Resumate

Trust

Privacy Policy

Read how Resumate collects, uses, stores, shares, retains, and deletes personal data across the browser extension and related services.

Quick privacy highlights

Data categories

The published policy covers account information, technical and device data, user-provided content, and usage or diagnostics data.

Cookies and local storage

The published policy says the service uses a first-party session cookie and local storage for non-sensitive preferences, not third-party advertising cookies.

Processors named in the policy

The current policy names providers such as Google OAuth, Stripe, LLM providers, cloud hosting, and support or communication tools.

Export and deletion requests

The policy says users can request a machine-readable export or deletion by emailing contact@resumate.ca.

Full privacy policy

Effective date: July 21, 2025. Last updated: August 28, 2025.


Resumate ("Resumate," "we," "us," "our") provides a browser extension and related services that help users refine resumes and application materials (the "Service"). By installing, accessing, or using the Service, you acknowledge that you have read this Privacy Policy and consent to the practices described. If you do not agree, do not use the Service.

Important: This Privacy Policy describes our current practices in a transparent, plain-language way while leaving room for reasonable operational changes (for example, provider upgrades, regional failover, or security improvements). Some controls and configurations may vary over time as we evolve the Service. This Policy is not legal advice.


1) Data We Collect

1.1 Account & Identity

  • Full name
  • Email address
  • Google OAuth identifier (if you sign in with Google)

1.2 Technical & Device

  • IP address and approximate geolocation (city/region/country inferred from IP)
  • Browser, operating system, device type, and settings (e.g., language, time zone)
  • Extension version, app version, and basic diagnostics (e.g., crash/error signatures)

1.3 Content You Provide

  • Resumes, cover letters, job descriptions, notes, and other documents you upload or create
  • Metadata you add (tags, labels, preferences) and any prompts/instructions you enter

1.4 Usage & Diagnostics

  • Authentication events (login/logout timestamps, session state)
  • Generation events (resume/cover-letter generation history and job-fetch history)
  • Error and performance logs (extension/editor/backend) with timestamps and request IDs
  • UI state flags (e.g., dark-mode, last viewed tab) and non-sensitive local counters

Analytics: We do not currently embed third-party trackers or analytics SDKs. We may use privacy-preserving, first-party metrics and server-side logs to operate and secure the Service.


2) Cookies, Local Storage, and Similar Tech

  • Session Cookie (first-party): Maintains your authenticated session.
  • Local Storage (HTML5): Stores non-sensitive preferences (e.g., theme, last tab) and internal counters (e.g., generation totals).
  • We do not use third-party cookies for advertising or cross-site tracking.

You can block cookies, but the Service may not function correctly without the session cookie.


3) How We Use Data (Purposes & Legal Bases)

We use personal data to:

  • Provide, operate, maintain, and improve the Service (contract performance)
  • Generate outputs you request (resumes, cover letters) (contract performance)
  • Authenticate users and secure accounts (contract performance; legitimate interests)
  • Process payments and manage subscriptions (contract performance; legal obligations)
  • Detect, investigate, and prevent fraud, abuse, or security incidents (legitimate interests; legal obligations)
  • Diagnose and fix bugs; measure reliability and performance (legitimate interests)
  • Provide support (e.g., email/Discord) and handle feedback (contract performance; legitimate interests)
  • Enforce our Terms and comply with applicable laws (legal obligations)

Where required, we rely on your consent (e.g., optional features). You may withdraw consent at any time; this will not affect processing that has already occurred.


4) Data Sharing & Processors (No Sale of Personal Data)

We do not sell or rent personal data. We disclose data to service providers ("processors") that enable core functionality. The exact vendors and regions may change as we improve the Service.

| Recipient / Category | Purpose | Typical Data Shared |
|---|---|---|
| Google OAuth | Authentication | Name, email, OAuth ID |
| Stripe | Payments & subscriptions | Email, plan info, Stripe tokens; we do not store full card numbers |
| LLM Providers (e.g., OpenAI, Anthropic, Mistral; and local/on-prem models where available) | Text transformations you initiate | The resume content and/or job description you choose to submit |
| Cloud Hosting (AWS for application hosting; Google Cloud Firestore for database) | Compute, networking, storage | Data necessary to operate the Service |
| Logo/Metadata Enrichment (e.g., Clearbit / logo.dev or similar) | Company logo or branding | Company domain or name only |
| Support & Communications (email, Discord) | Support requests, notifications | Messages, email, username/handles you provide |

Each processor processes data under its own terms and privacy policies. By using the Service, you authorize us to transfer data to such processors as reasonably necessary to operate the Service.


5) Support Channels (Discord and Email)

If you choose to use Discord:

  • Your Discord username and messages may be visible to our team and, depending on channel, other community members.
  • Discord's Terms of Service and Privacy Policy govern your use of their platform.
  • We may retain relevant excerpts from support conversations to improve the Service and train support staff (not to train third-party models).
  • For private matters, use contact@resumate.ca instead of posting in public channels.

6) Job Posting Access, Scraping & Site Rules (Assumption of Risk)

At your direction, Resumate may access job postings on third-party sites to gather descriptions and requirements. While we implement rate limits and respectful access patterns, those sites may change their rules, block access, or introduce anti-bot measures at any time.

By using these features, you acknowledge and accept that:

  • Access to certain sites may be restricted, throttled, interrupted, or banned without notice.
  • Such restrictions may temporarily or permanently impact job-related features.
  • We do not control third-party sites and cannot guarantee uninterrupted access.
  • You are responsible for complying with third-party site terms and obtaining any necessary permissions.
  • We are not responsible for any resulting losses, delays, or missed opportunities.

