Last updated: May 31, 2026
1. Introduction
PrismResume (“PrismResume”, “we”, “us”, or “our”) operates the online resume builder at prismresume.com, which lets you write, store, and export resumes with AI-assisted polishing and rewriting, track job applications, and practice mock interviews. This Privacy Policy explains what personal data we collect, how and why we use it, who we share it with, how long we keep it, and the rights you have over it. It is written to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act as amended by the CPRA (collectively, “CCPA”).
This policy applies to the prismresume.com service and to the personal data we process as a controller. It does not cover third-party websites you may reach through links from our service.
2. Data Controller and International Transfers
We want to be transparent about where your data is handled: PrismResume is operated by an independent developer based in China, who is the data controller responsible for your personal data. Your account and resume data are stored and processed on cloud servers located in the United States. The exception is your payment data, which is handled by our payment provider, Creem (see Section 5). You can reach us about any privacy matter at [email protected].
If you access PrismResume from the European Economic Area (EEA), the United Kingdom, or other regions with data-transfer restrictions, your data is transferred to and stored in the United States. Where required, such transfers are carried out under appropriate safeguards, including Standard Contractual Clauses (SCCs) with the relevant processors, together with technical measures such as encryption in transit. By creating an account and using the service, you understand that your account and resume data are stored in the United States and processed as described here.
For any data-protection question, or to exercise your rights, contact us at [email protected].
3. Personal Data We Collect
We collect only the data needed to run the service. Most of it is data you actively provide; a small amount is generated automatically when you use the product.
- Account data: your email address, which is used to create your account and to sign you in (sign-in is by email verification code, with an optional password). If you set a password, we store only an irreversible bcrypt hash of it, never the password itself. If you choose to add a phone number to your profile, we store that too.
- Referral data: a personal invite code, and a record of who invited you, used to operate our referral rewards.
- Resume content: everything you enter into or import into a resume — for example your name, contact details (email, phone, social handles), education, work history, projects, skills, summaries, and any optional fields you fill in. Some of these fields can reveal information that certain jurisdictions treat as sensitive or “special category” data (for example details that reveal nationality, ethnicity, or political affiliation). You decide entirely what to include; we do not require any of it.
- Uploaded files: if you upload a profile photo / avatar, the image is stored on our servers and attached to your resume. If you import a resume from a PDF, the file is processed in memory only to extract its text and is not stored as a file; the extracted text then becomes part of your resume content.
- AI interaction content: the text you submit when you trigger an AI feature (polish, rewrite, summarize, translate, JD-based rewrite, JD diagnosis, or resume health check) and the suggestions returned to you. Because edits are saved into your resume, your AI-assisted results are retained as part of that resume. We also keep operational logs of AI usage (which feature and engine you used and how much quota it consumed) for billing, abuse-prevention, and capacity planning; these logs do not contain your resume text.
- Job-application tracking data: if you use the application tracker, the details you record — company, position, location, salary range, the job description and its URL, application channel, status history, interview notes, offer details, and your own ratings and notes.
- Mock-interview data: if you use AI mock interviews, the target role and job description you provide, the full transcript of questions and your answers, and the generated evaluation report.
- Sharing data: if you create a public share link for a resume, we store a snapshot of that resume so it can be viewed at the link until it expires or you delete it.
- Support and feedback data: the content of feedback or support messages you send us, plus any optional contact detail you include, and our reply.
- Blog comments: if you comment on our blog, your comment text and the email address associated with your account.
- Payment and order data: records of your orders and subscriptions — order number, the plan purchased, amount, currency, status, the provider’s transaction reference, and timestamps — together with your membership type and entitlement balances. Your card number, bank credentials, and payment passwords are handled by our payment provider and are not stored on our servers.
- Usage and device data: when you browse the site we record first-party analytics — pages viewed, key feature events, a randomly generated session ID, your browser’s user-agent string, and page-load timings. To understand roughly where our visitors are, we resolve your IP address to a country (and, for visitors in China, a province) at the moment of collection and store only that coarse location label. We do not store your raw IP address, and these analytics are not linked to your resume content. We also keep short-lived backend request logs (route, method, status, latency) to monitor service health.
4. How and Why We Use Your Data (Lawful Basis)
Under the GDPR we rely on the following lawful bases for each purpose:
- Performance of a contract (Art. 6(1)(b)): to create and authenticate your account; store, sync, and let you edit and export your resumes; run the AI features you request; operate the job-application tracker, mock interviews, and resume sharing; manage your membership and usage entitlements; and process the orders and subscriptions you purchase.
- Legitimate interests (Art. 6(1)(f)): to keep the service secure, detect and prevent fraud and abuse (including referral abuse and disposable-email sign-ups), debug and maintain reliability through short-lived request logs, respond to your support requests, and improve the product using first-party, coarse usage statistics. We balance these interests against your rights and use the least amount of data needed.
- Consent (Art. 6(1)(a)): where we ask for it explicitly — for example any future non-essential cookies or third-party integrations that require opt-in. You may withdraw consent at any time without affecting processing already carried out. (Our current first-party analytics run under legitimate interests above, with an opt-out.)
- Legal obligation (Art. 6(1)(c)): where we must keep certain records (for example transaction and tax records related to your purchases) to comply with applicable law.
We do not sell your personal data, we do not use your resume content for advertising, and we do not use your content to train AI models.
5. AI Processing and Third-Party Service Providers
When you trigger an AI feature, the relevant text from your resume (and, for some features, the job description you provided) is sent to a third-party AI processing provider, processed, and the result is returned to you. We send only the text involved in the specific AI action you trigger, and we instruct our AI providers not to use your content to train their models.
