Privacy

Two modes. Browse without an account — no cookies, no personal data, as before. Or sign in and upload a CV, and I'll be precise about what I keep, where, and for how long.

Last updated: April 2026

If you sign in

Accounts are optional. Every analysis works without one. If you do create one, here is what sits against your identity:

  • Your email address, from Google, GitHub, or whatever you typed in
  • A display name, if your auth provider coughed one up
  • The skills you selected or confirmed
  • Your career goal — target occupation and optional free-text description
  • Your background — an optional free-text note about where you're coming from, if you wrote one
  • Upskilling goals you saved, and their status (planned, in progress, done)
  • Digest preferences: which skills, occupations, and cities you want me to watch

That's it. No browsing history, no IP logs tied to your account, no shadow profile assembled while you weren't looking. Authentication runs on Supabase, hosted in the EU.

When you sign in with Google or GitHub, I receive only what those providers share by default: your email address and (usually) a display name. No contacts, no repositories, no drive files, no profile photo. I never ask for more.

One cookie does exist for signed-in users: a secure, HTTP-only session cookie managed by Supabase Auth. It holds a signed token so I can remember you between page loads. It is not used for tracking, not shared with anyone, and it disappears when you sign out.

Your account data sticks around as long as the account does. No background pruning, no automatic purging. If you stop using the product, your profile waits for you.

If you upload a CV

CV upload is the most sensitive thing on this site, so I will be precise.

Your file (PDF, DOCX, or Markdown) is read in memory on the server. The extracted text goes once to Anthropic's Claude API, which picks out tech skills against my canonical list. Then the document and the text are discarded.

Nothing is written to disk. Nothing is written to the database. Nothing is written to logs.

I keep one thing: a short fingerprint of the request and a timestamp, so I can rate-limit uploads. No CV contents, no filename, no document history.

You review the extracted skills before they go anywhere near your profile. Keep the ones that are yours. Throw out the rest.

If you'd rather skip the LLM entirely, add skills by hand. The analysis is identical.

The personalized digest

For the personalized weekly digest, I use your email address and your digest preferences to send one email per week with movements in the skills, occupations, and cities you asked me to track.

One email per user, per week. The generic digest and the personalized digest are the same send, filtered differently depending on whether you have preferences saved.

Delivered via Resend (EU region). Unsubscribe in one click and I stop sending. Preferences live with your account — delete the account and they go with it.

Also obvious, but worth saying: no tracking pixels.

What I collect when you browse

The anonymous half. I use analytics to understand how people use this site. When you browse — signed in or not — I record:

  • Which pages are visited (page views)
  • UI interactions like changing a city filter or clicking a skill
  • Device type and browser (from the user-agent header)
  • Referrer (which site linked you here)

These events are anonymous. They are never connected to your account, even if you are signed in.

What the analytics never touches

  • No cookies — I don't set any cookies or use localStorage for tracking
  • No personal data in events — no names, emails, or account identifiers attached to analytics
  • No IP addresses — I explicitly discard them
  • No cross-session tracking — each page load is a fresh, anonymous session; I cannot identify returning visitors from analytics alone
  • No geolocation — no GPS, no IP-based location

How the analytics work

I use PostHog for analytics, hosted in the EU, configured in a privacy-first mode:

  • Data is stored in memory only — nothing persists after you close the tab
  • All cookies are disabled
  • IP addresses are never stored

Because the analytics set no cookies and collect no personal data, no consent banner is needed under GDPR for the browsing layer.

How to opt out of analytics

Any ad blocker will block the analytics requests. Everything works identically without them — all features, data, and interactions remain fully functional.

Who touches your data

Four vendors, each doing one specific job. All in the EU unless noted.

  • Supabase — hosts the database and handles authentication. EU region. Holds your profile, skills, goals, and digest preferences. Nothing else.
  • Anthropic (Claude API) — reads your CV text once to extract skills, only if you upload a CV. Anthropic's API terms prohibit training on API data. The text is sent over the wire and never stored on my side.
  • Resend — sends the weekly email. Processes your email address. EU region.
  • PostHog — the anonymous product analytics described above. EU region. Never connected to your account.

No advertising networks. No data brokers. No "partners."

Your rights

  • See what's stored. Your skill profile, career goal, upskilling goals, and digest preferences all live on your dashboard. Nothing hidden.
  • Edit or correct it. Change anything directly from the dashboard.
  • Delete everything. The "delete account" button removes your auth record. Your profile, skills, goals, and digest preferences cascade out with it automatically. Gone is gone.

Standard GDPR territory — access, rectification, erasure, portability. If you want to invoke any of it formally, reach out below.

Questions?

Questions about data handling? Reach out to Max — the human behind this project — on LinkedIn. He'll get back to you.