Privacy Policy

Last updated: April 8, 2026

1. Introduction

ResumeFry ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services.

By using ResumeFry, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

Information you provide

  • Account information — your email address and the authentication method you use (a one-time login code sent to your email, or Google sign-in). We do not ask for, store, or transmit passwords; sign-in is handled entirely through one-time codes or trusted identity providers.
  • Resumes — the resume content you submit, either as pasted text or as an uploaded PDF or DOCX file (up to 10 MB). Uploaded files are stored in our cloud storage (Cloudflare R2) and the extracted text is stored in our database alongside your analysis.
  • Job descriptions you paste for analysis (up to 30,000 characters per submission), and the analysis results we generate from comparing them with your resume.
  • Generated content — optimized resume text and cover letters we produce for you, stored in your account so you can revisit them.
  • Payment details when you subscribe or buy credits. Card numbers and bank details are collected and stored by Stripe; we never see or store your full payment instrument. We retain only billing metadata (plan, amount, currency, status, Stripe customer ID).
  • Contact form submissions — your name, email address, and message when you contact us.

Information collected automatically

  • Hashed IP address — we hash your IP using SHA-256 before storing it, so the original IP is not retained. The hash is used to derive approximate location (country, state, city) and to detect bots and abuse.
  • Device and browser information — device type, operating system, browser, screen and viewport size, language, timezone, online status, and User-Agent string.
  • Authentication and session data — login history (auth method, device, timestamp), refresh-token records (kept for up to 90 days), and one-time-code records (purged after expiry).
  • Usage and analytics data — pages you visit, referrer URL, UTM campaign parameters, an anonymous session identifier, features you use, and analyses you have run. If you visit ResumeFry before signing in and later create an account, we link that earlier session activity to your new account so we can show you a continuous history.
  • Temporary content while signing in — if you paste a job description or resume on the home page before logging in, we store it briefly in your browser's local storage (keys resumefry_pending_jd and resumefry_pending_resume_text) so we can pick it up after you sign in. It is removed once it has been processed or you clear your browser data.
  • Error and diagnostic logs — when something breaks, we record the error message, stack trace, URL, and basic device information so we can investigate and fix it.
  • Cookies and local storage — see our Cookie Policy for the full list and your choices.

3. How We Use Your Information

We use the information we collect to:

  • Provide and maintain our resume analysis and optimization service
  • Process your analyses and deliver results
  • Manage your account and subscription
  • Improve our AI prompts, accuracy, and product experience
  • Send service-related communications (login codes, billing, account notices)
  • Detect and prevent fraud or abuse

4. Legal Bases for Processing (EEA, UK, Switzerland)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data only when we have a valid legal basis under GDPR / UK GDPR:

  • Contract — to create your account, run your analyses, manage your subscription, and provide customer support.
  • Legitimate interests — to keep ResumeFry secure, prevent fraud and abuse, debug errors, measure usage, and improve our AI models and product, in a way that is balanced against your rights.
  • Consent — for non-essential cookies and analytics, and for any optional marketing communications. You may withdraw your consent at any time without affecting the lawfulness of prior processing.
  • Legal obligation — to comply with tax, accounting, fraud-prevention, and law-enforcement requirements.

5. Data Retention

We keep different categories of data for different periods, depending on what they are used for:

  • Account, resumes, job descriptions, and analysis history — for as long as your account is active. You can delete individual analyses or your entire account at any time from Account Settings.
  • Uploaded resume files — stored in Cloudflare R2 for the lifetime of the analysis they belong to. They are deleted when you delete the analysis or your account.
  • Deleted accounts — soft-deleted for 30 days (so you can change your mind and reactivate by logging back in) and then permanently purged. When permanent deletion runs, your resumes, job descriptions, analyses, login history, and refresh tokens are deleted with the account. Anonymous operational records (page-visit logs, error logs, and billing transaction rows) are kept for the operational and legal purposes described below, but the link to your user account is removed so the records can no longer be associated with you.
  • Refresh tokens — up to 90 days, or until you log out.
  • One-time login codes — until they expire (a few minutes) and are then purged.
  • Billing and payment records — retained for the period required by tax and accounting laws (typically 7+ years), even after your account is deleted, with the user link removed.
  • Operational logs (page visits, error logs, login history, hashed IPs) — retained only as long as needed for security, fraud prevention, debugging, and product improvement.

