A free AI-powered tool that reviews your Y Combinator application before you submit it. Built by Lobster Capital, a VC fund 100% focused on YC companies with $40M+ deployed across 100+ YC startups.

Is YC Roaster really free?

Yes, completely free — no catch, no upsell. Lobster Capital built this to give back to the YC community and help more great companies get accepted.

How does YC Roaster work?

Upload your YC application (PDF or Word) and you'll receive AI-powered feedback shortly after submission, scored across 7 dimensions — including traction, team, market, and scalability. Applications that show strong potential get matched with a YC alumni reviewer for deeper, personalized feedback.

What kind of feedback will I get?

A scored evaluation across 7 dimensions with specific strengths, risks, and suggestions tailored to your application. It's not generic advice — the feedback is based on what's actually in your application.

Who built YC Roaster and why?

YC Roaster is built by Lobster Capital, a venture firm 100% focused on investing in YC companies. With 100+ YC companies in their portfolio, this is their way of helping more founders put their best application forward. Not affiliated with Y Combinator.

How is this different from asking ChatGPT to review my application?

YC Roaster is built by a team that invests exclusively in YC companies. The AI uses a purpose-built framework across 7 specific dimensions based on insights from reviewing hundreds of YC applications. Strong applications also get matched with real YC alumni reviewers — something no general-purpose AI can offer.

When should I submit my application?

As early as possible. The sooner you submit, the more time you have to get feedback, iterate, and strengthen your application before the YC deadline.

Will everyone get a Zoom call?

Everyone gets AI-powered written feedback. If you're matched with a YC alumni reviewer and they see strong potential, they may invite you for a 1-on-1 Zoom session.

Rivian Just Let Drivers Kill All Connectivity. LinkedIn Got Caught Scanning 6,278 Browser Extensions. The Privacy Wedge for YC F26.

Two stories landed on the Hacker News front page within the same hour on May 26, 2026. One was a Rivian support article confirming that owners can now disable every byte of connectivity on their R1S or R1T, eSIM included. The other was a deep-dive from 404 documenting that LinkedIn quietly scans 6,278 browser extensions on every Chrome visit and ships an encrypted fingerprint with every API call.

If you are drafting a YC F26 application, those two stories should change your one-liner this week. Privacy stopped being a 2018 thesis the day a mainstream OEM shipped a kill switch and the day a Microsoft-owned property got named in a German criminal investigation. The wedge is wide open again, and reviewers are going to notice.

What actually happened in the last 24 hours

Rivian published a support page titled "Can I disable all data collection from my vehicle?" The answer, as of this week, is yes. In Canadian R1 vehicles a toggle in the Data and Privacy screen kills cellular. In US vehicles a service appointment disables the eSIM card entirely. Rivian warns you lose navigation, active lane centering, and over-the-air updates. They ship the trade-off anyway.

That is the first time a US-market EV maker has put a hard kill switch in front of customers without legislative pressure. Tesla, Ford, GM, and Hyundai have all been the subject of FTC and state AG actions on vehicle telematics in the last three years. Rivian skipped the lawsuit and shipped the feature.

At almost the same hour, security researcher Seth Honda published the 404 analysis of LinkedIn's extension scanning. The numbers are specific. The list contained 38 entries in 2017. As of April 2026 it contains 6,278. LinkedIn fires a fetch() request to a chrome-extension:// URL for each one, observes which succeed, packages the result into an AedEvent object, encrypts it with an RSA public key, and ships it to the li/track endpoint on every page. The Bavarian Central Cybercrime Prosecution Office in Bamberg has opened a criminal investigation. Honda has the case number.

Neither of these stories is hypothetical. Both are documented, both are recent, and both are about to be referenced in YC F26 partner meetings.

Why this resets the YC privacy thesis

YC's existing privacy and security bets are mostly compliance and identity infrastructure: Vanta (S18) for SOC 2, Persona (W18) for KYC, Stytch (W21) for auth, Doppler for secrets, Truffle Security (W23) for leaked credentials. Good companies. None of them are positioned at the consumer or browser layer where the two May 26 stories live.

