Privacy Policy

Last Updated: September 9, 2025

Resumly.AI (“we,” “us,” “our”) is committed to protecting your privacy. This Privacy Policy (“Policy”) explains how we collect, use, share, and protect your personal information when you interact with our website, software, and services (collectively, the “Services”). By using our Services, you agree to the practices described in this Policy.

1. Information We Collect

We may collect various types of information from you, including:

  • Personal Identifiers: Information that identifies you, such as your name, email address, and other contact details you provide. If you create an account, we will collect your login credentials (e.g. email and password); if you choose to sign up or log in via Google or another third-party OAuth provider, we receive basic profile information from them like your name and email address.
  • Uploaded Content: Information you submit to our Services, such as resumes, cover letters, job descriptions, or other documents and content you upload. This content may include personal information you have chosen to include in those materials.
  • Payment Information: If you make a purchase or subscribe to a paid plan, you will provide payment details. Payment transactions are handled by our third-party payment processor (Stripe) – for example, you may need to provide your billing name, address, and credit card information to Stripe. We do not store your full credit card number or CVV on our servers; such sensitive financial data is transmitted directly to Stripe, which processes it securely. (Stripe may also collect identifying information such as your billing address, email, and geographic location for fraud prevention and to process your payment.)
  • Usage Data: Information about how you access and use our Services. This includes your IP address, device type, browser type, operating system, pages or features you access, the dates/times of access, and your interactions (such as clicks and other actions). We may also collect log data and analytics information through cookies and similar technologies (see Cookies below) to understand user engagement with our Services.
  • Tracking and Cookies Data: We and our analytics partners use cookies and similar tracking technologies to collect information about your activities. This may include session cookies to keep you logged in, and analytics cookies to understand usage patterns. These technologies are described in more detail in Section 4 below.
  • Communications: If you contact us (for example, via email or support channels), we will collect the information you provide in those communications (such as your name, email address, and the content of your message) in order to respond to you.

Sensitive Data: We do not actively collect any sensitive personal information such as government ID numbers, financial account passwords, or biometric data from you. We also do not knowingly collect personal data about your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships, health, or sexual orientation, and we ask that you not provide such sensitive information in the content you upload.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide and Improve Services: To provide our Services to you, maintain your account, and enable core functionality. For example, we use your information to create your account and authenticate you, to process payments for paid features, and to operate and improve the features of our resume-building and AI tools. Your uploaded content (e.g. resumes and related materials) may be used to deliver the functionality you request and to improve our algorithms (for instance, to train and enhance our AI models and develop new features).
  • Personalization: To personalize and optimize your experience. This includes remembering your preferences and settings, and using cookies or similar technologies to tailor the content and recommendations you see. It also includes using data to improve our AI models and glean insights on how users generally use our service, which helps us refine the user experience.
  • Communications: To communicate with you about your account and the Services. For example, we may send you service notifications, updates about new features, or respond to your inquiries. We may also send you informational or promotional emails about our Services or new offerings; you can opt out of marketing communications at any time.
  • Analytics and Research: To analyze usage of our Services and conduct research. This helps us understand user behavior and preferences in order to improve our product design, performance, and offerings. We may also use aggregated, anonymized data for internal analysis, which does not identify individuals (e.g. overall usage trends, conversion rates, etc.).
  • Payments and Fraud Prevention: To process transactions and to protect against fraud, hacking, or other misuse. For instance, when you make a payment, we share necessary information with Stripe to process the payment, and Stripe may use this information for fraud screening and identity verification. We also monitor for suspicious or malicious activity on our Services to keep them secure.
  • Legal Compliance and Protection: To comply with applicable laws, regulations, legal processes or enforceable governmental requests. We may use or disclose your information to enforce our Terms of Service, to assert or defend against legal claims, or to investigate and prevent fraud and other unlawful activities.

Legal Bases (for EU/UK users): If you are located in the European Economic Area or United Kingdom, we process your personal information on the following legal bases: (a) as necessary to perform our contract with you (to provide the Services and customer support); (b) based on your consent, where applicable (for example, for certain optional cookies or marketing emails); (c) as necessary for our legitimate interests (such as improving our Services, ensuring security, and fraud prevention) – we consider and balance any potential impact on your rights when relying on legitimate interests; and (d) to comply with legal obligations.

