Privacy Policy

Last updated: April 15, 2026

This Privacy Policy explains how ProPage (“ProPage,” “we,” “us,” or “our”) collects, uses, shares, and protects your personal information when you use our website at pro.page and all related services (the “Service”).

By using ProPage, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.


Key Points

  • We collect only what we need. We collect your account information, the content you create (resumes, cover letters, hub pages), and basic analytics about how the Service is used.
  • Your public pages are public. When you publish a page at pro.page/username/slug, that content is visible to anyone on the internet and may be indexed by search engines.
  • We never sell your personal data. We do not sell, rent, or trade your personal information to third parties for their marketing purposes.
  • We use trusted third-party services. We rely on Stripe for payments, Cloudflare for content delivery, and Google Analytics for usage insights. Each of these services has its own privacy practices.
  • You control your data. You can update, export, or delete your data at any time. EU, UK, and California residents have additional rights described below.
  • We do not store your credit card information. All payment processing is handled securely by Stripe.

1. What Information We Collect

We collect information in three ways: information you provide to us, information collected automatically, and information from third-party services.

1.1 Information You Provide

Account Information

When you create a ProPage account, we collect:

  • Your name
  • Your email address
  • A username you choose
  • Your locale (language) preference
  • A profile photo (if you upload one)

If you sign up with email and password, we store a securely hashed version of your password using the bcrypt algorithm. We never store your password in plain text.

If you enable two-factor authentication, we store the encrypted secret used to generate your verification codes and a set of encrypted backup codes.

OAuth Sign-In Data

If you sign up or log in using Google, GitHub, or another OpenID Connect provider, we receive limited information from that provider, typically:

  • Your name
  • Your email address
  • Your profile photo URL

We do not receive or store your password from these providers. We store which authentication provider you used and your account identifier with that provider so you can sign in again.

Document Content

When you use ProPage, you create documents such as resumes, cover letters, and hub pages. The content you enter is stored in our database in a structured format (JSON). This content may include:

  • Your professional summary or biography
  • Work history (job titles, companies, dates, descriptions)
  • Education history (schools, degrees, dates)
  • Skills, languages, certifications, and awards
  • Volunteer experience and interests
  • Links to your website, social media profiles, or portfolio
  • Custom sections and content you choose to add
  • Contact information you include in your documents (phone number, address, etc.)

You decide what information to include in your documents. We store only what you enter.

Uploaded Files

We store files you upload or that are generated through your use of the Service:

  • Profile photos you upload
  • PDF files generated from your documents
  • Preview thumbnail images of your documents

These files are stored in cloud storage services (see Section 5 for details).

Billing Information

If you subscribe to a paid plan, we collect:

  • Your Stripe Customer ID
  • Your Subscription ID and Price ID
  • Your subscription status (active, canceled, etc.)
  • Your billing period dates

We do not collect or store your credit card number, expiration date, or CVV. All payment card information is collected and processed directly by Stripe. Stripe’s privacy policy is available at https://stripe.com/privacy.

1.2 Information Collected Automatically

Authentication Cookies

When you log in, we set the following cookies on your device:

  • An access token cookie (HTTP-only, expires after 15 minutes)
  • A refresh token cookie (HTTP-only, expires after 2 days)
  • A session cookie (HTTP-only)

These cookies are strictly necessary for the Service to function. They are set with the SameSite: Strict and Secure flags for your protection. See Section 6 for more details on cookies.

Analytics Data

We use analytics services to understand how the Service is used:

  • ProPage application analytics: We track page view counts and document download counts for each document. These counts are stored as aggregate numbers in our database. Our application does not store your IP address or User-Agent string.
  • Google Analytics: We use Google Analytics to collect information about how visitors use the Service. Google Analytics collects data such as which pages you visit, how long you spend on each page, your general geographic location (derived from your IP address), and your device and browser type. Google Analytics uses cookies to identify unique visitors. Google’s privacy policy is available at https://policies.google.com/privacy.
  • Cloudflare Web Analytics: As part of our use of Cloudflare’s content delivery network, Cloudflare may collect analytics data including your IP address, User-Agent string, referrer URL, page URLs you visit, your country, and your browser and device type. Cloudflare’s privacy policy is available at https://www.cloudflare.com/privacypolicy/.

