Skip to main content

Privacy Policy

Last updated: March 6, 2026

1. Who We Are

UpgradeYou is an AI-powered career planning service operated by Neamtu Alexandru PFA, CUI: RO42457920, Trade register: F2020000916404, with registered address at Str. Thomas Masaryk nr. 10, 020983 Bucharest, District 2, Romania. We act as the data controller for your personal data. Contact: [email protected].

2. Data We Collect

  • CV/Resume PDF — the file you upload for analysis. We extract text content including your name, work history, education, skills, and contact details to generate your career report.
  • Email address and display name — collected via our authentication provider (Clerk) when you create an account.
  • Optional email updates signup — if you opt in on our public pages, we store your email address, preferred language, signup source, and consent timestamp so we can send occasional product updates and career guides.
  • Payment information — processed by Stripe. We store transaction references (Stripe session IDs, amounts, currency) but do not store your credit card details directly.
  • Usage data — IP addresses and timestamps for rate limiting and abuse prevention (stored transiently in server memory).

3. Legal Basis and Purpose of Processing

We process your personal data under the following legal bases (GDPR Article 6):

  • Consent (Art. 6(1)(a)) — Processing your CV through AI analysis and web research, and sending optional product updates or career guides by email when you explicitly opt in on public pages.
  • Contract performance (Art. 6(1)(b)) — Generating and delivering the career report you purchase, processing payments, and managing your account.
  • Legitimate interest (Art. 6(1)(f)) — Rate limiting, abuse prevention, and maintaining service security.

You may withdraw your consent at any time by deleting your account, using our unsubscribe page, contacting us, or asking us to remove your marketing signup. Withdrawal does not affect the lawfulness of processing performed before withdrawal.

4. Third-Party Services

We use the following third-party services to operate UpgradeYou. Each acts as a data processor under GDPR Article 28:

  • Clerk (USA) — authentication and user management. Receives your email and display name.
  • Stripe (USA) — payment processing. Receives payment details necessary to complete your purchase.
  • Backblaze B2 (EU/Global) — S3-compatible object storage for uploaded files and generated reports.
  • Cloudflare (USA/Global) — bot verification (Turnstile) and edge routing. Receives your IP address for security checks.
  • LLM providers — AI models (DeepSeek [China], Google Gemini [USA], Mistral [EU], Groq-hosted models [USA]) used to analyze your CV and generate reports. The full text content of your CV is sent to these providers for processing.
  • Tavily / DuckDuckGo — web search services used to research publicly available career market data. Your name, location, current role, and company names may be included in search queries.

Each provider processes data according to their own privacy policies. We recommend reviewing each provider's current terms for the most up-to-date information.

5. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), specifically:

  • United States — Clerk, Stripe, Cloudflare, Google Gemini, Groq-hosted models (covered by EU-US Data Privacy Framework where applicable, or Standard Contractual Clauses)
  • China — DeepSeek (if selected as the AI model). China does not have an EU adequacy decision; transfers are based on Standard Contractual Clauses and your explicit consent.

We take appropriate safeguards to protect your data during international transfers in accordance with GDPR Chapter V.

6. Data Retention

  • Uploaded CV files — stored for up to 90 days for deduplication and re-processing, then automatically deleted from cloud storage.
  • Generated reports — retained for as long as your account is active. Deleted when you delete your account.
  • Account data — retained until you delete your account. Upon deletion, your personal data is erased and purchase records are anonymized.
  • Optional email updates signups — retained until you withdraw consent or ask us to delete the signup record.
  • Payment records — anonymized purchase records (without personal identifiers) are retained for financial and tax audit purposes as required by law.

You may request deletion of all your data at any time via the Account page or by contacting us.

7. Automated Decision-Making

Our service uses automated processing (AI/LLM analysis) to generate your career report. This includes extracting your professional profile from your CV, researching market data, and producing personalized career recommendations and salary estimates. The output is an informational report intended to support your career decisions — it does not produce any legal effects or similarly significantly affect you. The AI analysis is based on pattern matching and publicly available market data, and should be reviewed critically as one input among many in your career planning.

8. Your Rights

Under the GDPR and applicable data protection laws, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate data
  • Erasure — request deletion of your personal data (available via the Account page)
  • Data portability — receive your data in a structured, machine-readable format
  • Restriction — request restriction of processing in certain circumstances
  • Object — object to processing based on legitimate interests
  • Withdraw consent — withdraw your consent at any time

To exercise any of these rights, use the Account page in the application, our unsubscribe page for optional email updates, or email us at [email protected]. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection supervisory authority. In Romania, this is the Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)www.dataprotection.ro.

9. Cookies

We use the following cookies and similar technologies:

  • Authentication cookies (Clerk) — essential for maintaining your login session. Strictly necessary.
  • Bot verification (Cloudflare Turnstile) — may set cookies to verify you are a human user. Strictly necessary for security.
  • Local storage — used to store your language preference and cookie consent status. No tracking purposes.

We do not use tracking, analytics, or advertising cookies.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including: encrypted data transmission (HTTPS/TLS), secure cloud storage with server-side encryption, JWT-based authentication with cryptographic verification, rate limiting and bot protection, and access controls on sensitive endpoints. However, no method of electronic storage or transmission is 100% secure, and we cannot guarantee absolute security.

11. Changes to This Policy

We may update this privacy policy from time to time. The "Last updated" date at the top indicates when the policy was last revised. We encourage you to review this policy periodically. Continued use of the service after changes constitutes acceptance of the updated policy.

12. Contact

For any questions, concerns, or data protection requests regarding this privacy policy or your personal data, please contact us at [email protected].