Last updated: 2026-05-11 · Effective: 2026-05-11

Privacy Policy

This Privacy Policy describes how ResumesTailor (“ResumesTailor”, “we”, “us”, “our”) collects, uses, shares, and otherwise processes information about you when you visit resumestailor.com, sign in to our application, install our browser bookmarklet or browser extension, contact us, or otherwise interact with our services (collectively, the “Service”). It also explains the choices and rights you have in relation to your personal data.

Please read this Privacy Policy carefully. By creating an account or using the Service you confirm that you have read and understood this Policy and our Terms of Service. If you do not agree, please stop using the Service.

Quick summary. We collect the data you give us (account info, resumes, cover letters, job descriptions, payment details) plus standard technical data (IP, device, usage). We use it to provide the Service, run AI tailoring through Google Gemini, process payments through Dodo Payments, and keep the platform secure. We do not sell your personal data. You can export or delete everything from your Settings tab. Detail follows below.

1. Who we are and how to contact us

ResumesTailor is operated by the entity that owns and runs the Service from India. For the purposes of the EU/UK General Data Protection Regulation (“GDPR”) and India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”), we are the data controller / data fiduciary in respect of the personal data for which we determine the purposes and means of processing.

For all privacy-related queries, data-subject requests, breach notifications, or to reach our Data Protection Officer / Grievance Officer, write to support@resumestailor.com. We aim to respond to all requests within thirty (30) days, or sooner where required by law (e.g., seven days for erasure requests under the DPDP Act).

2. Scope of this Policy

This Privacy Policy applies to:

  • Visitors to our marketing website (resumestailor.com).
  • Registered users of the Service.
  • People who install the ResumesTailor bookmarklet or extension.
  • People who contact us by email or through forms.
  • People whose details appear in resumes, cover letters, or referral-search queries created by another user (e.g., recommenders, recruiters listed as references).

This Policy does not apply to third-party websites, services, or applications that may link to or from the Service. Those have their own privacy policies, which you should read before submitting personal data to them.

3. Personal data we collect

3.1 Data you provide to us

  • Account data — name, email address, profile image and Google account identifier, provided when you sign in through Google OAuth.
  • Resume and cover letter content — everything you type, paste, upload (via PDF import), generate via AI, or otherwise add to a document inside the Service, including but not limited to contact details, employment history, education, projects, skills, certifications, languages, references, photographs, and any free-form text you place into sections you create.
  • Job descriptions and tailoring inputs — text you paste into the AI optimizer and the bookmarklet/extension when tailoring documents for a specific role.
  • Job application tracker entries — company, position, location, status, notes, application URLs.
  • Portfolio content — anything you publish to a public portfolio page, including media, links and bio.
  • Referral-search inputs — company name, target role, search criteria, and personal notes you save against a contact.
  • Payment data — name, email, and billing address collected by our payment processor Dodo Payments. Card numbers and other sensitive payment instrument data are handled directly by the processor and are not stored on our servers.
  • Communications — emails, support tickets, chat messages, and any attachments you send us.
  • Preferences — chosen template, default tone, notification toggles, theme.

3.2 Data we collect automatically

  • Device and connection data — IP address, browser type and version, operating system, screen size, time zone, language preference.
  • Usage data — pages viewed, features used, timestamps, referring URL, search terms inside the app, file size of imports, rendering durations, error reports.
  • Cookies and similar technologies — see our Cookie Policy for the full inventory of cookies, pixels and local storage we use.
  • Audit logs — security-relevant actions (sign-in, document deletion, payment events) together with the IP address, user-agent and timestamp. Audit log entries are retained for up to thirty (30) days.
  • Rate-limit telemetry — counts of API calls per user / IP, used to enforce abuse thresholds.

3.3 Data we receive from third parties

  • Google — when you sign in with Google OAuth, Google provides your name, email, Google account ID, and profile image. We do not receive your Google password.
  • Dodo Payments — subscription status, payment status, customer reference, and transaction metadata.
  • Apollo.io (only when you use the referral search feature) — names, professional titles, employers, LinkedIn URLs, and (where Apollo provides them) business email addresses of public business contacts at companies you search.
  • Analytics providers (PostHog, where enabled and where you have consented) — pseudonymous behavioural metrics.

3.4 Sensitive personal data

Resumes and cover letters may, depending on the content you choose to include, contain data treated as “sensitive” or “special category” under GDPR or local laws — for example racial or ethnic origin, religious beliefs, trade-union membership, health information, sexual orientation, biometric data (photographs of yourself), criminal history, or political opinions.