1.3 Information from Third-Party Services

When you sign in using Google, GitHub, or another OpenID Connect provider, we receive the account information described in Section 1.1 above. We do not receive any information from these providers beyond what is described.

When you subscribe to a paid plan, Stripe may provide us with limited information about your subscription status. Stripe does not share your full payment card details with us.


2. How We Use Your Information

We use the information we collect for the following purposes:

To Provide and Operate the Service

  • Create and maintain your account
  • Authenticate your identity when you log in
  • Store and display the documents you create
  • Generate PDF versions of your documents
  • Serve your public pages to visitors
  • Process your subscription payments through Stripe
  • Send you transactional emails (email verification, password resets)

To Improve and Protect the Service

  • Understand how the Service is used through analytics
  • Identify and fix technical problems
  • Protect against unauthorized access and abuse
  • Monitor the performance and reliability of the Service

To Communicate with You

  • Send email verification messages when you create an account or change your email address
  • Send password reset emails when you request them
  • Respond to your support requests or inquiries

We do not send marketing emails. All emails we send are transactional, meaning they are directly related to your use of the Service (such as verifying your email address or resetting your password).


3. Public Pages and Visitor Data

3.1 How Public Pages Work

ProPage allows you to publish documents as public pages at URLs like pro.page/username/slug. When you make a document public:

  • The content of that document is visible to anyone on the internet
  • Search engines (such as Google and Bing) may index your public page
  • Anyone can view your public page without logging in to ProPage
  • Your public page includes a navigation header with ProPage branding

3.2 What Public Page Visitors See

When someone visits your public page, they see the content you chose to include in your document. This may include your name, professional history, contact information, skills, and any other information you entered.

You are responsible for deciding what information to include on your public pages. We recommend that you carefully consider what personal information you make publicly available. For example, you may choose not to include your phone number or home address on a public page.

3.3 Caching of Public Pages

To deliver your public pages quickly and reliably, we cache static HTML versions of public pages on Cloudflare’s content delivery network (CDN) and on Cloudflare R2 storage. This means your public page content may be temporarily stored on Cloudflare servers around the world. When you update your document, the cached version is updated accordingly.

3.4 Visitor Analytics

When someone visits your public page, we record a page view count for that document. This count is a simple number and does not include any identifying information about the visitor.

However, third-party analytics services (Google Analytics and Cloudflare Web Analytics) may collect information about visitors to your public pages, as described in Section 1.2. This data is subject to the privacy policies of those third-party services.


4. How We Share Your Information

We do not sell, rent, or trade your personal information. We share your information only in the following circumstances:

4.1 Service Providers

We use trusted third-party service providers to help us operate the Service. These providers access your information only to perform services on our behalf and are obligated to protect it:

Provider | What They Receive | Purpose
Stripe | Email, name, user ID | Payment processing
Google (OAuth) | Name, email, photo (bidirectional) | Account authentication
GitHub (OAuth) | Name, email, photo (bidirectional) | Account authentication
OpenID providers | Name, email, photo (configurable, bidirectional) | Account authentication
Google Analytics | Page views, device info, IP address | Usage analytics
Cloudflare | All HTTP request data (including IP) | CDN, caching, security, analytics
Cloud storage (R2 / MinIO / Supabase Storage) | User files (photos, PDFs, previews) | File storage
SMTP email provider | Recipient email, message content | Transactional email delivery

4.2 When You Make Content Public

When you publish a public page, the content of that page is shared with anyone who visits the URL. This is a deliberate action on your part, and we treat published content as public information.

