Privacy Policy

1. Information We Collect

1.1 Account Information

When you create an account, we collect your email address and, if you choose email/password authentication, a securely hashed version of your password. If you sign in with Google, we receive your name, email address, and profile identifier from Google — we do not receive or store your Google password.

1.2 Resume & Cover Letter Data

We store the content you enter into the resume and cover letter editor, including but not limited to your name, contact details, work experience, education, skills, projects, certifications, and any other information you choose to include. This data is stored in our cloud database to enable syncing across your devices.

1.3 Payment Information

Payments are processed by Stripe. We do not directly collect, store, or have access to your full credit card number, debit card number, or banking details. Stripe provides us with a transaction identifier, the email associated with your purchase, and your plan type (Month Pass or Lifetime). Stripe's handling of your payment data is governed by the Stripe Privacy Policy.

1.4 Usage & Analytics Data

We use PostHog to collect anonymized usage data, including page views, scroll depth, and web performance metrics (such as page load times). We do not use autocapture, and analytics are limited to identified users only — meaning we do not track anonymous visitors. This data helps us understand how people use Resumello so we can improve the product.

1.5 Technical Data

When you access the Service, our hosting provider (Cloudflare) automatically collects technical information such as your IP address, browser type, operating system, referring URL, and access timestamps. This data is used for security, performance optimization, and abuse prevention.

1.6 Imported Documents

If you use the resume import feature, uploaded PDF or Word documents are parsed in your browser. The extracted text is used to populate your resume editor. We do not store the original uploaded files on our servers — only the extracted data that you save to your resume.

2. How We Use Your Information

We use the information we collect for the following purposes:

• Providing the Service — storing and syncing your resumes, generating PDF and Word exports, calculating ATS scores, and enabling cloud access across devices.
• Authentication — verifying your identity when you sign in, sending email verification codes, and processing password resets.
• Payment Processing — managing purchases, verifying active subscriptions, and processing refunds.
• Product Improvement — analyzing aggregated, anonymized usage patterns to identify bugs, improve features, and optimize performance.
• Security & Abuse Prevention — detecting and preventing fraudulent activity, unauthorized access, and other security threats.
• Communication — sending transactional emails related to your account (verification codes, password resets, purchase receipts). We do not send marketing emails.

We do not sell your personal data. We do not run advertisements. We do not use your resume content for training machine learning models. We do not share your resume data with recruiters, employers, or any third party unless you explicitly export and share it yourself.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data under the following legal bases:

• Contract Performance — processing your account, resume, and payment data is necessary to provide the Service you have purchased (Article 6(1)(b) GDPR).
• Legitimate Interest — collecting usage analytics and technical data for security, fraud prevention, and product improvement (Article 6(1)(f) GDPR). We balance this against your rights by minimizing the data collected and anonymizing it where possible.
• Legal Obligation — retaining purchase records as required by applicable tax and financial regulations (Article 6(1)(c) GDPR).

4. Third-Party Services

We rely on a limited number of third-party service providers to operate Resumello. Each provider only receives the minimum data necessary for their function:

4.1 Future AI Features

We plan to introduce optional AI-powered features in a future update. When available, these features may send portions of your resume content to third-party AI providers (such as OpenRouter or similar services) to generate suggestions. You will always have the option to use your own API key, and AI features will be clearly labeled as optional. We will update this Privacy Policy before launching any AI features and will notify existing users of the changes. No resume data will be sent to AI providers without your explicit action.

5. Cookies & Tracking Technologies

We use a minimal set of cookies and similar technologies:

We do not use advertising cookies, social media tracking pixels, or fingerprinting technologies. We do not participate in cross-site tracking.

6. Data Retention & Deletion

6.1 Active Accounts

We retain your account data, resume content, and purchase records for as long as your account remains active. You may delete individual resumes at any time from your dashboard.

6.2 Account Deletion

You may request deletion of your account and all associated data by contacting us at [email protected]. Upon receiving your request, we will permanently delete your account, resume data, and personal information from our active database within 30 days. Data may persist in automated encrypted backups maintained by our infrastructure providers for up to an additional 90 days, after which it is permanently purged.

6.3 Purchase Records

We may retain anonymized purchase records (transaction ID, plan type, date) as required by applicable tax and financial regulations, even after account deletion. These records do not contain personally identifiable information.

6.4 Analytics Data

Anonymized analytics data collected by PostHog is retained according to PostHog's retention policies and cannot be linked back to you after account deletion.

7. International Data Transfers

Resumello is operated from Canada. Our third-party service providers may process data in jurisdictions outside of your country of residence, including the United States and the European Union. When your data is transferred internationally, it is protected by the security measures described in this policy and by the data protection practices of our service providers.

For users in the EEA, UK, or Switzerland: transfers to countries without an adequacy decision are covered by the Standard Contractual Clauses (SCCs) implemented by our service providers, or by other approved transfer mechanisms under applicable data protection law.

Canada has been recognized by the European Commission as providing an adequate level of data protection under GDPR.

8. Your Privacy Rights

Depending on where you live, you have specific rights regarding your personal data. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (or sooner where required by law).

8.1 European Economic Area, UK & Switzerland (GDPR)

• Access — request a copy of all personal data we hold about you.
• Rectification — correct inaccurate personal data.
• Erasure — request deletion of your personal data ("right to be forgotten").
• Data Portability — receive your data in a structured, machine-readable format (e.g., JSON export of your resumes).
• Restriction — request that we limit how we process your data.
• Objection — object to processing based on legitimate interests.
• Complaint — lodge a complaint with your local data protection authority.

8.2 California (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act and the California Privacy Rights Act:

• Right to Know — request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to Delete — request deletion of your personal information.
• Right to Opt-Out of Sale — we do not sell your personal information and have never done so.
• Non-Discrimination — we will not discriminate against you for exercising any of your CCPA rights.

Categories of personal information collected: identifiers (email, name), commercial information (purchase history), internet/electronic activity (usage analytics), and professional information (resume content you provide).

We do not "share" personal information as defined by the CPRA for cross-context behavioral advertising purposes.

8.3 Canada (PIPEDA)

Under the Personal Information Protection and Electronic Documents Act, you have the right to access your personal information held by us, challenge its accuracy, and withdraw consent for its collection, use, or disclosure (subject to legal or contractual restrictions). To make a request, contact us at [email protected].

8.4 All Users

Regardless of where you are located, you can always:

• Export your resume data as PDF or Word documents.
• Delete individual resumes from your dashboard.
• Request full account deletion by emailing us.

9. Children's Privacy

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at [email protected], and we will promptly delete that information.

10. Security

We take reasonable technical and organizational measures to protect your personal data, including:

• All data transmitted between your browser and our servers is encrypted via HTTPS/TLS.
• Passwords are hashed using industry-standard algorithms — we never store plaintext passwords.
• Authentication tokens are managed securely by Convex Auth with short-lived sessions.
• Payment data is handled exclusively by Stripe, a PCI DSS Level 1 certified payment processor.
• HTML content is sanitized using DOMPurify to prevent cross-site scripting (XSS) attacks.

No system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. If we become aware of a data breach that affects your personal information, we will notify you and the relevant authorities as required by applicable law.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable laws. When we make material changes, we will:

• Update the "Last updated" date at the top of this page.
• Notify existing users via email for significant changes (such as new categories of data collection or new third-party data sharing).

Your continued use of the Service after a change to this policy constitutes your acceptance of the updated terms. We encourage you to review this page periodically.