You decide what to include. We strongly recommend you only include sensitive personal data when it is genuinely necessary for the job application. If you do, you consent to us processing that data for the purposes of operating the Service (storing, rendering, tailoring, exporting) on the basis of your explicit consent (GDPR Article 9(2)(a)).

3.5 Children

The Service is not directed at and is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you are a parent or guardian and believe that your child has provided us with personal data without your consent, contact us at support@resumestailor.com and we will delete the data.

4. How and why we use your personal data

The table below sets out the purposes for which we process your personal data, the categories of personal data involved, and the lawful basis we rely on under GDPR / UK GDPR. Under the DPDP Act, the lawful basis for all processing is consent unless an exemption (e.g., legitimate use under section 7) applies.

4.1 Provide the Service

Create your account, store your documents, render them in the editor, generate PDFs, run the AI optimizer, sync your settings between devices, deliver subscription features.

Lawful basis (GDPR): performance of a contract with you (Article 6(1)(b)).

4.2 Run AI tailoring and content generation

When you submit a resume and job description for tailoring, both are transmitted to Google’s Gemini API for inference. We also send analytics about the document structure to optimize rendering. The output is stored in your account.

Lawful basis (GDPR): performance of a contract; consent for any sensitive personal data included.

4.3 Process payments and manage subscriptions

Create checkout sessions, manage your subscription state, issue receipts, prevent payment fraud.

Lawful basis (GDPR): performance of a contract; compliance with legal obligations (tax / accounting records).

4.4 Customer support

Respond to your support tickets, investigate bug reports.

Lawful basis (GDPR): performance of a contract; our legitimate interest in providing competent support.

4.5 Secure the platform and prevent abuse

Rate limiting, audit logging, fraud and abuse detection, account recovery, security monitoring, vulnerability response.

Lawful basis (GDPR): our legitimate interest in protecting the Service and our users.

4.6 Improve the Service

Aggregated and de-identified analytics about feature usage, crash reports, A/B testing of UI changes.

Lawful basis (GDPR): our legitimate interest in understanding how the Service is used; consent where analytics cookies are involved.

4.7 Marketing communications

Send you product updates, tips, and offers — only if you have opted in. You can unsubscribe at any time using the link at the bottom of any email.

Lawful basis (GDPR): consent.

4.8 Comply with legal obligations

Respond to lawful requests from public authorities, enforce our Terms, defend legal claims, retain financial records.

Lawful basis (GDPR): legal obligation; legitimate interest in defending claims.

5. AI processing — specific disclosure

Because AI processing is central to the Service we want to be explicit about how it works.

  • Provider. AI tailoring is powered by Google’s Gemini API (the “Gemini API”).
  • What is sent. When you trigger an optimization we send the relevant resume / cover-letter content, the job description you provided, and any tone / level preferences. We strip prompt-injection vectors before transmission but do not otherwise mask identifiers — your name, contact details and work history are visible to the Gemini API for the purpose of generating tailored output.
  • Retention by Google. Google retains API prompts for up to thirty (30) days for abuse-monitoring purposes when we use the paid API tier. Google has stated that prompts sent via the paid API are not used to train Google’s models. We rely on Google’s representations in this regard. See the Gemini API Additional Terms of Service for the controlling commitments.
  • Output ownership. You retain ownership of your inputs (the source resume and the job description) and of the AI-generated outputs, subject to the limited licence you grant us in our Terms of Service to host and render those outputs inside the Service.
  • Accuracy disclaimer. AI-generated content can be inaccurate, biased, fabricated, or otherwise unsuitable. You are solely responsible for reviewing and editing any AI-generated content before using it in a real application.
  • Automated decision-making. The Service does not use AI to make decisions that have legal or similarly significant effects on you. The AI suggests changes; you decide whether to accept them.
  • Opt-out. If you do not want your content processed by Google’s Gemini API, simply do not use the AI tailoring feature. The rest of the Service (manual editor, PDF export, job tracker) does not require AI processing.

6. How we share your personal data

We do not sell your personal data and we do not share it for cross-context behavioural advertising (as those terms are defined in California’s CCPA/CPRA). We share personal data only in the following situations.

6.1 With sub-processors

Third-party service providers we engage to operate the Service process personal data on our behalf, under written agreements that require them to handle the data only on our instructions and to keep it confidential and secure. Our current sub-processors are listed at /subprocessors. We will update that list before adding or replacing sub-processors.

6.2 With other users (your choice)

Portfolio pages you choose to publish are publicly accessible at a slug you choose. Cover letters and resumes you choose to share via a unique share link are accessible to anyone with that link until you delete the link or the document. We do not otherwise publish your content.

