Privacy by default.
Last updated: February 28, 2026
CVForge is designed with privacy by default. We collect the minimum data necessary to provide our service and do not retain your resume content on our servers. This policy explains what data we collect, how we use it, and your rights.
Information we collect
Resume body (processed, not stored): The free-form parts of your resume — work experience bullets, education descriptions, projects, summaries, skills lists — are sent to OpenAI's API for text extraction and processing. The uploaded file is deleted from OpenAI's servers immediately after processing. We do not retain the body content of your resume (bullets, descriptions, summaries) in any database.
Contact details extracted from your resume (Lead record): When we parse your resume, the contact block we identify — your name, email address, phone number, LinkedIn / GitHub / portfolio URLs — IS saved as a "Lead" record in our MongoDB database. We keep this so we can: (a) help you recover or investigate your session if you contact support, (b) reach out to you in cases of suspected fraud, payment disputes, or security incidents tied to your account, and (c) measure unique users for product analytics. We do not use this contact data for marketing emails, promotional SMS, or sales outreach. If you do not want to share this, do not include those details on your resume.
Session data (browser only): Your extracted resume data, template selection, and payment status are stored in your browser's sessionStorage. This data exists only in your browser tab and is automatically cleared when you close the tab.
Payment records (our database): When you make a payment, we store the following in our MongoDB database: Razorpay order ID, payment ID, session ID (a random anonymous string), payment type, amount, and timestamp. We do not store your card number, CVV, or banking credentials at any point.
Payment contact details (held by Razorpay, accessed by us only as needed): Razorpay's checkout collects the payer's email address and phone number for the transaction. These are stored on Razorpay's servers, not ours. We may fetch them from Razorpay's API for the following narrow purposes: verifying a payer's identity for our referral programme's anti-fraud checks, investigating chargebacks or refund disputes, and contacting a payer about confirmed suspicious activity on their account. We do not use this data for marketing.
Feedback submissions: If you use our feedback form, we store your email, phone (optional), and message in our database to enable us to respond.
Token usage logs: We log the number of OpenAI API tokens consumed per request for internal cost monitoring. These logs are not linked to identifiable personal information.
Referral programme data: If you sign up at cvforge.in/refer, we store your normalised email (Gmail aliases collapsed for dedupe), a generated 6-character referral code, your accumulated points, and a count of free editor sessions earned/used. Each successful referral payment also records: the referee's anonymous browser session ID, a SHA-256 hash of the payer's payment instrument fingerprint (card last4 + bin, or UPI VPA, or wallet identifier — never the raw value), the payment ID, and a timestamp. We use this only to credit referrals correctly and prevent duplicate counting.
One-time codes (OTPs): When you request a verification code, we store a bcrypt hash of the 6-digit OTP, the email it was sent to, the request IP and user-agent, and an expiry timestamp. The plaintext OTP is never stored. Records are auto-deleted by a TTL index 10 minutes after creation.
How we use your information
- To extract and display your resume data within your current browser session
- To provide AI optimization of your resume content via OpenAI's API
- To process and verify your payment via Razorpay
- To generate and deliver your resume file (PDF or Word)
- To respond to feedback or support requests you initiate
- To monitor API usage and costs for operational purposes
- To operate the referral programme: send verification codes, attribute payments to referrers, prevent duplicate / fraudulent credits, and let you check your point balance
- To contact you about security or fraud: if we detect suspicious activity on your account or payments — for example, repeated failed authentication attempts, chargeback disputes, payment-instrument abuse, referral-programme abuse, or other behaviour that suggests the account is compromised or being misused — we may use the email or phone number we have for you (extracted from your resume, your feedback submission, or your Razorpay payment) to reach out and investigate. This is the only situation in which we initiate contact with you. We do not use these channels for marketing, promotional offers, sales calls, or any other unsolicited communication.
We do not sell, rent, or share your information with third parties for marketing purposes. We do not run promotional email campaigns, SMS blasts, or telemarketing.
