Last updated: April 2026
This Privacy Policy explains how Koss Flow CV ("we", "us", "our"), operated by Individual Entrepreneur Kostyniuk Ihor Valeriiovych (Ukraine, Tax ID 3593802718), collects, uses, and protects your personal data when you use our service at hr.kossflow.space.
By creating an account or using our service, you agree to this Privacy Policy. If you do not agree, please do not use the service.
1. Data We Collect
We collect the following categories of personal data:
- Account data: email address, name, profile photo (from Google/Telegram OAuth), authentication tokens.
- Resume and CV data: content you enter manually or upload (PDF files), work history, skills, education, contact details.
- Usage data: services used, credits spent, timestamps of actions, AI service outputs.
- Payment data: transaction ID, amount, date of purchase. We do not store card numbers — payments are handled by WayForPay.
- Technical data: IP address, browser type, device type, session identifiers (stored in cookies/localStorage for authentication).
- OpenAI API key (if provided): stored encrypted in our database and never exposed to the client.
2. How We Use Your Data
- To provide and improve our AI services (resume generation, ATS optimization, etc.)
- To authenticate you and maintain your account session
- To process payments and manage your credit balance
- To send transactional emails (account verification, password reset)
- To detect and prevent fraud and abuse
- To comply with legal obligations
We do not sell your data, share it for marketing purposes, or use your resume content to train AI models (unless you have explicitly consented to Google Gemini processing, which is disclosed separately at the point of use).
3. Third-Party Services
We use the following third-party services that may process your data:
- Supabase — database and authentication (your account data is stored here).
- OpenAI API — processes your resume content to generate AI outputs. Data sent to OpenAI is governed by OpenAI's Privacy Policy. OpenAI does not use API data for model training by default.
- Google Gemini API — used for free-tier AI processing. Requires explicit consent. Google's data handling is governed by Google's Privacy Policy.
- WayForPay — Ukrainian payment processor. Handles credit card data. We do not receive or store your card details.
- n8n (self-hosted) — workflow automation platform running on our own server, used to process AI service requests.
- Google OAuth / Telegram Login — used for social login. We receive only your name, email, and profile photo.
4. Cookies & Local Storage
We use the following storage mechanisms:
- Authentication cookies — required for login sessions. Cannot be disabled without breaking the service.
- localStorage — stores your language preference, saved CVs, profile data, and UI state locally in your browser. This data never leaves your device unless you use an AI service.
We do not use advertising or tracking cookies. No third-party analytics (Google Analytics, etc.) are installed.
5. Data Retention
- Account data: until deletion or 2 years of inactivity
- Uploaded PDF files: deleted from processing servers within 24 hours
- AI-generated output: stored until you delete it or close your account
- Payment records: 5 years (Ukrainian tax law requirement)
- Usage/access logs: 90 days
6. Your Rights
You have the following rights regarding your personal data:
- Access — request a copy of all data we hold about you
- Export — download your data in JSON format via Settings → Data & Privacy
- Deletion — delete your account and all associated data via Settings → Data & Privacy
- Correction — update your profile information at any time
- Withdraw consent — revoke Gemini AI consent in Settings at any time
- Portability — receive your data in a machine-readable format
To exercise any right, use the in-app tools in Settings or contact us at support@kossflow.space. We respond within 30 days.
7. Data Security
We use industry-standard security measures: HTTPS/TLS encryption in transit, encrypted storage for sensitive fields (API keys), access control via Supabase Row Level Security, and regular security reviews. Despite these measures, no system is 100% secure — please use a strong password and keep your credentials private.
8. Children's Privacy
Our service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with data, please contact us and we will delete it promptly.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by displaying a notice in the app or via email. Continued use after changes constitutes acceptance of the updated policy.
10. Contact
For any privacy-related questions or requests:
Email: support@kossflow.space
Individual Entrepreneur Kostyniuk Ihor Valeriiovych, Ukraine