Privacy Policy

1. Introduction

Resume Studio ("we," "our," or "us") is operated by Resume Studio, a sole proprietorship based in Frisco, Texas, United States. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web application and related services (collectively, the "Service"). By using the Service, you agree to the practices described in this policy. If you do not agree with this policy, please do not use the Service.

2. Information We Collect

We collect the following categories of information:

2.1 Information You Provide

• Account Information: Email address, full name, and authentication credentials when you register. If you sign in via Google or GitHub, we receive your name and email from those providers.
• Resume & Career Data: Resume text, work experience, job descriptions, certifications, skills, references, and other career-related information you provide to generate documents.
• Contact Information: Name, email, phone number, and location you provide in contact forms or for inclusion in generated documents.
• Support Messages: Name, email, subject, and message content when you contact us through our support form.

2.2 Information Collected Automatically

• Usage Data: IP address, browser type and version, operating system, pages visited, timestamps, referral URLs, and device identifiers.
• Device Information: Device fingerprint data used solely for security purposes (concurrent session management, fraud prevention).

2.3 Payment Information

Payment processing is handled entirely by Stripe, Inc. We do not receive, store, or process your full credit card number, CVV, or banking details. We only receive a Stripe customer identifier, subscription status, and transaction confirmations.

3. How We Use Your Information

We use collected information for the following purposes:

• To provide, operate, maintain, and improve the Service
• To generate tailored career documents using AI on your behalf
• To process payments, manage subscriptions, and issue refunds
• To send transactional emails (account verification, password resets, subscription confirmations)
• To respond to support requests and customer inquiries
• To detect, prevent, and address fraud, abuse, security incidents, and technical issues
• To enforce our Terms of Service and protect our legal rights
• To comply with applicable laws, regulations, and legal obligations

We do not use your personal information for advertising, profiling, or automated decision-making that produces legal effects.

4. AI Processing & Data Handling

Resume Studio uses Anthropic's Claude API to generate career documents. When you submit your resume and a job description for generation:

• Your resume text and job description are transmitted to Anthropic's servers for processing
• Anthropic does not use your data to train their AI models (per their data usage policy)
• Generated content is returned to our servers and stored in your account if you have a paid plan
• Free-tier generations are provided for preview only and are not persisted in our database
• We do not share your resume data with any party other than Anthropic for the purpose of document generation

5. Disclosure of Information

We may disclose your information in the following circumstances:

• Service Providers: We share data with third-party service providers who assist in operating the Service (see Section 6). These providers are contractually obligated to protect your data.
• Legal Requirements: We may disclose your information if required by law, subpoena, court order, or government regulation.
• Protection of Rights: We may disclose information to protect our rights, safety, or property, or that of our users or the public.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction. We will notify you of any such change.

We do not sell your personal information to third parties. We do not share your personal information for cross-context behavioral advertising.

6. Third-Party Services

We rely on the following third-party services:

• Supabase, Inc.: Database hosting, authentication, and file storage. Your data is stored with row-level security policies ensuring access is restricted to your account only.
• Stripe, Inc.: Payment processing. Stripe collects and processes your payment information in accordance with PCI DSS standards and their own privacy policy.
• Anthropic, PBC: AI document generation. Your resume and job description text are processed by Anthropic's Claude API solely for the purpose of generating your requested documents.
• Vercel, Inc.: Web application hosting and content delivery.

Each third-party service operates under its own privacy policy and terms of service. We encourage you to review their policies.

7. Cookies & Tracking Technologies

We use only essential cookies required for the Service to function:

• Authentication Session Cookie: Maintains your login session. This is a first-party, httpOnly, secure cookie.

We do not use advertising cookies, third-party tracking pixels, social media tracking scripts, or analytics cookies that track you across websites. We do not participate in any ad networks.

