend for email delivery, OpenAI for AI-powered features, database hosting, and logging platforms). These partners may process data solely to provide contracted services, must implement appropriate safeguards, and are prohibited from using data for independent purposes.
- Yale directory integration. When you opt into Yale-specific onboarding, we send your Yale email to the Yalies API to retrieve school directory data to pre-fill your profile.
- Other users. Wayfinder is primarily an individual experience; we do not automatically expose your profile to other users. If you choose to share content or refer opportunities, that information may become visible to intended recipients.
- Legal compliance. We may disclose information if required to satisfy applicable law, regulation, legal process, governmental request, or to protect against misuse, security threats, or harm to Milo Labs, our users, or the public.
- Business transfers. If we engage in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction, subject to the commitments in this policy.

6. Cookies and Similar Technologies
Wayfinder uses strictly necessary session cookies to keep you signed in and remember basic preferences. We do not deploy advertising or cross-site tracking cookies. You can manage cookies through your browser settings, though disabling them may limit certain functionality.

7. Data Retention
We retain personal information for as long as your account is active or as needed to provide the Service. If you delete your account through the in-app controls, we remove your user record, associated profile fields, stored conversations, bookmarks, likes, job applications, and uploaded resume references, and we attempt to delete associated resume files from S3. We may retain limited records (e.g., security logs, aggregated analytics, or legal compliance data) when required by law or legitimate business needs.

8. Your Rights and Choices
Depending on your location, you may have rights to:
- Access and obtain a copy of your personal information.
- Correct or update inaccurate data in your profile.
- Delete your account and associated personal information using in-app settings or by contacting us.
- Object to or restrict certain processing, particularly marketing communications (we currently only send transactional messages).
- Export personal data in a portable format, where required by law.
You can exercise many of these rights directly within the application under account settings. You may also contact us at privacy@milolabs.ai for additional support or to exercise rights that are not self-service.

9. Security
We implement administrative, technical, and organizational measures to protect personal information, including:
- Encrypted network connections (HTTPS/TLS) for data in transit and server-side encryption for resumes stored in S3.
- Credential management that stores passwords as bcrypt hashes and never in plain text.
- Strict access controls, audit trails, and short-lived presigned URLs for sensitive document access.
- Rate limiting, request IDs, and monitoring to detect abuse and maintain service integrity.
No system can be perfectly secure, and we encourage you to use strong passwords and keep credentials confidential.

10. International Data Transfers
Wayfinder is operated from the United States. If you access the Service from outside the U.S., your information may be transferred to, stored in, or processed in the U.S. or other jurisdictions where our service providers operate. We take steps to ensure that any transfers provide appropriate safeguards consistent with applicable data protection requirements.

11. Children’s Privacy
Wayfinder is not directed to individuals under 16, and Milo Labs does not knowingly collect personal information from children under this age. If we learn that we have collected information from a child under 16, we will delete it promptly and may disable the associated account.

12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect new features, legal requirements, or operational changes. When we make material updates, we will revise the “Last Updated” date and provide additional notice (e.g., in-product notifications or email) where required.

13. Contact Us
For questions, concerns, or privacy requests, contact:
Milo Labs Privacy Team
Email: privacy@milolabs.ai
Mail: Milo Labs, Inc., 37 Elm Street, New Haven, CT 06511, USA

If you have unresolved concerns, you may contact the appropriate data protection authority in your region.