Last Updated: February 22, 2026
This Privacy Policy describes how Laddro ("Laddro," "we," "us," or "our") collects, uses, discloses, and safeguards your information when you visit our website www.laddro.com (the "Website") and use our resume, CV, and cover letter building services, including AI-assisted features, subscriptions, referral program, and optional public API (collectively, the "Service"). Please read this Privacy Policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access the Service.
1. Introduction
Welcome to Laddro! We, Laddro, located in Berlin, Germany, are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy outlines our practices concerning the collection, use, and sharing of your personal data. By accessing or using our Website and Service, you signify your understanding and acceptance of the terms of this Privacy Policy.
2. Data We Collect and How We Use It
2.1 Account & Authentication
We collect and process the following in connection with your account and authentication:
| Data | Where / How | Purpose |
|---|---|---|
| Full name | Sign-up form | Account creation, identification |
| Email | Sign-up, sign-in, forgot password, support form, referral invites | Account, login, password recovery, support, referral |
| Password | Sign-up, sign-in, change password (hashed by our backend) | Authentication |
| Locale / language | Sign-up, login, settings, checkout, delete account, support, referral | Localization, emails, UI |
| Referral code | URL parameters on sign-in/sign-up; passed to backend on email login and OAuth | Referral program attribution |
Authentication flows:
- Email/password: Account creation, login, account activation (via code), and forgot password (recovery code and reset). Passwords are hashed by our backend; we do not store plain-text passwords.
- OAuth: You may sign in with Google or LinkedIn. Our backend receives your referral code via query parameters when applicable. We receive profile data (such as name and email) as provided by the provider for identification and account management. Please refer to Google’s and LinkedIn’s respective privacy policies for how they process your data.
- Session: We use cookies to store access and refresh tokens: accessToken (short-lived) and refreshToken (e.g. up to 365 days). In production these cookies are set with secure and sameSite: 'strict' for security. These are strictly necessary for the operation of the Service.
Account management:
- Change password: Your current password and new password are sent to our backend to update your credentials.
- Delete account: You may delete your account via account settings. The request is sent to our backend (e.g. /settings/delete-account). We may queue deletion and retain certain data as required for legal, administrative, or dispute resolution purposes. Our Privacy Policy and, where applicable, our Terms describe what is deleted and what we may retain, and the timeline.
We use your identity and authentication data to create and manage your account, authenticate you, reset your password when requested, and to enforce our Terms. We do not use this data for marketing or selling to third parties.
2.2 Resume & CV Data
We collect and store resume and CV content that you create, edit, or upload:
| Data | Where / How | Purpose |
|---|---|---|
| Resume content | Builder (form and template), tailor flow, upload PDF | Create, edit, store, tailor, export PDF |
| Stored fields | Personal info (name, role, email, phone, city, country), summary, employment, education, skills, certifications, etc. | Resume/CV creation and storage |
| Resume title, template, metadata | Saved with resume | Listing, display, PDF export |
| PDF file upload | Tailor-resume: you upload a PDF sent to our backend (e.g. for parsing) | Extract structured data to prefill resume |
Resume data is sent to our backend and stored per user. We use it to provide the Service (creation, editing, tailoring, and PDF export). For PDF export, resume data and template may be sent to our PDF generation API; we do not use this content for marketing or selling. If you upload a PDF for parsing, that file and the extracted data are processed and stored as part of your resume data. Only our systems and necessary subprocessors (e.g. hosting, AI where used for parsing) have access; we do not use your resume content for marketing or selling.
2.3 Cover Letter Data
We collect and store cover letter content and related inputs:
| Data | Where / How | Purpose |
|---|---|---|
| Cover letter content | Builder: personal details, employer details, letter body | Create, edit, store, export |
| Title, template | Saved with cover letter | Listing, display, export |
| Job description and position | Tailor flow, cover letter generation | AI tailoring and cover letter generation |
| Resume data used for cover letter | Sent to our backend/AI with job description | Generate tailored cover letter |
Cover letters are saved via our backend. To generate or improve cover letters, we may send your resume data, job description, position, and language preference to our backend and to AI/automated processing services (see Section 2.4). We use this data only to provide the Service; we do not use it for marketing or selling.
