Privacy Policy

Effective June 15, 2026

This Privacy Policy is published in accordance with Rule 3(1) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and Rule 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), and is drafted with the Digital Personal Data Protection Act, 2023 ("DPDP Act") in mind for India, and the EU/UK GDPR for users in those jurisdictions. It explains how ResumeCraft ("ResumeCraft", "we", "us") — a SaaS service operated as a sole proprietorship by [[FILL: your full legal name as proprietor]] from [[FILL: operating address (city, state, India)]], India, and acting as a Data Fiduciary under the DPDP Act — collects, uses, shares, and protects personal data when you use our website at https://resumecraft.app and the ResumeCraft application.

By creating an account or using the service, you (the "Data Principal" / "you") consent to processing of your personal data as described here. You may withdraw consent at any time as set out below.

1. Personal data we collect

• Account data. Email address, name (optional), authentication identifiers, and OAuth tokens (Google) handled by our authentication provider. Passwords are stored as salted hashes, never plaintext.
• Resume content you upload or create. PDF/DOCX files, parsed text, the structured resume JSON, job descriptions you paste, optimized drafts, and ATS scores. This typically includes your name, contact details, work history, education, and skills. Some resumes may contain sensitive personal information (e.g., disability disclosure, identity documents) — please do not include data you do not want processed by AI providers.
• Payment and billing data. Subscriptions and credits are processed by Razorpay Software Private Limited ("Razorpay"), a Reserve Bank of India authorised Payment Aggregator. Razorpay collects card / UPI / netbanking details directly; we receive only transaction status, order id, payment id, amount, currency, billing country, and partial instrument metadata. We do not store full card numbers or CVV.
• Usage and device data. IP address, approximate location derived from IP (used for INR/USD currency detection), browser type, device identifiers, pages viewed, time-stamps, and error logs.
• Marketing attribution. Where you arrive on the app from our marketing site, we record the referring page and campaign parameters to understand acquisition.
• Cookies and similar technologies. Essential cookies for authentication and session; first-party analytics cookies for product usage. We do not use third-party advertising cookies. You may control cookies through your browser settings.

2. Purposes and legal basis for processing

Under DPDP Act §5–§7 we process personal data only for the following specific, lawful purposes, primarily on the legal basis of your consent (and, where relevant, "legitimate uses" under §7 such as performance of the service and compliance with law):

• Operating the core service: parsing, AI optimization, ATS scoring, version history, and export of resumes.
• Account creation, authentication, and security (fraud, abuse, and rate-limit enforcement).
• Processing payments, credits, subscriptions, refunds, and invoicing.
• Customer support and grievance redressal.
• Service improvement, aggregated analytics (no individual profiling for advertising).
• Compliance with applicable Indian law, court orders, and lawful requests by government authorities.
• Communications about your account, security, and service changes.

3. AI processing of your content

To tailor and score your resume, the text of your resume and any job description you paste are transmitted to third-party large-language-model (LLM) providers acting as our processors. We transmit only the minimum content needed for the optimization, over TLS, and rely on provider terms that prohibit training on submitted content where available. We do not train our own foundation models on your content. If you do not want a particular piece of information processed by an LLM, do not include it in the resume or job description you submit.

4. Sharing and disclosure

We do not sell, rent, or trade personal data. We share it only with the following categories of recipients, under written contracts that require equivalent protection:

• Authentication and database provider — for sign-in, account storage, and resume storage.
• Razorpay — payment processing (regulated by the Reserve Bank of India).
• LLM/AI providers — third-party inference endpoints for resume optimization and scoring.
• Hosting and CDN providers — to run and deliver the application.
• Email and customer-support tooling — for transactional and support emails.
• Government and law-enforcement authorities — only when required by valid order under Indian law, including §69 of the IT Act, 2000 or directions under the DPDP Act.

5. Cross-border transfers

Our processors and infrastructure operate globally; your personal data may be processed outside India (including in the United States and the European Economic Area). DPDP Act §16 permits cross-border transfer except to countries notified by the Central Government as restricted; we will not transfer data to any such notified country. For EU/UK users, transfers outside the EEA/UK rely on Standard Contractual Clauses or other lawful safeguards.

6. Retention and deletion

We retain your account and resume content while your account is active. Specific retention windows:

• Account profile: until you delete the account.
• Resumes and AI-generated drafts: until you delete them, subject to your active resume-slot limit.
• Payment records and invoices: retained up to 8 financial years as required by Indian tax and accounting law.
• Security and audit logs: up to 180 days under Rule 3 of the IT (Intermediary) Rules, 2021 and CERT-In Directions of April 2022.
• Aggregated analytics: indefinitely, in non-identifiable form.

On account deletion we erase personal data within 30 days, except records we are legally required to retain (e.g., financial and tax records), which we will isolate from active processing.

7. Security

We implement "reasonable security practices and procedures" within the meaning of §43A of the IT Act, 2000 and Rule 8 of the SPDI Rules, including: encryption in transit (TLS 1.2+), at-rest encryption of database and file storage, principle-of-least- privilege access controls, secret rotation, vulnerability patching, audit logging, and a written information security policy. No system is perfectly secure; in the event of a personal data breach we will notify the Data Protection Board of India and affected users in accordance with DPDP Act §8(6) and CERT-In Directions.

8. Your rights as a Data Principal

Subject to applicable law you have the following rights with respect to your personal data:

• Right to access a summary of your personal data and processing (DPDP Act §11).
• Right to correction and erasure of inaccurate or no-longer-required data (§12).
• Right to grievance redressal via the Grievance Officer named below (§13). Unresolved grievances may be escalated to the Data Protection Board of India.
• Right to nominate another person to exercise your rights in case of incapacity or death (§14).
• Right to withdraw consent at any time, with effect from withdrawal; processing already done remains lawful (§6(4)–(6)).
• Right to data portability and erasure for EU/UK users under GDPR Articles 17 & 20.

To exercise any right, write to dpo@resumecraft.app. We will respond within 30 days. Identity verification may be required.

9. Children

The service is intended for users aged 18 and above. Under DPDP Act §9, processing personal data of a child (under 18) requires verifiable parental or guardian consent and prohibits behavioural tracking or targeted advertising directed at children. We do not knowingly collect personal data of children. If you believe a child has provided us data, contact privacy@resumecraft.app for immediate deletion.

10. Grievance Officer (India)

As required by Rule 3(2) of the IT (Intermediary) Rules, 2021 and DPDP Act §10(2)(b):

• Name: [[FILL: your full legal name as proprietor]]
• Designation: Proprietor & Grievance Officer
• Email: grievance@resumecraft.app
• Phone: [[FILL: India phone with country code]]
• Postal: ResumeCraft, [[FILL: operating address (city, state, India)]]
• Hours: Monday–Friday, 10:00–18:00 IST (excluding public holidays)

We acknowledge complaints within 24 hours and resolve them within 15 days. If your complaint relates to content removal, we act on actual knowledge within the timelines prescribed by the IT Rules.

11. Changes to this policy

We may update this policy. Material changes will be notified by email or in-app notice at least 7 days before they take effect, and the "Effective" date above will be updated. Continued use after the effective date constitutes acceptance.

12. Contact

General privacy questions: privacy@resumecraft.app. Data-protection / rights requests: dpo@resumecraft.app. Grievances: grievance@resumecraft.app. See also our Terms of Service.