Legal document

Privacy policy.

What data we take, what we do with it, and how you delete it whenever you want. No small print, no hidden clauses.

Effective May 24, 2026

This policy describes how Harvard Resume ("we," "us") collects, uses, stores, and shares information when you use harvard-resume.com (the "Service"). We comply with the GDPR (EU/UK), CCPA/CPRA (California), and Chile's Law 19.628 on Privacy Protection.

Executive summary

  • We do not use your CV to train AI models.
  • We do not sell your data to third parties.
  • We collect the minimum necessary to operate the Service.
  • You can delete everything from the dashboard with one click — your CV in S3, your row in Postgres, your session in Supabase Auth.
  • Payments via Stripe (PCI-DSS Level 1). We never see or store your card.
  1. What data we collect

    Only the data necessary for the Service to work:

    Authentication data

    Your email address when you create an account or pay as a guest. Stored in Supabase Auth (Frankfurt, EU). We do not store passwords — we use magic-links.

    CV content

    The text you write in the editor: name, contact info, education, experience, etc. Stored in AWS S3 (us-east-1) as JSON, encrypted at rest, namespaced by your userId. For guests it's also held in browser localStorage until you clear cache.

    Payment data

    Fully processed by Stripe. We receive only: payment ID, amount, status, last 4 digits of the card, and country. We never receive the full card number, CVV, or expiration date.

    Analytics data

    Anonymous events via PostHog: pages visited, main clicks, funnel conversion. No CV content. IPs anonymized. You can opt out from the cookie banner or by sending Do-Not-Track headers.

    Technical logs

    Server logs (CloudWatch, Vercel) with userId/resumeId/paymentId, timestamps, and error codes. No CV content, no full emails. Retention: 30 days.

  2. How we use the data

    • Operate the Service: render your PDF, persist your progress, authenticate you.
    • Process payments, issue receipts, manage recurring subscriptions.
    • Respond to your support messages when you write to hola@harvard-resume.com.
    • Understand which parts of the product are used most and which bugs appear (aggregated data, without identifying you personally).
    • Comply with legal obligations (taxes, invoice retention, legitimate judicial requests).

    We do not use your information for advertising profiling outside the Service, for training AI models, or to sell it to data brokers.

  3. Who we share data with

    We only share data with sub-processors strictly necessary to operate the Service. Each one under a Data Processing Agreement (DPA):

    Supabase (auth + Postgres)

    Frankfurt, EU. Stores your email, session JWT, and the Postgres User row. GDPR and SOC2 compliant.

    Stripe (payments)

    Processes the charge and issues the receipt. Receives full name and email if you provide them at checkout. PCI-DSS Level 1.

    AWS S3 + Lambda (storage + PDF render)

    us-east-1. Stores your CV JSON and renders the PDF server-side. Encrypted at rest (SSE-S3). Access via pre-signed URLs with a maximum TTL of 60 seconds.

    Vercel (frontend hosting)

    Global edge. Hosts the Next.js app. Access logs with IP, user-agent, and URL (30-day retention).

    PostHog (analytics)

    Self-hosted EU. Anonymous events. No CV content. IPs truncated.

    Resend (transactional email)

    Sends magic-links and receipts. Receives your email and the message body. Does not use your email for anything else.

    We don't share with any other third parties. No Facebook, Google Ads, or similar tracking pixels.

  4. How long we keep your data

    • Account data and CV: until you delete your account. Immediate deletion (except invoices, see below).
    • Guest data (CV in localStorage, one-time payment without an account): persists in localStorage until you clear cache. The row in our DB associated with the guestEmail is deleted 12 months after the last use.
    • Technical logs: 30 days.
    • Invoices and accounting records: 6 years (Chilean tax obligation, Article 17 of the Tax Code).
  5. Your rights

    Under GDPR, CCPA, and Chilean Law 19.628 you have the right to:

    • Access the data we have about you.
    • Rectify incorrect data (from the dashboard or by email).
    • Delete your account and all associated data ("right to be forgotten") with one click from the dashboard.
    • Portability: export your CV as JSON or PDF at any time.
    • Object to analytics processing (opt-out of PostHog).
    • Withdraw consent at any time.
    • File a complaint with your local data protection authority (in the EU: your national DPA; in California: the California Privacy Protection Agency).

    To exercise any right not directly available from the dashboard, email hola@harvard-resume.com. We respond within 30 days.

  6. Cookies and local storage

    We use the minimum:

    • Session cookies (Supabase Auth) — essential to keep you authenticated.
    • Language cookie (next-intl) — essential to preserve your es/en preference.
    • PostHog cookie (optional) — opt-out from the initial banner.
    • Browser localStorage — saves the draft CV for guests. You control it from your browser settings.

    We do not use third-party advertising tracking cookies.

  7. Security

    All traffic travels over TLS 1.3. Data at rest is encrypted on disk (Supabase, S3). JWT tokens are signed with HS256 using a rotatable secret.

    We apply the principle of least privilege: each service accesses only what's strictly necessary. We keep audit logs for sensitive operations (account deletion, email changes).

    If we detect a breach affecting your personal data, we notify you by email within 72 hours (GDPR Art. 33 compliance), describing the scope, the remedy applied, and recommended steps on your end.

  8. International transfers

    Your data may be stored or processed in countries different from yours (primarily Chile, EU, US). Each sub-processor operates under Standard Contractual Clauses (SCCs) or equivalent mechanisms approved by the European Commission.

  9. Minors

    The Service is not directed at children under 16. We do not knowingly request data from minors. If we discover we have data from a minor without parental consent, we delete it immediately.

  10. Changes to this policy

    Material changes are notified by email (accounts) or banner (guests) with 14 days' notice. Minor changes (wording improvements, new sub-processors of the same type) are announced in the site's changelog.

  11. Data Controller contact

    For any question or to exercise rights related to this policy:

    hola@harvard-resume.com
