Roleon

Privacy Policy

Version 1.0 — Effective: 2026-06-01 — Roleon Ltda

1. Controller and Data Protection Officer

The controller of your data is Roleon Ltda. For privacy questions and to exercise your data subject rights, contact the Data Protection Officer (DPO) at: privacidade@roleon.xyz.

2. Data Collected

2.1 Account Data

  • Name, email address, password (stored as a bcrypt hash)
  • Google ID (when authenticating via Google OAuth)
  • Registration IP address and access addresses

2.2 Professional Data

Data voluntarily entered to compose the résumé: full name, phone, location, links (LinkedIn, GitHub, portfolio), work experience, education, certifications, skills, languages, and projects.

2.3 Submitted Job Openings

Job descriptions submitted to generate résumé variants.

2.4 Files

PDF and DOCX files uploaded for résumé import, stored on Cloudflare R2.

2.5 AI Data

Snapshots of the CVs sent to the language models, generated responses, the selected adaptation level, and the number of tokens consumed.

2.6 Payment Data

Stripe customer identifier (stripe_customer_id), subscription status, and contracted plan. No credit card data is stored on our servers.

2.7 Security Data

Login attempt records (IP, email, result: success or failure) for the purpose of detecting unauthorized access.

3. Purpose and Legal Basis (LGPD)

DataPurposeLegal Basis (LGPD)
Account and paymentProvision of the contracted serviceContract performance (Art. 7, V)
Professional data and job openingsGeneration of résumé variantsConsent (Art. 7, I)
Google OAuthSimplified authenticationConsent (Art. 7, I)
Access logs and IPSecurity, fraud prevention, and operational monitoringLegitimate interest (Art. 7, IX)

4. Sharing with Third Parties

Your data is shared only with the providers necessary to operate the Service:

ProviderData sharedPurpose
xAI (Grok)CV snapshot + job descriptionVariant generation (primary LLM)
OpenAI (GPT)CV snapshot + job descriptionVariant generation (fallback LLM)
StripeEmail, planPayment processing
Cloudflare R2PDF/DOCX filesUpload storage
Cloudflare TurnstileIP, form behaviorAnti-bot protection
ResendEmailTransactional email delivery
Google (OAuth)Authentication tokenLogin with Google
SentryStack traces (no CV data)Error monitoring
NeonFull databaseData persistence
RenderBackend applicationAPI hosting
VercelFrontend applicationInterface hosting

We do not sell or transfer your data for third-party advertising or marketing purposes.

5. Data Retention

DataRetention period
Active accountWhile the account is active
Professional data and CVsUp to 30 days after account deletion
Files (PDF/DOCX)Up to 30 days after account deletion
BackupsUp to 90 days after account deletion
Payment records5 years (tax obligation)
Security logs (login)6 months

6. Your Rights (LGPD, Art. 18)

You have the right to: access your data, correct inaccurate data, portability, delete data processed on the basis of consent, withdraw consent, and obtain information about the operators with whom we share your data.

To exercise any of these rights, send a request to privacidade@roleon.xyz. We will respond within 15 business days.

7. Security

We adopt technical security measures including: encryption in transit (TLS), password hashing (bcrypt), JWT authentication with short expiration, per-user rate limiting, data isolation by user_id in all queries, and error monitoring without capturing sensitive data.

8. Cookies and Tracking

We use only technical cookies essential to the platform’s operation (authentication session). We do not use tracking or advertising cookies.

9. Changes to This Policy

Material changes will be communicated at least 15 days in advance. The effective date at the top of this document indicates the version in force.


Data Protection Officer (DPO) contact: privacidade@roleon.xyz

This is a faithful translation for convenience. The Portuguese version prevails for legal purposes. A jurisdiction-specific legal review is planned for a future release.