3. Information Sharing and Disclosure

We do not sell your personal information to third parties. However, we may share your information with the following categories of recipients, as necessary to run our business and provide the Services:

  • Service Providers: We employ trusted third-party companies and individuals to perform services on our behalf (“Service Providers”). These include hosting and infrastructure providers, customer support tools, analytics providers, authentication and identity management services, email delivery services, payment processors, and other vendors. For example, we use Amazon Web Services (AWS) (including AWS Cognito) to host our platform and manage user accounts, Stripe to process payments, and analytics tools like Google Analytics, Hotjar, and Microsoft Clarity to help us understand how users interact with our site. These Service Providers may process personal information on our instructions and for the purposes described in this Policy. We contractually require them to protect personal data and use it only for providing services to us.
  • Third-Party Integrations: If you choose to use certain third-party integrations with our Services, or sign in via a third-party platform (like Google OAuth), some of your information will be shared with or collected by that third party. For example, when you use Google sign-in, Google may receive data indicating that you have authenticated with our Service, and we receive basic account information from Google to set up your account. We adhere to the Google API Services User Data Policy, including its Limited Use requirements, for any data obtained from Google APIs.
  • Business Transfers: If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your information may be transferred as part of that transaction. We would ensure the successor respects your personal data in line with this Policy or notify you if any changes to processing are required.
  • Legal and Safety Disclosures: We may disclose your information to courts, law enforcement, government authorities, or other third parties when we believe in good faith that such disclosure is required or appropriate to: (a) comply with the law or valid legal process (e.g. a subpoena or court order); (b) protect the rights, property, or safety of Resumly.AI, our users, or others; (c) investigate or enforce our agreements and policies; or (d) respond to an emergency that we believe in good faith requires us to disclose data to assist in preventing death or serious injury.

No Sale of Personal Data: We do not sell or rent your personal information to data brokers or marketers for monetary gain. Any sharing of data with third-party providers is only to support our own Services as described above, and those providers are bound to use the data solely for our specified purposes and not for their own marketing.

4. Cookies and Tracking Technologies

Like most online services, we use cookies and similar tracking technologies to collect usage data, remember preferences, and enhance your experience. Cookies are small text files placed on your device that allow us or third parties to recognize you and make your next visit easier and more useful. We use both first-party cookies (set by us) and third-party cookies (set by service providers) for several reasons:

  • Essential Cookies: These cookies are necessary for our website and Services to function properly. For example, when you log in, we use session cookies to keep you authenticated as you navigate between pages. Disabling these cookies may cause certain core features to break (e.g. you might not stay logged in).
  • Analytics Cookies: We use cookies and scripts from analytics providers like Google Analytics, Hotjar, and Microsoft Clarity to understand how users arrive at and use our site. These tools collect information such as what pages you visit, how long you stay, what links you click, and how you interact with various elements. We use these insights to improve the Service’s functionality and design. The data collected is typically aggregated and not personally identifiable; for instance, Hotjar may record user interactions (e.g. clicks, mouse movements, scrolling) but we configure it to avoid capturing sensitive fields, and we review this data in aggregate to identify usability issues. Microsoft Clarity similarly provides session replays and heatmaps to help us diagnose UX problems. (Note: Hotjar respects Do Not Track (DNT) signals and does not sell end-user data. Microsoft Clarity may require user consent for its analytics cookies in some jurisdictions. We honor applicable requirements by obtaining cookie consent where required.)
  • Preference Cookies: These cookies allow our site to remember choices you make (such as your language or other preferences) to provide a more personalized experience.
  • Advertising Cookies: Currently, we do not run third-party ads on Resumly.AI. If in the future we partner with advertising networks or social media platforms for promotional campaigns, cookies or pixels might be used to measure the effectiveness of our ads or to show you relevant content on other sites. We will update this Policy and seek any necessary consents if our use of advertising cookies changes.

Your Choices: When you first visit our site from certain regions (like the EU/EEA), you may see a cookie consent banner. Where required by law, we will only use non-essential cookies (such as analytics cookies) if you consent. You can adjust your browser settings to refuse or delete cookies as well; however, doing so may impact the functionality of our Services (for example, you might not be able to stay logged in or some features might not work properly). For more information about cookies and how to control them, check your browser’s help documentation. Additionally, Google provides an opt-out browser add-on for Google Analytics if you wish to prevent analytics data from being sent to Google. Keep in mind that even if you opt out of analytics, we will still use certain cookies that are necessary for the Service to function.

5. Data Retention

We retain your personal information for as long as your account is active or as long as it is necessary to fulfill the purposes described in this Policy. In practice, this means we will keep your data until you delete your account or request that we delete your data, unless a longer retention period is required or permitted by law. For example, we may retain certain transaction records or communications if needed for legal compliance or legitimate business interests such as resolving disputes, enforcing our agreements, or maintaining financial/tax records.

