Trust Center

Last updated · May 30, 2026

Privacy Policy

Plain-English version: we collect the minimum data to make ResumeAI work, we don't sell it, we don't train AI on it, and you can delete it anytime.

01The short version

  • We collect your email, uploaded resumes, and job descriptions you analyze.
  • We use this only to provide the service to you. Not for ads. Not for AI training.
  • We share data only with providers we use to run the service.
  • You can delete your account and all data anytime from Account settings.
  • EU users have full GDPR rights. Indian users have full DPDP Act rights.

02What data we collect

Account information: Your email address and authentication identifier from our auth provider (Clerk). If you sign in with Google, we receive your name and profile picture from Google.

Content you provide: Resumes (as text extracted from PDFs you upload), job descriptions you paste, and any AI-generated analyses, rewrites, cover letters, ATS scans, and interview prep we produce for you.

Payment information: If you buy credits, Stripe handles card data — we never see or store it. We only receive payment confirmation and the credits-purchased amount.

Usage and technical data: Server logs (IP address, browser type, request paths), audit logs of sensitive actions, and error reports.

Cookies: Essential cookies only — see Cookie Policy.

03How we use your data

We use your data exclusively to:

  • Provide the ResumeAI service (run AI analyses, generate cover letters, etc.)
  • Process payments and grant credits
  • Show your history of past analyses
  • Send transactional emails (sign-up confirmation, payment receipts, account changes)
  • Detect and prevent abuse (rate limiting, security monitoring)
  • Improve the service through aggregated, anonymized analytics
  • Comply with legal obligations

What we DO NOT do:

  • Sell your data — ever
  • Use your resumes or job descriptions to train AI models
  • Share your data for advertising
  • Send marketing emails without explicit consent
  • Profile or score you for any purpose other than the service

05Who we share data with

We share the minimum data needed with these service providers (sub-processors):

Clerk

United States

Authentication

Email, name, OAuth tokens

Supabase

United States

Database hosting

All account and content data (encrypted at rest)

Groq

United States

AI model inference

Resume text and job descriptions (transient; not retained or used for training per Groq policy)

Stripe

United States, Ireland

Payment processing

Email, payment metadata. Card details handled directly by Stripe.

Vercel

United States

Application hosting

Request logs, IP addresses (standard hosting telemetry)

Upstash

United States

Rate limiting

User ID or IP address (transient, expires after 1 hour)

Sentry

United States

Error monitoring

Sanitized error stack traces and request context

We don't share with advertisers, data brokers, or anyone not listed. We disclose data only if legally required (court order, subpoena) — and notify you unless legally prohibited.

06International data transfers

ResumeAI is operated from India, but most of our infrastructure providers are based in the United States. This means your data is transferred internationally.

For EU/UK users: We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection for data transferred to the US. Our key processors (Clerk, Supabase, Stripe, Vercel) have published SCCs and are GDPR-compliant.

For Indian users: Under the DPDP Act 2023, cross-border transfers to non-restricted countries are permitted. We monitor government notifications for any restrictions.

07Storage and security

Your data is stored in Supabase (PostgreSQL) on AWS infrastructure, primarily in US East (Virginia). Backups are encrypted and retained for 7 days.

Security measures we have in place:

  • HTTPS/TLS encryption for all data in transit
  • Encryption at rest for database and backups
  • Strict content security policies (CSP) and origin restrictions
  • Rate limiting on all API endpoints
  • Audit logging of sensitive actions
  • Regular dependency updates and security patches
  • HSTS enforcement (HTTPS-only)

If you discover a security issue, please email security@resumeai.blog. We commit to acknowledging valid reports within 48 hours.

08How long we keep data

  • Active accounts: for as long as your account is active
  • Deleted accounts: all personal data deleted within 24 hours; anonymized audit logs retained for 90 days for fraud prevention
  • Payment records: retained for 7 years (tax compliance — applies in both India and most jurisdictions)
  • Server logs: 30 days, then automatically purged
  • Error reports (Sentry): 30 days
  • Rate limit data (Upstash): 1 hour rolling window

09Your rights (general)

You have the right to:

  • Access your data — export available from Account settings
  • Correct inaccurate data — update via Account settings
  • Delete your data — self-serve via Account settings
  • Restrict processing in specific circumstances
  • Object to processing where based on legitimate interests
  • Portability — receive your data in a machine-readable format (JSON export)
  • Withdraw consent to any communications
  • Lodge a complaint with your local data protection authority

To exercise these rights, email privacy@resumeai.blog. We'll respond within 30 days as required by law.

10Rights for Indian users (DPDP Act 2023)

If you're in India, you have specific rights under the Digital Personal Data Protection Act 2023:

  • Right to information about personal data processing
  • Right to correction and erasure of inaccurate data
  • Right to nominate a person to exercise rights in case of death or incapacity
  • Right to grievance redressal — contact our designated person (see below)

Grievance Officer (India)

Divyam Sirswal

grievance@resumeai.blog

Response within 30 days as required by DPDP Act.

If unsatisfied with our response, you may contact the Data Protection Board of India once notified by the government.

11Children's privacy

ResumeAI is not intended for users under 18. We do not knowingly collect personal data from children. If we learn we've collected data from a child under 18, we'll delete it.

In India, under the DPDP Act, individuals under 18 are considered children, and we require verifiable parental consent for processing their data — which we currently do not facilitate. If you're under 18, please do not use ResumeAI.

If you believe we have collected data from a child, contact privacy@resumeai.blog.

12How AI processing works

When you submit a resume or job description, the text is sent to our AI provider (Groq) for processing. Key facts:

  • Groq processes your text transiently — they do not retain it after the API response
  • Groq does not use this data to train AI models per their published policy
  • We do not modify, save copies of, or share AI inputs with anyone other than Groq
  • AI-generated outputs (analyses, cover letters, etc.) are saved to your account so you can review them later
  • AI outputs may contain inaccuracies — always review before using in real applications

For full details on Groq's data handling, see Groq's privacy policy.

13Changes to this policy

If we make material changes to this policy, we'll notify you via email (if you have an account) and update the "Last updated" date at the top. Continued use after material changes constitutes acceptance.

For non-material changes (typo fixes, link updates, etc.), we may update without notice.

14Contact us

For privacy questions, complaints, data requests, or anything related to this policy:

General privacy contact

privacy@resumeai.blog

Grievance Officer (India)

grievance@resumeai.blog

Security disclosures

security@resumeai.blog

We respond to all valid requests within 30 days.