Privacy, in plain English.

On the landing page: your first name, last name, email, and a screenshot of your YC Startup School 2026 acceptance email. Optional: a one-line answer to “what are you building?”

On the verification flow: a six-digit code sent to your email, an SHA-256 hash of the screenshot file, and a salted hash of your IP (so we can rate-limit without storing IPs in the clear).

That’s the whole list for the waitlist. The four-line Founder Pass is built from a short follow-up after you’re approved.

The screenshot exists so Jumpstart can prove you’re actually attending Startup School. The cohort has to stay closed for the product to work; one founder per drop is meaningless if the room is full of imposters.

The email and name exist to route accepted intros and to send you a calendar invite when a match lands.

During the closed beta everything sits on infrastructure controlled by the founder (Tejas). Vercel for the app, a single database row per entry, file storage for the screenshots. No third party gets a copy. No data broker, no ad pixel.

We use Resend for transactional email and Upstash for rate limiting. Those vendors see only what they need to deliver their service (your email address for Resend, a hashed IP key for Upstash).

We don’t sell your data. We don’t share your screenshot with anyone. We don’t train an external model on your card. We don’t enrich your profile with third-party data.

We don’t tell other founders that you exist on the platform unless we route an intro to you. The cohort is opt-in by drop, not by directory.

Screenshots are deleted within thirty days of the event (August 25, 2026). After that, only the verification flag remains (a single “this person was confirmed” bit), so the same account can re-authenticate next year without re-uploading.

If you ask us to wipe everything, we wipe everything. Email tejas.naladala@gmail.com with the subject delete me and the email you signed up with. Done within 48 hours.

If a screenshot is ever exposed, we’ll email every affected person within 72 hours of detection and tell you what happened. There’s no PR draft for that. It’s a short note from the founder.

One person runs this. Tejas Naladala, tejas.naladala@gmail.com. Reply expected within a day.