Privacy Policy
Last updated: 15 June 2026
This Privacy Policy explains how Gadease Software OÜ, registry code 17425488, registered at Harju maakond, Tallinn, Põhja-Tallinna linnaosa, Paavli tn 5a/1, 10412, Estonia (“AIFolio”, “we”) collects and processes personal data when you use AIFolio. We are the data controller. This policy is written to meet the EU/UK GDPR and applies to users worldwide.
1. Data we collect
- Account data — when you sign in via Google, GitHub, or LinkedIn, we receive your name, email address, profile picture, and a provider user ID.
- Profile & résumé content — the CV/résumé text, files, bio, skills, title, and avatar you provide to build your portfolio.
- Chat content — questions visitors send to your portfolio’s AI assistant and the generated answers (processed in real time; see retention below).
- Billing data — handled by our payment provider (see §3); we store only subscription status, a customer/subscription identifier, and renewal date.
- Technical data — basic logs, IP address, and device/browser information needed to operate and secure the Service.
- Portfolio analytics data — visits and chat-start events on public portfolio pages, referrer host, rough country from request headers, device/browser information, and salted hashes used to count visits without storing raw visitor IP addresses.
2. Why we process it & legal bases
- To provide the Service (create your portfolio, run AI features) — performance of a contract.
- To process payments for paid features — performance of a contract.
- To secure and improve the Service and prevent abuse — our legitimate interests.
- To measure portfolio and product performance — our legitimate interests, and consent where required for optional analytics cookies.
- To comply with legal obligations (e.g. tax, accounting) — legal obligation.
3. Sub-processors & third parties
We share data with the following providers strictly to operate the Service:
- Hosting — Hetzner, where the application and database run.
- Authentication — your chosen identity provider (Google, GitHub, or LinkedIn) and our auth infrastructure.
- AI processing — OpenRouter, and the underlying model providers it routes to, receive your résumé/profile text and chat messages in order to generate summaries and answers. If you configure your own AI provider key (OpenAI, Google, or Anthropic), data is sent to that provider instead.
- Payments — Lemon Squeezy acts as Merchant of Record and processes your payment data under its own privacy policy. We do not store your full card details.
- Analytics — when enabled, Google Analytics and Microsoft Clarity may process website usage data to help us understand product performance and improve the Service. We do not use analytics data for advertising.
4. International transfers
Some providers may process data outside your country. Where data leaves the EEA/UK, we rely on appropriate safeguards such as Standard Contractual Clauses or an adequacy decision.
5. Retention
We keep account and profile data while your account is active. Résumé content is retained until you change or delete it, or delete your account. Chat messages are processed in real time to produce a response and are not stored by AIFolio as a separate chat transcript; however, they are sent to the relevant AI provider during processing. Portfolio analytics events are retained for up to 13 months unless needed for security or legal reasons. Billing records are kept as long as required by law. On account deletion, we remove or anonymise your personal data within a reasonable period, except where retention is legally required.
6. Your rights
Subject to applicable law, you have the right to access, rectify, erase, restrict, or object to processing of your personal data, to data portability, and to withdraw consent. You may also lodge a complaint with your local data-protection authority. To exercise your rights, contact us at [email protected].
7. Public portfolios
Content you publish to your portfolio page is, by design, publicly accessible to anyone with the link. Do not include information you do not wish to make public.
8. Cookies
We use strictly necessary cookies to keep you signed in and to operate the Service. We do not use advertising cookies. We may use analytics cookies only when analytics is enabled and consent or another applicable legal basis is in place.
9. Children
The Service is not directed to children under 16, and we do not knowingly collect their data.
10. Changes
We may update this policy and will post the revised version with a new “Last updated” date, notifying you of material changes where required.
11. Contact
Data controller: Gadease Software OÜ, registry code 17425488. Contact: [email protected]. No Data Protection Officer has been appointed at this time.