Privacy Policy - Resume Master
Effective Date: January 5, 2026
Last Updated: January 2, 2026
1. Controller Information
This privacy policy applies to the website resume-master.app and the services provided through it.
Data Controller:
Sidoroff UG (haftungsbeschränkt)
Klingenstraße 22 / E17
04229 Leipzig, Germany
Registered: Handelsregister Amtsgericht Leipzig, HRB 44764
Managing Director: Natalia Sidorova
Contact:
- Email: support@resume-master.app
- Website: https://resume-master.app
2. Scope and Legal Basis
This privacy policy describes how we collect, use, store, and protect your personal data when you use Resume Master services. We process your personal data in accordance with:
- EU General Data Protection Regulation (GDPR)
- German Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG)
- German Telemedia Act (Telemediengesetz - TMG)
3. Personal Data We Process
We process the following categories of personal data:
3.1 Account Information
Data collected: Name, email address, phone number (optional), password (encrypted)
Purpose: Account creation, authentication, service delivery, customer support
Legal basis: Performance of contract (GDPR Art. 6(1)(b))
Retention period: Duration of your subscription + 30 days after account deletion request
3.2 Resume Content and Career Data
Data collected: Work experience, education, skills, certifications, languages, personal information included in uploaded resumes (PDF or text format)
Purpose: AI-powered resume analysis, optimization, ATS compatibility checking, job matching, template application
Legal basis: Performance of contract (GDPR Art. 6(1)(b))
Retention period: Duration of your subscription + 30 days after deletion request
Special note: Resume data may contain employment-related personal data subject to additional protections under German BDSG § 26. We process this data solely to provide our resume optimization services as requested by you.
3.3 Payment Information
Data collected: Billing address, payment method details, transaction history
Purpose: Payment processing, invoicing, fraud prevention, tax compliance
Legal basis:
- Performance of contract (GDPR Art. 6(1)(b))
- Legal obligation (GDPR Art. 6(1)(c)) for tax and accounting records
Data processor: Stripe, Inc. (payments processed via Stripe)
Retention period:
- Active subscription data: Duration of subscription
- Tax/accounting records: 10 years (German tax law requirement - Abgabenordnung § 147)
Important: We do not store complete credit card numbers. Payment card data is handled by Stripe in compliance with PCI-DSS standards.
3.4 Usage Data and Analytics
Data collected: Pages viewed, features used, time spent on platform, resume creation activity, job searches, template selections, click patterns
Purpose: Service improvement, product development, user experience optimization, feature analytics
Legal basis: Legitimate interest (GDPR Art. 6(1)(f)) - improving service quality and user experience
Balancing test: Our legitimate interest in improving our service does not override your fundamental rights, as this data is used solely for internal analytics and does not involve profiling or automated decision-making affecting you.
Retention period: 13 months (analytics data)
3.5 Technical Data and Logs
Data collected: IP address, browser type and version, device information, operating system, referring URLs, access times, error logs
Purpose:
- Security and fraud prevention
- Technical troubleshooting
- Service performance monitoring
- Legal compliance
Legal basis:
- Legitimate interest (GDPR Art. 6(1)(f)) for security and technical operations
- Legal obligation (GDPR Art. 6(1)(c)) for security incident documentation
Retention period:
- Security logs: 90 days
- Analytics aggregation: 13 months (anonymized after 90 days)
3.6 Communication Data
Data collected: Email correspondence, support tickets, chat messages, feedback submissions
Purpose: Customer support, service improvement, issue resolution
Legal basis:
- Performance of contract (GDPR Art. 6(1)(b))
- Legitimate interest (GDPR Art. 6(1)(f)) for improving customer service
Retention period: 3 years after last communication
3.7 Marketing Data (Optional)
Data collected: Email address, communication preferences, newsletter subscription status
Purpose: Marketing communications, product updates, promotional offers (only if you opt in)
Legal basis: Consent (GDPR Art. 6(1)(a))
Retention period: Until you withdraw consent or 3 years of inactivity
Important: You can withdraw consent at any time by clicking "unsubscribe" in emails or contacting support@resume-master.app
4. Third-Party Service Providers (Data Processors)
We work with trusted service providers who process personal data on our behalf. All processors are contractually obligated to comply with GDPR through Data Processing Agreements (DPAs).
