Privacy Policy

Last updated: March 2026

Introduction / Data Controller

This Privacy Policy explains how Gabriel Moraru, operating as Resume Genie (“we,” “us,” or “our”), acting as the data controller, collects, uses, shares, and protects your personal information when you use the Resume Genie web application and related services (collectively, the “Service”).

We are committed to protecting your privacy and handling your data in an open and transparent manner. This policy applies to all users of the Service, regardless of location, and is designed to comply with the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable data protection laws.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. This policy should be read in conjunction with our Terms of Service. If you do not agree with our practices, please do not use the Service.

Information We Collect

We collect the following categories of personal information in connection with providing the Service:

Account Data

Name, email address, and profile avatar (provided directly or obtained via OAuth authentication).

Resume Content

Full name, email address, phone number, physical address or location, personal website URLs (including LinkedIn and other professional profile links), employment history (employer names, job titles, dates of employment, responsibilities and accomplishments), education (institution names, degrees, dates, GPA), professional skills, projects, awards, certifications, and professional summary text.

Cover Letter Content

Cover letter text, target company names, job titles, and job descriptions you provide for tailoring purposes.

Uploaded Files

PDF and DOCX files uploaded for resume import. Text is extracted for parsing purposes; the original file is not stored after processing is complete.

AI Interaction Data

Which AI feature was used, when it was used, the AI model invoked, token counts, and estimated cost. This data is logged for billing enforcement, rate limiting, and usage tracking purposes.

Payment Data

Stripe customer ID, subscription ID, subscription status, and billing tier. We do not collect or store credit card numbers, bank account details, or other sensitive payment instrument data on our servers. All payment processing is handled by Stripe.

OAuth-Derived Data

If you sign in via Google, Microsoft, or GitHub, we receive your name, email address, and profile picture URL from the identity provider.

Technical Data

IP address (captured via infrastructure provider logs) and session cookies necessary for authentication.

How We Use Your Data

We use the personal information we collect for the following purposes:

  • Providing and maintaining the Service, including storing your resumes and cover letters, rendering previews, and generating PDF exports.
  • Processing subscription payments and managing your billing status through Stripe.
  • Generating AI-powered suggestions, scores, and content when you explicitly request them by using an AI feature.
  • Sending transactional emails via Resend, including welcome emails, subscription upgrade confirmations, and payment failure notifications. These are service-related communications, not marketing.
  • Enforcing usage limits and rate limiting based on your subscription tier to ensure fair use and service stability.
  • Improving the Service through aggregated, de-identified usage patterns. We do not build individual user profiles for advertising purposes.
  • Complying with applicable legal obligations, including tax and financial record-keeping requirements.

AI Processing

The Service offers nine AI-powered features: bullet point enhancement, bullet point generation, professional summary generation, keyword extraction, resume tailoring, ATS scoring, resume analysis, cover letter generation, and resume import/parsing. When you use any of these features, the relevant resume or cover letter content is transmitted to OpenAI's API for processing.

OpenAI processes data in accordance with their privacy policy, available at https://openai.com/policies/privacy-policy. Under OpenAI's API data usage policy, API data may be retained for up to 30 days for abuse and misuse monitoring, after which it is deleted. OpenAI does not use data submitted via its API to train or improve its models.

We do not use your resume content to train AI models. Your content is sent to OpenAI solely to fulfill the specific feature request you initiated and is not used for any other purpose.

All AI features are entirely optional and user-initiated. You can use the Service's core resume-building and PDF export functionality without ever invoking an AI feature. AI-generated scores, suggestions, and content are advisory only and should be reviewed by you before use.

You have the right to not use AI features at any time. Opting out of AI features does not affect your ability to use the rest of the Service.

Sub-Processor Inventory

We engage the following third-party sub-processors to deliver the Service. Each sub-processor has been evaluated for adequate data protection practices:

Provider | Purpose | Data Shared | Privacy Policy
Supabase | Database, authentication, file storage | Account data, resume content, cover letters, PDFs | supabase.com/privacy
OpenAI | AI-powered features | Resume/cover letter content when AI features used | openai.com/policies/privacy-policy
Stripe | Payment processing | Email, billing information, subscription status | stripe.com/privacy
Resend | Transactional email delivery | Email address, name | resend.com/legal/privacy-policy
Google Fonts | Font delivery for PDF rendering | IP address (via font request) | policies.google.com/privacy
Google, Microsoft, GitHub | OAuth authentication (if chosen by user) | Name, email, profile picture | Respective provider privacy policies
Vercel | Application hosting | Server-side request data, IP address | vercel.com/legal/privacy-policy

Cookies and Tracking

The Service uses Supabase Auth session cookies that are strictly necessary for authentication and session management. These cookies enable you to remain logged in and are essential for the Service to function. They are not used for tracking, profiling, or advertising purposes.

We do not use third-party analytics cookies. We do not use advertising or retargeting cookies. We do not engage in cross-site tracking.

During PDF generation, the Service loads fonts from Google Fonts. These external requests transmit your IP address to Google. This occurs only during server-side PDF rendering and does not set any cookies in your browser.

Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:

  • Active account: Your data is retained for the duration of your active account. You may access, modify, or delete your content at any time through the Service.
  • Account deletion: When you delete your account, all associated data is removed from active systems via cascading deletes. This includes your profile, resumes, resume sections, ATS scores, AI usage logs, and cover letters.
  • Database backups: Deleted data may persist in encrypted database backups maintained by our infrastructure provider, subject to their backup rotation schedule.
  • AI usage logs: Retained for the life of your account for billing and rate-limiting purposes. These logs are deleted on account deletion via cascade.
  • Stripe: Stripe retains payment and transaction data in accordance with their own data retention policy and applicable financial regulations.
  • OpenAI: API data submitted to OpenAI may be retained by OpenAI for up to 30 days for abuse monitoring purposes, after which it is deleted.

