Privacy Policy

Profylo (“we”, “our”, or “us”) operates the website profylo.app and the Profylo application. This Privacy Policy explains what personal data we collect, how we use it, and what controls you have over it.

By using Profylo, you agree to the collection and use of information described here. If you do not agree, please do not use the service.

Information you provide directly

• Account data — your name and email address when you sign up or sign in via email/OAuth.
• Resume content — all text, structured data, and files (PDF / DOCX) you upload or build inside the app. This includes contact details, work history, education, skills, and any other information you choose to include in your résumé.
• Job descriptions — job posting text you paste or upload for Job Match analysis and cover letter generation.
• Profile data — a LinkedIn URL or any additional profile information you choose to connect.
• Payment information — billing details (name, address) processed by Stripe. We never see or store your full card number.
• Support messages — messages you send via our contact form or email.

Information collected automatically

• Usage data — pages visited, features used, buttons clicked, and session duration — collected to improve the product.
• Device & technical data — browser type, operating system, IP address, and timezone.
• Cookies — authentication tokens and analytics cookies (see Cookies section).

• Provide the service — generate, store, and export your résumés; run AI analysis on your content; match your résumé to job descriptions.
• AI processing — your resume text and job descriptions are sent to third-party AI providers (see Sharing) to power features like bullet enhancement, Job Match scoring, Cover Letter Studio, and Resume Roast. We do not use your content to train AI models without your explicit consent.
• Authentication — verify your identity and keep your account secure.
• Billing — process subscription payments and manage your plan.
• Product improvement — aggregate, anonymised usage patterns help us build better features.
• Communication — send transactional emails (email confirmation, password reset, trial status) and, with your permission, product updates.
• Legal compliance — meet regulatory obligations and enforce our Terms of Service.

We do not sell your personal data. We share it only with the following categories of service providers, each contractually bound to protect it:

• Supabase — our primary database and authentication provider. All résumé data, user accounts, and uploaded files are stored on Supabase infrastructure.
• AI providers — resume text and job description content is sent to AI model providers for feature processing. Content is transmitted under data-processing agreements and is not used for training.
• Stripe — handles all payment processing. Stripe may collect billing name and address; we receive only a payment reference.
• Vercel — hosts the Profylo application. Request metadata (IP, headers) passes through Vercel infrastructure.
• Email providers — transactional emails are delivered via Supabase Auth and our email service provider.

We may also disclose information if required by law, court order, or to protect the safety of our users or the public.

We retain your account and résumé data for as long as your account is active. If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it for legal or financial compliance purposes (e.g. billing records for up to 7 years in some jurisdictions).

Deleted résumés are removed immediately from our active database. Backup copies may persist for up to 14 days before being purged.

Depending on your location, you may have the following rights regarding your personal data:

• Access — request a copy of the data we hold about you.
• Correction — ask us to fix inaccurate or incomplete data.
• Deletion — request that we delete your account and associated data (“right to be forgotten”).
• Portability — receive your résumé data in a machine-readable format.
• Objection / Restriction — object to or restrict certain types of processing.
• Opt-out of marketing — unsubscribe from marketing emails at any time via the link in any email or by contacting us.

To exercise any of these rights, email us at hello@profylo.app. We will respond within 30 days.

If you are in the European Economic Area (EEA) or UK, you also have the right to lodge a complaint with your local data protection authority.

We use a minimal set of cookies:

• Essential cookies — authentication session tokens required for you to stay logged in. These cannot be disabled without breaking core functionality.
• Analytics cookies — anonymous, aggregated usage statistics to understand how features are used. No personally identifiable information is attached.

We do not use advertising or cross-site tracking cookies. You can configure or block cookies in your browser settings; disabling essential cookies will prevent sign-in.

We take security seriously. Profylo uses industry-standard measures including:

• TLS encryption for all data in transit.
• Encrypted storage for data at rest via Supabase.
• Row-Level Security (RLS) policies ensuring users can only access their own data.
• OAuth and password-less sign-in options to reduce credential risk.

No method of transmission over the internet is 100% secure. If you discover a vulnerability, please disclose it responsibly to hello@profylo.app.

Profylo is not directed at children under the age of 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify you by email. Your continued use of Profylo after changes take effect constitutes acceptance of the revised policy.

Questions, requests, or concerns about this Privacy Policy? Reach us at: