Privacy Policy

1. Who We Are

Foliovo is a portfolio review service operated by Simon Brookes (sole trader).

Business address: 4, 1911 Cottages, Nyewood, Hampshire, GU31 5JG, United Kingdom
Contact: hello@contact.folovio.com

For the purposes of UK GDPR, Simon Brookes is the data controller responsible for your personal data.

2. What Data We Collect

We collect and process the following categories of personal data:

• Account information — Your name and email address, provided via our authentication provider (Clerk) when you sign up or sign in.
• Portfolio files — PDF files you upload for review. These may contain your name and creative work.
• Review data — AI-generated scores, feedback, annotations, and compliance check results associated with your submissions.
• Chat messages — Messages exchanged with our AI chat assistant (Flo), stored to maintain conversation history. This includes conversations during portfolio review discussions and personal statement building sessions.
• Personal statement content — Draft text, notes, and outlines you create using the Personal Statement Builder. This content is stored securely to allow you to save progress and return later.
• Payment information — Payment details are processed by Lemon Squeezy (our Merchant of Record). We do not store your payment details. We receive order confirmations and subscription status from Lemon Squeezy.
• Usage data — Basic analytics such as pages visited and feature usage, collected via cookies and server logs.

3. How We Use Your Data

We use your personal data for the following purposes:

• To provide and deliver portfolio review services.
• To process your portfolio through our AI analysis pipeline.
• To send you email notifications about your review status and results.
• To maintain your account and chat history.
• To process payments via Lemon Squeezy.
• To improve our service and fix technical issues.

Legal basis (UK GDPR): We process your data on the basis of (a) contractual necessity — to deliver the service you purchased, and (b) legitimate interest — to improve and maintain our platform.

4. AI Processing

Your portfolio is processed by AI language models (via OpenRouter) to generate review feedback. Your portfolio content is sent to the AI provider solely for the purpose of generating your review and is not used to train AI models.

We enforce Zero Data Retention (ZDR) on all AI API requests, meaning the AI provider does not store your data after processing.

5. Data Storage and Security

Your data is stored using the following services:

• Supabase (EU region) — Database records, portfolio files, and rendered page images.
• Clerk — Authentication and account management.
• Lemon Squeezy — Payment processing and order records.
• Resend — Transactional email delivery.

All data is transmitted over encrypted connections (HTTPS/TLS). We use industry-standard security practices to protect your data.

6. Data Retention

We retain your data for as long as your account is active and as needed to provide the service. Specifically:

• Portfolio PDF files (free scan) — Automatically deleted 90 days after your review is delivered.
• Portfolio PDF files (paid reviews) — Retained for up to 90 days after your review is delivered. We will then email you to confirm whether you would like to keep or remove your files. If we receive no response within 30 days of that notification, your portfolio files will be automatically deleted.
• Page images and review results — Retained while your account is active so you can access past reviews.
• Personal statement content — Draft text, notes, and chat history from the Personal Statement Builder are retained while your account is active. Deleted permanently when you delete your account or remove a statement.
• Account data — Retained until you request deletion.

You can delete your portfolio files at any time from within your account, or request deletion of all your data by contacting us (see section 7).

7. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

• Right of access — Request a copy of the personal data we hold about you.
• Right to rectification — Request correction of inaccurate data.
• Right to erasure — Request deletion of your personal data.
• Right to restrict processing — Request that we limit how we use your data.
• Right to data portability — Receive your data in a structured, machine-readable format.
• Right to object — Object to processing based on legitimate interest.

To exercise any of these rights, contact us at hello@contact.folovio.com. We will respond within 30 days.

8. Cookies

We use essential cookies to maintain your authentication session and remember your theme preference (light/dark mode). These are strictly necessary for the service to function and do not require consent.

We do not use third-party tracking cookies or advertising cookies.

9. Third-Party Services

We share data with the following third parties, solely to deliver our service:

• OpenRouter / Google (Gemini) — Portfolio content for AI analysis (ZDR enforced).
• Clerk — Authentication provider.
• Supabase — Database and file storage (EU region).
• Lemon Squeezy — Payment processing (Merchant of Record).
• Resend — Email delivery.
• Vercel — Application hosting.

We do not sell your personal data to any third party.

10. Children

Our service is intended for users aged 16 and over. Users under 16 may use the service with parental or guardian consent. We do not knowingly collect data from children under 13.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on our website. The "Last updated" date at the top of this page indicates when the policy was last revised.

12. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk.

13. Contact

For any questions about this Privacy Policy or your personal data, contact us at hello@contact.folovio.com.