8. Data Retention

• Account Data: Retained for as long as your account is active. If you delete your account, we will remove your personal data within 30 days.
• Generated Documents: Stored for as long as your account is active and you maintain a paid plan. Deleted when your account is deleted.
• Security Logs: IP addresses, rate limit events, and security audit logs are retained for up to 90 days for fraud prevention and then automatically purged.
• Legal Obligations: We may retain certain data beyond the above periods where required by applicable law (e.g., tax records, billing records).

9. Data Security

We implement industry-standard technical and organizational security measures, including:

• Encryption of all data in transit using TLS 1.2+
• Row-level security (RLS) policies on our database ensuring users can only access their own data
• Rate limiting and IP-based abuse prevention
• Input validation and sanitization to prevent injection attacks
• Security event logging and anomaly detection
• Device session management with concurrent session limits
• Bcrypt password hashing (we never store plaintext passwords)

Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security and encourage you to use strong, unique passwords.

10. Data Breach Notification

In the event of a data breach that compromises the security of your personal information, we will notify affected users without unreasonable delay and no later than 60 days after discovery of the breach, as required by the Texas Identity Theft Enforcement and Protection Act (Tex. Bus. & Com. Code § 521.053). Notification will be made via email to the address associated with your account, or by conspicuous posting on our website if email notification is not feasible. We will also notify the Texas Attorney General if required by law.

11. Your Rights Under Texas Law (TDPSA)

If you are a Texas resident, the Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024, grants you the following rights regarding your personal data:

• Right to Know: You may request confirmation of whether we process your personal data and access the specific data we hold about you.
• Right to Correct: You may request correction of inaccurate personal data.
• Right to Delete: You may request deletion of personal data you have provided to us.
• Right to Data Portability: You may request a copy of your personal data in a portable, readily usable format.
• Right to Opt Out: You may opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling that produces legal effects. Note: We do not engage in any of these activities.

To exercise any of these rights, please contact us at privacy@resume-studio.io. We will respond to your request within 45 days. If we need additional time, we will notify you of the extension (up to an additional 45 days) and the reason. We will not discriminate against you for exercising your TDPSA rights. If we deny your request, you may appeal by contacting us, and we will respond to the appeal within 60 days.

12. Your Rights Under CCPA (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you the following rights:

• Right to know what personal information we collect, use, disclose, and sell
• Right to request deletion of your personal information
• Right to opt out of the sale or sharing of your personal information (we do not sell or share your data)
• Right to correct inaccurate personal information
• Right to limit the use of sensitive personal information
• Right to non-discrimination for exercising your privacy rights

To exercise any of these rights, contact us at privacy@resume-studio.io.

13. Your Rights Under GDPR (EEA Residents)

If you are located in the European Economic Area (EEA), the General Data Protection Regulation (GDPR) grants you the following rights:

• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent at any time

Our legal basis for processing your data is: (a) contract performance (providing the Service you requested), (b) legitimate interests (security, fraud prevention), and (c) your consent where applicable.

14. "Do Not Sell or Share My Personal Information"

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Because we do not engage in these practices, there is no need to opt out. However, if you wish to confirm this or have concerns, please contact us at privacy@resume-studio.io.

15. Children's Privacy

The Service is not intended for individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to promptly delete that information. If you believe a child has provided us with personal data, please contact us immediately.

16. International Data Transfers

Our Service is operated from the United States. Your data may be transferred to and processed in the United States and other countries where our service providers (Supabase, Stripe, Anthropic, Vercel) maintain infrastructure. These jurisdictions may have different data protection laws than your country of residence. By using the Service, you consent to the transfer of your data to these jurisdictions. Where required by law, we ensure appropriate safeguards are in place for international transfers.

17. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we will provide additional notice via email to the address associated with your account. Your continued use of the Service after any changes constitutes acceptance of the updated policy.

18. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have a privacy concern, please contact us:

• Email: privacy@resume-studio.io
• Contact Form: resume-studio.io/contact
• Mailing Address: Resume Studio, Frisco, TX 75034, United States