# Privacy Policy

**Effective date:** 2026-06-27
**Version:** 1.2

ResumeCallBack ("we", "our", "the Service") is an AI-powered career toolkit
operated as a sole-proprietor product. This Privacy Policy describes what we
collect, how we use it, who we share it with, and the controls you have.

---

## 1. What we collect

We collect only what's needed to operate the Service.

**Account information**
- Email address
- Name (if you provide one)
- Encrypted password (we never see your plaintext password)
- The plan you're on and Stripe customer ID (for billing)

**Career data you upload or enter**
- Resume content (text, PDF, or DOCX you upload — parsed to structured fields and stored on our servers)
- Job descriptions you save
- LinkedIn profile PDF (if you upload one to the LinkedIn Profile Enhancer — stored in private cloud storage scoped to your user ID; parsed to structured fields)
- Target roles you enter
- Gap-question answers you write
- Tailored resumes and other AI outputs we generate for you

**LinkedIn Visibility data (Pro and Power plans)**
- LinkedIn OAuth access token and refresh token (encrypted at rest; used only to publish posts on your behalf)
- LinkedIn member ID and display name (returned by LinkedIn at connection time)
- Post drafts, approved posts, scheduled posts, and post history you create or approve in the Visibility Assistant
- Engagement reminder schedules and completion status

**Usage data**
- Which AI actions you've run, when, and the number of credits consumed
- Estimated AI cost per call (for our internal accounting)
- Application status of jobs you track

**Technical data**
- Standard server logs (IP address, browser user-agent, request path) — used for security and debugging, retained for a limited window
- Vercel deployment logs
- Supabase database logs (for incident response)

We do **not** collect: payment card numbers (Stripe handles these directly),
biometric data, precise device location, or content from any service other
than what you explicitly upload.

---

## 2. How we use it

- **To deliver the Service** — store and process your resume, jobs, LinkedIn snapshot, target roles, etc. so the AI features can act on them.
- **To bill you** — Stripe processes payments; we record your plan and subscription status.
- **To improve reliability** — server logs, error monitoring, and debugging.
- **To communicate with you** — transactional emails about your account, password resets, payment receipts.

We do **not** sell your data, share it with advertisers, or use your resume /
LinkedIn / job content to train AI models. The AI providers we use (see §3)
operate under zero-data-retention agreements where available.

---

## 3. Third parties we share data with

We use a small number of trusted third-party services. Each receives only the
data necessary for its function:

| Provider | What they get | Why |
|---|---|---|
| **Supabase** (database + auth + storage) | All account + career data | Our primary backend |
| **Vercel** (hosting) | Server logs, request metadata | Web hosting + analytics |
| **Anthropic** (Claude API) | The specific text content of an AI request (e.g. your resume + a job description, at the moment you run an AI action) | AI generation. Operates under Anthropic's enterprise data-handling terms; no training on user data. |
| **Stripe** (billing) | Email, name, payment details | Subscription billing |
| **LinkedIn API** (OAuth 2.0 + UGC Posts) | OAuth tokens + post text you approve for publishing | Publishing posts to LinkedIn on your behalf (Pro/Power only). LinkedIn's own Privacy Policy applies to their platform. |
| **Resend / Supabase Mail** (email) | Email address + email contents | Transactional email (password resets, receipts, engagement reminders) |

We do not enable cross-service tracking pixels, advertising SDKs, or analytics
products that profile individual users. We may add lightweight,
privacy-preserving analytics (Vercel Analytics, PostHog) before public launch — if so,
this policy will be updated and the version bumped.

---

## 4. Where data is stored

- Primary data store: Supabase (PostgreSQL) hosted in their managed cloud (currently US region).
- File uploads (LinkedIn PDFs): Supabase Storage, in a private bucket scoped to your user ID.
- Hosting + execution: Vercel (multi-region for performance).
- AI inference: Anthropic (US-hosted endpoints).

If you're outside the US (especially EU / UK / Canada), this means your data
is transferred to and processed in the United States. By using the Service
you consent to this transfer. We're working toward adding region controls
prior to expanding into regulated markets.

---

## 5. How long we keep it

- **Account + career data**: kept for as long as your account is active. When you delete your account (via Settings → Danger Zone, or by emailing us), we wipe your Resume Vault, saved jobs, tailored resumes, LinkedIn data, posts, AI usage history, and credit balance immediately. Some backups may persist in encrypted form for up to 90 additional days before they roll off. Your email address is retained as a historical record so we can verify the deletion if you contact us again.
- **Server logs**: 30 days
- **Stripe records**: as long as required by tax / accounting law (typically 7 years)
- **Cancelled subscriptions**: your Resume Vault and saved jobs may be retained for a limited period before deletion. This window is currently disclosed in the EULA but not yet enforced in code — a cron job to actually purge data on subscription cancellation is on our pre-launch checklist.
- **LinkedIn Visibility data after subscription ends**: retained for **60 days** after your Pro or Power plan expires or is cancelled. After that window, all LinkedIn OAuth tokens, post history, scheduled posts, and engagement reminders are permanently deleted. A warning email is sent approximately 7 days before deletion.

---

## 6. Your rights

You can, at any time:

- **Access your data** — everything you've entered is visible in the app. You can also email us for an export.
- **Edit or delete content** — Resume Vault edits, individual job deletes, individual gap-answer deletes, LinkedIn snapshot replace, and post-strategist deletes are all in-app.
- **Delete your account** — self-service from Settings → Danger Zone. Type your email to confirm, click Delete forever. This immediately cancels any active subscription, wipes all your career data + LinkedIn data + AI usage history, and disables the account. Your email address is retained as a historical record and you will not be able to sign back in.
- **Cancel your subscription (without deleting your account)** — Settings → Danger Zone → Cancel subscription. Opens Stripe's billing portal. Your access continues until the end of your current billing cycle, then you drop to the free tier with no further charges. Your data is retained.
- **Object to processing / withdraw consent** — stop using the Service and your subscription stops. Use Delete your account above for immediate effect.
- **Request a copy of your data** — email us. We'll provide a machine-readable export within 30 days.
- **Lodge a complaint with a supervisory authority** — if you're in the EU / UK, you have this right under GDPR.

To exercise any right, contact us at the address in §10.

---

## 7. Children

The Service is not directed at children under 16. We don't knowingly collect
data from anyone under 16. If you believe we've collected such data, contact
us and we'll delete it.

---

## 8. Security

- All traffic between your browser and our servers is encrypted in transit (HTTPS / TLS 1.2+).
- Database content is encrypted at rest by Supabase.
- AI credit operations run with database-level access controls (Row-Level Security + service-role functions) so no user can grant themselves credits via the public API.
- Passwords are hashed and salted by Supabase Auth.
- We do not log passwords, raw resume content in production logs, or other sensitive content.

No system is perfectly secure. If we become aware of a breach affecting your
data, we will notify you within 72 hours where required by law.

---

## 9. Changes to this policy

We may update this policy from time to time. When changes are material we'll
bump the version number above and either email you or surface a notice in the
app. Continued use of the Service after a material update constitutes
acceptance of the revised policy.

---

## 10. Contact

Privacy inquiries, data export requests, and account deletion requests:

**Email:** resumecallback1001@gmail.com

We aim to respond within 5 business days.

---

*This policy is a working draft pending legal review. The behaviors described
above reflect how the Service currently operates as of the effective date.*

© ResumeCallBack · Veteran-owned