4.1 Payment Processing
Provider: Stripe, Inc.
Location: USA (with EU operations)
Data transferred: Payment information, billing address, transaction data
Purpose: Payment processing, fraud prevention
Safeguards: Standard Contractual Clauses (SCCs); Stripe is certified under the EU-U.S. Data Privacy Framework
Stripe Privacy Policy: https://stripe.com/privacy
4.2 Cloud Hosting and Infrastructure
Provider: Hetzner Online GmbH
Location: Germany (EU)
Data transferred: All platform data
Purpose: Application hosting, data storage, content delivery
Safeguards: EU-based provider, no international data transfer required
4.3 AI and Resume Analysis Services
Provider: Anthropic, OpenAI, Google (Gemini), Perplexity
Location: USA
Data transferred: Resume content, job descriptions
Purpose: AI-powered resume analysis, optimization suggestions
Safeguards: Standard Contractual Clauses (SCCs), Data Processing Agreements (DPAs) with each provider
Important: Resume data sent to AI providers is processed solely for analysis purposes and is not used to train AI models (as per our agreements with providers).
4.4 Email Communications
Provider: Resend, Inc.
Location: USA
Data transferred: Email addresses, message content
Purpose: Transactional emails, customer communications
Safeguards: Standard Contractual Clauses (SCCs)
5. International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA). When we transfer your personal data outside the EEA, we ensure appropriate safeguards are in place:
5.1 Transfers to USA
Safeguards used:
- Standard Contractual Clauses (SCCs) approved by EU Commission (2021/914)
- EU-U.S. Data Privacy Framework certification (where applicable)
- Binding Corporate Rules (where applicable)
Providers with USA transfers:
- Stripe, Inc. (payment processing) - EU-U.S. DPF certified + SCCs
- Anthropic, Inc. (AI services) - SCCs + DPA
- OpenAI, LLC (AI services) - SCCs + DPA
- Google LLC (Gemini AI services) - EU-U.S. DPF certified + SCCs
- Perplexity AI, Inc. (AI services) - SCCs + DPA
- Resend, Inc. (email services) - SCCs
- Google LLC (Google Analytics via Google Tag Manager) - EU-U.S. DPF certified + DPA
- Microsoft Corporation (Microsoft Clarity) - SCCs + DPA
5.2 Your Rights Regarding International Transfers
You have the right to:
- Obtain a copy of the safeguards we use (SCCs available upon request)
- Object to transfers if you believe safeguards are insufficient
To request copies: Email support@resume-master.app
6. Cookies and Tracking Technologies
We use cookies and similar technologies to provide and improve our services.
6.1 Essential Cookies (Always Active)
Purpose: Authentication, security, basic functionality
Legal basis: Legitimate interest (GDPR Art. 6(1)(f)) - necessary for service operation
Duration: Session or up to 1 year
Cannot be disabled: These cookies are necessary for the website to function
Examples:
- Session authentication tokens
- CSRF protection tokens
- Language preferences
- Cookie consent preferences
6.2 Analytics Cookies (Optional - Requires Consent)
Purpose: Understanding user behavior, improving service
Legal basis: Consent (GDPR Art. 6(1)(a))
Duration: Up to 24 months
Can be disabled: Yes, via cookie settings
Providers:
- Google Analytics (via Google Tag Manager)
- Microsoft Clarity
- IP anonymization enabled for both services
- Advertising features disabled
Google Analytics Privacy Policy: https://policies.google.com/privacy
Microsoft Clarity Privacy Policy: https://privacy.microsoft.com
6.3 Marketing Cookies (Optional - Requires Consent)
Purpose: Advertising attribution, retargeting
Legal basis: Consent (GDPR Art. 6(1)(a))
Duration: Up to 90 days
Can be disabled: Yes, via cookie settings
Providers:
- Facebook Pixel [if used]
- Google Ads conversion tracking [if used]
- LinkedIn Insight Tag [if used]
6.4 Managing Cookie Preferences
You can manage your cookie preferences at any time:
- Cookie Settings Panel: Click "Cookie Settings" in the footer
- Browser Settings: Configure your browser to block or delete cookies
- Opt-out Tools: Use browser extensions or opt-out services
Note: Disabling essential cookies may prevent you from using certain features.
