Privacy Policy

1.1 Resume Text — Individual Analysis (Processed In Memory, Not Retained)

When you submit your resume for individual analysis, the text is processed in server memory for the duration of the request. It is not written to a database or log file. It is discarded after your response is returned. We do not retain, sell, license, or otherwise process your resume content beyond completing your immediate request, and we do not use resume content to train or improve any AI model.

Before your resume text is sent to our AI provider, our server automatically attempts to remove personally identifiable information (PII). This process targets:

• ·Names
• ·Email addresses
• ·Phone numbers
• ·Physical addresses and postal codes
• ·Social and professional profile URLs
• ·National identification numbers
• ·Dates of birth

Detected values are replaced with neutral placeholder tokens before any external service receives your text. This process is automated and best-effort — it catches the vast majority of common personal data formats but may not detect all personal information if your resume uses unusual formatting or embeds personal data in unexpected locations. By submitting your resume, you acknowledge this limitation. We recommend removing any sensitive information you are not comfortable transmitting before submitting.

1.2 Account Data and Email Addresses

Google Sign-In Users: When you sign in to the Service using your Google account, we store the following in our database to provide authenticated access:

• ·Your Google display name
• ·Your email address (stored encrypted; a one-way cryptographic hash is retained for lookup — your plain email address is never stored in any form)
• ·Your Google profile image URL
• ·Authentication credentials required to maintain your signed-in session
• ·Account creation date and timestamps

For users of the paid Recruiter tier, we additionally store a billing identifier for subscription management and the date and time you accepted our Terms of Service.

Account data is retained for the lifetime of your account. You may request deletion at any time by contacting privacy@resumeautopsy.com.

Waitlist Email: If you voluntarily submit your email address to join a waitlist for paid features, that address is stored using the same encryption as described above. We use a one-way cryptographic hash solely for duplicate detection. We will use your email only to send waitlist-related communications as described in our Terms of Service. You may request deletion at any time by contacting privacy@resumeautopsy.com.

1.3 IP Address Data

We store a one-way cryptographic hash of your IP address temporarily to protect the Service from abuse. Your original IP address is never stored in any form. Records are automatically and permanently deleted shortly after collection and are not linked to any other data about you.

1.4 B2B Candidate Ranking — Recruiter-Uploaded Resumes

When a recruiter uses the paid Candidate Ranking feature and uploads candidate resumes, the following applies:

• ·Resume text is extracted from uploaded files, processed to remove personal information in accordance with Section 1.1, encrypted, and temporarily retained while awaiting analysis.
• ·Once analysis is complete, the resume text is permanently deleted. Only the analysis results are retained.
• ·Analysis results are stored encrypted and associated with the recruiter's session until the session expires.
• ·Candidate file names (as uploaded by the recruiter) are stored encrypted for the session lifetime.

Recruiter responsibility: Recruiters who use the Candidate Ranking feature are responsible for ensuring they have a lawful basis to upload and process candidates' personal data under applicable law (including CCPA and equivalent legislation). By uploading candidate resumes, the recruiter represents that they hold the necessary rights to do so. Resume Autopsy acts as a data processor on the recruiter's behalf for candidate data; the recruiter is the data controller for that data.

Data Processing Agreement: Recruiters who require a formal Data Processing Agreement (DPA) for compliance purposes may request one by contacting privacy@resumeautopsy.com. We will respond within 5 business days.

1.5 Anonymous Usage Analytics

We use Google Analytics to collect anonymous, aggregated data about page views and user interactions. This data does not identify individual users and is not linked to any resume submission or email address. Google Analytics may set cookies on your device as described in Section 5.

3.1 AI Providers

To generate your analysis, your anonymized resume text is transmitted to one or more of the following AI providers. These providers do not receive your name, contact details, or any other personal information — only the anonymized content described in Section 1.1.

• ·OpenAI — openai.com
• ·Groq — groq.com
• ·NVIDIA — nvidia.com
• ·Google (Gemini API) — ai.google.dev
• ·Cerebras — cerebras.ai

3.2 Analytics

We use Google Analytics for anonymous usage measurement. No resume content or personal information is shared. Google processes analytics data per their privacy policy at policies.google.com/privacy.

3.3 Infrastructure and Operations

We use third-party providers for database storage, hosting, payment processing, and transactional email. These providers process only the data required for their specific function — for example, our payment processor handles billing data, and our email provider handles email delivery. None of these providers receive resume content or analysis results.

5.1 Essential Cookies

We use essential session cookies to maintain your authenticated state and enable access to the Service. These cookies do not track you and are required for the Service to function. They cannot be declined while using the Service.

5.2 Analytics Cookies (Non-Essential)

Google Analytics sets cookies for anonymous usage measurement. These are non-essential.

You may opt out of Google Analytics at any time using your browser's cookie controls or Google's opt-out add-on at tools.google.com/dlpage/gaoptout.

8.1 GDPR Rights (EU / EEA / UK)

Note: The Service is not currently available to residents of EU, EEA, or UK countries. Access is restricted at the network level. This section is provided for transparency and completeness.

