FolioGen

Legal

Privacy Policy

Last updated: May 20, 2026 (rev. 2)

FolioGen (“we”, “us”) turns a CV into a polished public portfolio. This page explains what data we collect, why we collect it, and what control you have. We try to keep this plain — no legalese for the sake of it.

1. What we collect

Account data

When you sign up, we store:

  • Your name, email address, and chosen username (your public URL handle).
  • A hashed version of your password — we never see the plaintext.
  • Bearer tokens used to keep you signed in.

Content you upload or create

  • CV files (PDF, DOCX, TXT, MD) you upload for parsing. We store the original file and extract its text for processing.
  • Generated portfolio data — the structured JSON the AI produces (profile, experience, projects, skills, education, services, testimonials, contact).
  • Images you upload — profile photo, project covers, galleries, testimonial photos.
  • Settings — theme, accent color, typography, template.

Public portfolio data

When you publish a portfolio, everything in it becomes publicly visible at foliogen.io/<your-username>. That is the whole point of the service — but we want it stated plainly.

Visitor contact submissions

If your portfolio has a contact form, visitors can send you a message. That message — their name, email, and text — is forwarded to your email through our transactional email provider. We do not store visitor messages in our database after they are forwarded.

Usage data

  • View counts on published portfolios (a simple increment, no per-visitor profile).
  • Temporary IP records for rate limiting (contact form, password reset). These live in transient cache and are not retained.
  • IP and timestamp on password change are sent to you in the password-changed security email so you can spot unauthorized activity. They are not retained beyond sending.
  • Standard server logs from our hosting provider.

2. How we use it

  • To run the service: create your account, generate portfolios, host your public page.
  • To send CV text to our AI provider so we can structure and rewrite it as portfolio content.
  • To forward contact-form messages to you.
  • To prevent abuse (rate limits, spam filters).
  • To communicate with you about your account — specifically: a welcome & email-verification message when you sign up, password-reset and password-changed security notifications (including the time and IP of the change), and a confirmation when you delete your account.

We do not sell your data. We do not run third-party advertising or behavioural tracking.

3. Third parties we share data with

We only share what we need to make the service work. Each provider has their own privacy practices.

  • OpenAI— your CV text is sent to OpenAI to parse and rewrite it. Per OpenAI's API policy, content sent via the API is not used to train their models.
  • Resend — we use Resend to deliver transactional email, including contact-form forwarding and account notifications.
  • Cloudflare — DNS and (planned) image hosting via R2.
  • Stripe — when paid plans launch, payments will be processed by Stripe. We do not store card numbers.
  • Hosting providers — our application is hosted on third-party infrastructure (frontend, backend, database). They process data only on our behalf.

4. How long we keep your data

  • Account and portfolio data: until you delete it.
  • CV files and generated content: until you delete them.
  • Contact-form messages: not retained after forwarding.
  • Rate-limit records: transient cache (typically an hour).

5. Your rights

From your account you can:

  • View and edit your profile (name, email, username).
  • Change your password.
  • Edit portfolio content and uploads at any time.
  • Unpublish a portfolio to remove it from public view.
  • Delete your account permanently — this removes your portfolios, uploads, generations, and tokens.

If you need a copy of your data or have any other request (access, correction, deletion of specific data), email legal@foliogen.io.

6. Security

  • All traffic uses HTTPS.
  • Passwords are hashed (bcrypt).
  • Authentication uses bearer tokens, not long-lived cookies.
  • We do not store payment card data; payments go through Stripe.

No service is perfectly secure. If you spot a security issue, please write to security@foliogen.io.

7. Cookies and local storage

We store an authentication token in your browser's localStorage so you stay signed in. We do not use third-party advertising or tracking cookies.

8. Children

FolioGen is not directed at children under 16. If you believe a child has created an account, contact us and we will remove it.

9. International users

Our providers may store data in regions other than where you live. Using FolioGen, you accept that your data may be processed outside your country.

10. Changes to this policy

We update this policy when we change features that affect data collection or third-party services. The Last updated date at the top reflects the most recent change. Significant changes will be called out by email or in-app.

11. Contact

Questions? Write to legal@foliogen.io.