Privacy policy

1.1 Account information. When you authenticate via Google OAuth, we receive and store your email address and, where provided, your Google display name. We do not receive or store your Google password.

1.2 CV content. Any content you enter into the editor — including but not limited to your name, work history, education, skills, projects, and profile photo — is stored in our database to enable the core functionality of the service. This content is not shared with any third party except as necessary to operate the service (see Section 3).

1.3 Analytics data. If you consent via the cookie banner, we collect page-level usage data including pageviews, feature interactions, and CTA clicks. If you decline, analytics are initialised in an opted-out state and no analytics data is collected or transmitted. We do not collect keystroke-level data or record the content you type inside the editor, regardless of your consent choice.

1.4 Operational logs. We maintain an internal audit log recording account events such as sign-in, CV creation and deletion, and credit transactions. These logs contain your user ID and event metadata only — never CV content. These logs are used for debugging, abuse prevention, and responding to deletion requests.

2.1 Strictly necessary cookies. Authentication and session cookies are required for the service to function. These cannot be disabled via the cookie banner — declining analytics consent does not affect auth cookies.

2.2 Analytics cookies. If you accept the cookie banner, first-party analytics cookies are set under our domain to measure unique visitors and session continuity. If you decline, no analytics cookies are written.

2.3 Changing your preferences. You may withdraw or change your consent at any time by deleting the resumap.consent key from localStorage for resumap.io — the consent banner will reappear on the next page load. A one-click preference reset may be added to account settings in a future update.

2.4 Editor draft backup. The CV editor writes an automatic safety-net copy of your in-progress section content to localStorage on your own device, in keys prefixed resumap_draft_v1_. This is the same pattern Gmail and Notion use for unsaved drafts. The copy is cleared after a successful save to our servers and is never transmitted independently. If you share a device, sign out and clear browser data — the draft survives browser restart but not localStorage clears.

We use the information we collect to:

• Provide, maintain, and improve the service
• Authenticate you and manage your account
• Process credit purchases and maintain transaction records
• Respond to support requests and deletion requests
• Detect, investigate, and prevent fraud or abuse
• Send transactional emails (welcome email, product updates) — your email is never added to any third-party marketing list

We do not sell your personal data. We do not use CV content to train machine learning models.

We do not sell or rent your personal data. We share data only with carefully selected third-party service providers (“processors”) engaged to operate the service, including providers of database and file storage, hosting and content delivery, analytics (consent-gated), transactional email, and payment processing. Each processor is bound by a data processing agreement and is permitted to use your data only as necessary to perform services on our behalf. A list of our current processors is available upon request at [email protected].

We do not share CV content with any processor beyond what is technically necessary to deliver the service.

We retain your data for as long as your account is active. Operational logs are retained for a limited period for debugging and compliance purposes.

Upon account deletion, we permanently delete:

• Your authentication record (cascades to all associated data)
• All CVs, sections, and editor content tied to your account
• All credit transaction records and audit log entries
• All photos and files uploaded under your account in storage
• A deletion event is dispatched to our analytics processor; your person record is purged on their side within 30 days per their GDPR deletion SLA

Note on CDN caching. Edge caches may retain cached versions of uploaded photos for up to 12 months following deletion. File paths are unguessable and inaccessible without the original URL; this does not constitute an accessible privacy exposure. If you require hard cache expiration, contact us at [email protected].

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data (you can do this directly via /account)
• Object to or restrict certain processing
• Withdraw consent for analytics at any time (see Section 2.3)
• Lodge a complaint with a supervisory authority

To exercise any of these rights, contact us at [email protected]. We will respond within the timeframe required by applicable law.

We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, or disclosure. These include encrypted connections (TLS), access controls, and EU-region data storage. However, no system is entirely secure. We cannot guarantee absolute security and are not liable for unauthorised access resulting from circumstances beyond our reasonable control.

The service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us at [email protected] and we will delete it promptly.

We may update this Policy from time to time. The “Last updated” date at the top reflects the most recent revision. Material changes will be communicated via in-app notice or email at our discretion. Continued use of the service after a change constitutes acceptance of the revised Policy.

For privacy questions, data requests, or manual deletion requests: [email protected]