7. Automated Decision-Making and AI Processing
7.1 AI Resume Analysis
Resume Master uses artificial intelligence to analyze and optimize your resume. This involves automated processing, but does not constitute automated decision-making with legal effects under GDPR Art. 22.
How it works:
- AI analyzes resume content for ATS compatibility
- Suggests improvements for keywords, formatting, structure
- Matches resume against job descriptions
- Provides skill gap analysis
Human oversight:
- You retain full control over whether to accept AI suggestions
- All changes require your manual approval
- No automated decisions are made about employment or opportunities
- AI provides recommendations only; you make final decisions
Transparency:
- AI uses natural language processing and machine learning models
- Analysis considers: keyword density, formatting structure, ATS compatibility patterns, industry standards
- No personal characteristics (age, gender, ethnicity) are used in analysis
7.2 Your Rights Regarding AI Processing
You have the right to:
- Receive human review of AI suggestions if you disagree
- Opt out of certain AI features (contact support@resume-master.app)
- Understand how AI decisions are made (information provided above)
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
8.1 Technical Measures
- Encryption in transit: TLS 1.3 for all data transmission
- Encryption at rest: AES-256 encryption for stored data
- Password security: Bcrypt hashing with salt for password storage
- Access controls: Role-based access control (RBAC) for internal systems
- Network security: Firewalls, intrusion detection, DDoS protection
- Secure development: Regular security audits, penetration testing [if applicable]
8.2 Organizational Measures
- Access limitation: Data access restricted to authorized personnel only
- Confidentiality agreements: All employees sign confidentiality agreements
- Training: Regular data protection training for staff
- Incident response: Documented procedures for data breach handling
- Vendor management: Data Processing Agreements with all processors
8.3 Data Security Disclaimer
While we use industry-standard security measures, no method of electronic storage or internet transmission is 100% secure. We cannot guarantee absolute security but commit to:
- Promptly notifying you of any data breach affecting your rights
- Taking immediate action to contain and remediate security incidents
- Cooperating with supervisory authorities as required
9. Data Retention and Deletion
9.1 Retention Principles
We retain personal data only as long as necessary for the purposes stated in this policy, unless a longer retention period is required by law.
9.2 Retention Periods Summary
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account data | Subscription duration + 30 days | Contract fulfillment |
| Resume content | Subscription duration + 30 days | Contract fulfillment |
| Payment records | 10 years | German tax law (AO § 147) |
| Support tickets | 3 years | Legitimate interest |
| Analytics data | 13 months (anonymized after 90 days) | Legitimate interest |
| Marketing consent | Until withdrawn or 3 years inactivity | Consent duration |
| Security logs | 90 days | Security/legal compliance |
9.3 Account Deletion
When you delete your account:
- Immediate deletion: Account access is immediately revoked
- 30-day grace period: Data retained for 30 days to allow recovery if deletion was accidental
- Permanent deletion: After 30 days, all personal data is permanently deleted
- Exceptions: Payment records retained for 10 years per German tax law
To delete your account:
- Log in → Settings → Account → Delete Account
- Or email: support@resume-master.app with subject "Account Deletion Request"
9.4 Data Deletion Verification
Upon request, we will provide confirmation of data deletion. Email support@resume-master.app.
10. Your Rights Under GDPR
As a data subject, you have the following rights:
10.1 Right of Access (Art. 15 GDPR)
You can request:
- Confirmation of whether we process your personal data
- Copy of your personal data
- Information about processing purposes, categories, recipients, retention periods
How to exercise: Email support@resume-master.app with subject "Data Access Request"
10.2 Right to Rectification (Art. 16 GDPR)
You can request correction of inaccurate or incomplete personal data.
How to exercise:
- Update directly in account settings
- Email support@resume-master.app
10.3 Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)
You can request deletion of your personal data when:
- Data no longer necessary for original purpose
- You withdraw consent (where processing based on consent)
- You object and no overriding legitimate grounds exist
- Data processed unlawfully
Exceptions: We may retain data if required by law (e.g., tax records)
How to exercise: Account settings or email support@resume-master.app
10.4 Right to Restriction of Processing (Art. 18 GDPR)
You can request we limit processing of your data when:
- You contest accuracy of data
- Processing is unlawful but you oppose deletion
- We no longer need data but you need it for legal claims
- You objected and verification of legitimate grounds is pending
How to exercise: Email support@resume-master.app
10.5 Right to Data Portability (Art. 20 GDPR)
You can request your data in a structured, commonly used, machine-readable format (JSON).
