Salary Freedom

Legal

Privacy notice

A plain-language description of what Salary Freedom collects, what we deliberately do not, and why. If the product behavior ever changes, this page is updated and the date below moves.

Last updated · May 28, 2026

The short version

Salary submissions are anonymous. We never collect your name, email, phone number, IP address, or any other identifier alongside a salary record — by design, not by policy. Aggregates require at least five matching submissions before any number is shown, so individual submissions can't be reverse-engineered out of a small-sample query. Paying API customers are a separate identity: they have an email and a Stripe customer record, neither of which is linked to any salary they may have personally submitted.

1. What we collect when you submit a salary

The submission form collects compensation and role context: base salary, optional bonus and equity, role, role family, industry, field of expertise, city, state, years of experience, employment type, and education level. Optionally we also collect the employer name — this is held server-side for moderation purposes only and is never exposed through public search or the paid API.

We do not collect any of the following alongside a salary record:

  • Your name or any pseudonym
  • Your email address or phone number
  • Your IP address or device identifiers
  • Cookies, session IDs, or login state

There is no "account" for submitting a salary. We cannot identify who sent a submission after the fact, because the necessary information was never written down.

2. How we keep submissions anonymous

Two technical guarantees are written into the codebase, not just the policy:

  • No PII on the salary record. The submission endpoint stores only the fields listed above. There is no field for identifying information.
  • k = 5 anonymity floor. Search and API responses return insufficient_data: truewhenever fewer than five records match the filters. We do not leak the count, minimum, maximum, or any percentile below that floor — each of those is itself an identifying signal in a small slice. Histograms collapse adjacent buckets so every visible bar is backed by at least five records.

3. Anti-spam

Every submission and search request carries a Firebase App Check token, backed by Google reCAPTCHA Enterprise, that proves the request came from our site rather than a bot. We verify the token server-side and discard it. The token is not stored, logged, or linked to the salary record.

4. API customers

The paid API is a separate identity domain from anonymous salary submitters. If you sign up for an API key, we collect:

  • Your email address, used as the sign-in identity (Firebase Auth magic link) and to send key-related notifications.
  • A Stripe customer IDwhen you upgrade to a paid tier. Card data is held by Stripe, never by us — we only see a customer reference and subscription status.
  • Hashed API keys. The raw key is shown to you once at creation and never stored. Only the hash is kept, so a database leak does not yield working keys.
  • Usage counters (number of API calls per day) for quota enforcement and billing.

An API-customer account is never joined to any salary submission. If you personally submitted a salary before opening an account, we have no way to identify it as yours.

5. Cookies

The marketing site uses one set of cookies and the authenticated areas use another:

  • Marketing analytics. Google Analytics 4 is loaded only after you accept the consent banner. Decline and no analytics cookies are set.
  • API customer session. A Firebase Auth session cookie scoped to the /dashboard area. Required to manage keys and billing.
  • Admin session. A separate Firebase Auth session cookie scoped to /admin, used by our team to moderate submissions and manage content.

6. Third parties we rely on

  • Google Cloud / Firebase— hosting, database, App Check, and authentication for staff and API customers.
  • Stripe— billing for the paid API. Card data is handled entirely by Stripe and never reaches our servers.
  • Google reCAPTCHA Enterprise— anti-spam token signing.
  • Google Analytics 4— marketing-page analytics, gated by the consent banner.

7. Where data lives

Salary records live in Google BigQuery in the United States. Operational data (taxonomies, API customer accounts, admin allowlist, articles) lives in Firestore in us-central1. We do not transfer data outside the United States.

8. Data retention

Salary records are retained indefinitely as part of the aggregate dataset — they are anonymous on arrival, so there is nothing to delete. If you are an API customer and want your account closed, contact us via the support form: we will revoke your keys, cancel any active subscription, and delete the customer record. The Stripe customer record is retained according to Stripe's retention rules.

9. Your rights

Because submissions are anonymous on arrival, we cannot honor access or deletion requests against a specific salary record — we genuinely don't know which one is yours. For API customer data, you can request access or deletion via the support form.

10. Changes to this notice

When the product changes the data it touches, this page changes too. We bump the Last updated date at the top whenever the substance changes. Material changes will be called out in the product before they take effect.

11. Contact

Questions about this notice or how we handle data: use the support form. It opens a public ticket in our issue tracker; if you prefer a private channel, say so in the ticket and we will respond by email.