Privacy Policy
Last updated: February 20, 2026
Profica (“we”, “us”, “the Service”) is committed to protecting your privacy. This policy explains what data we collect, how we use it, who we share it with, and your rights.
1. Information We Collect
Account information: Name, email address, and password (hashed) when you register. If you sign in with Google, we receive your name, email, and profile picture from Google.
Career profile data: Work experience, education, skills, certifications, projects, career targets, links, and any other information you add to your profile. This data is provided by you and is used to generate career content.
Job descriptions: When you paste a job posting for generation, we process the text to extract requirements and match them against your profile. Job descriptions are stored as part of your generation history.
Payment information: Payment processing is handled entirely by Lemon Squeezy. We never receive, store, or have access to your credit card number or banking details. We store your Lemon Squeezy customer ID and transaction records (amounts, dates, credit pack purchased) for accounting and support purposes.
Usage data: Generation history, credit transactions, feature usage, page views, interactions, device type, browser, and approximate location (country-level). This is collected through PostHog (analytics) and Microsoft Clarity (session replay and heatmaps).
2. How We Use Your Information
Career content generation: Your profile data and job descriptions are sent to OpenAI to generate tailored resumes, cover letters, pitch statements, and platform profiles. This is the core function of the Service.
Service operation: Account management, credit tracking, generation history, and delivering the features you use.
Transactional emails: Email verification, password resets, purchase confirmations, and account notifications sent via Resend. We do not send marketing emails unless you explicitly opt in.
Analytics and improvement: Anonymized usage patterns help us understand how features are used and where to improve the Service. Collected via PostHog and Microsoft Clarity.
Support: If you contact us via live chat (Crisp), your messages and email are stored to provide support. Crisp may set cookies on your device.
We do not sell, rent, or trade your personal data to any third party. We do not use your data for advertising.
3. AI Processing
When you generate content, your career profile data and the job description you provide are sent to OpenAI's API for processing. OpenAI processes this data solely to return generated content to you. Under OpenAI's API data usage policy, data sent via the API is not used to train their models. We retain the generated outputs in your generation history for your future access.
4. Third-Party Service Providers
We share data with the following processors, each of which operates under its own privacy policy and data processing agreement:
| Provider | Purpose | Data Shared |
|---|---|---|
| OpenAI | AI content generation | Profile data, job descriptions |
| Lemon Squeezy | Payment processing | Email, payment details (collected directly by Lemon Squeezy) |
| Neon | Database hosting | All account and profile data |
| Vercel | Application hosting | Request logs, IP addresses |
| Resend | Transactional email | Email address, name |
| PostHog | Product analytics | Anonymized usage events, device info |
| Microsoft Clarity | UX analytics & heatmaps | Anonymized session data, interactions |
| Crisp | Live chat support | Email, chat messages |
| Sentry | Error monitoring | Error logs, stack traces (no PII) |
| Upstash | Rate limiting & caching | Hashed identifiers, request counts |
| Cloudflare | DNS, CDN, bot protection | IP addresses, request metadata |
5. Data Storage and Security
All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Passwords are hashed with bcrypt. Sessions use HTTP-only, secure, SameSite cookies. CSRF protection is enforced on all state-changing requests. Payment information is never stored on our servers — it is processed directly by Lemon Squeezy in a PCI-compliant environment.
6. Data Retention
Active accounts: Your account data, profile, and generation history are retained for as long as your account is active.
Account deletion: When you delete your account, all personal data is soft-deleted immediately (inaccessible) and permanently purged from our systems after 30 days. You may contact us within this window to reverse the deletion.
Financial records: Transaction records (amounts, dates, credit purchases) are retained for a minimum of 7 years after the transaction date, as required by applicable tax and accounting regulations.
Analytics data: Anonymized usage events are retained for up to 24 months, after which they are automatically purged.
7. Your Rights
Under the GDPR and similar data protection laws, you have the right to:
- Access — request a copy of all data we hold about you
- Export — download your full profile and generation history in a portable format (available in account settings)
- Correction — update inaccurate data at any time through your profile
- Deletion — delete your account and all associated data
- Objection — object to processing of your data for analytics purposes
- Portability — receive your data in a structured, machine-readable format
To exercise these rights, use the account settings page in the app or email privacy@profica.ai. We will respond within 30 days.
8. Cookies & Tracking
We use cookies and similar technologies for the following purposes:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| Session cookie | Essential | Authentication & session management | Session |
| CSRF token | Essential | Security — prevents cross-site request forgery | Session |
| Cookie consent | Essential | Stores your cookie preferences | 1 year |
| PostHog | Analytics | Product usage analytics | 1 year |
| Microsoft Clarity | Analytics | Session replay, heatmaps, UX insights | 1 year |
| Crisp | Support | Live chat session and conversation history | 6 months |
| Cloudflare (cf_clearance) | Essential | Bot protection verification | 30 min |
How to opt out: When you first visit the site, a cookie consent banner allows you to accept or decline non-essential cookies. You can change your preferences at any time by clearing your cookies and revisiting the site. Essential cookies cannot be disabled as they are required for the Service to function. You can also disable cookies in your browser settings.
9. International Data Transfers
Your data may be processed in countries outside your own, including the United States, where our infrastructure providers operate. All transfers are protected by appropriate safeguards including Standard Contractual Clauses (SCCs) where required by GDPR.
10. Children's Privacy
The Service is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users or by prominent notice on the Service. The “Last updated” date at the top of this page indicates when it was last revised. Continued use of the Service after changes constitutes acceptance of the updated policy.
12. Contact
For privacy-related inquiries, data access requests, or questions about this policy, contact us at privacy@profica.ai.