The gap is consumer-facing privacy that does not require the user to read a 14-paragraph policy or run a CLI. Rivian solved it with one toggle. LinkedIn just demonstrated that even a regulated EU gatekeeper will quietly inventory your browser at 6,278 data points without consent. The market is telling you what the wedge looks like.

Harshita Arora, YC's newest GP (we wrote about her S26 implications on May 20), spent her pre-YC career building consumer products. She is the partner most likely to look at a privacy-first consumer pitch and pattern-match to something fundable. If you are F26 and your wedge maps to her taste, your application is in a better position than it was a week ago.

Five F26 angles that fit the moment

1. Browser extension inventory as a service

If LinkedIn is doing this, every B2B platform with a sales motive has the same temptation. The opportunity is a developer tool that lets product teams audit what their own first-party JavaScript is collecting, ship a public manifest, and prove to regulators they are not running an APFC-style scanner. Vanta does this for SOC 2 control evidence. Nobody is doing it for client-side telemetry. A YC reviewer will recognize the pattern.

Rivian shipped the feature, but they shipped it as a binary kill switch that breaks navigation. The right product is the granular middle layer: a consent management platform that lets a Toyota or a Hyundai turn on lane assist data without turning on advertising telemetry. Mozilla and the Center for Democracy and Technology have been writing about this for two years. Nobody has built the SaaS layer. F26 is the right timing.

3. Verified privacy claims for AI training data

This is the throughline back to the YC AI thesis, where 60% of the Spring 2026 batch landed (we covered this on May 9). If you can prove your model was not trained on identified user data, you become the version of an LLM that a regulated buyer (a hospital, a law firm, a German enterprise) will actually deploy. The Bavarian investigation into LinkedIn is the leading indicator of what is coming for OpenAI, Anthropic, and Google in the EU. A YC F26 startup that solves attestation for training data is timely.

4. Anti-fingerprinting at the SDK layer

The 404 article spells out the technical stack: canvas fingerprinting, WebGL renderer probes, audio processing inference, font enumeration, WebRTC local IP, battery level. There is a developer-facing product that ships an opinionated SDK to neutralize these signals for consumer apps that want to make a credible privacy claim. Brave proved the consumer demand exists. No YC company owns the developer wedge.

5. The Rivian-style kill switch for SaaS

This is the most consumer-friendly angle. If a B2C SaaS app shipped a single toggle labeled "Stop everything except what I am paying for," and made that toggle real, it would be the most defensible feature in the category. Notion, Linear, Figma, none of them have it. A new entrant that leads with it is the kind of pitch that gets a YC reviewer to read the second paragraph.

What to write in the YC F26 application

Three things from this week's news map directly to specific YC application questions.

The "What is your company going to make?" answer should reference the LinkedIn case in one sentence and pivot to your wedge. Specific beats general. Saying "we are building privacy infrastructure for the browser" is generic. Saying "we are building the developer SDK that would have made LinkedIn's APFC system impossible to ship" tells the reviewer you read the news and you have a thesis.

The "What is your unique insight?" question is where the Rivian story belongs. The insight is that consumer demand for hard privacy switches just got validated by a real OEM under no regulatory pressure. That is a market signal a reviewer will respect because it is not a survey, it is shipping software.

The "Why now?" answer writes itself. The Bavarian criminal investigation, the EU DMA gatekeeper enforcement, and the first OEM kill switch all happened in the same month. The window for a privacy-first consumer wedge is open in a way it has not been since Cambridge Analytica.

Where YC Roaster fits

We match YC applicants with alumni reviewers who have been through the partner conversation. If your F26 application is built around a privacy thesis, you want feedback from a founder who can tell you whether your wedge sounds like a Vanta-style infrastructure pitch or a Brave-style consumer pitch, because YC reads those very differently. That is the kind of read you cannot get from a friend who has not sat across from a YC partner.

F26 applications open this fall. The two stories from this week are not going to be news by then. Your insight needs to land before the partner sees it twenty times in the slush pile.

Sources

404 Privacy, "LinkedIn Is Scanning Your Browser Extensions," April 6, 2026
Rivian Support, "Can I disable all data collection from my vehicle?", accessed May 26, 2026
Hacker News front page, May 26, 2026
YC company directory, accessed May 26, 2026