Privacy Policy
How we handle your personal data
Effective date: 3 June 2026 · Last updated: 24 June 2026
1. Data Controller & Contact Information
Controller: FolioBuild (foliobuild.co.uk)
Support / Data-protection contact: sup.foliobuild@gmail.com
If we appoint a Data Protection Officer (DPO) in future, their contact details will be included.
2. What Personal Data We Collect
We collect and process the following categories of personal data, when you use the Service:
- Identity & Contact Data: name, email address (or other contact details if provided).
- Uploaded Data (CVs, project files, etc.): any personal data included in those documents (education history, employment history, dates, addresses, skills, contact info — whatever the CV or project content contains).
- Technical & Usage Data: IP address, browser / device information, timestamps, usage logs, session data.
- Account Data: credentials, preferences, settings.
3. Purposes of Processing and Lawful Basis
| Purpose | Data categories used | Lawful basis (UK data protection law) |
|---|---|---|
| Provide the core service: account creation, storage, parsing and presentation of CVs/projects as a portfolio. | Identity, Contact, Uploaded Data, Account Data, Usage Data | Performance of a contract (you signed up for the service) |
| Parsing a CV that may contain special-category data (e.g. details revealing health, ethnicity, or beliefs). | Uploaded Data (special category) | Your explicit consent (Art. 9(2)(a)), captured via a checkbox at upload — in addition to the contract basis above |
| Communication (account updates, support, admin). | Contact Data, Account Data | Legitimate interest or contract performance |
| (Optional) Marketing / promotional communications (only if user explicitly opts-in). | Contact Data, Account Data | Consent |
| Data storage, security, compliance, audit logging. | Account Data, Usage Data | Legitimate interest / legal obligation |
We try to collect only the personal data we need to provide the Service.
4. Public Portfolios
If you choose to use the "Publish" feature, your portfolio and the personal data contained within it (e.g., name, experience, projects) will be made publicly accessible on the internet via a unique URL.
- Voluntary Action: Publishing is strictly voluntary and requires your explicit action (clicking "Publish"). By default, all portfolios are private.
- Public Access: Once published, this data is accessible to anyone with the link. Please be mindful of what you choose to share (e.g., avoid sharing home addresses or sensitive personal ID numbers).
- Right to Withdraw: You can "Unpublish" your portfolio at any time via your dashboard. This will immediately make the page private and inaccessible to the public.
5. Cookies & Similar Technologies
We use cookies or similar technologies for:
- Essential functionality (session management, login) — these are required for the service to work.
- Analytics — we use a privacy-friendly, cookieless analytics provider (Vercel Web Analytics) that sets no tracking cookies and stores no cross-site identifiers. We still load it only after you opt in, in line with the UK Privacy and Electronic Communications Regulations (PECR).
On your first visit we present a cookie banner before any non-essential analytics run; nothing loads until you choose. You can change your choice at any time using the “Cookie settings” link in the site footer. Should we ever add a tool that sets non-essential cookies, we will gate it behind the same consent mechanism.
6. Who We Share Data With / Sub-Processors
We do notsell or rent your personal data. We share it only with the service providers (“sub-processors”) needed to run FolioBuild, each under a data-processing agreement:
| Provider | Purpose | Data | Region |
|---|---|---|---|
| Clerk | Authentication & accounts | Email, name, avatar, login activity | USA |
| Convex | Application database | Account, portfolio, project & file records | USA |
| Vercel | Hosting, image storage & cookieless analytics | Uploaded images, request/usage data | USA / global edge |
| Stripe | Subscription billing | Name, email, billing details (card data is handled by Stripe — we never see it) | USA / global |
| OpenAI | AI CV parsing & content generation | CV text you submit for extraction (see §11) | USA |
The current list, with links to each provider’s data-processing agreement, lives on our sub-processors page. International transfers are covered in §7. We do not sell or lease your personal data.
7. International Transfers
Several of the providers above process data in the United States. Where they do, we rely on UK GDPR transfer safeguards: the UK extension to the EU–US Data Privacy Framework where the provider is certified (for example Vercel and Stripe), or Standard Contractual Clauses together with the UK International Data Transfer Addendum under each provider’s data-processing agreement. CV text you submit for AI parsing is processed by OpenAI in the US — see §11.
