GDPR & EU Compliance
How ResumePlusAI protects your personal data and complies with the General Data Protection Regulation and EU privacy standards.
Last updated: April 20, 2026
1. Overview
Our commitment to data protection
ResumePlusAI ("we," "our," or "us") is committed to protecting the privacy and personal data of all users, particularly those located in the European Union (EU) and the European Economic Area (EEA). This page explains how we comply with the General Data Protection Regulation (GDPR) โ Regulation (EU) 2016/679, the ePrivacy Directive (2002/58/EC), and other applicable EU data protection laws.
We believe in transparency, data minimization, and purpose limitation. We only collect data that is strictly necessary to provide our services โ building and optimizing resumes using AI โ and we never sell your personal information to third parties.
Important: This page supplements our Privacy Policy and Terms of Service. In the event of any conflict, this GDPR-specific page takes precedence for EU/EEA users.
2. Data Controller
Who is responsible for your data
Under Article 4(7) of the GDPR, ResumePlusAI acts as the data controller for all personal data collected through our platform. This means we determine the purposes and means of processing your personal data.
Controller Details:
- Entity: ResumePlusAI
- Email: [email protected]
- Website: resumeplusai.com
3. Legal Basis for Processing
Under GDPR Article 6(1)
We process personal data only when we have a valid legal basis under Article 6(1) GDPR:
Consent โ Art. 6(1)(a)
When you voluntarily upload your resume or provide personal details for AI-enhanced resume building. You can withdraw consent at any time.
Contractual Necessity โ Art. 6(1)(b)
Processing necessary to deliver the services you requested โ creating, analyzing, and downloading your resume.
Legitimate Interest โ Art. 6(1)(f)
Fraud prevention, security monitoring, service improvement, and analytics โ only when your rights do not override our interests.
Legal Obligation โ Art. 6(1)(c)
When we are legally required to retain or disclose data โ such as tax records for paid services or responding to lawful court orders.
4. Data We Collect
Minimized to what's strictly necessary
We adhere to the GDPR principle of data minimization (Article 5(1)(c)). We only collect data that is necessary for our services:
Account Information
- Full name and email address (for authentication)
- OAuth profile data (if signing in via Google)
- Payment information (processed by secure third-party providers โ we do not store card details)
Resume Data
- Content you provide in the resume form (work experience, education, skills, etc.)
- Uploaded PDF files (for ATS score checking)
- AI-generated content and suggestions
Technical Data
- IP address and approximate geolocation (country-level only)
- Browser type, device information, and operating system
- Pages visited, time on site, and referral source
- Cookies and similar technologies (see Section 9)
Privacy by Design: We do not collect sensitive personal data (special categories under Art. 9 GDPR) such as racial/ethnic origin, political opinions, health data, biometric data, or sexual orientation.
5. How We Process Your Data
Purpose limitation in action
Under GDPR Article 5(1)(b), data is processed only for specified, explicit, and legitimate purposes:
- Resume Generation: Your provided information is processed by AI to generate, structure, and format your resume
- ATS Score Analysis: Uploaded PDFs are parsed to evaluate ATS compatibility, keyword matches, and structural quality
- Account Management: Authentication, session management, and service delivery
- Payment Processing: Handled by PCI DSS-compliant third-party payment processors
- Service Improvement: Aggregated, anonymized analytics to improve features and user experience
- Communication: Transactional emails (receipts, account notifications) โ never unsolicited marketing without consent
AI Processing Notice: When you use our AI resume builder, your resume content is processed by AI language models. This processing is performed solely to generate your resume and is not used to train AI models. You can request deletion of all AI-processed data at any time.
6. Your Rights Under GDPR
GDPR Chapter III โ Rights of the data subject
As an EU/EEA resident, you have the following rights under GDPR. You can exercise any of these rights by contacting us at [email protected].
Right of Access
Art. 15 โ Request a copy of all personal data we hold about you, free of charge.
Right to Rectification
Art. 16 โ Correct any inaccurate or incomplete personal data we hold.
Right to Erasure
Art. 17 โ "Right to be forgotten." Request deletion of all your personal data from our systems.