2.4 AI and Automated Processing
We use AI and automated tools, including third-party services such as OpenAI, to provide the following features:
| Feature | Data used | Where processed |
|---|---|---|
| Resume tailoring | Resume data, position name, job description | Our backend and/or AI providers |
| Improve content | Current text, field type, resume context | Our backend and/or AI providers |
| Cover letter generation | Resume data, position, job description, language | Our backend and/or OpenAI (e.g. app routes) |
| PDF resume parsing | Uploaded PDF file | Our backend and/or OpenAI (e.g. parse routes) |
User content (resume text, job descriptions, cover letter inputs, uploaded PDFs) may be sent to OpenAI and any other AI providers we use for these features. We use such data only to provide the described functionality. We have contracts in place with providers where required (e.g. data processing agreements, subprocessor lists). We do not use your content to train AI models; our AI providers are used in a way that does not use your data for training their public models, in line with our and their policies. If our practices change, we will update this policy and, where required, obtain consent.
2.5 Support & Communication
When you contact support, we collect:
| Data | Where / How | Purpose |
|---|---|---|
| Name, email, subject, message | Support form (e.g. sent to our backend) | Handle support requests |
| Logged-in user | Request sent with your session | Associate request with your account |
We use this information to respond to you and to maintain support records. We do not use support content for marketing without your consent.
2.6 Referral Program
We process the following in connection with our referral program:
| Data | Where / How | Purpose |
|---|---|---|
| Referral code / URL | Generated per user, stored and displayed (e.g. in settings) | Share with others |
| Emails for invites | You enter one or more emails; sent to our backend (e.g. referral/emails) with locale | Send referral invites to third parties |
| Referral attribution | Referral code in sign-up/sign-in URL, passed to backend on login/signup (email and OAuth) | Attribute new signups to referrer |
When you send referral invites, we process the email addresses you provide to send the invite. You should only submit contacts who have agreed or where lawful (e.g. legitimate interest or consent as required in your jurisdiction). We retain referral-related data (e.g. who referred whom) as needed for attribution, rewards, and analytics, as described in our data retention section below.
2.7 Payments & Subscriptions (Stripe)
Payment processing is handled by Stripe. We do not store full credit card details.
| Data | Where / How | Purpose |
|---|---|---|
| Checkout | Plan ID, locale sent to backend; you are redirected to Stripe | Create session, redirect to pay |
| Session completion | Session ID sent to our backend after payment | Activate plan / tokens |
| Subscriptions | Our backend retrieves subscription data from Stripe | Show current plan |
| Customer/plan data | Stored by our backend and Stripe (not full card details) | Billing, subscription management |
We store only what is necessary for billing and subscription management (e.g. plan type, expiry, transaction IDs). Card data is processed by Stripe in accordance with their privacy policy and terms. We recommend reviewing Stripe’s privacy policy for details.
2.8 Language / Locale Preference
We store your language preference when you set it (e.g. via settings or during checkout). It may also be stored in localStorage (e.g. i18nextLng, preferred-locale) for UI and email language. We use this only to personalize the interface and communications.
2.9 API Keys (Developer / Public API)
If you use our public API, we process API keys that you generate (e.g. via our API key management endpoints). Keys are stored and associated with your account and are used to authenticate requests to our API. You must keep your API keys confidential. We use them only to identify your account for API usage and to enforce acceptable use and rate limits.
2.10 Cookies and Local Storage (Technical)
Cookies we use:
| Cookie | Purpose | Duration / Type |
|---|---|---|
| accessToken | Session authentication | Short-lived; strictly necessary |
| refreshToken | Session refresh | Up to 365 days; strictly necessary |
In production, these cookies are set with secure and SameSite attributes. For more details, see our Cookie Policy if available.
Local storage may be used for:
- Language preference (e.g. i18nextLng, preferred-locale) — to remember your language.
- Redirect path — to redirect you after login when applicable.
- Draft data (e.g. tailor-resume draft such as position, job description, options) — to restore drafts during your session.
You can clear cookies and local storage via your browser settings; doing so may log you out or reset preferences and drafts.