Applies to: Data provided by you and processed based on consent or contract
How to exercise:
10.6 Right to Object (Art. 21 GDPR)
You can object to processing based on legitimate interests (e.g., analytics, marketing).
How to exercise:
- Marketing: Click "unsubscribe" in emails
- Analytics: Disable cookies in cookie settings
- Other objections: Email support@resume-master.app
10.7 Right to Withdraw Consent
Where processing is based on consent, you can withdraw consent at any time without affecting lawfulness of processing before withdrawal.
How to exercise:
- Marketing emails: Click "unsubscribe"
- Cookies: Cookie settings panel
- Other: Email support@resume-master.app
10.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe we violate data protection laws.
Competent supervisory authority for Saxony, Germany:
Sächsischer Datenschutzbeauftragter
Devrientstraße 5
01067 Dresden, Germany
Phone: +49 351 85471-101
Fax: +49 351 85471-109
Email: saechsdsb@slt.sachsen.de
Website: https://www.saechsdsb.de
Note: You may also contact the supervisory authority in your EU country of residence.
10.9 Response Timeline
We will respond to your requests:
- Within 30 days of receiving your request
- Extension possible: Up to 60 additional days for complex requests (we will inform you)
- Free of charge for reasonable requests
- May charge fee for manifestly unfounded or excessive requests
11. Data Breach Notification
11.1 Our Obligations
If we become aware of a data breach that poses risks to your rights and freedoms, we will:
- Notify supervisory authority within 72 hours of becoming aware
- Notify affected users without undue delay if breach poses high risk
- Provide information about nature of breach, likely consequences, measures taken
11.2 What We Will Tell You
Breach notifications will include:
- Nature of the personal data breach
- Contact point for more information (support@resume-master.app)
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate harm
11.3 How We Will Notify You
- Email: To your registered email address
- Website notice: Prominent notice on resume-master.app
- Account notification: Alert in your dashboard
12. Children's Privacy
Resume Master is intended for users aged 16 and older. We do not knowingly collect personal data from children under 16.
If we become aware that we have collected data from a child under 16 without parental consent, we will take steps to delete that information promptly.
Parents/Guardians: If you believe your child has provided us with personal data, contact support@resume-master.app immediately.
13. Changes to This Privacy Policy
13.1 Updates
We may update this privacy policy from time to time to reflect:
- Changes in our data processing practices
- New legal requirements
- Improved data protection measures
13.2 Notification of Changes
Material changes (affecting your rights or data processing):
- Email notification to registered users
- Prominent notice on website
- 30 days' notice before changes take effect
Minor changes (clarifications, formatting):
- Updated "Last Updated" date
- Website publication only
13.3 Your Options
If you disagree with changes:
- You may object or delete your account before changes take effect
- Continued use after changes constitutes acceptance
Version history: Available upon request at support@resume-master.app
14. Contact Us
14.1 Privacy Inquiries
For questions about this privacy policy or our data practices:
Email: support@resume-master.app
Response time: Within 5 business days
14.2 Data Protection Requests
To exercise your GDPR rights:
Email: support@resume-master.app
Subject line: Include request type (e.g., "Data Access Request," "Deletion Request")
Include: Your registered email and account details for verification
14.3 General Support
Email: support@resume-master.app
15. Legal Framework References
This privacy policy complies with:
- EU General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679
- German Federal Data Protection Act (BDSG) - Bundesdatenschutzgesetz
- German Telemedia Act (TMG) - Telemediengesetz
- ePrivacy Directive - Directive 2002/58/EC
Document Information:
- Version: 1.0
- Effective Date: January 5, 2026
- Last Updated: January 2, 2026
- Language: English (German version available at /de/privacy)
- Jurisdiction: Germany, European Union
© 2025-2026 Sidoroff UG (haftungsbeschränkt). All rights reserved.