Privacy Policy

Last updated: January 2026

1. Introduction

Beijing Xilin Technology Co., Ltd ("we," "us," or "our") operates the ResumaryAI website and services (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use the Service. We are committed to complying with applicable data protection laws, including the General Data Protection Regulation (GDPR) in the European Economic Area (EEA) and the United Kingdom (UK), and the California Consumer Privacy Act (CCPA) and similar laws in the United States where applicable.

By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.

2. Data Controller

The data controller responsible for your personal data in connection with the Service is:

3. What Data We Collect

We collect the following categories of personal data:

  • Account data: Email address, password (hashed), name, phone number, location, timezone, current position, and other profile information you provide when you register or update your account (including via Settings). We use Supabase for authentication and user management.
  • Resume and job application data: Resumes, cover letters, job descriptions (JDs) you paste or upload, optimized content, application tracking data (company name, position, status, interview time and timezone, dates, notes), and exported resume files (e.g. HTML stored in our cloud storage). This data is necessary to provide the Service.
  • Usage and credits data: We track your credit balance and consumption (credits used per AI operation) to manage your subscription plan. Log data (e.g. IP address, browser type, pages visited, timestamps), device information, and analytics data are also collected. Our hosting and edge functions are provided by Vercel; they may collect and process such data as described in their privacy policy.
  • Payment data: Payments for paid subscriptions are processed by authorized third-party payment processors, depending on checkout availability and region. We do not store full payment card numbers. The applicable payment processor for your transaction is identified during checkout and in your receipt, and may collect billing name, email, billing address, tax/VAT information (where applicable), and payment method details in accordance with that processor's privacy policy and legal obligations.

4. How We Use Your Data

We use your personal data to:

  • Provide, operate, and improve the Service;
  • Authenticate you and manage your account;
  • Process and store your resumes, applications, and related content;
  • Power AI features (e.g. JD analysis, resume optimization, ATS scoring, cover letter generation, interview preparation, company research) by sending relevant content to our AI providers (see Section 5);
  • Track and enforce usage limits via a credits-based system (each AI operation consumes a defined number of credits; your credit balance resets monthly based on your subscription plan);
  • Send you transactional emails (e.g. password reset, subscription confirmations) and, with your consent where required, marketing or product updates;
  • Send interview reminders and AI-generated preparation emails if you have enabled those features, using your stored interview time and timezone;
  • Comply with legal obligations, enforce our Terms of Service, and protect our rights and the rights of others;
  • Analyze usage to improve the Service and security (e.g. via Vercel and Supabase analytics).

5. Third-Party Services and AI Providers

We use the following third-party services. Each may collect or process personal data as described in their respective privacy policies:

  • Supabase (hosting: supabase.com): Authentication, database, and file storage. Your account data, resumes, applications, and exported files are stored on Supabase infrastructure. See Supabase Privacy Policy.
  • Vercel (hosting: vercel.com): Website and serverless/edge function hosting. Requests (including IP, URL, headers) may be logged. See Vercel Privacy Policy.
  • Payment processors: Payment processing for subscriptions, fraud checks, charge handling, tax/VAT handling (where applicable), and billing operations. The processor used for your purchase is displayed at checkout and on your receipt, together with the relevant terms and privacy notice.
  • AI providers: To power resume optimization, cover letter generation, interview preparation, and similar features, we send relevant text (e.g. your resume content, job descriptions) to AI service providers. Currently we use DeepSeek v3.2 via Tencent Cloud. We may add or change AI providers (e.g. other models or vendors) over time. Data sent to AI providers is processed according to their terms and privacy policies (e.g. Tencent Cloud). We select providers that commit to appropriate data handling; we do not use your data to train general-purpose AI models for purposes unrelated to providing the Service to you, except where you have agreed otherwise or as permitted by law.
  • Resend (email: resend.com): We use Resend for sending transactional emails such as interview reminders and AI-generated preparation guides. Resend processes email addresses and message content. See Resend Privacy Policy.

