Privacy Policy

Last updated: January 2026

1. Introduction

Beijing Xilin Technology Co., Ltd (“we,” “us,” or “our”) operates the ResumaryAi website and services (the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use the Service. We are committed to complying with applicable data protection laws, including the General Data Protection Regulation (GDPR) in the European Economic Area (EEA) and the United Kingdom (UK), and the California Consumer Privacy Act (CCPA) and similar laws in the United States where applicable.

By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.

2. Data Controller

The data controller responsible for your personal data in connection with the Service is:

3. What Data We Collect

We collect the following categories of personal data:

  • Account data: Email address, password (hashed), name, and profile information you provide when you register or update your account. We use Supabase for authentication and user management.
  • Resume and job application data: Resumes, cover letters, job descriptions (JDs) you paste or upload, optimized content, application tracking data (company name, position, status, dates, notes), and exported resume files (e.g. HTML stored in our cloud storage). This data is necessary to provide the Service.
  • Usage and technical data: Log data (e.g. IP address, browser type, pages visited, timestamps), device information, and analytics data. Our hosting and edge functions are provided by Vercel; they may collect and process such data as described in their privacy policy.
  • Payment data: Payments for paid subscriptions are processed by Paddle. We do not store your full payment card details. Paddle may collect billing name, email, address, and payment method information in accordance with their privacy policy.

4. How We Use Your Data

We use your personal data to:

  • Provide, operate, and improve the Service;
  • Authenticate you and manage your account;
  • Process and store your resumes, applications, and related content;
  • Power AI features (e.g. resume optimization, cover letter generation, interview preparation) by sending relevant content to our AI providers (see Section 5);
  • Send you transactional emails (e.g. password reset, subscription confirmations) and, with your consent where required, marketing or product updates;
  • Send interview reminders and preparation emails if you have enabled those features;
  • Comply with legal obligations, enforce our Terms of Service, and protect our rights and the rights of others;
  • Analyze usage to improve the Service and security (e.g. via Vercel and Supabase analytics).

5. Third-Party Services and AI Providers

We use the following third-party services. Each may collect or process personal data as described in their respective privacy policies:

  • Supabase (hosting: supabase.com): Authentication, database, and file storage. Your account data, resumes, applications, and exported files are stored on Supabase infrastructure. See Supabase Privacy Policy.
  • Vercel (hosting: vercel.com): Website and serverless/edge function hosting. Requests (including IP, URL, headers) may be logged. See Vercel Privacy Policy.
  • Paddle (payments: paddle.com): Payment processing for subscriptions. Paddle acts as a merchant of record and processes payment and billing data. See Paddle Privacy Policy.
  • AI providers: To power resume optimization, cover letter generation, interview preparation, and similar features, we send relevant text (e.g. your resume content, job descriptions) to AI service providers. Currently we use DeepSeek v3.2 via Tencent Cloud. We may add or change AI providers (e.g. other models or vendors) over time. Data sent to AI providers is processed according to their terms and privacy policies (e.g. Tencent Cloud). We select providers that commit to appropriate data handling; we do not use your data to train general-purpose AI models for purposes unrelated to providing the Service to you, except where you have agreed otherwise or as permitted by law.
  • Resend (email: resend.com): If we use Resend for sending emails (e.g. interview reminders), Resend processes email addresses and message content. See Resend’s privacy policy if applicable.

We enter into data processing agreements or rely on standard contractual clauses (SCCs) or other lawful transfer mechanisms where required (e.g. for transfers outside the EEA/UK).

6. Legal Basis for Processing (EEA/UK)

Where the GDPR or UK GDPR applies, we process your personal data on the following bases:

  • Contract: To perform our contract with you (e.g. providing the Service, managing your account, processing payments).
  • Legitimate interests: To operate and improve the Service, prevent fraud, ensure security, and communicate with you about the Service, where our interests are not overridden by your rights.
  • Consent: Where we ask for your consent (e.g. marketing emails, optional features). You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
  • Legal obligation: Where we must process data to comply with applicable law.

7. Data Retention

We retain your personal data only as long as necessary for the purposes set out in this Privacy Policy:

  • Account data: Until you delete your account or request deletion, plus a reasonable period for backup and legal compliance.
  • Resume and application data: Until you delete it or close your account. Exported resume files may be subject to storage limits (e.g. 20 files per user); we may delete the oldest files when the limit is exceeded.
  • Payment records: As required for accounting and tax (typically several years), in line with Paddle’s retention.
  • Logs and technical data: For a limited period (e.g. 30–90 days) unless longer retention is required for security or legal reasons.

After retention periods expire, we delete or anonymize your data where feasible.

8. Your Rights

If you are in the EEA or UK: You have the right to: access your personal data; rectify inaccurate data; request erasure (“right to be forgotten”); restrict processing; data portability; object to processing based on legitimate interests; withdraw consent; and lodge a complaint with a supervisory authority (e.g. in your country of residence). To exercise these rights, contact us at public@focustide.cn. We will respond within the timeframes required by applicable law (e.g. one month under GDPR).

If you are in California (CCPA/CPRA): You have the right to: know what personal information we collect and how it is used; request deletion of your personal information; correct inaccurate information; opt out of the “sale” or “sharing” of personal information—we do not sell your personal information as defined under the CCPA; and non-discrimination for exercising your rights. To exercise these rights, contact us at the email above. We may verify your identity before processing requests.

You may also manage your account (update profile, delete content) from within the Service where available.

9. International Transfers

Your data may be processed in the United States, the European Economic Area, and other countries where our service providers operate. When we transfer personal data from the EEA or UK to countries that are not recognized as providing an adequate level of data protection, we use appropriate safeguards, such as the EU Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement or UK Addendum, or other mechanisms approved by applicable law.

10. Security

We implement appropriate technical and organizational measures (e.g. encryption, access controls, secure hosting) to protect your personal data against unauthorized access, loss, or alteration. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

11. Cookies and Similar Technologies

We and our providers (e.g. Supabase, Vercel) may use cookies and similar technologies (e.g. local storage) to authenticate you, remember your preferences, and analyze usage. Essential cookies are necessary for the Service to function. You can control non-essential cookies through your browser settings. Blocking certain cookies may affect the functionality of the Service.

12. Children

The Service is not directed to individuals under 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from such individuals. If you believe we have collected data from a child, please contact us and we will delete it promptly.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will post the updated policy on this page and update the “Last updated” date. For material changes, we will provide additional notice (e.g. by email or a prominent notice in the Service) where required by law. Your continued use of the Service after the effective date of changes constitutes acceptance of the updated Privacy Policy.

14. Contact

For privacy-related questions, requests to exercise your rights, or complaints, please contact us:

If you are in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.