
Privacy Policy

Effective: 15 May 2026

01 Who we are

SculptCV ("we", "us", "SculptCV") operates sculptcv.com, an AI-assisted resume tailoring service for jobseekers in India. This policy explains what personal data we collect, why, and what rights you have over it under India's Digital Personal Data Protection Act, 2023 ("DPDP Act").

For any questions about this policy or to exercise your data rights, contact our Data Protection Officer at support@sculptcv.com.

02 What we collect and why

Account data — your email address (or Google/LinkedIn identifier if you use social sign-in). Used solely for authentication and to send transactional emails.

Resume content — the text content extracted from PDFs you upload, plus a structured JSON representation (work history, skills, education). Used to generate your analyses and stored so you can return to past results.

Job descriptions — text you paste or that we fetch from public job boards on your behalf. Used to score the match and produce a tailored rewrite.

Payment metadata — Razorpay order ID, payment ID, amount, currency, and status. We never see or store your card number, UPI handle, or bank details — those go directly to Razorpay.

Usage analytics — page views, button clicks, browser type, and approximate region, captured via Vercel Analytics. We do not link this to your account identity in our systems.

Hashed IP address — for view-count throttling on shared job pages, we hash your IP with a server-side salt and store the hash (not the IP). The salt is rotated periodically and the hash cannot be reversed.

Server logs — Vercel and Supabase retain technical logs (request paths, status codes, error stacks) for ~30 days for operational debugging.

03 Where your data lives

Your primary data (account, resumes, analyses, payments) lives in a Supabase Postgres instance hosted in ap-south-1 (Mumbai). This means your personal data stays within India, in line with DPDP Act expectations for data residency.

Resume and job-description text is transmitted to OpenAI's API (US-hosted) for the duration of the analysis request. OpenAI does not train on data submitted via its API (per their published API data policy as of 2024-2026). Output is returned to us and stored only in our Mumbai database. No copy of your resume is retained by OpenAI for training purposes.

04 Who we share data with

We use a minimal set of sub-processors. Each operates under a signed enterprise-grade data processing agreement and its own published privacy commitments:

  • Supabase (US-incorporated; ap-south-1 Mumbai region) — database, auth, and storage.
  • OpenAI (US) — generates the AI analysis. API data is not used for training.
  • Razorpay (India) — payment processing. Razorpay receives transaction-related personal data per its own published policy.
  • Resend (US) — sends transactional email (magic links, payment receipts). Email address is the only personal data transmitted.
  • Vercel (US) — application hosting and analytics. Receives request metadata and your IP at the network edge; this is not joined to your account record.
  • Spaceship / Spacemail — receives email sent to support@sculptcv.com when you contact us.

We do not sell your personal data. We do not share data with advertising or marketing platforms.

05 How we secure your data

  • Encryption in transit — every request to sculptcv.com runs over TLS 1.3. Database connections from our servers to Supabase are encrypted.
  • Encryption at rest — Supabase encrypts all stored data using AES-256.
  • Row-level access control — every user-owned database table enforces Postgres Row-Level Security policies that restrict each user to their own records, verified at the database layer regardless of application code.
  • Webhook integrity — payment webhooks from Razorpay are verified using HMAC signatures with timing-safe comparison.
  • Minimal admin access — administrative database access is limited to the founder and gated through Supabase's audit-logged dashboard.
  • Rate limits + SSRF protection — automated abuse is throttled and our job-board scraper is locked to a public allowlist of well-known career sites.

06 How long we keep your data

Account, resume, and analysis data are retained until you delete your account or request erasure (see §8). After deletion: hard-delete from primary database within 7 days; Supabase's automated backups (rolling 30-day) age out within 30 days.

Payment records are retained for 7 years after the transaction date to comply with Indian financial recordkeeping requirements (the Income Tax Act and CGST Act require business records to be preserved for this duration).

Server logs and analytics are retained for ~30 days then auto-rotated.

07 Cookies and local storage

We use cookies and browser storage for these purposes only:

  • Authentication — Supabase session cookie (required for login). HTTP-only, secure, SameSite=Lax.
  • Theme preference — localStorage entry remembering light/dark mode.
  • Wizard state — sessionStorage entry remembering your in-progress analysis, so you can sign in mid-flow without losing work. Cleared on completion.
  • Analytics — Vercel Analytics uses cookie-less measurement; no advertising trackers.

We do not display a cookie consent banner because each item above is either essential to providing the service or is not a tracker, and so falls outside the consent requirements under the DPDP Act / GDPR essential-purpose tests.

08 Your rights under the DPDP Act

You have the right to:

  • Access the personal data we hold about you. Download a full JSON export anytime from Settings → Data & privacy, or email us.
  • Correct inaccurate data. You can edit most fields in your dashboard; email us for anything you cannot edit yourself.
  • Delete your account and all associated personal data. Request it from Settings → Data & privacy or email us — we'll confirm and process within 7 days (payment records are retained for 7 years per §6).
  • Withdraw consent at any time. Withdrawal means deleting your account, since the service requires data to function.
  • Nominate someone to exercise these rights on your behalf in case of your death or incapacity.
  • Lodge a complaint with the Data Protection Board of India if you believe we've mishandled your data.

To exercise any of these rights, email support@sculptcv.com from the email address registered with your account. Identity verification may be required for sensitive requests.

09 Children

The service is intended for users 18 years and older. We do not knowingly collect personal data from children under 18. If we learn that we hold data belonging to a minor, we will delete it. Parents or guardians who believe their child has provided data may email us for prompt removal.

10 Data breach notification

In the event of a personal data breach that is likely to result in risk to your rights, we will notify the Data Protection Board of India and affected users without undue delay, in the manner prescribed by the DPDP Act and its rules.

11 International transfers

Some sub-processors (OpenAI, Vercel, Resend) operate from the United States. Transfers to these processors are made under their published data processing agreements, which include standard safeguards consistent with the DPDP Act's cross-border transfer requirements. The Indian government may from time to time notify additional restricted territories; we will adjust sub-processors accordingly if SculptCV processes any restricted-category data.

12 Changes to this policy

We may update this policy as the service evolves or as the law changes. Material changes (new data collected, new sub-processors handling sensitive data, changes to your rights) will be announced via email and an in-app banner at least 14 days before they take effect. The "Effective" date at the top of this page tracks the latest version.

13 Contact

SculptCV
Email: support@sculptcv.com
Data Protection Officer: contactable at the same address.
Governing law: Republic of India. Disputes are subject to §11 of the Terms of Service.

Not legal advice

This policy was drafted in good faith to describe SculptCV's actual data practices and align with the DPDP Act 2023. It has not been reviewed by a lawyer licensed in India. We recommend you treat this as a baseline and engage counsel before scaling beyond early users.