If you are located in the EU or EEA, you have the following rights:

• ·Right of access — confirmation of whether we process your data and a copy of it.
• ·Right to rectification — correction of inaccurate personal data.
• ·Right to erasure — deletion of your personal data, subject to legal exceptions.
• ·Right to restriction — limiting processing in certain circumstances.
• ·Right to data portability — receiving your data in a structured, machine-readable format.
• ·Right to object — objecting to processing based on legitimate interests, including direct marketing.
• ·Right to withdraw consent — where processing is consent-based, you may withdraw at any time without affecting prior lawful processing.
• ·Right to lodge a complaint — with the supervisory authority in your EU member state or country of habitual residence.

We will respond to GDPR rights requests within one calendar month of receipt. This period may be extended by up to two additional months where necessary, with written notice to you before the initial month expires.

8.2 CCPA / CPRA Rights (California Residents)

California residents have the following rights under CCPA and CPRA:

• ·Right to know — categories and specific pieces of personal information collected, purposes of collection, and categories of third parties to whom information is disclosed.
• ·Right to delete — deletion of personal information we hold, subject to exceptions.
• ·Right to correct — correction of inaccurate personal information.
• ·Right to opt-out of sale or sharing — opt-out of sale or sharing for cross-context behavioral advertising.
• ·Right to non-discrimination — we will not discriminate against you for exercising these rights.

We do not sell or share personal information for cross-context behavioral advertising as defined under CCPA/CPRA.

Categories of personal information collected: Email addresses (account holders and waitlist subscribers, stored encrypted); IP address data (not individually identifiable, retained temporarily); anonymous analytics data (does not identify individuals); for the B2B Candidate Ranking service, encrypted analysis results and session metadata for recruiter-uploaded candidates. Raw resume text is not retained after analysis completes.

Third-party disclosures: Personal information is disclosed only to technology service providers (AI/LLM processors, database provider, analytics provider) for service provision purposes only, under service provider agreements.

To submit a CCPA/CPRA rights request, contact privacy@resumeautopsy.com. We will respond within 45 days of a verifiable request, with a possible 45-day extension upon notice.

8.3 Florida Residents (FIPA)

Florida residents have rights under the Florida Information Protection Act (Fla. Stat. § 501.171), including the right to timely notification of a data breach affecting their personal information as described in Section 6. If you believe your rights under Florida law have been violated, you may contact the Florida Attorney General's Consumer Protection Division.

If the Florida Digital Bill of Rights (Fla. Stat. § 501.701 et seq.) becomes applicable to our operations as the business scales, this policy will be updated to include all required FDBR disclosures and consumer rights.

8.4 LGPD Rights (Brazil)

If you are located in Brazil, you have the following rights under the LGPD (Law No. 13.709/2018):

• ·Right of confirmation and access — to confirm whether we process your personal data and to receive a copy.
• ·Right to correction — of incomplete, inaccurate, or outdated data.
• ·Right to anonymization, blocking, or deletion — of unnecessary, excessive, or non-compliant data.
• ·Right to portability — to receive your data in a structured format for transfer to another provider.
• ·Right to deletion — of data processed with your consent, except where retention is required by law.
• ·Right to information — about third parties with whom we have shared your data.
• ·Right to information about denying consent — and the consequences of doing so.
• ·Right to revoke consent — at any time, without affecting prior lawful processing.
• ·Right to petition the ANPD — regarding any violation of your rights under LGPD.

We will respond to LGPD rights requests within 15 days of receipt. An Encarregado (Data Protection Officer) will be designated as required by law as operations in Brazil scale.

9.1 Lawful Basis for Processing (GDPR)

We process personal data under the following lawful bases under GDPR Article 6:

• —Waitlist email storage and communication — Consent (Art. 6(1)(a)). You may withdraw consent at any time. Withdrawal does not affect the lawfulness of prior processing.
• —AI processing of your anonymized resume content — Performance of a contract / provision of the requested service (Art. 6(1)(b)).
• —Anonymous usage analytics — Legitimate interests in understanding how the Service is used (Art. 6(1)(f)), subject to your prior consent for cookie placement where required.
• —Hashed IP rate limiting — Legitimate interests in preventing abuse and maintaining service security (Art. 6(1)(f)).

9.2 Lawful Basis Under LGPD (Brazil, Art. 7)

For users located in Brazil, we process personal data under the following lawful bases:

• —Waitlist email storage — Consent of the data subject (Art. 7(I)).
• —AI processing of your anonymized resume content — Execution of a contract or preliminary procedures at the request of the data subject (Art. 7(V)).
• —Analytics and rate limiting — Legitimate interests of the controller, where such interests do not override the data subject's fundamental rights and freedoms (Art. 7(IX)).

9.3 International Data Transfers

Resume Autopsy is operated from the United States. Data transmitted to U.S.-based processors is listed at resumeautopsy.com/subprocessors. For Brazilian users, international data transfers are conducted in compliance with LGPD Articles 33–36. You may request information about the specific transfer mechanisms applicable to your data by contacting privacy@resumeautopsy.com.

9.4 Automated Decision-Making (GDPR Art. 22 / LGPD Art. 20)

Resume Autopsy uses large language models to generate a scored analysis of your submitted resume. This constitutes solely automated processing. The output is for informational and entertainment purposes only, is explicitly disclaimed as non-professional, and is not intended to produce legal or similarly significant effects on you.

If you have concerns about any automated analysis you received, you may contact privacy@resumeautopsy.com to discuss the output.