8. Data Retention and Deletion
- We retain your account data and uploaded content only as long as needed to provide the Service or until you request deletion.
- How to delete your account or export your data: You can do both yourself from Settings while signed in: “Delete account” permanently erases your data (you are already identity-verified by being logged in), and “Download my data” gives you a machine-readable JSON copy of everything we hold on you. If you can’t access your account, email us at sup.foliobuild@gmail.com from your account email (subject “Data deletion request”) and we’ll action it manually.
- What we delete: Deleting your account permanently removes your personal data — your account, portfolios, projects, and uploaded files — and cancels any active subscription. Your account becomes inaccessible immediately; we begin erasing the underlying data straight away and complete it without undue delay (within one month at the latest). Manual email requests are actioned on the same basis.
- Legal retention: We may retain limited personal data where we are legally required to (e.g. for compliance, accounting, tax, or dispute resolution), and will delete it once that obligation ends.
| Data | Retention |
|---|---|
| Account, portfolios & projects (Convex) | Kept for the life of your account; erased when you delete it. |
| Uploaded images (Vercel Blob) | Until you remove them or delete your account. |
| CV PDF you upload for parsing | Processed in memory and not stored — only the extracted text is saved to your portfolio. |
| Billing records (Stripe) | Retained by Stripe per its terms and any legal/tax obligation (typically up to 6 years). |
| Authentication data (Clerk) | Life of your account. |
| Analytics (Vercel) | Cookieless and aggregate; retained per Vercel’s defaults. |
| Inactive accounts | If an account stays inactive for an extended period (around 24 months), we may delete it and its data after that period. |
9. Your Rights (as Data Subject under UK data protection law)
You have the right to:
- Access your personal data (what we hold)
- Rectify inaccurate or incomplete data
- Erase your data (“right to be forgotten”)
- Restrict or object to processing (where lawful basis allows)
- Request data portability
- Withdraw consent (if processing based on consent)
- Lodge a complaint with a supervisory authority (e.g. ICO) if you believe your data is mis-used
You can exercise the erasure and portability rights yourself from Settings (“Delete account” and “Download my data”). The export covers your application data (account, portfolios, projects, and uploaded-file records); your authentication records are held by Clerk and your billing records by Stripe, which we can provide on request. For the other rights, or if you can’t access your account, email us at sup.foliobuild@gmail.com from the email address linked to your account. We aim to respond as promptly as we reasonably can, and free of charge where possible.
10. Data Security & Accountability
We aim to use reasonable technical and organisational measures (such as access controls and secure storage) to help protect personal data against unauthorised access, loss, alteration or disclosure. As an early-stage product, we are continually working to improve our security practices and record-keeping as we grow.
We use the sub-processors listed in §6 (and on our sub-processors page) and put data-processing agreements in place with them.
11. Automated Processing / Profiling / AI Use
If we use automated processing (e.g. parsing your CVs to extract data, build portfolio automatically), we will not use it to make decisions with legal or similarly significant effects without your explicit consent.
We will explain what data is extracted, how it is used, and for what purpose — transparently.
CV parsing and content generation are powered by OpenAI’s API. OpenAI does not use data submitted through its API to train its models; it may retain API inputs for up to 30 days for abuse-monitoring before deletion. Extracted data is only ever saved to your own portfolio. Because a CV may contain special-category data (e.g. details revealing health, ethnicity, or beliefs), we ask for your explicit consent (Art. 9(2)(a)) at the point of upload before parsing it, and you can withdraw by deleting your account.
12. Changes to this Policy
We may update this Privacy Policy from time to time (e.g. when we change how we process data, add new features, or change storage providers). We will publish the updated version on our website, with a new “Last updated” date. If changes are material, we will notify users (e.g. via email).
13. Contact & Complaints
If you have any questions, wish to exercise your data rights, or wish to lodge a complaint, contact us at:
Email: sup.foliobuild@gmail.com
You can also file a complaint directly with us using our complaints form; we acknowledge complaints within 30 days.
And you can lodge a complaint with the UK supervisory authority (the ICO) if you believe your rights under UK data protection law have been breached.