Incognito Security & Trust

Account Protection

Access controls

Incognito protects the account layer with hashed passwords, session-based auth, rate limits, and explicit account security controls.

Passwords: stored as hashes, not plaintext.
Sessions: issued server-side and invalidated on logout or account deletion.
Two-Factor Auth: available from Settings → Security.
Mutating requests: protected by origin and CSRF checks.

Product Boundaries

Scope and isolation

The product keeps job-search state scoped to the account and active profile so queue, scans, applications, and mailbox data do not bleed across profiles.

Profile-scoped runtime: scans, queue state, and mailbox workflows stay tied to the active profile.
Support tooling: admin impersonation is audit-logged and used only for debugging with consent.
Billing: Stripe handles card data directly; Incognito does not store raw card numbers.

Data Handling

Trust commitments

The service is opinionated about keeping trust pages and product behavior aligned.

No sale of resume or job-search data.
Export and delete: user-controlled from the app.
Retention: documented on the dedicated retention page, including the deletion window for residual logs.
Tier model: Scout is free forever; trust and policy commitments apply across every tier.

Disclosure

Reporting a security issue

Use the security channel for vulnerability reports. Use support for account or abuse issues that are not vulnerability disclosures.

Primary: security@useincognito.com
Spec: /.well-known/security.txt
Credits: Security acknowledgments
Support channel: support@useincognito.com for abuse, billing, or account help

Related trust pages

If you want the full operating contract, these are the public pages that explain how Incognito handles privacy, deletion, support, and the product terms.

Docs hub Data retention Privacy policy Terms of service Support