This policy explains what data we process, why, and the rights you have, in accordance with the General Data Protection Regulation (GDPR).
The data controller is 404Factory (sole proprietorship), 20 Avenue de la Gare, 34770 Gigean, France. For any question about your data: factory404@outlook.fr.
When you register, we collect your name, your email address and your password (stored as a bcrypt hash; we never know your password in clear text).
The resumes and cover letters you write — including the personal information you enter in them (contact details, experience, photo, etc.) — are saved so you can edit, export and share them.
If you use the AI features, your API key (OpenAI, Gemini or Anthropic) is stored only in your browser (localStorage) and is never saved on our servers. Calls to OpenAI and Gemini go directly from your browser; calls to Anthropic pass through a technical proxy that forwards the key with each request without keeping it.
For authentication to work, we use cookies and tokens (see “Cookies” below). We may also keep limited technical logs for security and abuse-prevention purposes.
Your data is hosted by Railway Corporation (railway.com). Transactional emails are sent via Google Workspace (Google Ireland Limited). When you use the AI, the content sent is processed by the provider you chose (OpenAI, Google or Anthropic) under its own privacy policy. We do not sell or rent your data.
Your account data and your documents are kept as long as your account is active. When you delete your account, your data (resumes, letters, tokens) is permanently deleted. Expired session and reset tokens are purged automatically.
In accordance with the GDPR, you have the right of access, rectification, erasure, restriction, objection and portability. You can correct your information from your My account page, or delete your entire account from that same page. To exercise your other rights, contact factory404@outlook.fr. You may also lodge a complaint with the CNIL (www.cnil.fr).
We use only cookies strictly necessary for the service to work: an access_token cookie (session, ~15 min) and a refresh_token cookie (httpOnly, ~7 days) to keep you logged in. We do not use advertising cookies or third-party trackers.
The “Buy me a coffee” button in the footer loads an image from Buy Me a Coffee's servers (buymeacoffee.com). That request may transmit your IP address to this provider; no cookie is set by us on that occasion.
Passwords are hashed (bcrypt), authentication relies on signed tokens with a limited lifetime, and resource access is controlled per owner. As no measure is infallible, we recommend a strong and unique password.
Last updated: June 9, 2026