How we handle your data today

This policy explains how we process personal information when you use webiculum to sign in, upload your CV, generate your website, publish it, download it or buy a plan.

It is written to reflect how the product currently works. If the service changes in a material way, we may update this text and publish a new version.

We collect identity and access data when you sign in with Google through Supabase Auth, including your user identifier, email, public name, avatar if Google provides it, and the username linked to your account.

We also process the content you choose to upload or generate inside the product: CV files in PDF or image format, extracted text, structured CV information, generated HTML, website metadata and publication status.

We use your data to authenticate you, let you access your account, process your CV with AI, store your websites, show previews, publish them on a subdomain, and let you download the HTML when your plan allows it.

We also use it to manage payments, enforce plan limits, prevent abuse, maintain service security, respond to incidents, and comply with legal or tax obligations where applicable.

The main legal basis is the performance of the service you request when you create an account, upload content, generate a website or purchase a plan. In some cases we also process data under legitimate interest, for example for security, fraud prevention, technical control and handling incidents or claims.

When processing depends on third-party services or on making data publicly available on the internet, you understand that this use is part of the normal operation of the product you requested.

Accounts, database records and uploaded files are currently managed through Supabase. Operations with elevated privileges run on the server, and the service-role key is not exposed in the browser.

CV content is sent to the AI provider configured in the backend in order to extract data and generate the website. In the current version of the project that provider is Google Gemini. Payments are processed through Stripe.

Deployment and publication may also rely on infrastructure, hosting or DNS providers. Some providers may process data outside the European Economic Area under their own safeguards and terms.

If you choose to publish your website, the content included in the public page stops being private and may be accessible to anyone who knows or finds your public URL or subdomain.

Before publishing, you should review which personal data appears in your CV or website, especially email, phone number, location, links and any other information you do not want to expose publicly.

Free unpublished previews may be deleted automatically after 24 hours, together with the uploaded file linked to them, in order to free storage and enforce the free-plan rules.

Data linked to paid accounts, websites, publications, billing, support and security may be kept for as long as reasonably necessary to provide the service, manage incidents, resolve disputes, comply with legal obligations or preserve technical evidence.

Public availability may expire depending on the active plan. As of today, the premium plan has a limited duration and the studio plan does not have an automatic publication expiry defined in the current code.

We use technical cookies required to keep your session active and operate Supabase-based access, as well as a language preference cookie. Without these cookies, the product does not work correctly.

We apply reasonable technical and organizational measures to reduce risk, but no internet-connected system can guarantee absolute security or permanent availability. You should not use the platform as your only storage location.

You may request access, rectification, deletion, restriction, objection or portability regarding data we can directly manage, within the legal and technical limits that apply. You may also request deletion of content linked to your account where appropriate.

To exercise rights, ask questions or report privacy issues, use the help channel available on this website. If part of the processing depends on providers such as Google, Supabase or Stripe, the request may need to be coordinated with them.