PRIVACY POLICY

1. WHO WE ARE

RetroResume ("we", "us", or "our") is an AI-powered resume building service. We act as the data controller for personal data collected through this website.

Data Controller: RetroResume
Contact for privacy matters: support@retroresume.app

This Privacy Policy applies to all users of the Service and complies with the General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA), as well as applicable data protection laws in other jurisdictions.

2. INFORMATION WE COLLECT

▍ Information You Provide Directly:

• ▶ Account information: name, email address, password (stored as bcrypt hash — never plain text)
• ▶ Resume content: work history, education, skills, projects, and other resume data you enter
• ▶ LinkedIn profile data (only if you connect LinkedIn — see section 5)
• ▶ Payment information (processed entirely by PayPal — we only store a payment confirmation ID)

▍ Information Collected Automatically:

• ▶ Usage data: pages visited, features used, time spent on the service
• ▶ Device information: browser type, operating system, anonymized IP address
• ▶ Cookies — see Section 7 for full details

▍ Information We Do NOT Collect:

• ▶ Payment card numbers or full payment details (handled entirely by PayPal)
• ▶ LinkedIn messages, connections, or private data beyond what you authorize
• ▶ Data from children under 16

3. LEGAL BASIS FOR PROCESSING (GDPR ART. 6)

For users in the EEA, we rely on the following legal bases:

• ▶ Performance of a contract (Art. 6(1)(b)): Processing your account data, resume content, and payment records to deliver the Service you signed up for.
• ▶ Consent (Art. 6(1)(a)): Analytics cookies (Google Analytics 4) are only set after you explicitly accept via the cookie banner. You may withdraw consent at any time.
• ▶ Consent (Art. 6(1)(a)): Sending your resume content to Anthropic's API for AI processing. By using AI features, you consent to this processing. You may opt out by not using AI features.
• ▶ Legitimate interests (Art. 6(1)(f)): Security monitoring, abuse prevention, and fraud detection. Our interests do not override your fundamental rights and freedoms.
• ▶ Legal obligation (Art. 6(1)(c)): Retaining payment records to comply with financial and tax regulations (up to 7 years).

4. HOW WE USE YOUR INFORMATION

We use your information to:

• ▶ Provide, maintain, and improve the Service
• ▶ Process payments and manage your account
• ▶ Send transactional emails (account creation, payment confirmations)
• ▶ Respond to support requests and enquiries
• ▶ Monitor for security threats and abuse
• ▶ Analyze usage patterns to improve the product (only with your cookie consent)
• ▶ Comply with legal obligations

5. THIRD-PARTY PROCESSORS & AI PROCESSING

When you use AI features (resume generation, enhancement, tailoring), your resume text is sent to Anthropic, Inc. for processing via their Claude API.

• ▶ We have a Data Processing Agreement (DPA) in place with Anthropic.
• ▶ Anthropic does not use API-submitted content to train models by default.
• ▶ We send only the minimum data necessary — no account identifiers beyond resume text.
• ▶ Anthropic's privacy policy: anthropic.com/privacy

▍ All third-party processors we use:

• ▶ Anthropic — AI content generation · Data transfer to US covered by Standard Contractual Clauses (SCCs)
• ▶ PayPal — payment processing · PayPal Privacy Policy
• ▶ LinkedIn — OAuth authentication (only if you connect your account) · LinkedIn Privacy Policy
• ▶ Railway — cloud hosting and infrastructure (servers in the US)
• ▶ Google Analytics 4 — usage analytics · only loaded with your consent · IP anonymization enabled

6. DATA RETENTION

We retain your data only as long as necessary:

• ▶ Account and resume data: retained while your account is active; deleted immediately upon account deletion.
• ▶ Payment confirmation ID: retained up to 7 years for financial and tax compliance.
• ▶ OAuth exchange codes: automatically expire after 60 seconds and are deleted on first use.
• ▶ Anonymized analytics data: may be retained indefinitely (no personal data included).

When you delete your account, all personal data (account info, all resumes, LinkedIn data) is deleted immediately and permanently. This action cannot be undone.

7. COOKIES & LOCAL STORAGE

We use two categories of cookies and browser storage:

▍ Essential (always active — no consent required):

• ▶ rr_token — authentication JWT for your session
• ▶ rr_auth — local auth state (stored in localStorage)
• ▶ rr_cookie_consent — your cookie preference (stored in localStorage)

▍ Analytics (require your explicit consent):

• ▶ Google Analytics 4 (_ga, _gid, etc.) — page views and feature usage. Loaded only after you click "Accept" on the cookie banner. All IP addresses are anonymized before being sent to Google.

You can withdraw analytics consent at any time by clearing your browser's localStorage (key: rr_cookie_consent) or by contacting us. Disabling essential storage will break authentication.

8. YOUR RIGHTS UNDER GDPR

EEA users have the following rights:

• ▶ Right of Access (Art. 15): Request a copy of your personal data. Use the "Download My Data" button in your profile, or email us.
• ▶ Right to Rectification (Art. 16): Correct inaccurate data — available directly in your Profile settings.
• ▶ Right to Erasure (Art. 17): Delete your account and all data via Profile → Delete Account. Immediate and permanent.
• ▶ Right to Data Portability (Art. 20): Download all your data as a JSON file via Profile → Download My Data.
• ▶ Right to Restriction (Art. 18): Request that we limit processing of your data while a dispute is resolved.
• ▶ Right to Object (Art. 21): Object to processing based on legitimate interests.
• ▶ Right to Withdraw Consent: Withdraw cookie consent or AI processing consent at any time without penalty.

To exercise any right, email us at support@retroresume.app with subject "Privacy Request — [type]". We will respond within 30 days.

If you believe we have violated your rights, you have the right to lodge a complaint with your national supervisory authority (e.g., ICO in the UK, CNIL in France, BfDI in Germany, or find your authority here).

9. INTERNATIONAL DATA TRANSFERS

Our infrastructure and AI provider are based in the United States. When personal data is transferred from the EEA to the US, we ensure appropriate safeguards are in place:

• ▶ Standard Contractual Clauses (SCCs) with Anthropic for AI processing
• ▶ PayPal complies with applicable EU–US data transfer mechanisms
• ▶ Google Analytics data is processed under Google's EU Data Processing Terms

10. DATA SECURITY

We implement industry-standard security: HTTPS/TLS encryption in transit, bcrypt-hashed passwords (cost factor 12), JWT authentication with version-based invalidation (all sessions invalidated on password change), HMAC-signed OAuth state parameters (timing-safe comparison), and rate limiting on all authentication endpoints. Despite these measures, no system is 100% secure. Use a strong, unique password and notify us immediately at support@retroresume.app if you suspect unauthorized access.

11. CHILDREN'S PRIVACY

The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal information from anyone under 16. If you become aware that a child under 16 has provided us personal data, please contact us at support@retroresume.app and we will delete it promptly.

12. CHANGES TO THIS POLICY

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify registered users of material changes via email or a prominent in-app notice at least 30 days before changes take effect. The "Last updated" date at the top of this page always reflects the most recent revision. Continued use of the Service after changes constitutes acceptance of the updated policy.

13. CONTACT & GDPR REQUESTS

For privacy questions, data access requests, or to exercise your GDPR rights:

Email: support@retroresume.app
Subject line: "Privacy Request — [type of request]"
Response time: Within 30 days