Privacy Policy

Last updated: May 20, 2026 (rev. 4)

FolioGen (“we”, “us”) turns a CV into a polished public portfolio. This page explains what data we collect, why we collect it, and what control you have. We try to keep this plain, with no legalese for the sake of it.

1. What we collect

Account data

When you sign up, we store:

  • Your name, email address, and chosen username (your public URL handle).
  • A hashed version of your password. We never see the plaintext.
  • Bearer tokens used to keep you signed in.

Content you upload or create

  • CV files (PDF, DOCX, TXT, MD) you upload for parsing. We store the original file and extract its text for processing.
  • Generated portfolio data: the structured JSON the AI produces (profile, experience, projects, skills, education, services, testimonials, contact).
  • Images you upload: profile photo, project covers, galleries, testimonial photos.
  • Settings: theme, accent color, typography, template.

Public portfolio data

When you publish a portfolio, everything in it becomes publicly visible at foliogen.io/<your-username>. That is the whole point of the service, but we want it stated plainly.

Waitlist signups

If you join our pre-launch waitlist, we store your email address and (if you provide it) your name. We use this only to:

  • Send a one-time confirmation that your signup worked.
  • Email you when FolioGen opens to new users.

You can ask us to remove your waitlist entry at any time by emailing legal@foliogen.io. We do not share waitlist emails with anyone.

Payment reservation data

When you reserve a Lifetime Pro spot through our pricing page, we store:

  • Your email address and (if provided) name and preferred handle.
  • The amount, the discount code used (if any), whether the reservation came from a waitlist member, and the IP address you submitted from.
  • The payment method you eventually used (Wise, bank, PayPal, crypto), recorded by us when we mark the reservation as paid. We do not store account numbers, card details, or transaction identifiers from third parties.

Reservation rows are kept so we can track who is Lifetime Pro, handle refunds within the 14-day money-back window, and reconcile payments. Cancelled or expired reservations are retained for audit but can be deleted on request.

Visitor contact submissions

If your portfolio has a contact form, visitors can send you a message. That message (their name, email, and text) is forwarded to your email through our transactional email provider. We do not store visitor messages in our database after they are forwarded.

Usage data

  • View counts on published portfolios (a simple increment, no per-visitor profile).
  • Temporary IP records for rate limiting (contact form, password reset). These live in transient cache and are not retained.
  • IP and timestamp on password change are sent to you in the password-changed security email so you can spot unauthorized activity. They are not retained beyond sending.
  • Standard server logs from our hosting provider.

2. How we use it

  • To run the service: create your account, generate portfolios, host your public page.
  • To send CV text to our AI provider so we can structure and rewrite it as portfolio content.
  • To forward contact-form messages to you.
  • To prevent abuse (rate limits, spam filters).
  • To communicate with you about your account, specifically: a welcome & email-verification message when you sign up, password-reset and password-changed security notifications (including the time and IP of the change), and a confirmation when you delete your account.

We do not sell your data. We do not run third-party advertising or behavioural tracking.

3. Third parties we share data with

We only share what we need to make the service work. Each provider has their own privacy practices.

  • OpenAI: your CV text is sent to OpenAI to parse and rewrite it. Per OpenAI's API policy, content sent via the API is not used to train their models.
  • Resend: we use Resend to deliver transactional email, including contact-form forwarding and account notifications.
  • Cloudflare: DNS and (planned) image hosting via R2.
  • Payment processors: Lifetime Pro is currently fulfilled manually via Wise, bank transfer, PayPal, or crypto. We interact with those services as a customer would; we do not embed their checkout in FolioGen and do not receive card data. When we integrate an automated processor (planned: Lemon Squeezy), this section will be updated and you will be notified.
  • Hosting providers: our application is hosted on third-party infrastructure (frontend, backend, database). They process data only on our behalf.

4. How long we keep your data

  • Account and portfolio data: until you delete it.
  • CV files and generated content: until you delete them.
  • Contact-form messages: not retained after forwarding.
  • Waitlist signups: kept until launch, then until you ask us to delete or one year after launch, whichever comes first.
  • Payment reservations: kept for 7 years for tax / accounting reconciliation, then deleted.
  • Rate-limit records: transient cache (typically an hour).

5. Your rights

From your account you can:

  • View and edit your profile (name, email, username).
  • Change your password.
  • Edit portfolio content and uploads at any time.
  • Unpublish a portfolio to remove it from public view.
  • Delete your account permanently. This removes your portfolios, uploads, generations, and tokens.

If you need a copy of your data or have any other request (access, correction, deletion of specific data), email legal@foliogen.io.

6. Security

  • All traffic uses HTTPS.
  • Passwords are hashed (bcrypt).
  • Authentication uses bearer tokens, not long-lived cookies.
  • We do not store payment card data. Payment instruments (Wise / bank / PayPal / crypto details) are exchanged out-of-band with us when you reserve a Lifetime spot; we record only what is needed to confirm payment and provide a refund within the 14-day window.

No service is perfectly secure. If you spot a security issue, please write to security@foliogen.io.

7. Cookies and local storage

We store an authentication token in your browser's localStorage so you stay signed in. We do not use third-party advertising or tracking cookies.

8. Children

FolioGen is not directed at children under 16. If you believe a child has created an account, contact us and we will remove it.

9. International users

Our providers may store data in regions other than where you live. By using FolioGen, you accept that your data may be processed outside your country.

10. Changes to this policy

We update this policy when we change features that affect data collection or third-party services. The Last updated date at the top reflects the most recent change. Significant changes will be called out by email or in-app.

11. Contact

Questions? Write to legal@foliogen.io.