Privacy Policy.

1. Data controller

The data controller for Itinero is Umberto Santarelli, reachable at hello@itinero.io. Itinero operates from Italy and processes personal data in accordance with the General Data Protection Regulation (GDPR).

2. What data we collect

When you use Itinero, we collect and store the following personal data:

• Account information — your email address, name, and authentication identifiers when you sign in with Google or by email.
• CV and career profile — CV content, work history, skills, salary context, and career preferences you enter into the app.
• Job descriptions and prompts — the job posting text and related instructions you submit for analysis, tailoring, parsing, and cover-letter generation.
• Generated outputs — analyses, verdicts, behavioral insights, tailored CV versions, and cover letters produced for you.
• Usage and quota data — analysis counts, plan limits, signup allowances, and anti-abuse records needed to administer the service.
• Support and contact data — messages you send through our contact form and waitlist or notification signups.
• Email screening data — disposable-email validation checks performed when you request email sign-in.
• Analytics data — page and feature usage events collected through Google Analytics 4 where you consent.
• Browser storage data — cookies and similar client-side storage, including local browser storage used to keep signed-in state, drafts, current analysis state, tailoring sessions, and UI preferences on your device.

We do not collect payment information directly. If and when payments are processed, they are handled by Stripe. We do not store card details.

3. Legal basis for processing

We process your personal data on the following legal bases:

• Contract performance — to create and maintain your account, provide CV tools, generate analyses, and deliver outputs you request (Art. 6(1)(b) GDPR).
• Consent — for optional analytics cookies and analytics processing that is not strictly necessary to run the service (Art. 6(1)(a) GDPR).
• Legitimate interests — to secure the service, prevent abuse of signup quotas, validate disposable email use, and maintain service reliability where those interests do not override your rights (Art. 6(1)(f) GDPR).
• Legal obligation — where required by applicable law.

4. How we use your data

Your data is used solely to operate Itinero. Specifically:

• To deliver analysis results, tailored CV outputs, and cover letters
• To maintain your account and track your usage quota
• To improve the service through anonymized analytics
• To communicate with you about your account when necessary

Your CV, career context, and job descriptions are not used to train AI models. Your data is not sold or shared with third parties for marketing or advertising purposes.

5. Data storage and security

Your data is stored securely using Supabase, a managed database platform with encryption at rest and in transit. Access to your data is restricted to authenticated requests tied to your account.

We use Google sign-in, email-based sign-in, cookies, and similar browser storage to maintain authenticated sessions and keep your in-progress work available on your device. We do not store passwords.

While we take reasonable technical measures to protect your data, no online service can guarantee absolute security.

6. Third-party services

Itinero uses the following third-party services, each of which may process personal data as part of providing their service:

• Google — for Google sign-in and Google Analytics 4.
• Supabase — for database and authentication infrastructure. Data is hosted in the EU.
• Vercel — for hosting the Itinero web application.
• Cookiebot — for cookie consent collection and consent records.
• Anthropic (Claude API) — CV content, job descriptions, and related prompt inputs are sent to Anthropic to generate analyses and outputs.
• Resend — for transactional email delivery, such as contact-form forwarding and waitlist emails.
• ZeroBounce — for disposable-email screening when users request email sign-in.

Some of these providers may process data outside the European Economic Area. Where that occurs, we rely on the provider's contractual and legal transfer safeguards, such as standard contractual clauses, where applicable.

7. Data retention

We retain your account data for as long as your account is active. When you delete your account, your profile, CV data, analyses, and generated outputs are deleted from the active product records.

To prevent repeated free-tier abuse after deletion and immediate re-registration, we retain a limited hashed record of the deleted account's email address together with quota-related metadata for 90 days after deletion. This retained record is not your full account profile and is used only for abuse-prevention purposes.

Analytics records may be retained in aggregated or de-identified form where they can no longer reasonably be linked back to you.

8. Your rights under GDPR

If you are located in the European Economic Area, you have the following rights regarding your personal data:

• Right of access — to request a copy of the data we hold about you
• Right to rectification — to correct inaccurate or incomplete data
• Right to erasure — to request deletion of your data ("right to be forgotten")
• Right to restriction — to request that we limit how we process your data
• Right to data portability — to receive your data in a structured, machine-readable format
• Right to object — to object to processing based on legitimate interests

You can exercise your right to erasure directly in the app from the Profile area, or by emailing hello@itinero.io. For all other requests, contact us at the same address. We will respond within 30 days.

You also have the right to lodge a complaint with your national data protection authority.

9. Cookies

Itinero uses cookies and similar technologies, including browser local storage, for the following purposes:

• Strictly necessary cookies — including Supabase authentication cookies required to maintain your signed-in session and secure the service.
• Consent records — set by Cookiebot to remember your cookie choices.
• Analytics cookies — set by Google Analytics 4 where you consent to analytics.
• Similar client-side storage — including local browser storage used to keep drafts, current analysis state, tailoring sessions, cached workspace data, and certain UI preferences on your device.

You can manage your optional analytics consent through our cookie settings page. Blocking strictly necessary cookies may affect your ability to sign in and use the product.

10. Children

Itinero is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email. Continued use of Itinero after changes are published constitutes acceptance of the updated policy.

12. Contact

For any privacy-related questions or to exercise your rights, contact us at hello@itinero.io.