6.3 With law enforcement and authorities

We may disclose personal data to courts, law-enforcement agencies, regulators, or other public authorities when we are legally required to do so or where it is reasonably necessary to comply with a valid legal process, enforce our Terms, prevent fraud or protect anyone’s rights, property or safety. Where the law permits, we will notify you of the request before disclosure.

6.4 With professional advisers

We may share personal data with auditors, lawyers, accountants and insurers in the ordinary course of our business, under appropriate confidentiality obligations.

6.5 In a business transaction

If ResumesTailor is involved in a merger, acquisition, financing round, restructuring, bankruptcy, or sale of all or part of its assets, personal data may be transferred to the relevant counterparties subject to standard confidentiality terms. We will give you notice through the Service or by email if such a transaction affects how your data is processed.

6.6 With your consent or at your direction

We may share personal data with third parties when you ask us to (for example, when you connect a third-party integration in the future).

7. International data transfers

ResumesTailor is operated from India, and our primary hosting infrastructure (Vercel) and AI provider (Google Gemini) operate in the United States. Some sub-processors operate from the European Union, the United Kingdom, or other jurisdictions.

Where we transfer personal data from the EEA, the United Kingdom, or Switzerland to a country that has not received an adequacy decision from the European Commission, we put in place appropriate safeguards, typically by entering into the European Commission’s Standard Contractual Clauses (or the UK addendum to those clauses). Where applicable we also conduct Transfer Impact Assessments.

Where we transfer personal data from India to other jurisdictions, we comply with the DPDP Act’s transfer provisions. The Government of India may notify a list of restricted territories from time to time; we will not transfer personal data of Indian data principals to any such territory once notified.

8. Data retention

We keep personal data for as long as we need it to provide the Service and to comply with our legal, accounting, regulatory and reporting obligations.

The specific retention rules are:

  • Active account data and your documents — retained while your account is active.
  • Soft-deleted documents — when you delete a resume, cover letter, portfolio, or job application, it is moved to Trash and retained for thirty (30) days, after which a daily cron job permanently deletes it.
  • Deleted accounts — when you delete your account, your documents are removed within thirty (30) days and your User row is anonymized.
  • Audit logs — up to thirty (30) days.
  • Rate-limit telemetry — Redis records expire within minutes to hours of last activity.
  • Payment records (invoices, refunds) — retained for the period required by tax / accounting laws (typically seven years in India under section 44AA of the Income Tax Act and related rules).
  • Marketing consent records — retained for the duration of your subscription to marketing communications and for two (2) years after you unsubscribe, as evidence of consent.
  • Records required to defend legal claims — retained for the duration of the applicable limitation period.

9. Security

We implement and maintain reasonable security practices appropriate to the nature of the personal data we process and to the risks of processing, including:

  • Encryption in transit (TLS 1.2 or higher) for all connections.
  • Encryption at rest for sensitive third-party caches and for our primary database (managed by Supabase).
  • HMAC-signed webhooks with timing-safe comparison and database-level idempotency to prevent replay attacks.
  • Strict Content-Security-Policy headers with nonce-based script-src.
  • Distributed rate limiting and circuit breakers on external APIs.
  • Principle-of-least-privilege access controls for engineers and contractors who can access production systems.
  • Logging of security-relevant events with tamper-resistant retention.
  • Vendor security review before adding a new sub-processor.

No system is perfectly secure. We do not warrant that our security measures will prevent all unauthorized access, loss, misuse or alteration of personal data.

10. Data breach notification

If we suffer a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will notify the relevant supervisory authority without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, in line with GDPR Article 33 and the DPDP Act’s breach notification requirements.

Where required, we will also notify affected individuals. Notifications will describe the nature of the breach, the categories and approximate number of individuals and records affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects.

Suspected security issues should be reported to support@resumestailor.com.

11. Your rights and choices

Depending on the law that applies to you (which depends on where you live), you may have one or more of the following rights. The list is not exhaustive.

11.1 Rights for everyone (self-serve)

  • Access / export. Settings → Privacy & Data → Download. Generates a JSON file of every record we hold about you.
  • Correction. Edit your profile in Settings or your documents in the editor. For corrections we can’t surface in-app, contact us.
  • Deletion. Settings → Danger Zone → Delete Account. Removes documents within thirty (30) days and anonymizes the rest.
  • Marketing opt-out. Unsubscribe link in any marketing email; toggle in Settings.
  • Cookie preferences. Manage Cookies link in the footer.

