
legal draft

Privacy Policy

How wrxstack collects, uses, protects, and deletes account, portfolio, AI, upload, support, and operational data.

review note

This is a product-specific launch draft, not legal advice. The final live policy should be approved against the current company setup, launch jurisdictions, processor list, pricing model, and enterprise commitments.

1. Scope and controller

This draft privacy policy applies to Folio, the multi-tenant portfolio platform by wrxstack available at portfolio.wrxstack.com, app.portfolio.wrxstack.com, tenant subdomains, and connected custom domains.

The platform lets users create, edit, publish, and export professional portfolio pages. Farhan operates the platform for launch sign-off. This draft must be reviewed and approved before it is treated as the live legal policy.

  • Platform contact: contactmdfarhankhan@gmail.com.
  • Covered services: account, portfolio, admin, AI generation, uploads, email, custom domains, PDF export, status, and support surfaces.
  • Tenant portfolio owners remain responsible for the content they publish about themselves and their work.

2. Information we collect

We collect the information needed to run the service, secure accounts, publish portfolios, process uploads, communicate with users, and operate support and incident response.

  • Account data, such as name, email address, authentication state, session metadata, security settings, and tenant memberships.
  • Portfolio content, such as profile copy, outcomes, experience, links, testimonials, theme selections, SEO fields, and public contact details you choose to publish.
  • Generated-content inputs, such as resume text, pasted notes, uploaded PDF text, prompts, generated drafts, usage metadata, and selected or rejected AI sections.
  • Media and export data, such as images, audio, video, documents, alt text, processing status, thumbnails, and generated PDF artifacts.
  • Operational data, such as request IDs, IP-derived security signals, device or browser metadata, audit events, error events, health checks, and delivery status for emails or alerts.

3. How we use information

We use personal information to provide, secure, improve, and support the service. We do not use private portfolio drafts to build unrelated advertising profiles.

  • Create and authenticate accounts, including email verification, password reset, magic links, passkeys, TOTP, sessions, throttling, and account deletion.
  • Generate, edit, publish, cache, index, export, and display portfolio content selected by the user.
  • Process media, produce thumbnails and PDF exports, monitor storage limits, and remove stale or orphaned assets.
  • Send service emails, support replies, security notices, super-admin alerts, and incident communications.
  • Detect abuse, enforce quotas, investigate security events, preserve audit integrity, and troubleshoot reliability issues.

4. AI generation and user content

AI generation is optional. When you paste text or upload a resume for generation, the service sends the selected source material to the configured AI provider only to return a structured portfolio draft.

Generated drafts are not a substitute for human review. Users should remove confidential customer names, trade secrets, non-public financials, private compensation details, and unsupported claims before submitting or publishing content.

  • We store generation metadata needed for usage limits, cost tracking, troubleshooting, and audit-safe telemetry.
  • We do not intentionally log raw resume text, raw prompts, or private draft bodies in operational logs.
  • Published portfolio pages are public and may be indexed, linked, archived, or copied by third parties.

5. Cookies, sessions, and security signals

The service uses cookies and similar storage for authentication, security, rate limiting, and local draft recovery. These are used to keep users signed in, prevent abuse, and recover work in progress.

  • Session cookies are configured for secure, HTTP-only, same-site behavior where supported.
  • Local browser storage may hold draft form state so users can recover unsaved work.
  • Security systems may record source-safe request IDs, hashed or truncated network signals, and device metadata for abuse prevention and incident investigation.

6. Processors and sharing

We share information with service providers only as needed to operate the platform, and we do not sell personal information. Provider use is limited to hosting, storage, email, AI generation, observability, security, domain routing, and uptime monitoring.

  • Render hosts the application, managed Postgres, supporting services, and scheduled jobs.
  • Cloudflare supports storage, DNS, CDN, WAF, and custom-domain routing.
  • AWS SES sends service and notification emails.
  • Anthropic processes selected AI-generation inputs when users invoke AI generation.
  • GlitchTip, Uptime Kuma, and optional analytics tooling support error, status, and operational visibility.

7. Retention and deletion

We keep information for as long as needed to provide the service, comply with legal obligations, preserve security and audit records, resolve disputes, and enforce agreements.

  • Users can edit or delete portfolio content through the product where controls are available.
  • Account deletion removes owned tenant data through the product workflow, subject to operational, legal, security, and backup retention limits.
  • Audit logs, security records, backup artifacts, and incident evidence may be retained for integrity, abuse prevention, compliance, and recovery.
  • Backups are overwritten or removed according to backup and restore procedures rather than edited record by record.

8. Privacy rights and requests

Depending on where you live, you may have rights to know, access, correct, delete, export, restrict, object to, or limit certain processing of your personal information.

We will verify requests in a way that protects account owners and tenants from unauthorized disclosure or deletion. Some requests may be limited by security, legal, billing, abuse-prevention, or backup obligations.

  • Send privacy requests to contactmdfarhankhan@gmail.com with the account email or portfolio domain involved.
  • Do not send government IDs, passwords, passkeys, secret tokens, or private keys by email unless requested through a secure process.
  • California residents may have CCPA rights, such as the rights to know, delete, correct, opt out of sale or sharing, limit the use of sensitive personal information, and non-discrimination, where the law applies.
  • EU and UK users may have GDPR-style rights such as access, rectification, erasure, restriction, portability, objection, and complaint to a supervisory authority where the law applies.

9. International transfers

The service may be operated from the United States and may use providers that process data in the United States or other countries. Where required, appropriate transfer safeguards should be reviewed before launch.

  • This draft does not claim certification under a specific transfer framework.
  • Enterprise data-processing terms and transfer safeguards belong in the draft DPA template and final customer schedules.

10. Children

wrxstack is intended for professional portfolio publishing and is not directed to children. Users should not create accounts or publish personal information for children through the service.

11. Changes to this policy

We may update this policy as the service, providers, legal requirements, or launch posture changes. Material changes should be reviewed before publication and reflected with a new review date.

12. Contact

Questions, privacy requests, and legal-signoff comments should be sent to contactmdfarhankhan@gmail.com. Include the relevant account email, tenant slug, custom domain, request ID, or public URL when available.

Review references

Product sources

  • build-plan/00-MASTER.md
  • build-plan/reference/env-vars.md
  • build-plan/reference/quality-and-ops.md
  • app/api/generate/route.ts
  • lib/auth/account-deletion.ts
  • docs/runbooks/backup-restore-drill.md
  • docs/runbooks/incident-response-drill.md