3. Third-Party Services
We use the following third-party services. Where they process personal data, we ensure appropriate agreements and safeguards are in place.
| Service | Use | What we state |
|---|---|---|
| Google Analytics (GA) | Analytics (e.g. page views, events) | Collection of usage data, IP, pages; see Section 4. You can opt out via browser add-ons or cookie preferences. |
| Google Tag Manager (GTM) | Tag management, analytics/events | GTM is used to load scripts and send data to analytics/marketing tools; the data sent is as described in Section 4. |
| Stripe | Payments, subscriptions | Payment processing; we do not store full card data. See Stripe’s privacy policy. |
| OpenAI | Resume parsing, cover letter generation (e.g. in app routes) | User content is sent to OpenAI for these features only. See OpenAI’s privacy policy; we do not use your data for training their models. |
| Backend / hosting | All API calls, storage, auth | Our backend and databases are hosted by our infrastructure provider(s); they process all data as necessary to run the Service. |
| Google & LinkedIn | OAuth login | Sign-in only; we receive data such as email and name as provided by them. See their respective privacy policies. |
| Email delivery | Activation, recovery, support, referral emails | We may use an email delivery provider (e.g. SendGrid or similar); they process recipient data and email content for delivery. |
If we add or change subprocessors that process personal data, we will update this policy and, where required by law, inform you or obtain consent.
4. Analytics & Tracking
We use Google Analytics and Google Tag Manager to analyze usage and improve the Service. This may include device information, IP address, pages visited, and custom events (e.g. authentication, resume actions, template selection, download, purchase, referral). We may use cookies for this. You can opt out via your browser settings, browser add-ons (e.g. GA opt-out), or our cookie preferences if we offer them. We do not use analytics data to identify you for marketing without your consent.
5. Sharing and Disclosure of Your Data
We do not sell, rent, or trade your personal information to third parties for their direct marketing purposes. We may disclose your information:
- Service providers: To trusted third parties who perform services on our behalf (hosting, storage, email, analytics, payment processing, AI providers). They are contractually bound to protect your data and to use it only for the services they provide to us.
- Legal and safety: When required by law or when we believe in good faith it is necessary to comply with legal obligations, protect our or others’ rights and safety, or prevent fraud or abuse.
- Business transfers: In connection with a merger, acquisition, or sale of assets; we will notify you and explain your choices where required by law.
- Aggregated/anonymized data: We may share aggregated or anonymized data that does not identify you for research, analytics, or product improvement.
6. Data Retention & Deletion
We retain your data only as long as necessary for the purposes described in this policy or as required by law. Retention may vary for: account data, resumes, cover letters, support tickets, referral data, payment/transaction data, logs, and backups. When you delete your account, we delete or anonymize your personal data in line with our internal procedures; we may retain certain data for legal, security, or dispute resolution for a limited period, as permitted by law.
You may request access, correction, deletion, portability, or restriction of your data, or object to certain processing, by contacting us at the details in Section 10. We will respond within a reasonable time and in accordance with applicable law. You also have the right to lodge a complaint with a supervisory authority (e.g. in the EU/UK).
7. International Transfers & Legal Bases (GDPR / UK GDPR)
If you are in the European Economic Area or the UK, we process your data on the following bases, where applicable: performance of our contract with you, your consent, our legitimate interests (e.g. security, improving the Service), and compliance with legal obligations. Where we transfer data to countries outside the EEA/UK (e.g. to the US for hosting or AI providers), we use appropriate safeguards such as standard contractual clauses or adequacy decisions. You may request more detail on the legal basis for specific processing by contacting us.
8. Data Security
We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, loss, or alteration. This includes encryption, access controls, and secure infrastructure. No method of transmission or storage is 100% secure; we cannot guarantee absolute security but we strive to use industry-standard practices.
9. Your Rights (Access, Rectify, Delete, Portability, Restrict, Object, Complain)
Depending on your location (e.g. GDPR in the EEA/UK), you may have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Erasure — request deletion of your data under certain conditions.
- Restriction — request that we restrict processing in certain circumstances.
- Data portability — receive your data in a structured, machine-readable format and, where feasible, have it transmitted to another controller.
- Object — object to processing based on legitimate interests or for direct marketing.
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
- Lodge a complaint — with a supervisory authority if you believe our processing violates data protection law.
To exercise these rights, contact us at the details in Section 10. We may need to verify your identity before responding.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will post the updated policy on our Website and update the "Last Updated" date. For material changes, we may provide additional notice (e.g. email or in-app). Your continued use of the Service after changes constitutes acceptance of the revised policy. We encourage you to review this policy periodically.
11. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or our data protection practices:
- Email: support@laddro.com
- Address: Laddro, Berlin, Germany
We are committed to protecting your privacy and will respond to your requests in accordance with applicable law.