When you delete your account through our Service or by contacting us, we will take steps to remove or anonymize your personal information. Please note that it may not be possible to immediately delete all data from all systems: your data may persist in secure backups or archives for a limited period until those are cycled out, and we may retain information as needed to comply with legal obligations. However, your data will no longer be readily accessible through our active user databases. We will also instruct third-party Service Providers (like Stripe or AWS) to delete or securely destroy the personal data they hold on our behalf when it is no longer needed. If you have any questions about data retention or wish to request deletion of your data, you can always contact us at the email provided in the Contact section below.

6. Data Security

We take data security seriously and implement reasonable and industry-standard measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include technical, administrative, and physical safeguards appropriate to the sensitivity of the data:

  • Encryption: We use encryption to protect data in transit (e.g. SSL/TLS encryption for data transmitted between your browser and our servers) and, where applicable, encryption at rest for stored data. For example, any passwords you provide are stored in encrypted (hashed) form, and we do not store sensitive authentication tokens or secrets in plaintext.
  • Access Controls: We limit access to personal data to authorized personnel and service providers who need it to operate our Services. Strict access controls, authentication measures, and network security are in place to prevent unauthorized access. For instance, sensitive information and account data stored via AWS Cognito are protected by AWS’s security protocols and our own access policies. Stripe, our payment processor, is certified to PCI-DSS (Payment Card Industry Data Security Standard), ensuring a high level of security for payment information.
  • Monitoring and Testing: Our systems are monitored for vulnerabilities and attacks. We employ firewalls, intrusion detection systems, and other monitoring to guard against security breaches. We also periodically review our practices and update our security measures in light of new risks and developments.
  • Employee and Contractor Obligations: All our employees, contractors, and agents who might have access to personal data are bound by confidentiality obligations. They are trained on data protection best practices to ensure your information is handled with care.
  • Incident Response: Despite our best efforts, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data. However, we have a data breach response plan in place. In the event of any data breach or security incident affecting your personal information, we will notify you and the appropriate authorities as required by law, and work swiftly to mitigate the issue.

You also play a role in keeping your data secure. Please use a strong, unique password for your Resumly.AI account and keep your login credentials confidential. If you suspect any unauthorized access to your account or any security vulnerabilities, notify us immediately so we can assist.

7. International Data Transfers

Resumly.AI is a global service. The personal information we collect may be stored and processed in any country where we or our Service Providers maintain facilities, including the United States, Canada, and countries in the European Union. If you are located outside of these regions, be aware that your data (including personal data) may be transferred to and processed in a country different from your own, which may have data protection laws that are different or less protective than those in your jurisdiction. For example, data collected from users in the EU/EEA or Canada may be transferred to servers located in the United States for processing.

However, we take steps to ensure that international transfers of personal information comply with applicable data protection laws and that your data remains protected. If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, we will implement appropriate safeguards for transfers of personal data outside these regions, as required by the EU General Data Protection Regulation (GDPR) and similar laws. These safeguards may include:

  • Standard Contractual Clauses (SCCs): We may rely on European Commission-approved standard contractual clauses which legally bind our recipients to protect EU personal data. Our agreements with major service providers (such as AWS, Google, Microsoft, Stripe, etc.) incorporate Standard Contractual Clauses or other approved transfer mechanisms to ensure that any personal data leaving the EEA is safeguarded.
  • Data Privacy Frameworks: Where applicable, we may transfer data to entities that have certified to recognized privacy frameworks (for instance, the EU-U.S. Data Privacy Framework or Swiss-U.S. framework, if the recipient is certified under those). (Note: As of the last update of this Policy, we are monitoring developments in international data transfer law and will adopt any new compliance mechanisms as needed.)
  • Your Consent: In some cases, we may ask for your explicit consent to transfer your information to a third country when no other lawful basis for transfer is available. You have the right to withdraw such consent at any time.

If you have questions about our international data transfer practices, or need more information about the specific safeguards in place, please contact us using the details at the end of this Policy.