Third-party services
OpenAI: Resume text extraction and AI optimization are performed via OpenAI's API. Your resume content is sent to OpenAI for processing under their Privacy Policy. We use the Files API; files are deleted immediately after processing.
Razorpay: All payment processing is handled by Razorpay. CVForge does not see or store your card number, CVV, or bank credentials. Razorpay's handling of your payment data is governed by their Privacy Policy.
MongoDB Atlas: Payment audit records, feedback submissions, and referral programme data are stored in a MongoDB Atlas database hosted on cloud infrastructure. Data is encrypted at rest and in transit.
Resend: Verification emails for the referral programme (signup OTP and claim OTP) are delivered through Resend. Resend processes the recipient email and the OTP message body to relay it to your inbox; their handling is governed by their Privacy Policy.
Google Analytics 4: We use Google Analytics to measure aggregate, anonymised usage (which pages are most visited, where traffic comes from, how long visitors stay). IP anonymisation is enabled (anonymize_ip: true) so your full IP is never recorded by us or by Google. We do not use Google Analytics for advertising, remarketing, or any cross-site tracking. Google's handling of the data is governed by their Privacy Policy. You can opt out by installing Google's Analytics opt-out browser add-on.
Cookies and local storage
CVForge uses browser sessionStorage (not cookies) to temporarily store resume data during your session. This data is automatically deleted when you close your browser tab.
We use the following strictly-necessary cookies — never set without your action:
- cvforge_admin_token — only set when an administrator logs into the admin panel
- cvforge_referrer — only set when you complete OTP verification at /refer; lets you return to your referral dashboard without re-verifying for 90 days. HTTP-only, signed JWT, cleared on sign-out
Analytics cookies: Google Analytics 4 sets cookies (typically _ga and _ga_<PROPERTY_ID>) on your browser to distinguish unique visitors and aggregate usage statistics. IP anonymisation is enabled. We do not use these cookies for advertising, remarketing, or to personalise content. See section 03 above for opt-out instructions.
We do not use advertising cookies, retargeting pixels, or third-party trackers beyond Google Analytics.
Data retention
Resume body content (bullets, descriptions, summaries): Not retained — exists only in your browser session.
Lead record (contact block from resume): Retained for up to 24 months from extraction so we can support security investigations, payment-dispute follow-ups, and product analytics. You can request earlier deletion at any time via the feedback form below.
Payment records: Retained for a minimum of 5 years for financial compliance and audit purposes.
Feedback submissions: Retained until resolved or deleted by our team.
Token usage logs: Retained for 90 days for operational monitoring, then automatically deleted.
One-time codes (OTPs): Auto-deleted by a database TTL index 10 minutes after creation, regardless of whether you used them.
Referral programme data: Referrer rows (email, code, points balance) and Referral rows (per-payment credit log) are retained for the lifetime of the programme so we can correctly attribute future credits and prevent duplicate counting. You can request deletion at any time via the feedback form below.
Your rights
Under applicable data protection laws, you may have the right to:
- Access personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your personal data (subject to legal retention requirements)
- Object to or restrict certain processing
To exercise any of these rights, fill out the form here. We will respond within 30 days.
Security
We implement appropriate technical and organisational measures to protect your data, including HTTPS encryption for all data in transit, bcrypt hashing for stored credentials, HMAC-SHA256 for payment token verification, and MongoDB Atlas encryption at rest.
However, no internet transmission or storage system is 100% secure. If you believe your data has been compromised, contact us immediately.
Children's privacy
CVForge is not intended for use by children under the age of 18. We do not knowingly collect data from minors. If you believe a minor has submitted data to us, please contact us and we will delete it promptly.
Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will reflect the most recent revision. Continued use of CVForge after changes are posted constitutes acceptance of the updated policy.
Contact
For privacy-related questions or data requests, fill out our feedback form. We will respond as soon as possible.
Website: cvforge.in