Privacy Policy

1. Who we are

ChatMyResume.ai (“ChatMyResume”, “we”) lets people create an AI chatbot that answers questions about their professional background. You can contact us about anything in this policy at privacy@chatmyresume.ai.

Two kinds of people use ChatMyResume, and this policy covers both: profile owners, who create an account and publish a chatbot, and visitors, who chat with someone’s chatbot. One thing to know up front: when you chat with a chatbot as a visitor, your conversation is stored and the profile owner can read it. Both we and that owner have access to what you write.

2. What we collect

If you are a profile owner:

• Account details: your email address, handle, and display name. Passwords and login links are managed by our authentication provider (Supabase); we never see your password.
• The profile content you add (summary, experience, education, Q&A, and so on), plus numerical representations of that content (“embeddings”) that we generate via OpenAI so your chatbot can answer questions.
• An optional profile photo, if you upload one. It is publicly visible on your chatbot page until you remove it.
• Your notification preferences.
• Account activity events (sign-up, login, logout, password reset), recorded with your email address, IP address, and browser details.

If you are a visitor chatting with a chatbot:

• Your chat messages and the AI’s replies, linked to a random session ID stored in your browser. Transcripts are kept and are visible to the profile owner whose chatbot you used.
• Activity logs containing your IP address, browser user agent, and event details — for chat events this includes the text of your messages.
• Your email address, if you choose to submit it through the contact form. It is stored in our logs and sent to the profile owner so they can reply to you.
• Rate-limiting records keyed by IP address, eligible for deletion after about one day and removed on a best-effort basis thereafter.

Cookies and local storage:

• Authentication cookies (Supabase) to keep profile owners signed in — strictly necessary.
• Random identifiers in your browser’s local storage so a conversation holds together and abuse can be detected — strictly necessary. These persist across visits (linking your conversations over time) until you clear your browser storage.
• A PostHog analytics cookie and local-storage entry used to measure how the product is used (see Section 4).

3. Why we use it (legal bases under GDPR)

• To provide the service (performance of a contract): running accounts and chatbots, generating replies, showing owners their conversations.
• Security and abuse prevention (legitimate interest): rate limiting, activity logging, fraud detection.
• Product analytics (legitimate interest, or consent where required): understanding how the product is used so we can improve it.
• Communications: notifying owners about activity on their chatbot (contract, controlled by their notification preferences), and passing a visitor’s email to the owner when the visitor submits it (consent).

4. Who processes your data

We use the following service providers (processors). Each processes data under a data processing agreement (DPA), linked per provider:

• Supabase — database and authentication (DPA).
• OpenAI — generates chat replies (GPT-4o) and content embeddings (DPA). Visitor messages and relevant profile content are sent to OpenAI for this purpose, and profile photos are screened by OpenAI’s moderation service at upload. Per OpenAI’s API terms, data submitted through its API is not used to train OpenAI’s models by default.
• Vercel — application hosting and aggregate, cookieless page analytics (DPA).
• Resend — delivers our email: sign-in and account emails, and notification emails to profile owners (DPA).
• PostHog (EU region, DPA) — product analytics: page views, clicks, and operational events such as sign-ins, profile updates, and when a chat message is sent and to which chatbot — never the message text or captured email addresses. Events include session identifiers, browser details, and your IP address (used to derive approximate location); for signed-in owners, also your user ID and email.

We do not sell personal information, and we do not share it for cross-context behavioral advertising.

5. How long we keep it

We have not yet adopted fixed retention periods: chat transcripts and activity logs are currently retained until deleted on request. Rate-limiting records become eligible for deletion after about one day and are removed on a best-effort basis. You can ask us to delete your data at any time (Section 7), and we will update this policy when we adopt fixed retention periods.

6. International transfers

Our service providers process data in the United States and the European Union. Where personal data of EU or UK residents is transferred to the United States, we rely on the safeguards our providers offer, such as Standard Contractual Clauses or certification under the EU–US Data Privacy Framework.

7. Your rights

If you are in the EU or UK (GDPR), you can request access to, correction of, deletion of, or a portable copy of your personal data, restrict or object to certain processing, and lodge a complaint with your supervisory authority.

If you are a California resident (CCPA/CPRA), you can ask what personal information we hold, request its deletion or correction, and you will not be discriminated against for exercising these rights. Because we do not sell or share personal information as defined by the CPRA, there is no sale or sharing to opt out of; if that ever changes we will update this policy, add an opt-out, and honor Global Privacy Control signals.

If you have an account, you can download a copy of your data — your account details, profile content, and the conversations your chatbot has had, as a machine-readable JSON file — from your Privacy Settings (in the account menu), or request it by emailing privacy@chatmyresume.ai from your account email address.

You can also delete your account from Privacy Settings (or request it by email). Your chatbot goes offline immediately, and after a 30-day grace period — during which you can sign in and restore the account — your profile content, embeddings, and sign-in are permanently removed. Chat transcripts are anonymized: the AI replies generated from your profile are erased, while visitors’ own questions are retained as anonymous usage records. Activity records are stripped of identifying details.

To exercise any other right — or to request deletion as a visitor — email privacy@chatmyresume.ai. We will verify your request — for owners, via the email address on your account; for visitors, we may ask for details like the chatbot you used and the approximate time of your conversation so we can locate your data.

8. AI-generated content

Replies from a chatbot are generated by an AI model (OpenAI’s GPT-4o) from the profile owner’s published content. They may be inaccurate or incomplete — verify anything important with the profile owner directly.

9. Children

ChatMyResume is not directed at children under 16, and we do not knowingly collect their personal data. If you believe a child has provided us personal data, contact us and we will delete it.

10. Changes to this policy

When we change this policy we will post the new version here with an updated effective date, and flag material changes to profile owners. Questions? Email privacy@chatmyresume.ai.