8. Your Rights and Choices

You have certain rights regarding your personal information, especially if you are located in jurisdictions with privacy laws like the European Union (GDPR), California (CCPA/CPRA), or Canada. We are committed to honoring your rights and giving you control over your data. These rights include:

  • Access and Portability: You have the right to request a copy of the personal information we hold about you and to obtain it in a readily usable format. This is often called a “data subject access request.”
  • Correction (Rectification): If any of your information is inaccurate or incomplete, you have the right to ask us to correct or update it. You can also update some of your own profile information by logging into your account settings.
  • Deletion (Erasure): You have the right to request deletion of your personal data. This is also known as the “right to be forgotten.” You can delete your Resumly.AI account at any time, and as described in our Data Retention section, we will delete your personal data (except for information we are permitted or required to retain). If you prefer, you may also contact us to request deletion of specific data.
  • Restriction of Processing: You can ask us to limit the processing of your personal information in certain circumstances – for example, if you contest the accuracy of the data or object to us processing it on the basis of our legitimate interests, we will consider your request and only store the data without further use until we’ve addressed your concern.
  • Objection to Processing: You have the right to object to certain processing activities. For instance, if we are processing your data based on legitimate interests or for direct marketing, you can object. If you object to direct marketing, we will stop sending you marketing communications. If you object to other processing, we will evaluate your request and comply unless we have compelling legitimate grounds to continue (or if the data is needed for legal reasons).
  • Withdraw Consent: Where we rely on your consent to process personal information (such as for optional analytics cookies or newsletters), you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of any processing we already performed based on your consent before its withdrawal. For example, you can opt out of email marketing by clicking the “unsubscribe” link in our emails or adjusting your account settings.
  • Automated Decision-Making: Resumly.AI does not typically make any legally significant decisions about you solely by automated means. If that changes and we utilize automated decision-making or profiling that produces legal or similarly significant effects, you have the right not to be subject to such decisions without human intervention, and to express your point of view or contest the decision.
  • California Privacy Rights: If you are a resident of California, you have specific rights under the California Consumer Privacy Act (CCPA) (as amended by the CPRA). These include the right to know what personal information we collect, how we use and share it, and the categories of information sold or disclosed to third parties. You also have the right to request deletion of your personal information, and the right to opt out of the “sale” or “sharing” of your personal information (as defined by CCPA). Please note we do not sell personal data, and any sharing with service providers (for analytics or advertising) is done under contracts that protect your data. California residents also have the right not to receive discriminatory treatment for exercising their privacy rights. If you are a California resident and have questions or requests, you can contact us as described below.
  • Canadian Privacy Rights: If you are in Canada, you have similar rights under laws like PIPEDA, including the right to access and correct your personal information, and to withdraw consent for certain uses. We will also notify you of any security breach involving your personal information that poses a real risk of significant harm, as required by Canadian law.

Exercising Your Rights: Many of the rights above can be exercised by logging into your account and using self-service tools (for example, accessing or updating your profile, or deleting your account). For any rights that you cannot self-serve, please contact us at [email protected] with your request. We may need to verify your identity (for example, by confirming control of your email address or requesting additional information) before fulfilling certain requests. We will respond to your request within a reasonable timeframe, and in any event within the timeframe required by applicable law (e.g., within 30 days for most GDPR requests, or 45 days for CCPA requests, with extensions if applicable). If we cannot fulfill your request, we will provide an explanation subject to legal restrictions.

Finally, if you have concerns about how we handle your data, you have the right to lodge a complaint with a supervisory authority (for EU users, this would be your country’s Data Protection Authority; for UK users, the ICO; for Canada, the Privacy Commissioner; for California, the Attorney General or CPPA). We would, however, appreciate the chance to address your concerns first – so please reach out to us and we will do our best to resolve any issue.

9. Children’s Privacy

Our Services are not intended for individuals under the age of 13. We do not knowingly collect personal information from children under 13 years old. If you are under 13, please do not use our Services or provide any personal information to us. In addition, if you are under the age of consent in your jurisdiction (for example, under 16 in certain European countries), you should not use our Services unless your parent or guardian has provided verifiable consent.

If we become aware that we have inadvertently collected personal data from a child under 13 (or under the applicable age of consent) without proper consent, we will take steps to delete that information as soon as possible. If you are a parent or guardian and you believe we might have information from or about a minor child, please contact us so that we can promptly investigate and address the issue.

10. Changes to This Policy

We may update or revise this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will update the “last updated” date at the top of this Policy. We encourage you to review this Policy periodically to stay informed about how we are protecting your information.

If we make any material changes to this Policy, we will take additional steps to notify you. For significant changes, we may provide a notice on our website or notify you via email or in-app notification, especially if required by law. Once any updated Privacy Policy is in effect, by continuing to use the Services you will be deemed to have accepted the changes (to the extent permitted by law).

11. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: [email protected]

We will do our best to address your inquiry promptly. If you contact us to exercise any of your privacy rights, please include “Privacy Request” in the subject line of your email and describe the nature of your request. This will help us route your request to the correct team.

Thank you for trusting Resumly.AI with your personal information. We value your privacy and are committed to safeguarding your data while providing you with a useful and secure service.