Privacy Policy

Last Updated: 23 May 2026

1. Data Controller and DPO

The Data Controller is Aliaksei Fezhanka, sole trader (jednoosobowa działalność gospodarcza) registered in CEIDG (Poland), trading as FZHNK.

2. What Data We Collect

When you upload your resume, we process the text extracted from the document, which may include your name, contact details, work history, and education. Special Category Data: Your resume may contain sensitive personal data (e.g., information about your health, racial or ethnic origin, or religious beliefs) which you voluntarily provide. We process this data solely to provide our resume rewriting service, based on your explicit consent under GDPR Article 9(2)(a).

For paid plans, we also process billing-related data (email, billing address, subscription identifiers). Payment card data is processed exclusively by our payment processor, Stripe (see Section 4), and never reaches our servers.

3. Why We Process Your Data

We process your data to:

  • Extract text from your resume.
  • Score your resume against applicant tracking system (ATS) criteria.
  • Generate AI-rewritten resume content using large language models.
  • Render a final PDF for you to download.
  • Process subscription payments and issue refunds via our payment processor, Stripe.
  • Comply with our legal obligations (tax records, accounting, fraud prevention).

4. Who We Share Your Data With (Subprocessors)

We use the following third-party vendors to provide our services. We have Data Processing Agreements (DPAs) in place with each:

  • Google Cloud Platform (GCP) — Backend hosting, database, and AI models (Vertex AI / Anthropic Claude). Processing occurs in the europe-west1 / europe-west4 regions.
  • Vercel Inc. — Frontend application hosting.
  • Firebase (Google LLC) — Authentication and real-time status mirroring.
  • Stripe Payments Europe Ltd — Payment processor for subscription billing and card data. Registered address: 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland. See Stripe's Privacy Policy for details.
  • Anthropic, PBC — LLM provider accessed via Vertex AI; no training on your data.
  • PostHog Inc. — Two distinct processing activities: (1) Product analytics: pseudonymous account identifiers and feature-usage events (e.g., pdf_downloaded, pro_gate_hit) — no resume content. (2) AI quality monitoring: for users on paid plans, approximately 10% of AI resume-optimisation calls are sampled; for each sampled call, up to 4 KB of the input prompt (which may contain resume text) and up to 4 KB of the AI output are captured as structured event properties ($ai_input, $ai_output_choices) to allow us to detect model regressions and cliché overuse. Legal basis: legitimate interest in maintaining AI output quality, balanced against data minimisation (4 KB truncation and ~10% sampling rate). Data is stored on PostHog Cloud EU (Frankfurt, Germany). Your right to erasure: deleting your account triggers automatic erasure of your PostHog person record and all associated events.
  • Jina AI GmbH — Semantic re-ranking and reader API used to extract and prioritise relevant resume sections. Processes resume text snippets for the duration of the request. No training on your data.

5. International Transfers

Some subprocessors are located outside the European Economic Area (EEA). Where applicable, transfers are protected by the European Commission's Standard Contractual Clauses (SCCs) and supplementary technical measures (encryption in transit and at rest).

6. Data Retention

Your uploaded resumes and generated outputs are stored to allow you to download them and to power features such as resume history. Billing records are retained for 5 years to comply with Polish accounting law. You can delete your account at any time via the settings page, which triggers an immediate cascade deletion across our database, storage buckets, and authentication provider.

7. Your GDPR Rights

Under the GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data (Right to be Forgotten).
  • Restrict our processing of your data (Article 18).
  • Data portability (export your data in a structured format).
  • Withdraw your consent at any time.
  • Lodge a complaint with the Polish Data Protection Authority (UODO, uodo.gov.pl).

To exercise your right to deletion or data portability, use the self-serve tools on your Settings page (account deletion and data export are available there). For all other rights or if you need assistance, contact our DPO at dpo@resumator.works.

8. Changes to This Policy

We may update this policy. Material changes will be notified by email or in-product notice at least 14 days before taking effect.