Privacy Policy

Last updated: April 3, 2026

1. Introduction

This Privacy Policy explains how Carta ("we", "us", "our"), operated at carta.cv, collects, uses, stores, and protects your personal information when you use our resume generation service.

We take your privacy seriously. We collect only what is necessary to provide the Service and do not sell your data.

2. Information We Collect

2.1 Account Information

When you sign up, we receive your name, email address, and profile image from your OAuth provider (GitHub, Google, or LinkedIn). We store this to identify your account.

2.2 Career Data You Provide

This includes data you upload or enter directly:

  • LinkedIn data exports (ZIP files containing your career history)
  • Resume documents (PDF, LaTeX, Markdown, or plain text files)
  • Manually entered experience, education, skills, and certifications
  • Job listings you paste for resume targeting

2.3 GitHub Data

When you connect GitHub, we access your repositories (public and, if authorized, private) including repository names, descriptions, languages, star counts, topics, and homepage URLs. We store this data to enable AI-powered project selection for your resumes.

2.4 OAuth Tokens

We store OAuth access tokens from GitHub, Google, and LinkedIn to maintain your session and access authorized data on your behalf. Tokens are stored encrypted in our database. We do not store your passwords.

2.5 Generated Content

Resumes and related content generated by our AI are stored in your account so you can access, download, and manage them.

2.6 Usage Data

We track generation counts per user for tier limit enforcement. We log AI model usage (model type, token counts, latency) for cost monitoring and debugging. These logs do not contain your resume content.

3. How We Use Your Information

We use your information to:

  • Generate resumes based on your career data and target roles
  • Screen and rank your GitHub repositories for relevance
  • Merge and augment your profile data from multiple sources
  • Enforce subscription tier limits and rate limits
  • Process payments through Stripe
  • Send essential service communications (account-related emails)
  • Monitor and improve the reliability of the Service

4. AI Processing

Your career data is sent to AI language models (currently Anthropic Claude) for processing. This includes your experience, education, skills, and selected GitHub repositories. The AI uses this data solely to generate your resume content within a single request.

We do not use your data to train AI models. Your data is processed per-request and is not retained by the AI provider beyond the duration of the API call, in accordance with their data processing terms.

5. Data Sharing

We share your information only with:

  • Anthropic (AI provider): receives your career data for resume generation. Subject to their data processing agreement.
  • Stripe (payment processor): receives your payment information for subscription billing. We do not store your credit card details.
  • Supabase (database provider): hosts our database where your account and career data is stored.
  • GitHub/Google/LinkedIn (OAuth providers): we exchange tokens with these services for authentication and data access.

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

6. Data Storage and Security

Your data is stored in a PostgreSQL database hosted by Supabase. We use industry-standard security measures including:

  • Encrypted connections (TLS) for all data in transit
  • Database-level encryption for data at rest
  • OAuth-based authentication (no password storage)
  • Rate limiting to prevent abuse
  • State validation and CSRF protection on OAuth flows

7. Data Retention

We retain your data for as long as your account is active. If you delete your account or request data deletion:

  • Your career data (LinkedIn, GitHub, resumes) is deleted within 30 days
  • Your account information is deleted within 30 days
  • Generation logs (which do not contain resume content) may be retained for up to 90 days for billing and debugging purposes
  • Stripe retains payment records per their own retention policy

8. Your Rights

You have the right to:

  • Access your data through the profile and dashboard pages
  • Correct your data using the manual edit features
  • Delete your uploaded data through the profile page
  • Export your generated resumes as PDF, text, or LaTeX
  • Revoke GitHub, Google, or LinkedIn access through those platforms
  • Request full account deletion by contacting us

9. Cookies

We use essential cookies only:

  • Session cookies for authentication (required for the Service to function)
  • Theme preference stored in localStorage (not a cookie, stays on your device)
  • Short-lived cookies for OAuth state verification (deleted after the flow completes)

We do not use analytics cookies, tracking cookies, or advertising cookies.

10. Children

The Service is not intended for users under 16 years of age. We do not knowingly collect personal information from children under 16.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. The "Last updated" date at the top reflects the most recent revision.

12. Contact

For privacy-related questions or to exercise your data rights, contact us at the email address listed on carta.cv.