7) Security Overview (Transport, Storage, Access Controls)

We design our security program to align with industry-standard practices, while allowing for reasonable evolution over time.

7.1 Transport Security

  • All client-server communications use HTTPS with TLS 1.2+.
  • Where applicable, we enforce HSTS and prefer cipher suites that support Perfect Forward Secrecy (as provided by our managed load balancers/CDNs).
  • WebSocket connections (if used) are established over WSS (TLS-secured).

7.2 Storage & Cloud Architecture

  • Application Hosting: AWS (generally in us-east-1 or a comparable U.S. region).
  • Primary Database: Google Cloud Firestore in a U.S. region (e.g., multi-region or regional deployment such as "us"/"nam5" - the exact setting may vary as we optimize reliability and latency).
  • Encryption at Rest: Cloud-provider managed encryption (e.g., AES-256) for disks and database storage.
  • Object Storage (if used for documents/previews): Stored with provider-managed encryption and access controls.

7.3 Access Controls & Segregation

  • Principle of Least Privilege: Access scoped to the minimum necessary roles.
  • Role-Based Access Control (RBAC) and service accounts separate user-level access from operational access.
  • Administrative Access: Limited to authorized personnel for support or incident response; access is logged and periodically reviewed.
  • API Authentication: Session cookies or short-lived tokens (e.g., JWT) protect endpoints; server-side checks validate permissions.

7.4 Secret Management & Hardening

  • Secrets (API keys, database credentials) are stored as environment variables and may be managed via cloud secret stores; we avoid hard-coding secrets.
  • Regular dependency updates and security patches are applied on a reasonable cadence.
  • Basic protections such as rate-limiting, input validation, and CSRF defenses are implemented where appropriate.

7.5 Firestore Security Posture

  • Firestore enforces provider-managed encryption at rest and TLS in transit.
  • Firestore Security Rules and IAM roles restrict read/write operations based on authenticated context.
  • Access from compute is scoped to service accounts with narrowly defined permissions.

7.6 Backups, Continuity, and Logging

  • We may maintain rolling, encrypted backups and system logs for continuity, restoration, and security review; specific retention windows can vary as we refine our operational needs.
  • Operational logs may include IP addresses, timestamps, request identifiers, and error traces; logs are access-controlled.

No system is 100% secure. You use the Service at your own risk, and you should keep your own copies of important documents.


8) User Responsibilities & Assumption of Risk

To help protect your data and the reliability of the Service, you agree to:

  • Keep your browser, OS, and the extension updated to the latest security versions.
  • Avoid uploading Sensitive Information (e.g., government ID numbers, full payment card data, health/medical records, highly confidential employer data). If you choose to upload sensitive content, you do so at your own risk and acknowledge we treat it as ordinary user content.
  • Ensure you have the legal right to upload any content and that your use complies with all applicable laws and third-party terms.
  • Refrain from attempting to bypass rate limits, access controls, or site rules when using job-site features.

9) Retention & Deletion

  • Account Data & Content: Retained while the account is active and for a reasonable period thereafter for operational, legal, and audit purposes.
  • Error/Access Logs: Typically retained up to ~90 days (or longer if needed for security/abuse investigations).
  • Backups: Rolling backups (if maintained) expire on schedules that may vary.

Export: Email contact@resumate.ca for a machine-readable export of your data.
Deletion: Email contact@resumate.ca to request deletion. We generally aim to delete primary records within 72 hours of verification, with some residual references in backups/logs expiring on their normal cycles. Legal holds override these timelines.


10) Payments

We use Stripe to process payments. We do not store full card numbers on our systems. Stripe provides us tokens and status updates necessary to manage your subscription. Stripe's processing is governed by its own terms and privacy policy.


11) Children's Privacy

The Service is not directed to children under 13, and we do not knowingly collect personal data from anyone under 13. If we learn that we have done so, we will delete that data and terminate the account. Users aged 13-17 may use the Service only with parental or guardian consent and are bound by this Policy.


12) International Transfers

We may process data in Canada and the United States (and, where necessary for redundancy or failover, in other regions with comparable protections). By using the Service, you consent to these transfers. Where required, we rely on appropriate transfer mechanisms (e.g., standard contractual clauses) and provider assurances.


13) Your Privacy Rights

Depending on your location (e.g., GDPR, CCPA/CPRA, PIPEDA), you may have rights to:

  • Access and portability (a copy of your data)
  • Rectification (correction of inaccuracies)
  • Erasure (deletion), subject to legal obligations
  • Restrict or object to certain processing
  • Withdraw consent where processing is based on consent
  • Lodge a complaint with a supervisory authority

To exercise rights, email contact@resumate.ca. We may request additional information to verify your identity and authority.


14) Automated Decision-Making & AI

We use large language models (LLMs) only to transform content you choose to submit (e.g., to rewrite bullet points). We do not use automated decision-making that produces legal or similarly significant effects about you. We instruct providers not to use your submitted content to train their public models to the extent contractual settings allow; however, each provider's terms and controls apply.


15) Third-Party Links & Integrations

The Service may contain links to third-party websites or integrations. We are not responsible for their content, privacy practices, or compliance. Review their terms and policies before using those sites or services.


16) Government, Legal Requests & Safety

We may preserve and disclose information if we believe it is reasonably necessary to comply with law, regulation, legal process, or governmental request; to protect the safety of any person; to address fraud, security, or technical issues; or to protect our rights or property. Where permitted, we will notify you of requests relating to your data.


17) Changes to This Policy

We may revise this Policy from time to time. Material changes will take effect upon posting and, where appropriate, we will notify you by email or in-app. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.


18) Contact

Resumate Privacy
contact@resumate.ca