4.3 Legal Requirements

We may disclose your information if we are required to do so by law, or if we believe in good faith that such action is necessary to:

  • Comply with a legal obligation, court order, or legal process
  • Protect and defend the rights or property of ProPage
  • Prevent or investigate possible wrongdoing in connection with the Service
  • Protect the personal safety of users of the Service or the public

4.4 Business Transfers

If ProPage is involved in a merger, acquisition, bankruptcy, or sale of all or a portion of its assets, your personal information may be transferred as part of that transaction. We will notify you by email or by a prominent notice on the Service before your information is transferred and becomes subject to a different privacy policy.

4.5 With Your Consent

We may share your information with third parties when you give us explicit consent to do so.


5. Cookies and Tracking Technologies

5.1 What Are Cookies

Cookies are small text files stored on your device by your web browser. They serve various purposes such as keeping you logged in, remembering your preferences, and helping us understand how you use the Service.

5.2 Cookies We Use

Strictly Necessary Cookies

These cookies are essential for the Service to function. You cannot opt out of these cookies because the Service will not work without them.

Cookie | Purpose | Duration | Type
Access token | Authenticates your session | 15 minutes | HTTP-only, Secure, SameSite: Strict
Refresh token | Allows session renewal without re-login | 2 days | HTTP-only, Secure, SameSite: Strict
Session cookie | Maintains your server session | Session | HTTP-only

Analytics Cookies

These cookies help us understand how visitors use the Service. They are non-essential and you can opt out of them.

Cookie | Purpose | Set By
Google Analytics cookies (_ga, _gid, etc.) | Track page views, session duration, and visitor behavior | Google

Performance and Security Cookies

Cookie | Purpose | Set By
Cloudflare cookies (__cflb, cf_clearance, etc.) | Load balancing, bot protection, and performance optimization | Cloudflare

5.3 Managing Cookies

You can control cookies through your browser settings. Most browsers allow you to:

  • See what cookies are stored on your device
  • Delete individual or all cookies
  • Block cookies from specific or all websites
  • Block third-party cookies

Please note that blocking strictly necessary cookies will prevent you from using the Service. Blocking analytics cookies will not affect your ability to use ProPage.

You can also opt out of Google Analytics specifically by installing the Google Analytics Opt-Out Browser Add-on.

5.4 Do Not Track

Some browsers send a “Do Not Track” (DNT) signal to websites. There is currently no industry standard for how websites should respond to DNT signals. At this time, ProPage does not respond to DNT signals but we limit our tracking to the analytics services described in this policy.


6. Data Retention

We retain your information for as long as your account is active or as needed to provide you with the Service.

Account Data: Retained until you delete your account.

Document Content: Retained until you delete the document or your account. When you delete a document, its content is permanently removed from our database.

Uploaded Files: Retained until you delete the associated document or your account. Files are removed from cloud storage upon deletion.

Billing Records: Retained for as long as required by applicable tax and financial regulations (typically 7 years) after your subscription ends. This includes Stripe transaction IDs and subscription records but does not include payment card information, which is stored by Stripe.

Analytics Data: Aggregate analytics data (page view and download counts) is retained as long as the associated document exists. Third-party analytics data (Google Analytics, Cloudflare) is retained according to those services’ own retention policies.

Authentication Tokens: Access tokens expire after 15 minutes. Refresh tokens expire after 2 days. Expired tokens are no longer valid and are not retained.

Transactional Emails: Email content is not stored by ProPage after delivery. Your SMTP email provider may retain delivery logs according to its own policies.

Account Deletion: When you delete your account, all of the following are permanently removed:

  • Your account information (name, email, username, profile photo)
  • All of your documents (resumes, cover letters, hub pages)
  • All uploaded files (photos, PDFs, previews)
  • All associated analytics data (page view and download counts)
  • Your Stripe customer association (though Stripe may retain its own records)
  • Your public pages (taken offline and removed from cache)

Account deletion is permanent and cannot be reversed.


7. Data Security

We take reasonable and appropriate measures to protect your personal information from unauthorized access, alteration, disclosure, or destruction.