We enter into data processing agreements or rely on standard contractual clauses (SCCs) or other lawful transfer mechanisms where required (e.g. for transfers outside the EEA/UK).

6. Legal Basis for Processing (EEA/UK)

Where the GDPR or UK GDPR applies, we process your personal data on the following bases:

  • Contract: To perform our contract with you (e.g. providing the Service, managing your account, processing payments).
  • Legitimate interests: To operate and improve the Service, prevent fraud, ensure security, and communicate with you about the Service, where our interests are not overridden by your rights.
  • Consent: Where we ask for your consent (e.g. marketing emails, optional features). You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
  • Legal obligation: Where we must process data to comply with applicable law.

7. Data Retention & Deletion

We retain your personal data only as long as necessary for the purposes set out in this Privacy Policy:

  • Account data: Until you delete your account or request deletion, plus a reasonable period for backup and legal compliance. You can delete your account at any time from the Settings > Privacy & Data page; this permanently removes your profile, resumes, applications, cover letters, and stored files.
  • Resume and application data: Until you delete it or close your account. You can delete individual resumes from the Settings page or all applications at once. Exported resume files may be subject to storage limits (e.g. 20 files per user); we may delete the oldest files when the limit is exceeded.
  • Credits and usage data: Credit balances and consumption history are maintained while your account is active and are deleted when you delete your account.
  • Payment records: As required for accounting, tax, anti-fraud, and legal compliance (typically several years). Retention periods may also be determined by the applicable payment processor and statutory obligations in relevant jurisdictions.
  • Logs and technical data: For a limited period (e.g. 30-90 days) unless longer retention is required for security or legal reasons.

After retention periods expire, we delete or anonymize your data where feasible.

8. Your Rights

Self-service data management: You can manage your data directly from within the Service: update your profile and personal information in Settings; delete individual resumes; delete all applications; and permanently delete your entire account and all associated data. These actions take effect immediately.

If you are in the EEA or UK: You have the right to: access your personal data; rectify inaccurate data; request erasure ("right to be forgotten"); restrict processing; data portability; object to processing based on legitimate interests; withdraw consent; and lodge a complaint with a supervisory authority (e.g. in your country of residence). To exercise these rights, you may use the self-service features above or contact us at help@resumaryai.com. We will respond within the timeframes required by applicable law (e.g. one month under GDPR).

If you are in California (CCPA/CPRA): You have the right to: know what personal information we collect and how it is used; request deletion of your personal information; correct inaccurate information; opt out of the "sale" or "sharing" of personal information - we do not sell your personal information as defined under the CCPA; and non-discrimination for exercising your rights. To exercise these rights, use the self-service features or contact us at the email above. We may verify your identity before processing requests.

9. International Transfers

Your data may be processed in the United States, the European Economic Area, and other countries where our service providers operate. When we transfer personal data from the EEA or UK to countries that are not recognized as providing an adequate level of data protection, we use appropriate safeguards, such as the EU Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement or UK Addendum, or other mechanisms approved by applicable law.

10. Security

We implement appropriate technical and organizational measures (e.g. encryption in transit and at rest, access controls, row-level security policies, secure hosting on Supabase and Vercel) to protect your personal data against unauthorized access, loss, or alteration. Account deletion uses a secure server-side process that removes all associated data across authentication, database, and storage layers. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

11. Cookies and Similar Technologies

We and our providers (e.g. Supabase, Vercel) may use cookies and similar technologies (e.g. local storage) to authenticate you, remember your preferences, and analyze usage. Essential cookies are necessary for the Service to function. You can control non-essential cookies through your browser settings. Blocking certain cookies may affect the functionality of the Service.

12. Children

The Service is not directed to individuals under 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from such individuals. If you believe we have collected data from a child, please contact us and we will delete it promptly.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will post the updated policy on this page and update the "Last updated" date. For material changes, we will provide additional notice (e.g. by email or a prominent notice in the Service) where required by law. Your continued use of the Service after the effective date of changes constitutes acceptance of the updated Privacy Policy.

14. Contact

For privacy-related questions, requests to exercise your rights, or complaints, please contact us:

If you are in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.