Privacy Policy

Effective date: April 6, 2026

Data Controller: Resumind — [Company legal name, registered address and VAT to be inserted before publishing] · privacy@resumind.app

1. What data we collect

When you use Resumind we collect and store:

  • Account details: name, email address, and password (stored only as a bcrypt hash — never in plain text)
  • CV content: personal details, work history, education, skills, projects, certifications, and any custom sections you add
  • Job applications: role titles, company names, job descriptions, statuses, and notes
  • Cover letters you create inside the app
  • An optional profile photo stored in our file storage
  • ATS quality scores generated automatically from your CV (see Section 10 — Automated processing)
  • Server access logs: IP address, timestamp, and request type, kept for security and diagnostic purposes

Providing your name, email address, and CV content is required to use the service. The profile photo is optional — you can use Resumind without uploading one.

2. Why we collect it and the legal basis

We process your personal data under the following legal bases (GDPR Art. 6):

Processing activity | Legal basis
Account creation and authentication | Art. 6(1)(b) — performance of a contract
Storing and managing your CVs, applications, and cover letters | Art. 6(1)(b) — performance of a contract
Billing and payment processing via Stripe | Art. 6(1)(b) — performance of a contract
AI-assisted CV suggestions (Anthropic Claude) | Art. 6(1)(a) — your consent, given by affirmatively choosing to use an AI feature
Optional profile photo | Art. 6(1)(a) — your consent, given when you upload the photo
Security logging and fraud prevention | Art. 6(1)(f) — our legitimate interest in operating a secure service
ATS scoring (automated CV profiling) | Art. 6(1)(b) — performance of a contract; see Section 10

We do not sell your data to third parties.

3. Third-party processors

To deliver the service we share personal data with the following processors, each contracted under a GDPR Art. 28 Data Processing Agreement.

3.1 Anthropic (Claude AI)

AI features are powered by Anthropic PBC (United States). When you choose to use an AI feature, the relevant CV content — which may include personal data — is transmitted to Anthropic’s API. Anthropic states that API-submitted data is not used to train their models. Transfers to the US are covered by Standard Contractual Clauses (Art. 46(2)(c) GDPR). We have conducted a Transfer Impact Assessment and confirmed that supplementary measures (API data minimisation and contractual non-training commitment) are in place.

3.2 Stripe (Payments)

Payment processing is handled by Stripe Inc. (United States) and Stripe Payments Europe Ltd (Ireland). When you subscribe to a paid plan, Stripe processes your billing name, email address, and payment card details. We do not store card numbers on our servers. Stripe is PCI DSS Level 1 certified. US transfers are covered by Standard Contractual Clauses and Stripe’s Binding Corporate Rules. See Stripe’s Privacy Policy at stripe.com/privacy.

3.3 Hosting and storage infrastructure

Your data is stored in PostgreSQL databases and S3-compatible file storage hosted by [Infrastructure Provider — to be named before publishing], located in [country/region]. Transfers outside the EU/EEA, if any, are covered by Standard Contractual Clauses and a Transfer Impact Assessment. Passwords are hashed with bcrypt. Data in transit is encrypted via HTTPS (TLS 1.2+). Storage-at-rest encryption is provided at the infrastructure level.

4. Authentication and browser storage

Your authentication token (JWT) is stored in your browser’s localStorage and expires after a period of inactivity. We protect against cross-site scripting (XSS) attacks through a strict Content Security Policy. You should log out when using shared or public devices. Your AI preferences (tone and writing style) are also stored in localStorage on your device and are not transmitted to our servers independently.

5. Data retention

We keep personal data only for as long as necessary:

Data type | Retention period
Account data, CVs, applications, cover letters | Duration of your account. If inactive for 24 consecutive months we will email you and delete the account and all associated data 30 days later, unless you log in again.
Profile photo | Until you remove it or delete your account
Server access logs | 90 days
Backup copies | Up to 30 days after account deletion, then purged in the normal backup rotation cycle
Payment records | 10 years, as required by applicable fiscal law

If you delete your account manually, your CVs, applications, cover letters, and profile data are permanently removed immediately. Backup copies are purged on the schedule above.

6. Your rights (GDPR)

If you are in the EU or EEA you have the following rights:

  • Right of access (Art. 15) — Download your personal data from Settings → Export My Data (machine-readable JSON).
  • Right to rectification (Art. 16) — Update your information directly in the app at any time.
  • Right to erasure (Art. 17) — Delete your account and all related data from Settings → Delete Account.
  • Right to data portability (Art. 20) — Your export is provided in JSON format, processable by automated systems.
  • Right to object (Art. 21) — Object to processing based on legitimate interests (e.g. security logging) by contacting us.
  • Right to restriction of processing (Art. 18) — Request that we restrict processing of your data in the circumstances defined by Art. 18.
  • Right to withdraw consent (Art. 7(3)) — Where we rely on consent (AI features, profile photo), you may withdraw it at any time without affecting the lawfulness of prior processing. To withdraw consent for AI features, stop using them and contact us; to withdraw consent for your profile photo, delete it from Settings.
  • Rights related to automated decision-making (Art. 22) — See Section 10.

To exercise any right, contact us at privacy@resumind.app.

We will respond within 30 days (extendable by a further two months for complex requests, with notice to you).

Right to lodge a complaint

You have the right to lodge a complaint with your national data protection supervisory authority at any time. In Italy:

Garante per la protezione dei dati personali

Piazza Venezia 11, 00187 Roma

www.garanteprivacy.it · garante@gpdp.it

7. Data Protection Officer

Resumind is not required to appoint a Data Protection Officer under GDPR Art. 37, as it does not carry out large-scale systematic processing of special categories of data or systematic monitoring of individuals. For all privacy matters contact us directly at privacy@resumind.app.

8. Cookies and local storage

We do not use third-party analytics or advertising cookies. The only browser storage we use is:

  • localStorage (authentication token): A JWT to keep you logged in. Cleared on logout.
  • localStorage (AI preferences): Your preferred tone and writing style for AI features. Stored locally on your device only.

No cookie consent banner is required as we do not use non-essential cookies.

9. Data minimisation and security

We collect only the data necessary to provide the service (Art. 5(1)(c) GDPR). When sending data to Anthropic for AI processing, we transmit only the specific CV sections relevant to your request — not your entire account. Security measures include: bcrypt password hashing, HTTPS/TLS encryption in transit, infrastructure-level encryption at rest, access controls limiting staff access to personal data, and Content Security Policy headers.

10. Automated processing and ATS scoring

Resumind automatically analyses your CV to generate an ATS (Applicant Tracking System) quality score. This involves automated profiling of your CV’s structure, keywords, and formatting against common ATS criteria.

What this means for you: The score is a guidance tool visible only to you. It is not shared with employers or third parties and does not produce legal or similarly significant effects within the meaning of Art. 22(1) GDPR. Accordingly, Art. 22 mandatory safeguards do not apply, but we disclose this processing in the interest of full transparency.

Logic used: The score is calculated by heuristic rules that check for completeness of sections, keyword density, formatting conventions, and CV length. No external data about you is used.

Contact us at privacy@resumind.app if you have questions about how your score is calculated or wish to object to this processing.

11. Changes to this policy

We will notify you by email if we make material changes to this policy. The date of the last update is shown at the top of this page.

12. Contact

For privacy questions, to exercise your rights, or to withdraw consent: privacy@resumind.app