Technical Safeguards

  • Password hashing: Passwords are hashed using the bcrypt algorithm and are never stored in plain text.
  • Encrypted cookies: Authentication tokens are transmitted via HTTP-only cookies with the Secure and SameSite: Strict flags, preventing access by client-side scripts and protecting against cross-site request forgery.
  • Token expiration: Access tokens expire after 15 minutes, limiting the window of exposure if a token is compromised. Refresh tokens expire after 2 days.
  • Two-factor authentication: Users can enable TOTP-based two-factor authentication for an additional layer of account security.
  • HTTPS: All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
  • Secure file storage: Uploaded files are stored in dedicated cloud storage with access controls.
  • CDN protection: Cloudflare provides DDoS protection, bot mitigation, and SSL/TLS termination for all traffic.

Organizational Safeguards

  • We limit access to personal information to those who need it to operate the Service.
  • We regularly review our security practices.
  • We do not store sensitive payment information; all payment processing is handled by Stripe, which is PCI DSS compliant.

No system is perfectly secure. While we strive to protect your personal information, we cannot guarantee absolute security. If you become aware of any security vulnerability or unauthorized access to your account, please contact us immediately at [email protected].


8. Your Privacy Rights

Depending on where you live, you may have certain rights regarding your personal information. We honor these rights regardless of where you are located, to the extent we are able.

8.1 Rights Available to All Users

All ProPage users can:

  • Access your data: View your account information and document content at any time by logging in to the Service.
  • Update your data: Edit your account information, documents, and profile at any time.
  • Change your email: Update your email address, with re-verification required for the new address.
  • Delete your data: Delete individual documents or your entire account. Account deletion permanently removes all your data from our systems (see Section 6).
  • Request a copy of your data: Contact us at [email protected] to request a copy of your personal data in a portable format. We are working on a self-service data export feature and will update this policy when it becomes available.

8.2 European Economic Area (EEA) and United Kingdom Residents -- GDPR

If you are located in the European Economic Area or the United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR) and the UK GDPR.

Legal Bases for Processing

We process your personal information based on the following legal grounds:

  • Performance of a contract: Processing necessary to provide the Service to you (account management, document storage, public page hosting, PDF generation, payment processing). This covers the core functionality you signed up for.
  • Legitimate interests: Processing necessary for our legitimate business interests, such as improving the Service, ensuring security, and conducting analytics. We balance our interests against your rights and do not use this basis where your interests override ours.
  • Consent: Where we rely on your consent (such as for non-essential analytics cookies), you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing performed before the withdrawal.
  • Legal obligation: Processing necessary to comply with applicable laws, such as retaining billing records for tax purposes.

Your GDPR Rights

In addition to the rights available to all users, you have the right to:

  • Right of access: Request a complete copy of the personal data we hold about you.
  • Right to rectification: Request that we correct any inaccurate personal data.
  • Right to erasure (“right to be forgotten”): Request that we delete your personal data. You can do this yourself by deleting your account, or contact us for assistance.
  • Right to restrict processing: Request that we limit how we use your data in certain circumstances.
  • Right to data portability: Receive your personal data in a structured, commonly used, and machine-readable format (JSON), and transmit it to another service.
  • Right to object: Object to our processing of your data based on legitimate interests. If you object, we will stop processing your data unless we have compelling legitimate grounds that override your interests.
  • Right to withdraw consent: Where processing is based on consent, withdraw your consent at any time.
  • Right to lodge a complaint: File a complaint with your local data protection authority if you believe we have violated your privacy rights. A list of EU data protection authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days, as required by law.

8.3 California Residents -- CCPA / CPRA

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

Categories of Personal Information We Collect

Under the CCPA/CPRA, the personal information we collect falls into these categories:

  • Identifiers: Name, email address, username, account ID, IP address (collected by third-party analytics providers)
  • Customer records: Name, billing information (Stripe subscription data)
  • Internet or network activity: Pages visited, browser type, device information, referrer URL (collected by analytics providers)
  • Professional or employment-related information: Work history, education, skills, and other professional information you enter into your documents
  • Inferences: None. We do not create consumer profiles or draw inferences about you.