11.2 Additional rights under GDPR (EEA, UK, Switzerland)

  • Right of access (Article 15) — receive confirmation of processing and a copy of your data.
  • Right to rectification (Article 16).
  • Right to erasure (“right to be forgotten”, Article 17).
  • Right to restrict processing (Article 18).
  • Right to data portability (Article 20) — receive your data in machine-readable format.
  • Right to object (Article 21) — including to processing based on legitimate interests and to direct-marketing processing.
  • Rights related to automated decision-making and profiling (Article 22).
  • Right to withdraw consent at any time where consent is the lawful basis.
  • Right to lodge a complaint with your local supervisory authority. See our GDPR page for the list of national authorities.

11.3 Rights under India’s DPDP Act

  • Right to access information about personal data (section 11).
  • Right to correction, completion, updating and erasure of personal data (section 12).
  • Right of grievance redressal (section 13). The contact for grievances is support@resumestailor.com. We will respond within the timelines specified by the rules made under the DPDP Act.
  • Right to nominate (section 14) — to designate someone to exercise your rights in the event of your death or incapacity.
  • Right to withdraw consent at any time.
  • Right to complain to the Data Protection Board of India.

11.4 Rights for California residents (CCPA, as amended by CPRA)

We do not sell or share personal information as those terms are defined by the CCPA/CPRA. If you are a California resident, you also have:

  • The right to know what personal information we collect.
  • The right to access and obtain a copy of that information.
  • The right to request deletion.
  • The right to correct inaccurate personal information.
  • The right to limit our use and disclosure of sensitive personal information (we do not use sensitive personal information for any purpose beyond providing the Service).
  • The right not to be discriminated against for exercising your rights.
  • The right to opt out of automated decision-making (we do not engage in this for California consumers).

We honour valid Global Privacy Control (GPC) signals as an opt-out of sale/share for visitors who appear to be California residents. To exercise other CCPA rights, contact us at support@resumestailor.com. You can also designate an authorised agent to make a request on your behalf.

11.5 Rights for residents of other US states

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Delaware, New Jersey, New Hampshire, Indiana, Kentucky, Maryland, Minnesota, Rhode Island, Nebraska and other US states with comprehensive privacy laws have similar rights of access, correction, deletion, portability, and opt-out of targeted advertising and sale (which we do not engage in). Contact us at support@resumestailor.com to exercise these rights.

11.6 How we verify your request

Before we act on a rights request, we may need to verify your identity. For account-holders we generally treat a signed-in session as sufficient verification. For non-account-holders or where the request is unusually sensitive, we may ask you to confirm details that match information already in our records. We will not ask you to create an account just to make a request.

11.7 Response timelines

We aim to acknowledge your request within ten (10) calendar days and to substantively respond within thirty (30) days, extendable once by an additional thirty (30) days where the request is complex (we will tell you if so). DPDP-Act erasure requests will be honoured within the period specified by the rules made under the DPDP Act.

12. Cookies and tracking technologies

We use cookies and similar technologies. The categories, names, purposes, durations and parties are set out in our Cookie Policy. You can change your cookie preferences at any time through the Manage Cookies link in the footer.

We honour browser-level signals where the law requires us to. In particular, when your browser sends the Global Privacy Control (“GPC”, Sec-GPC: 1) header, we treat that as an opt-out of non-essential analytics processing.

13. Third-party links

The Service may contain links to third-party websites or services that we do not control (for example, the bookmarklet sends you to job-listing sites; portfolio pages may link out to your projects). We are not responsible for the privacy practices of those third parties.

14. Do Not Track

Some browsers send a “Do Not Track” (“DNT”) signal. Because there is no industry consensus on how to interpret DNT signals, we currently do not respond to them, but we do honour GPC as described above.

15. Profiling and automated decision-making

We do not engage in automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you. The AI tailoring feature generates suggestions for you to review and accept or reject; the decision to apply or discard those suggestions is always yours.

16. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we make a material change, we will:

  • Post the updated Policy on this page with a new “Last updated” date.
  • Notify you in-app and, where required, by email at least fourteen (14) days before the change takes effect.
  • Where the change requires fresh consent (e.g., a new processing purpose), ask for that consent.

Continued use of the Service after the effective date of the updated Policy constitutes acceptance of the changes. If you do not agree to the updated Policy, you should stop using the Service and may delete your account from Settings.

17. How to contact us / make a complaint

For any question, request, or complaint relating to this Privacy Policy or your personal data, write to support@resumestailor.com. If you are not satisfied with our response, you have the right to complain to your local data-protection authority. For EEA / UK residents, please see our GDPR page for a directory of national supervisory authorities. For Indian data principals, the relevant authority is the Data Protection Board of India.