No automated decision-making about you. Our AI helps you write and improve your own materials. Some features give you feedback or a numeric score on your own resume or interview answers (for example a match estimate against a job description) — these are self-assessment aids for your benefit. You review and edit every AI suggestion and remain responsible for the final content. We do not use these outputs to make decisions about you, we do not share them with employers, and they do not produce legal or similarly significant effects about you within the meaning of Article 22 of the GDPR. See our Terms of Service for the full AI disclosure.
We rely on the following categories of service providers (processors / sub-processors) to deliver the service:
- Cloud infrastructure: hosting, storage, and database services located in the United States that store your account, resume, and related data.
- Third-party AI processing providers: compliant cloud-based language-model services that process the text you submit to AI features. We instruct them not to retain your content beyond what is needed to return a result, and not to train on it.
- Payment provider: Creem, which acts as our Merchant of Record. Creem hosts the checkout, collects and processes your payment details, charges your card, and handles applicable taxes; we receive only the resulting order and transaction records. Creem processes your data under its own privacy policy.
- Email delivery: the email-sending infrastructure we use to send verification codes and transactional account emails (such as support replies and expiry reminders).
- Analytics: our analytics are first-party and run on our own infrastructure; we do not embed third-party advertising or cross-site tracking analytics.
A current list of our sub-processors is available on request at [email protected].
6. Data Retention and Deletion
We keep different categories of data for different periods:
- Account, resume, application, interview, and share data: kept for as long as your account is active. If you delete a specific resume, share link, application, or interview, it is removed from our active systems.
- Exported PDF files: generated export files and their history are automatically deleted after 7 days.
- Raw analytics and logs: raw page-view records are deleted after 14 days, raw event records after 30 days, and backend request-latency logs after about 3 days. AI usage logs are kept for about 90 days. Beyond these windows we keep only day-level aggregate counts that do not identify you.
- Payment and order records: kept for as long as needed to provide the service and to meet our legal, accounting, and tax obligations.
If you close your account, we hard-delete your personal data, including from our backups, within 30 days, except where we must retain limited records (such as transaction records) to meet a legal obligation. To request account closure and deletion, email [email protected].
7. Data Security
We protect your data with measures appropriate to its sensitivity, including: passwords hashed irreversibly with bcrypt; all traffic served over HTTPS; least-privilege database access; idempotent, signature-verified handling of payment webhooks; and regular security review and dependency maintenance. No method of transmission or storage is completely secure, but we work to protect your data and to limit access to it.
8. Your Rights Under the GDPR
If you are in the EEA or the UK, you have the right to:
- Access and portability (Art. 15 & Art. 20): request a copy of the personal data we hold about you in a portable format, including your account data, resume content, AI-generated content saved to your resumes, job-application and interview records, payment records, and coarse usage logs. We respond within 30 days.
- Rectification (Art. 16): correct inaccurate data, which you can also do directly in the editor and your account settings.
- Erasure (Art. 17): request deletion of your personal data (“right to be forgotten”). We hard-delete, including from backups, within 30 days, subject to legal-retention exceptions.
- Restriction and objection (Art. 18 & Art. 21): restrict or object to certain processing, including processing based on our legitimate interests.
- Withdraw consent: where processing is based on consent, you can withdraw it at any time without affecting processing already carried out.
- Lodge a complaint: with your local supervisory authority (Data Protection Authority).
To exercise any of these rights — including closing your account and erasing your data — email [email protected] and we will action it. You can also delete individual resumes, share links, applications, and interviews yourself at any time from within the app.
9. Your Rights Under the CCPA (California Residents)
If you are a California resident, you have the right to:
- Know what categories of personal information we collect, the purposes for which we use it, and the categories of third parties with whom we share it (all described above).
- Access the specific pieces of personal information we have collected about you.
- Delete your personal information, subject to legal exceptions.
- Correct inaccurate personal information.
- Opt out of the “sale” or “sharing” of personal information. We do not sell or share your personal information as those terms are defined under the CCPA, and we do not knowingly process the data of consumers under 16 for such purposes.
- Non-discrimination: we will not discriminate against you for exercising any of these rights.
To exercise these rights, email [email protected]. You may use an authorized agent to submit a request on your behalf, and we will verify the request against the account information we hold.
10. Cookies and Anonymous Analytics
We classify the browser storage and cookies we use as follows:
- Essential (no consent required): we use localStorage to store your sign-in token (JWT) so you stay logged in, and sessionStorage for temporary session information. These are strictly necessary for the service to function.
- First-party analytics (opt-out): our own usage analytics are on by default to help us improve the product, and you can turn them off at any time using the control below. They set no advertising cookies. We do not use third-party advertising or cross-site tracking cookies. (For visitors in the EEA/UK we may add a consent prompt where required — see the note in our launch checklist.)
To understand which features are used most, we run our own first-party analytics: page views, key feature events, a randomly generated session ID, your browser’s user-agent, and a coarse country/region label derived from your IP at the moment of collection. We do not store your raw IP address, and we do not record your resume content, name, or phone number in analytics. You can opt out below at any time:
11. Children’s Privacy
PrismResume is intended for adults and is not directed to children. We do not knowingly collect personal data from children under 16. If you believe a child has provided us personal data, contact us and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in law or our practices. We will post the updated version on this page with a new “Last updated” date and, for material changes, notify you through in-app notice or other reasonable means.
13. Contact Us
For any privacy question, or to exercise your data-protection rights, contact us:
Email: [email protected]