Rungio
TermsPrivacySign in

Privacy Policy

Effective 2026-05-01 · Written to actually be read.

The short version

We collect what we need to run Rungio and nothing more. Your CV is yours — we don't train AI models on it, we don't sell data to anyone, and you can delete everything in one click. The CV + job descriptions you ask us to evaluate get sent to third-party AI providers (Anthropic, OpenAI, Google) over their enterprise API. Payment goes to Stripe. Auth to Clerk. Auto-submit goes through Browserbase.

What we collect

  • Account info — email, name (from Clerk on sign-up), and your phone/location/links if you add them to your profile.
  • Your CV — paste-text or PDF upload. Stored in our database (text) and Supabase Storage (PDF). Used as input to every AI evaluation and tailored CV.
  • Search filters — job titles, industries, locations, keywords, salary range, etc.
  • Job postings we discover for you — title, company, JD text, source URL.
  • Generated artifacts — tailored CV PDFs, cover letter PDFs, submission screenshots.
  • Application history — which jobs you applied to, when, status updates, your notes.
  • Credit ledger — every credit spent or granted, with reason and timestamp.
  • Audit log — sign-ups, account deletions, security-relevant events. Retained 12 months.

We do not collect: your password (Clerk handles auth), your card number (Stripe handles payments), browsing history outside Rungio, or anything from your device beyond what's needed to run the web app.

Where your data goes

To deliver the service, we share specific data with these processors:

  • Anthropic, Google, OpenAI (via OpenRouter) — receive your CV text + the job description being evaluated/tailored. Used for inference only. None of them train on API customer data.
  • Browserbase — when you trigger auto-submit, your CV PDF + cover letter + form responses pass through their managed browser session. Session data retained ~7 days for debugging, then deleted.
  • Supabase — our database and file storage. They host the data; they don't access it.
  • Clerk — handles email/password and OAuth. They see your email + sign-in metadata; we never see your password.
  • Stripe — handles purchases. They see your card + billing address; we never see your card number, only a customer ID and the amount charged.
  • Inngest — orchestrates background jobs (evaluations, CV generation, submissions). They see event metadata (workspace ID, job ID), not the CV content itself.
  • Vercel — hosts the web app. Your browser talks to their servers, which talk to Supabase + the AI providers above.
  • Google Analytics 4 — measures aggregate traffic (pageviews, referrers, device class, coarse geography). We pass no personally identifying information to GA — IP anonymization is on by default, and we never send your email, name, CV content, or workspace ID. We use it only to understand which marketing pages convert and which features get used. If you'd rather opt out entirely, standard browser ad-blockers and "Do Not Track" extensions block it cleanly.

That's the full list. Beyond Google Analytics 4 (above), we do not use other third-party analytics — no Mixpanel, no Segment, no Hotjar, no session-replay tools on the authenticated app surface.

Workspace isolation

Every row in our database belongs to exactly one workspace, and our database enforces row-level security so a query authenticated as user A cannot read data belonging to user B. There is no admin "view as user" feature — even our own staff cannot see your CV or applications without your explicit support request.

How long we keep things

  • Active account data: as long as your account exists.
  • Browserbase session recordings: ~7 days, then auto-deleted by Browserbase.
  • Audit log entries: 12 months from creation, then auto-purged.
  • Generated PDFs (CV variants, cover letters, screenshots): kept while the parent application is active. Auto-purged 30 days after deletion or expiry.

Deleting your account

Profile → Danger Zone → Delete account. Type DELETE to confirm. The action:

  • Writes a final entry in the audit log.
  • Removes every PDF and screenshot from Supabase Storage.
  • Deletes the workspace row in our database, which cascades to every related row: profile, search filters, jobs, evaluations, CVs, applications, ledger, payments, referrals, sign-up attempts.
  • Deletes your Clerk account so the email frees up for future sign-up.

It is immediate and irreversible. We do not maintain a soft-delete or recovery period. Your unused credits are forfeited (per Terms §6).

Cookies

We use first-party cookies for authentication (Clerk session) and a single localStorage flag for the cookies banner consent state. We do not use tracking cookies or third-party analytics cookies on the application surface.

Your rights

Depending on where you live (GDPR, CCPA, etc.), you may have rights to access, correct, port, or delete your data. Most of these are self-serve through the Profile page. For anything else, email gaurav@rungio.com and we'll respond within 30 days.

Children

Rungio is not intended for users under 18. We do not knowingly collect data from minors.

Changes to this policy

We'll email account holders at least 14 days before any material change to data handling. The Effective date at the top changes on every revision; minor copy edits get a quiet update without notice.

Contact

Privacy questions, data requests, security concerns: gaurav@rungio.com.