Your CCPA / CPRA Rights

  • Right to know: You can request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
  • Right to delete: You can request that we delete the personal information we have collected about you. You can do this yourself by deleting your account.
  • Right to correct: You can request that we correct inaccurate personal information.
  • Right to opt out of sale or sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
  • Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

How to Exercise Your Rights

You can exercise your rights by:

  • Using the account settings in the Service to update or delete your data
  • Contacting us at [email protected]

We will verify your identity before fulfilling any request. For requests made by email, we may ask you to verify your identity by confirming details associated with your account.

We do not use authorized agents, but if California law requires us to accept requests from authorized agents in the future, we will update this policy.

Financial Incentives

We do not offer financial incentives for the collection, sale, or deletion of personal information.

Shine the Light

Under California Civil Code Section 1798.83, California residents may request information about the disclosure of personal information to third parties for their direct marketing purposes. As stated above, we do not disclose personal information to third parties for their direct marketing purposes.


9. International Data Transfers

ProPage is operated from the United States. If you are accessing the Service from outside the United States, your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country.

Cloudflare CDN: Because we use Cloudflare as our content delivery network, your requests may be processed at Cloudflare edge servers located in many countries around the world. Public page content is cached on Cloudflare servers globally to provide fast access. Cloudflare acts as a data processor on our behalf.

Cloud storage: Your uploaded files (photos, PDFs, previews) are stored in cloud storage that may be located in the United States or other regions depending on the storage provider’s infrastructure.

Transfers from the EEA/UK: If you are in the European Economic Area or United Kingdom, we rely on the following mechanisms for transferring your personal data to the United States:

  • Standard contractual clauses (SCCs): Where applicable, we enter into standard contractual clauses approved by the European Commission with our service providers to ensure adequate protection for your data.
  • Service provider safeguards: Our key service providers (Stripe, Google, Cloudflare) maintain their own compliance frameworks for international data transfers, including SCCs and other approved transfer mechanisms.

If you have questions about international data transfers, please contact us at [email protected].


10. Children’s Privacy

ProPage is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16.

If you are a parent or guardian and you believe your child under 16 has provided personal information to ProPage, please contact us at [email protected]. If we learn that we have collected personal information from a child under 16, we will take steps to delete that information as quickly as possible.

If you are between the ages of 16 and 18, you may use ProPage only with the involvement and consent of a parent or guardian.


11. Future AI Features

We plan to introduce AI-powered features in the future, such as:

  • AI-assisted resume writing and improvement suggestions
  • AI-generated cover letter drafts
  • ATS (Applicant Tracking System) compatibility scoring
  • Other AI-powered tools to help you create better professional documents

When these features are introduced:

  • Your document content may be sent to third-party AI providers (such as OpenAI) for processing.
  • Your content will be used only to generate results for you and will not be used to train AI models.
  • AI processing will be optional. You will be able to use ProPage without AI features.
  • We will update this Privacy Policy before launching AI features to provide full details about how your data is used.
  • We will clearly indicate when a feature uses AI processing and give you control over whether to use it.

We are committed to transparency about AI features and will notify you of any material changes to this policy before they take effect.


12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

How we will notify you:

  • Material changes: For significant changes that affect how we collect, use, or share your personal information, we will notify you by email (sent to the email address associated with your account) or by a prominent notice on the Service at least 30 days before the changes take effect.
  • Minor changes: For minor updates (such as formatting changes, clarifications, or corrections that do not materially affect your rights), we will update the “Last updated” date at the top of this policy.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes take effect constitutes your acceptance of the updated policy.

Previous versions of this policy may be available upon request by contacting us at [email protected].


13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: [email protected]

Website: https://pro.page

We aim to respond to all privacy-related inquiries within 30 days.

For complaints related to GDPR, you also have the right to lodge a complaint with your local data protection supervisory authority.


This Privacy Policy is effective as of April 15, 2026.