Flows CV ("Flows," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website at flows.cv and related services (collectively, the "Service").

Please read this Privacy Policy carefully. By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

1. Information We Collect

1.1 Information You Provide

We collect information you voluntarily provide when using our Service:

Account Information: Email address, password, and username when you create an account.
Profile Information: Name, job title, biography, location, profile photo, and personal website.
Portfolio Content: Projects, work experience, education history, skills, social links, blog posts, and any other content you add to your portfolio.
Resume Data: Information extracted from uploaded resumes or imported from LinkedIn profiles.
Communications: Messages you send through our contact forms or customer support channels.
Job Application Materials: Resumes, cover letters, and other materials you create or store on the platform.

1.2 Information Collected Automatically

When you access our Service, we automatically collect certain information:

Device Information: Browser type, operating system, device type, and unique device identifiers.
Usage Data: Pages visited, time spent on pages, click patterns, and navigation paths.
Location Information: Approximate geographic location based on IP address (country and city).
Log Data: IP addresses, access times, referring URLs, and error logs.

1.3 Tracking Links and Analytics

If you create tracking links to share your portfolio, we collect detailed analytics about visitors who access your portfolio through those links:

Visitor Analytics: View counts, unique visitors, time spent on portfolio, and projects viewed.
Session Information: Browser, device, operating system, and referrer URL of visitors.
Geographic Data: Visitor country and city based on IP address.
Session Recordings: We use rrweb technology to record visitor sessions on your portfolio, allowing you to replay how visitors interact with your content. These recordings capture mouse movements, clicks, scrolls, and page interactions but do not capture keystrokes in input fields or sensitive data.

1.4 AI and Machine Learning Data

We use AI features to enhance your experience:

AI Chat: When visitors use the AI chat feature on your portfolio, their questions and the generated responses are processed.
Vector Embeddings: We create mathematical representations (embeddings) of your portfolio content to power AI-driven features like semantic search and personalized job matching.
Content Enhancement: When you use AI writing assistance, your content is processed to generate suggestions.
Job Matching: Your skills, experience, and preferences are analyzed to match you with relevant job opportunities.

2. How We Use Your Information

We use the information we collect to:

Provide, maintain, and improve the Service
Create and manage your account and portfolio
Process and display your portfolio content to visitors
Provide tracking analytics for your shared links
Power AI features including content suggestions, chat, and job matching
Send you notifications about portfolio activity, new job matches, and access requests
Send transactional emails (password resets, account confirmations)
Respond to your inquiries and provide customer support
Analyze usage patterns to improve our Service
Detect, prevent, and address technical issues and security threats
Comply with legal obligations

2.1 AI Processing and Discoverability

We also process your public profile data using artificial intelligence to improve your professional discoverability. This includes generating AI summaries, semantic tagging, structured data markup (JSON-LD, schema.org), and dynamic profile presentations. Your public profile content is intentionally structured to be indexable and queryable by search engines, LLM providers, and AI-powered discovery systems used by hiring managers and recruiters.

Every piece of AI-generated content derived from your data is visible to you on your profile or in your dashboard. We do not generate hidden assessments, scores, or rankings that you cannot see.

3. Public and Private Information

3.1 Public Profile Data

The following information is publicly accessible on your profile page and may be indexed by search engines and AI systems:

Your name and professional headline/title
Your biography and professional summary
Work experience (company names, titles, dates, descriptions)
Education history
Skills and competencies
Portfolio projects and case studies (unless individually password-protected)
Blog posts published on your profile
Social links you choose to display
AI-generated summaries and structured representations of your profile

3.2 Private Data

The following information is never publicly exposed and never shared with search engines or AI systems:

Your email address and phone number
Your authentication credentials
Application tracking data (which jobs you've applied to, application status, interview stages)
Tracking link analytics (who viewed your portfolio, session recordings, visitor data)
Internal analytics and usage patterns
Bookmark and saved role data
Swipe feedback and role preferences
Role-specific customized materials (tailored resumes, cover letters)
Notification history and account settings

3.3 Your Control

You can password-protect individual portfolio projects, choose which social links to display, and edit or remove profile content at any time. Your core professional identity — name, title, experience, skills — is public by design when you maintain an active profile on the Service.

4. Data Commitments

We do not sell your personal data. We will never sell, rent, lease, or trade your personal information to third parties for their own commercial purposes.
We do not use your private data for AI model training. Your content is processed by AI systems to generate features for you (summaries, matching, suggestions), but it is not used as training data for third-party AI models. Our AI service providers are contractually prohibited from using your data for model training.
We do not score you in hidden systems. Every AI-generated assessment, summary, or analysis we create from your data is visible to you. There are no secret rankings or blacklists.
We do not scrape your data from external sources without your consent. The data on your profile comes from you. If we import data (e.g., from a resume you upload or a LinkedIn export you authorize), it's because you initiated that action.
We do not make automated employment decisions. We provide information and tools. No automated system on our platform determines whether you get a job or an interview.

5. Third-Party Services

We use trusted third-party services to operate our platform. These services may process your data according to their own privacy policies:

Supabase

Database hosting and authentication. Stores your account data, portfolio content, and application data securely with PostgreSQL and Row Level Security.

