Privacy Policy

Last updated: June 12, 2026

Submio (“Submio,” “we,” “us”) is an AI recruiting workflow tool built and operated by RemoteBridge. This policy explains what data we collect, how we use it, how long we keep it, and the choices you have. Plain language, no fluff.

1. Who this applies to

This policy covers people who sign up for a Submio account at getsubmio.com (or any domain we operate Submio on), candidates whose information is processed in Submio by recruiters using the product, and visitors to our marketing site.

2. What we collect

2.1 Account information

When you sign up for Submio, we store:

• Your email address and name
• The password (hashed, never stored in plaintext) or, if you sign in with Google, the linked identity
• Account metadata (when you signed up, what plan you're on, last activity)

2.2 Recruitment data you upload

Submio is designed for recruiters working on real roles for real clients. When you use the product, you upload candidate data (LinkedIn profiles, resumes, contact information) and role context. We store this data in your workspace and use it to power Submio's correlation, enrichment, and outreach features.

2.3 Connected email accounts (Gmail)

If you connect a Gmail account to Submio for sending outreach, you grant us OAuth permission to send mail on your behalf. We store:

• The email address of the connected account
• An OAuth refresh token, encrypted at rest using AES-256-GCM
• The list of scopes you granted

We do not store the message bodies of emails we send through the Gmail API beyond what is necessary to associate a sent message with the candidate conversation it belongs to (subject line, recipient, timestamp, Gmail message ID and thread ID).

2.4 Email replies

When candidates reply to outreach you sent through Submio, the reply content is processed so the product can classify sentiment (interested, declined, out of office) and surface the reply in your inbox view. We store the reply text, sender details, and our classification result.

2.5 Usage and diagnostics

We log basic usage information (which pages you visit, which actions you trigger) and error information (stack traces when something breaks). This helps us keep the product working. We do not sell or rent this data.

3. Limited Use of Google Workspace data

Submio's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

• We only request the Gmail scopes required to send outreach on the recruiter's behalf and modify message labels (mark threads read). We do not request gmail.readonly or full mailbox access.
• We do not use Google user data for serving advertisements, including personalized or retargeted ads.
• We do not sell Google user data, transfer it for advertising, or transfer it to data brokers, information resellers, or any party that does not need access to provide Submio's services.
• We do not allow humans to read your Google data unless (a) we have your specific consent for them to read specific messages, (b) it is necessary for security purposes such as investigating abuse, (c) we are legally compelled to, or (d) the data has been aggregated and anonymized.
• We do not use Google user data to train, refine, or improve generalized or non-personalized AI or ML models.

4. Why we collect each Gmail scope

5. Who we share data with

We share the minimum data necessary with the following service providers:

• Supabase — primary database and authentication
• Vercel — application hosting
• OpenAI — powers the Strategist agent and correlation reasoning. We do not allow our data to be used for training under our agreement.
• Lemlist — when you choose Lemlist as your sending channel rather than Gmail
• Sentry — error monitoring
• Inngest — background job orchestration
• Cloudflare — we use Cloudflare Turnstile, an invisible bot-mitigation service, on our sign-in and sign-up pages to protect against automated abuse. Turnstile collects limited session and device signals (browser characteristics, IP address, interaction patterns) to determine whether a request is from a human and does not use this data for advertising or for training machine-learning models unrelated to Turnstile. By using these pages you also agree to Cloudflare's Turnstile Privacy Addendum. You can read more about Turnstile in Cloudflare's general privacy policy.

We never sell or rent personal data to third parties.

6. Data retention

We retain account information and recruitment data for as long as your account is active. When you delete your account, we delete or anonymize your data within 30 days, except where we are required to retain it for legal or auditing purposes.

Connected email account refresh tokens are deleted immediately when you disconnect the account, and we also call Google's revoke endpoint to invalidate the grant on Google's side.

7. Your choices

• Disconnect any Gmail account. Open Submio → Email Accounts → click Disconnect. We immediately delete the stored token and revoke our access at Google.
• Revoke at Google directly. Visit myaccount.google.com/connections to revoke any third-party app at any time, including Submio.
• Export or delete your account data. Email privacy@gosubmio.com and we will respond within 30 days.

8. Security

We use industry-standard practices: TLS in transit, AES-256-GCM encryption for OAuth refresh tokens at rest, scoped database access via row-level security, and least-privilege service accounts for our infrastructure. No system is perfectly secure, but we take this seriously.

9. Children

Submio is a tool for professional recruiters. It is not intended for and not directed at children under 16. We do not knowingly collect data from children.

10. Changes to this policy

We may update this policy as the product evolves. When we make material changes we will notify users via email and update the “Last updated” date at the top.

11. Contact

Questions about this policy or your data? Email privacy@gosubmio.com. We respond within a few business days.