Privacy Policy — CVGen

Last updated: April 2026

Orbit Apps (“we”, “Operator”) respects your privacy. This Policy describes how we process personal data in the CVGen mobile application (the “App”), in accordance with the Brazilian General Data Protection Law (Law No. 13.709/2018 — LGPD) and other applicable legislation.

Data protection contact: contact@orbitapps.dev

1. Data controller

The controller of personal data processed to provide the CVGen service is Orbit Apps, responsible for decisions concerning the processing described in this Policy.

2. What data we collect

Depending on how you use the App, we may process:

Category	Examples
Account data	Email, user identifier (Supabase Auth), password (stored securely by the authentication provider).
Résumé content	Name, phone, email, work experience, education, cover letter text, optional photograph, template preferences, and document language.
Technical and usage data	Device type, operating system, app identifiers, error logs (when necessary), basic network data.
Purchases and subscriptions	Subscription identifiers and plan status processed by the stores (Apple/Google) and RevenueCat (or equivalent), without our storing your full card number (handled only by the stores). Purchase events may update your AI improvement credits balance.
Product metrics	Usage events (e.g. screens viewed, onboarding completion), app version, and a pseudonymous device identifier; when configured, sent to PostHog (or equivalent) to improve the service.
AI data (Pro+)	Text excerpts you submit to suggestion features, processed as described in section 6.

Photograph: if you add a photo to your résumé, it may be stored locally and, when sync is enabled, in secure cloud storage (private bucket), linked to your account.

3. Purposes and legal bases (LGPD)

We process personal data to:

Performance of the contract / use of the App — create and edit résumés, export PDF, sync when enabled (Art. 7, V and VII, LGPD).
Consent — when required for optional features (e.g. system permissions or AI features), via acceptance or device settings.
Legitimate interest — security, fraud prevention, service improvement, and aggregate metrics, respecting your rights (Art. 7, IX).
Compliance with legal obligations — when required by law or court order.

4. Sharing with third parties

We may rely on strictly necessary processors:

Supabase (authentication, database, and storage of résumé/photo files, per project configuration).
Apple / Google — for in-app purchases, sign-in, and app distribution.
RevenueCat (or similar) — subscription and entitlement management.
PostHog (or equivalent) — product metrics and diagnostics when enabled via app environment variables; we do not sell your personal data for marketing.
AI provider — when you use AI suggestions, the text sent is processed through the Operator’s functions (Edge Functions) and may be forwarded to a model provider (e.g. OpenAI), without using your personal data to train models for the provider’s commercial purposes, except as stated in the provider’s policy applicable at the time.

We do not sell your personal data to third parties for marketing.

5. International transfers

Some providers may process data outside Brazil. In those cases, we adopt measures compatible with the LGPD (e.g. contractual clauses or adequacy assessment), as applicable.

6. AI and cache

To reduce cost and duplication, suggestions may be cached and linked to your account and document (hash of the analyzed excerpt). You may accept, edit, or discard suggestions; the final résumé content remains under your control.

7. Retention

We keep data while your account is active or as needed to provide the service.
After account deletion or a deletion request, we may anonymize or delete data within reasonable timeframes, except where retention is required by law or dispute resolution. Deletion via the Account screen removes the auth user and associated cloud data per our infrastructure (including AI cache tied to documents), subject to temporary backups.
Backups may retain copies for a limited technical period.
Analytics provider logs follow that provider’s retention policies, in aggregate or pseudonymous form.

8. Your rights (LGPD)

You may request:

Confirmation of processing and access to data;
Correction of incomplete or outdated data;
Anonymization, blocking, or deletion of unnecessary or excessive data;
Portability, where applicable;
Information about sharing;
Withdrawal of consent, when processing is based on consent.

Requests can be sent to contact@orbitapps.dev. We may ask for information to verify your identity.

Metrics: you may request object or clarification on processing for product improvement via the same email. After account deletion, we stop associating your user identifier with events sent thereafter, subject to the provider’s technical policies. Fully disabling collection while using the App may require support contact or a future in-app setting.

9. Security

We adopt reasonable technical and organizational measures (e.g. HTTPS, access controls, secure storage of secrets on the server). No system is 100% secure; use a strong password and protect your device.

10. Children and adolescents

The App is not intended for users under 16 (or the local minimum age). If we learn of an improper registration, we will take steps to remove the data.

11. Cookies and similar technologies

In web versions (if any), cookies or local storage may be used per the browser. In the native app, we use the system’s local storage for session and preferences.

12. Changes to this Policy

We may update this Policy. The date at the top will be revised. Material changes will be communicated by reasonable means (e.g. in the App or by email). Continued use after the effective date may indicate awareness of the changes, where permitted by law.

13. Contact

Privacy and questions: contact@orbitapps.dev

You may also contact the Brazilian National Data Protection Authority (ANPD) under applicable law.

Legal review is recommended before final publication.