Privacy Policy

Last updated: May 2026

What we collect

When you create an account we store your email address, display name, phone number, and a hashed password (argon2id, we never store the plaintext). We also store a SHA-256 hash of each resume you upload, the extracted text from that resume, and the analysis results attached to your account.

We do not store the original resume file. The PDF or DOCX you upload is parsed in memory and the binary bytes are discarded the moment text extraction is complete.

How we use your data

  • To authenticate your sessions and keep your analyses private to your account.
  • To run ATS scoring, keyword analysis, and rule-based feedback, entirely with local, deterministic rules on our own servers. No resume text leaves our infrastructure for this step. If you never use the AI features, no third party ever sees your resume content.
  • To generate AI rewrites and suggestions, only when you explicitly tap those buttons. Before any text is sent to Google's AI service, we automatically redact email addresses, phone numbers, and URLs (including LinkedIn and GitHub links) and replace them with placeholders. We restore them only when displaying results back to you.
  • To send a one-time email verification code when you register.

How the AI features work, full disclosure

We use Google Gemma 4 (via Google AI Studio's free tier) for the two AI features in OptiResume: bullet rewrites and resume suggestions. Honest details so you can make an informed choice:

  • What we send: Snippets of your resume text and (where relevant) the job description you pasted, after we strip email addresses, phone numbers, and URLs.
  • What we do not strip: Names of people, schools, and companies. Detecting names automatically without an NLP dependency is unreliable, so we don't pretend to. The model is instructed not to address you by name in its output.
  • Free-tier reality: Google's free tier may use the prompts we send for service improvement, including model training. We are on the free tier because it lets us offer AI features to students at no cost. The redaction step means what Google could see is anonymized fragments, not your full identified resume, but we want you to know exactly what the trade-off is.
  • If you would rather not: Just don't use the "Improve weak bullets" or "Get AI suggestions" buttons. The ATS score, keyword analysis, formatting checks, and rule-based feedback are always available with no third party in the loop.

What we do NOT do

  • We do not sell, rent, or share your data with recruiters, employers, or data brokers.
  • We do not train our own AI models on your resume data, we don't train models at all.
  • We do not run advertising or install tracking pixels.
  • We do not store the original resume file after parsing.
  • We do not send any resume content to Google when you are only using the ATS score and rule-based feedback, those run entirely on our servers.

Third-party services

We use the following third-party services. Each operates under its own privacy policy:

  • Google AI Studio (Gemma 4), AI rewrite and suggestion generation. Only PII-redacted resume snippets are sent, and only when you explicitly trigger an AI feature. Free-tier prompts may be used by Google for service improvement. Google's privacy policy and AI Studio terms apply.
  • Neon Postgres, hosted database for account and analysis storage.
  • Fly.io, backend hosting. Your data is processed within Fly.io infrastructure.
  • Vercel, frontend hosting.
  • Resend, transactional email (verification codes only).

Data retention and deletion

Your account data, analyses, and resume text are retained for as long as your account is active. You can permanently delete your account and all associated data at any time from Settings → Danger zone. When you delete your account, all your resume text, analyses, and personal information are marked for deletion and will not be accessible.

Cookies and sessions

We use one HttpOnly, Secure, SameSite=Lax cookie to hold your refresh token, scoped only to the auth endpoint. We do not use advertising cookies or cross-site trackers. Access tokens are held in browser memory only and are not persisted to localStorage or IndexedDB.

For product analytics we use a privacy-friendly, cookieless service that counts aggregate usage (which pages are visited, whether a resume was analyzed) without cookies, without personal data, and without building a profile of you across the web. It cannot identify you individually.

Contact

Questions or requests? Reach us at hello@yashadake.com or via https://yashadake.com.