Privacy Policy

Effective Date: April 12, 2026

Last Updated: April 12, 2026

OneResume.ai ("OneResume," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our website at oneresume.ai and all related services (the "Service").

By using the Service, you consent to the data practices described in this policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Information You Provide Directly

  • Account Information: Name, email address, and authentication credentials when you create an account (via email/password, Google, or Apple sign-in)
  • Career Data: Resume content, work history, job titles, employers, skills, education, certifications, projects, and professional summary that you upload or enter into your Master Profile
  • Contact Information: Phone number, location, LinkedIn URL, and personal website as provided in your resume profile
  • Job Descriptions: Text of job postings you paste into the Service for tailoring and analysis
  • Payment Information: Billing details processed through Stripe (we do not store your full credit card number, CVV, or banking details on our servers)
  • Communications: Emails, support tickets, and feedback you send to us

1.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, actions taken, timestamps, session duration, and interaction patterns
  • Device Information: Browser type, operating system, device type, screen resolution, and language preferences
  • IP Address: Used for security, fraud prevention, and approximate geographic location
  • Cookies and Similar Technologies: See Section 7 below

1.3 Information from Third Parties

  • Authentication Providers: When you sign in with Google or Apple, we receive your name, email address, and profile photo (if available) as authorized by you through their OAuth consent flow
  • Payment Processor: Stripe provides us with transaction status, subscription state, and billing metadata (not full card details)

2. How We Use Your Information

We use your information for the following purposes:

Purpose | Legal Basis (GDPR)
Provide, maintain, and improve the Service | Contract performance
Generate AI-tailored resumes and cover letters | Contract performance
Calculate ATS scores and Match Scores | Contract performance
Process payments and manage subscriptions | Contract performance
Send transactional emails (account, billing, features) | Contract performance
Send marketing communications (with opt-out) | Consent / Legitimate interest
Detect fraud, abuse, and security threats | Legitimate interest
Analyze usage to improve features and UX | Legitimate interest
Comply with legal obligations | Legal obligation

3. AI Processing of Your Data

This section is especially important because the Service processes sensitive career data through AI systems.

  • How AI is used: Your career profile data and pasted job descriptions are sent to our AI provider (currently X.ai / Grok) to generate tailored resumes, cover letters, and professional summaries.
  • Data sent to AI: Only the career data and job description text needed for the specific operation is sent. We do not send your email, password, payment information, or unrelated personal data to AI providers.
  • AI training: We do not use your personal career data to train, fine-tune, or improve AI models. Your data is used solely for generating your individual output.
  • AI provider obligations: Our AI providers are contractually prohibited from using your data for model training. Data sent for inference is processed transiently and not retained by the AI provider beyond the request lifecycle.
  • ATS scoring: ATS compatibility scoring is performed algorithmically on our servers and does not involve sending your data to external AI providers.

4. How We Share Your Information

We do not sell, rent, or trade your personal information. We share your data only in the following limited circumstances:

4.1 Service Providers

We share data with third-party service providers who assist in operating the Service:

Provider | Purpose | Data Shared
Firebase (Google) | Authentication, database | Account info, career data
Stripe | Payment processing | Name, email, payment details
SendGrid (Twilio) | Email delivery | Name, email address
X.ai (Grok) | AI resume generation | Career data, job descriptions (transient)
Google Analytics | Usage analytics | Anonymized usage data, IP (truncated)

4.2 Legal Requirements

We may disclose your information if required by law, subpoena, court order, or government request, or if we believe disclosure is necessary to protect our rights, prevent fraud, or ensure the safety of our users.

4.3 Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via email or prominent notice on the Service before your information becomes subject to a different privacy policy.

5. Data Retention

  • Active accounts: We retain your data for as long as your account is active and as needed to provide the Service.
  • After account deletion: Upon account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law (e.g., tax records, fraud prevention) or for legitimate business purposes (e.g., resolving disputes).
  • Backups: Residual copies in encrypted backups may persist for up to 90 days before automatic purging.
  • Free score submissions: Email addresses submitted through our free ATS score tool are retained until you unsubscribe or request deletion.

6. Data Security

We implement industry-standard security measures to protect your data:

  • Data encrypted in transit (TLS 1.2+) and at rest
  • Firebase Security Rules restricting data access to authenticated users and their own data
  • Stripe PCI-DSS Level 1 compliance for payment processing
  • Regular security reviews and dependency updates
  • Access to production systems limited to essential personnel

While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

7. Cookies and Tracking Technologies

7.1 Types of Cookies We Use

  • Essential Cookies: Required for authentication, session management, and core functionality. Cannot be disabled.
  • Analytics Cookies: Help us understand how you use the Service (e.g., Google Analytics). Can be disabled via browser settings.
  • Advertising Cookies: Used for Google Ads conversion tracking. Can be disabled via browser settings or ad preferences.

7.2 Managing Cookies

Most browsers allow you to control cookies through their settings. Disabling essential cookies may prevent parts of the Service from functioning correctly. You can also opt out of Google Analytics using the Google Analytics Opt-Out Browser Add-on.

8. Your Rights

8.1 All Users

Regardless of your location, you may:

  • Access your personal data stored in your profile and account settings
  • Correct inaccurate data through your profile editor
  • Delete your account and data through account settings or by contacting support
  • Export your resume data in PDF or DOCX format
  • Opt out of marketing emails via the unsubscribe link in any email

8.2 European Economic Area (GDPR)

If you are in the EEA, you also have the right to:

  • Restrict processing of your personal data in certain circumstances
  • Object to processing based on legitimate interest
  • Data portability — receive your data in a structured, machine-readable format
  • Withdraw consent at any time for consent-based processing
  • Lodge a complaint with your local data protection authority

8.3 California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose
  • Delete your personal information, subject to legal exceptions
  • Opt out of sale or sharing. We do not sell or share your personal information for cross-context behavioral advertising
  • Non-discrimination. We will not discriminate against you for exercising your rights

To exercise any of these rights, contact us at support@oneresume.ai. We will respond within 30 days (or within the timeframe required by applicable law).

9. International Data Transfers

The Service is operated from the United States. If you are accessing the Service from outside the U.S., your data will be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) and our service providers' compliance frameworks (e.g., Google's and Stripe's data processing agreements) to ensure adequate protection for international transfers.

10. Children's Privacy

The Service is not directed to children under 16 years of age. We do not knowingly collect personal information from children under 16. If we learn that we have collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at support@oneresume.ai.

11. Do Not Track

Some browsers transmit "Do Not Track" (DNT) signals. We currently do not respond to DNT signals because there is no industry-standard protocol for compliance. We will update this policy if a standard is adopted.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a prominent notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Contact Us

For questions, concerns, or requests related to this Privacy Policy or your personal data, contact us at:

For GDPR-related inquiries, you may also contact our designated data protection contact at the email above with the subject line "GDPR Request."