View Supabase Privacy Policy →

Microsoft Azure OpenAI

Powers our AI features including content generation, job matching analysis, and the AI chat assistant. Your content is processed to generate AI responses but is not used to train AI models.

View Microsoft Privacy Statement →

Amazon Web Services (AWS Bedrock)

Provides AI processing capabilities including text parsing and image analysis for profile features. Data processed through AWS Bedrock is not used for model training.

View AWS Privacy Policy →

PostHog

Product analytics to understand how users interact with our Service. Helps us improve features and fix issues. We may use feature flags to test new functionality.

View PostHog Privacy Policy →

Resend

Email delivery service for transactional emails (notifications, password resets, shortlist alerts). Processes email addresses and message content.

View Resend Privacy Policy →

Vercel

Hosts and serves our website. Processes requests and may log access data for security and performance monitoring.

View Vercel Privacy Policy →

Firecrawl

Web scraping service used for importing portfolio content and extracting job posting information. Processes URLs and publicly available web content you choose to import.

View Firecrawl Privacy Policy →

Parallel

AI research platform used to gather company information, funding data, and business insights for our job discovery features. Helps enrich job listings with relevant company context.

View Parallel Privacy Policy →

6. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience:

Essential Cookies: Required for authentication, session management, and core functionality.
Analytics Cookies: Help us understand how you use our Service (via PostHog).
Preference Cookies: Remember your settings and preferences.

You can control cookies through your browser settings. However, disabling certain cookies may limit your ability to use some features of our Service.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal information:

Encryption of data in transit (HTTPS/TLS)
Encryption of data at rest
Row Level Security (RLS) policies in our database
Regular security audits and monitoring
Access controls and authentication requirements
Secure password hashing

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security.

9. Data Retention

We retain your information for as long as your account is active or as needed to provide you services. Specifically:

Account Data: Retained until you delete your account.
Portfolio Content: Retained until you delete specific content or your account.
Tracking Analytics: Session data and analytics are retained for up to 2 years.
Session Recordings: Retained for up to 90 days.
Log Data: Retained for up to 30 days for debugging purposes.
AI-Generated Content: Summaries, structured data, and embeddings derived from your profile are retained for as long as your profile is active and deleted when you delete your account.

After account deletion, we may retain certain information as required by law or for legitimate business purposes (such as fraud prevention). We will delete or anonymize the remainder within 30 days of your deletion request.

10. Data Ownership and Portability

You retain all ownership rights to your content. The work history, portfolio projects, blog posts, and other materials you create on Flows CV are your intellectual property. Our license to display and process that content exists solely to provide the Service and terminates when you delete your account.

You can export your data at any time. To request a full data export, contact us at privacy@flows.cv. You can also edit, update, or remove any content from your profile at any time through the Service.

When you delete your account, we remove your profile, portfolio content, application materials, tracking data, and all associated records from our active systems. We also submit deindexing requests to major search engines and remove AI-generated content derived from your profile.

Note: We cannot control how quickly third-party services (search engines, LLM providers, web archives) update their caches or indexes. While we take commercially reasonable steps to request removal, some third-party systems may retain cached versions of your previously public data for a period of time after deletion.

11. Your Rights and Choices

Depending on your location, you may have certain rights regarding your personal information:

11.1 General Rights

Access: Request a copy of the personal information we hold about you.
Correction: Request correction of inaccurate or incomplete information.
Deletion: Request deletion of your personal information.
Data Portability: Request a copy of your data in a portable, machine-readable format.
Opt-out: Opt out of marketing communications at any time.

11.2 U.S. State Privacy Rights

If you reside in California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), or any other U.S. state with comprehensive privacy legislation, you have additional rights including:

Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, our business purposes, and the categories of third parties with whom we share it.
Right to Delete: Request deletion of personal information, subject to certain exceptions permitted by law.
Right to Correct: Request correction of inaccurate personal information.
Right to Opt Out of Sale/Sharing: We do not sell your personal information and do not share it for cross-context behavioral advertising. We honor Global Privacy Control (GPC) signals.
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
Right to Appeal: If we deny your privacy request, you may appeal by contacting us at privacy@flows.cv.

We do not use or disclose sensitive personal information for purposes beyond those permitted under applicable law. We do not engage in "selling" or "sharing" (as defined under CPRA) of personal information.

11.3 For European Users (GDPR)

If you are in the European Economic Area, you have additional rights under the General Data Protection Regulation:

Right to object to processing based on legitimate interests
Right to restrict processing
Right to withdraw consent at any time
Right to lodge a complaint with a supervisory authority

To exercise any of these rights, please contact us at privacy@flows.cv. We will respond to verifiable requests within 45 days (or 30 days for GDPR requests), as required by applicable law.

12. Children's Privacy

Our Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@flows.cv, and we will take steps to delete such information.

13. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that are different from the laws of your country. We take appropriate safeguards to ensure your personal information remains protected in accordance with this Privacy Policy, including using Standard Contractual Clauses approved by the European Commission where applicable.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. For significant changes, we may also send you an email notification. Your continued use of the Service after any changes constitutes acceptance of the updated Privacy Policy.

15. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Email: privacy@flows.cv

Website: flows.cv/contact

Privacy Policy