6. Sub-processors and Data Sharing

We do not sell your personal information and we do not share it with advertisers. We rely on a small number of trusted sub-processors to operate the Service. Each one is bound by a data processing agreement and may only use your data on our instructions:

  • Hetzner Online GmbH (Germany / EU) — hosting and database infrastructure.
  • Cloudflare, Inc. — object storage (Cloudflare R2) for the resume files you upload, plus the generated optimized resume files we produce. Cloudflare privacy.
  • Stripe, Inc. (USA) — payment processing, subscription billing, and PCI-compliant card storage. Stripe privacy.
  • Google LLC — Firebase Authentication — verifies the Google sign-in tokens we receive when you log in with Google. Firebase privacy.
  • Resend — transactional email delivery (one-time login codes, account notifications, contact-form replies). Resend privacy.
  • PostHog Inc. (USA) — product analytics and session-replay tooling, loaded only if you accept analytics in our cookie banner. PostHog records pages you visit, clicks, and a replay of your in-page activity, and receives identifying attributes (your user id, email, subscription tier, status, and credit balances) once you are logged in. Session replay captures the visible page including text content and form input. PostHog privacy.
  • Zenixr CookieConsent — the cookie banner script loaded on every page. It receives your IP and country in order to determine which consent flow to show you, and stores a record of the consent choice you make.
  • Google Fonts — to deliver the typefaces used on the site. Loading fonts shares your IP and User-Agent with Google.
  • Zenixr LLM API — our AI processing service. The resume text and job description you submit are sent to this service to generate your analysis. See section 8 for details.

We may also disclose information when we are legally required to (court order, lawful request, regulatory investigation), to enforce our Terms, or to protect the rights, safety, and property of ResumeFry, our users, or the public. If ResumeFry is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction; we will notify you and this Privacy Policy will continue to apply.

7. International Data Transfers

Our primary infrastructure is hosted in the European Union (Hetzner). Some of our sub-processors — including Stripe, Cloudflare, Firebase, PostHog, and Google Fonts — process data in the United States or other regions. Where personal data is transferred outside the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) and equivalent UK / Swiss mechanisms.

8. AI Processing Notice

ResumeFry is an AI-powered service. When you submit a resume and a job description for analysis, the text of both is transmitted to our AI processing service (the Zenixr LLM API) where it is analyzed by a large language model to generate your insights, rewrite suggestions, and cover letter. By using ResumeFry, you understand and agree that:

  • The text you submit will be processed by an AI model in order to produce your analysis.
  • You must not submit personal data about other people, confidential information you are not authorized to share, or content that violates any third party's rights.
  • AI-generated analyses, scores, and rewrites are produced automatically and may contain errors, omissions, or biases. They are intended as guidance, not as professional legal, financial, or career advice.

9. Your Rights

Depending on where you live, you have some or all of the following rights over the personal data we hold about you:

  • Access — request a copy of the personal data we hold about you.
  • Correction — ask us to fix inaccurate or incomplete information.
  • Deletion ("right to be forgotten") — delete your account and associated data from Account Settings, or by contacting us.
  • Portability — request a machine-readable export of your data. Self-service export is not yet available; please email us and we will fulfill your request within the timeframe required by law.
  • Restriction or objection — ask us to limit how we process your data, or object to processing based on our legitimate interests.
  • Withdraw consent — for analytics or any optional processing, at any time, via the Cookie Policy manager or by contacting us.
  • Opt out of marketing communications.

EEA / UK / Swiss residents — you also have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not handled your data properly.

California, Virginia, Colorado and other US state residents — you have rights to know what categories of personal data we collect, request access and deletion, correct inaccurate data, and opt out of "sales" or "sharing" of personal data for cross-context behavioral advertising. We do not sell or share personal data for advertising. You have the right to non-discrimination for exercising your privacy rights.

To exercise any of these rights, email us at [email protected] from the email address associated with your account. We may need to verify your identity before fulfilling the request, and we will respond within the timeframe required by applicable law.

10. Children's Privacy

ResumeFry is intended for adult professionals and is not designed for or directed at children. We do not knowingly collect personal information from anyone under the age of 18. If you are under 18, please do not use the Service or provide any personal data. If we learn that we have collected personal information from a person under 18, we will delete it as soon as reasonably possible. If you believe a minor has provided us with personal data, please contact us at [email protected].

11. Do Not Track

Some browsers offer a "Do Not Track" (DNT) signal. There is no industry-standard way to interpret DNT signals, so our first-party page-visit logging does not currently respond to them. However, our analytics provider PostHog is configured to respect DNT, which means PostHog tracking and session replay are automatically suppressed when your browser sends a DNT signal. You can also manage analytics directly through our cookie consent banner and your browser settings.

12. Security

We implement industry-standard security measures including encryption in transit (TLS 1.3), encryption at rest, and regular security audits. However, no method of transmission over the internet is 100% secure.

13. Hosting Providers

Our primary infrastructure is operated by Hetzner Online GmbH in the European Union, and uploaded resume files are stored in Cloudflare R2. All personal data we store directly is held on EU-based infrastructure governed by Hetzner's data protection commitments and EU GDPR. For details:

14. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our Service, sub-processors, or legal obligations. When we do, we will revise the "Last updated" date at the top of this page. If the changes are material, we will notify you by email or with a prominent in-app notice before they take effect. We encourage you to review this policy periodically.

15. Contact Us

If you have questions, requests, or complaints about this Privacy Policy or how we handle your personal data, contact us at [email protected].