Folio← Back to home

Privacy policy

Last updated: 2026-04-26 · Status: Draft, subject to change before public launch.

We wrote this in plain language on purpose. If something is unclear, email privacy@folio.app.

Who we are

Folio is operated by Kirates, registered at [[REGISTERED_ADDRESS]] (company no. [[COMPANY_NUMBER]]) in the Republic of Ghana. We are the data controller for personal data processed through this service, in accordance with Ghana's Data Protection Act, 2012 (Act 843) and the Electronic Transactions Act, 2008 (Act 772).

Contact: privacy@folio.app.

Where Folio is offered

Folio is intended for users in Ghana and other jurisdictions where Kirates can fully meet local data-protection requirements. We do not currently offer the service to residents of the European Union, the European Economic Area, or the United Kingdom.

What we collect

  • Résumé content: the name, contact details, work history, education, and prose sections you enter in the editor. Stored locally in your browser by default; if you sign in, synced to our database.
  • Account information: email address, name, and authentication metadata when you sign up with email/password, Google, or GitHub.
  • Usage analytics: page views and interaction events, collected only after you grant cookie consent. These events carry an opaque account identifier; they never carry your name, email, or résumé content.
  • Technical logs: IP address, user agent, and request timestamps captured by our hosting provider for security and abuse prevention.

Why we process it

  • Building and syncing your résumé: the work you do in the editor only makes sense if we can store and render it.
  • Account authentication and security logs: to keep your account secure and detect abuse of the service.
  • Usage analytics: only after you grant cookie consent. You can withdraw at any time.
  • Service announcements: to let you know about important changes to Folio.

Third-party services (sub-processors)

  • Convex: backend database and authentication. Processing region: [[CONVEX_REGION]].
  • PostHog: product analytics. Hosted in the European Union (Frankfurt, eu.i.posthog.com). Identified with an opaque account id only; no résumé content is sent.
  • Vercel: hosting and edge network. Processes request metadata globally per Vercel's policy.
  • AI providers (optional): if you use AI writing assistance with your own API key, your browser sends requests directly to OpenAI or Anthropic. In that case you are the data controller for that processing; we neither proxy nor store those requests.

International transfers

Your data may be transferred to the sub-processors listed above, some of whom operate outside Ghana. Where transfers leave Ghana, we rely on contractual safeguards consistent with section 47 of the Data Protection Act, 2012.

How long we keep it

  • Account and résumé data: until you delete your account; backups are purged within 30 days of deletion.
  • Inactive accounts: if your account is inactive (no login) for 24 months, we may delete it and your content, after at least 30 days' notice to your registered email.
  • PostHog analytics events: 12 months, then aggregated or deleted.
  • Vercel request logs: approximately 30 days per Vercel's default policy.
  • Consent records: for the lifetime of your account, to demonstrate that consent was obtained.

Cookies and local storage

We store only strictly necessary items by default: your authentication session, your current résumé draft, and your cookie-consent choice. Non-essential storage (PostHog analytics identifiers, for example) is set only after you grant consent via our cookie banner. You can change your choice at any time; withdrawing consent stops further analytics processing and clears identifiers from your browser.

Security

Data in transit is encrypted with TLS. Convex encrypts data at rest. Authentication tokens are short-lived and scoped. We review access logs and notify affected users of personal-data breaches as required by applicable law.

Your rights

Under California CCPA/CPRA, Ghana's Data Protection Act 2012, and similar laws, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase your data ("right to be forgotten"). Account deletion is available by emailing privacy@folio.app; a self-serve flow in the profile settings is on our roadmap.
  • Restrict or object to specific processing.
  • Port your data. Folio also lets you export your résumé as JSON Resume or PDF at any time from the dashboard.
  • Withdraw consent for analytics at any time via our cookie banner (this doesn't affect prior processing).
  • Lodge a complaint with your supervisory authority: the Data Protection Commission of Ghana, or the California Attorney General if you are a California resident.

To exercise any of these rights, email privacy@folio.app. We respond within 45 days.

California residents

This section applies if you are a California resident under the CCPA (Cal. Civ. Code §1798.100 et seq., as amended by CPRA).

Categories of personal information we collect (per §1798.140(v)):

  • Identifiers (email, account id, IP address)
  • Customer records / professional information (résumé content)
  • Internet or other electronic network activity (usage analytics, only with consent)
  • Approximate geolocation (derived from IP, coarse region only)

We do not sell or share your personal information as those terms are defined in §1798.140(ad) and (ah). We do not use or disclose sensitive personal information for purposes that would require a §1798.121 "Limit the Use of My Sensitive Personal Information" link.

We do not discriminate against you for exercising your rights, in line with §1798.125.

To exercise your California rights, email privacy@folio.app.

Children

Folio is not directed to anyone under 16. Our Terms of Service set 16 as the minimum age to use the service, in line with international best practice and laws including the U.S. Children's Online Privacy Protection Act (15 U.S.C. §6501) and similar protections elsewhere. We do not knowingly collect data from anyone under 16. If you believe a child has given us data, email privacy@folio.app and we will delete it.

Ghana

If you are a Ghanaian resident, your data is processed in accordance with the Data Protection Act, 2012 (Act 843). [[GHANA_DPC_REGISTRATION]] You may lodge a complaint with the Data Protection Commission of Ghana.

What we don't do

  • We don't sell your personal information.
  • We don't train machine learning models on your résumé content.
  • We don't share your data with advertising or marketing partners.

Changes to this policy

We will update the "Last updated" date at the top if this policy changes. Material changes take effect 30 days after notice in the app. Continued use after that date constitutes acceptance.