International Data Transfers

Your personal data may be transferred to and processed in the United States and other countries outside the European Economic Area (EEA) and the United Kingdom (UK).

Our primary database is hosted by Supabase in the United States (us-east-2). OpenAI processes AI feature requests in the United States. Vercel may process server-side requests in various global regions.

For transfers of personal data from the EEA or UK to countries that have not received an adequacy decision from the European Commission, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission, and/or the EU-US Data Privacy Framework, as applicable. You may request a copy of the relevant transfer safeguards by contacting us at privacy@resumegenie.app.

Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security).
  • Encryption at rest: Data stored in our database and file storage is encrypted at rest by our infrastructure provider.
  • Row-level security (RLS): Database tables enforce row-level security policies that ensure each user can only access their own data. This provides database-level isolation between users.
  • Authentication: User authentication is managed by Supabase Auth. No passwords are stored in plain text.
  • Key separation: Service role keys are separated between client-facing and administrative operations to minimize the impact of any potential compromise.

While we strive to use commercially acceptable means to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

Your Rights (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom (UK), you have the following rights under the General Data Protection Regulation:

  • Right of access (Art. 15): You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access that data along with information about how it is processed.
  • Right to rectification (Art. 16): You have the right to have inaccurate personal data corrected and incomplete personal data completed.
  • Right to erasure (Art. 17): You have the right to request the deletion of your personal data (“right to be forgotten”), subject to certain legal exceptions.
  • Right to restriction of processing (Art. 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of your data.
  • Notification obligation (Art. 19): We will communicate any rectification, erasure, or restriction of processing to each recipient to whom personal data has been disclosed, unless this proves impossible or involves disproportionate effort.
  • Right to data portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance.
  • Right to object (Art. 21): You have the right to object to the processing of your personal data, including processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
  • Right not to be subject to automated decision-making (Art. 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. Our AI features provide advisory suggestions only and do not make automated decisions about you.

To exercise any of these rights, contact us at privacy@resumegenie.app. We will respond to your request within 30 days. You also have the right to lodge a complaint with your local data protection supervisory authority.

Your Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) provides you with the following rights:

  • Right to know: You have the right to request that we disclose what personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purposes for collecting it, and the categories of third parties with whom we share it.
  • Right to delete: You have the right to request that we delete the personal information we have collected about you, subject to certain exceptions.
  • Right to correct: You have the right to request that we correct inaccurate personal information we maintain about you.
  • Right to opt out of sale/sharing: We do not sell your personal information and do not share your personal information for cross-context behavioral advertising purposes.
  • Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

“Do Not Sell or Share My Personal Information” — We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. There is no need to submit an opt-out request because we do not engage in these practices.

To exercise your rights under CCPA/CPRA, contact us at privacy@resumegenie.app. We will verify your identity before processing your request.

Children's Privacy

The Service is not intended for, and is not directed at, anyone under the age of 16. We do not knowingly collect personal information from children under 16 years of age, in compliance with the Children's Online Privacy Protection Act (COPPA) and GDPR provisions regarding children's data.

If we become aware that we have inadvertently collected personal information from a child under 16, we will take steps to promptly delete that information from our systems. If you believe that a child under 16 has provided personal information to us, please contact us at privacy@resumegenie.app.

Data Breach Notification

In the event of a personal data breach, we will comply with applicable breach notification requirements:

  • Supervisory authority notification (GDPR Art. 33): We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of natural persons.
  • User notification (GDPR Art. 34): We will notify affected users without undue delay when a breach is likely to result in a high risk to their rights and freedoms.

Breach notifications will include: the nature of the personal data breach, the categories and approximate number of data subjects and records concerned, the likely consequences of the breach, and the measures taken or proposed to address the breach and mitigate its possible adverse effects.

Data Export

You may download your resumes as PDF files at any time using the Service's built-in export features. PDF export availability and frequency may be subject to rate limits based on your subscription tier.

For a complete machine-readable copy of all your personal data in JSON format (fulfilling GDPR Art. 20 data portability requirements), please contact us at privacy@resumegenie.app. We will provide your data export within 30 days of your verified request.

Policy Changes

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.

For material changes, we will notify you via email to the address associated with your account and/or by placing a prominent notice on the Service at least 30 days before the changes take effect. Material changes include any modifications that significantly affect how your personal data is collected, used, shared, or protected.

Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the updated terms. If you do not agree with the changes, you should discontinue use of the Service and delete your account. Previous versions of this policy are available upon request by contacting us at privacy@resumegenie.app.

Contact / Data Protection Officer

For any privacy-related inquiries, requests, or complaints, please contact us at:

Email: privacy@resumegenie.app

Mailing address: Available upon request via privacy@resumegenie.app

Under GDPR Article 37, the appointment of a Data Protection Officer (DPO) is not required for small businesses that do not process special categories of personal data at scale or carry out large-scale systematic monitoring of individuals. As a small business that processes only standard personal data for the purpose of resume creation, we are not required to appoint a DPO. Nonetheless, you may direct any data protection concerns to us at the contact details above, and we will address them promptly.

You have the right to lodge a complaint with a supervisory authority. For residents of the EEA, this is your local data protection authority. For residents of the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.

Effective Date

This Privacy Policy is effective as of March 1, 2026. Last updated: March 2026.