Right to Restriction
Art. 18 โ Restrict how we process your data in certain circumstances.
Right to Portability
Art. 20 โ Receive your data in a structured, machine-readable format (JSON/CSV).
Right to Object
Art. 21 โ Object to processing based on legitimate interests or direct marketing at any time.
Withdraw Consent
Art. 7(3) โ Withdraw previously given consent at any time without affecting prior lawful processing.
Automated Decisions
Art. 22 โ Right not to be subject to decisions based solely on automated processing that significantly affect you.
Response Time: We will respond to all rights requests within 30 days as required by GDPR. In complex cases, this may be extended by an additional 60 days, and we will notify you of any such extension.
7. Data Retention
Storage limitation principle โ Art. 5(1)(e)
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:
| Data Type | Retention Period | Justification |
|---|---|---|
| Account data | Until account deletion | Service delivery |
| Resume content | Until account deletion or user request | Contractual necessity |
| ATS uploaded PDFs | Deleted immediately after analysis | Data minimization |
| Payment records | 7 years | Tax & legal obligation |
| Server logs | 90 days | Security & debugging |
| Analytics (anonymized) | 26 months | Service improvement |
8. International Data Transfers
GDPR Chapter V โ Cross-border data flow
When your data is transferred outside the EU/EEA, we ensure it receives an equivalent level of protection through one or more of the following safeguards under GDPR Articles 44โ49:
- Adequacy Decisions: Transfers to countries deemed adequate by the European Commission (Art. 45)
- Standard Contractual Clauses (SCCs): EU-approved contractual safeguards with data processors (Art. 46(2)(c))
- Data Processing Agreements (DPAs): Binding agreements with all third-party sub-processors ensuring GDPR-equivalent protections
- EU-U.S. Data Privacy Framework: Where applicable, for transfers to certified U.S. organizations
Third-Party Sub-Processors
We use a limited number of carefully vetted sub-processors:
| Provider | Purpose | Safeguard |
|---|---|---|
| Google Cloud / Firebase | Authentication, hosting | SCCs + DPA |
| OpenAI | AI resume generation | DPA + EU-US DPF |
| Razorpay / Stripe | Payment processing | PCI DSS + SCCs |
| Google Analytics | Anonymized analytics | Consent-based + SCCs |
10. Security Measures
Art. 32 โ Security of processing
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32:
TLS 1.3 encryption for all data in transit (HTTPS)
AES-256 encryption for data at rest
CSRF protection on all forms and state-changing requests
Secure OAuth 2.0 authentication flows
Role-based access controls and principle of least privilege
Regular security assessments and vulnerability scanning
Automated backups with encrypted storage
Input validation and sanitization against injection attacks
11. Children's Privacy
Art. 8 โ Conditions for child's consent
Our services are not directed at individuals under 16 years of age (or the applicable age of digital consent in their EU member state). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child under 16, we will delete it immediately.
If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [email protected]/a> and we will take prompt action.
12. Data Breach Notification
Art. 33 & 34 โ Notification obligations
In the event of a personal data breach, we commit to the following procedure in full compliance with GDPR Articles 33 and 34:
- Supervisory Authority Notification: We will notify the relevant EU Data Protection Authority within 72 hours of becoming aware of a breach that poses a risk to the rights and freedoms of data subjects (Art. 33)
- User Notification: If the breach is likely to result in a high risk to your rights and freedoms, we will notify affected individuals without undue delay via email, describing the nature of the breach, likely consequences, and mitigation measures taken (Art. 34)
- Internal Documentation: All breaches, regardless of risk level, are documented internally including facts, effects, and remedial actions (Art. 33(5))
13. Contact & Data Protection Officer
Reach us for any privacy concern
For any questions about this GDPR compliance page, your personal data, or to exercise any of your rights, please contact us:
Right to Lodge a Complaint: If you believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local EU Supervisory Authority (Data Protection Authority). A list of all EU DPAs is available at edpb.europa.eu.
Your Privacy Matters
Have questions about your data? We're here to help. Reach out anytime.