Privacy Policy

Last updated: March 10, 2026

1. Controller and Contact

The controller responsible for data processing on this platform is:

Stefano Cassola
Germany
Email: stefano.cassola@web.de

If you have questions about how your data is handled, or wish to exercise any of your rights under applicable data protection law, please contact us at the email address above.

2. What ChatMyResu.me Does

ChatMyResu.me is a platform that lets users upload their resume and create a public portfolio page with an AI-powered chatbot. Visitors to a user's portfolio can ask the chatbot questions about the user's professional background. The chatbot is powered by Anthropic's Claude AI models.

3. Data We Collect

3.1 Account Data

When you create an account, we collect your email address and display name. If you sign up via Google OAuth, we receive your name, email, and profile picture URL from Google. We store a hashed password if you use email/password authentication.

3.2 Resume and Profile Data

When you upload a resume (PDF or DOCX), we send the file contents to Anthropic's Claude API to extract structured data (work experience, skills, education, certificates, publications). The extracted data is stored in our database. We do not permanently store the original uploaded file — it is processed in memory and discarded after extraction.

3.3 Personal Context (Optional)

You may optionally provide personal context through our "Tell Your Story" feature — such as motivations, career goals, explanations for career gaps, or interests. This data is stored in your profile and used to give the chatbot richer context when answering questions about you. You can edit or delete this content at any time.

3.4 Chat Logs

For Pro plan users, we store chat logs (visitor questions and AI responses) so that users can review what visitors are asking about their profile. Chat logs for free-tier users are not stored. Visitor chat messages are sent to Anthropic's Claude API in real time to generate responses.

3.5 Payment Data

Payment processing is handled entirely by Stripe. We do not store credit card numbers or full payment details on our servers. We store your Stripe customer ID and subscription status to manage your plan.

3.6 Automatically Collected Data

We use Vercel Analytics, which is a privacy-friendly analytics service that does not use cookies and does not track individual users across sites. It collects aggregated, anonymized page-view data (such as page path, referrer, country, device type, and browser). No personal data is collected by Vercel Analytics.

We use IP-based rate limiting to prevent abuse of the chat API. IP addresses used for rate limiting are stored temporarily and automatically expire after a short period. They are not linked to user accounts or used for any other purpose.

4. Legal Basis for Processing (GDPR Art. 6)

We process your data on the following legal bases:

  • Contract performance (Art. 6(1)(b)): Processing your account data, resume data, and profile information is necessary to provide the service you signed up for.
  • Legitimate interest (Art. 6(1)(f)): We use rate limiting and abuse prevention to protect the platform and its users, and aggregated analytics to understand service usage.
  • Consent (Art. 6(1)(a)): Providing optional personal context ("Tell Your Story") is entirely voluntary and based on your explicit action. You can withdraw this consent at any time by deleting the content.

5. AI Processing and Third-Party Services

5.1 Anthropic (Claude AI)

Resume content and chat messages are sent to Anthropic's Claude API for processing. Anthropic acts as a data processor. According to Anthropic's data policy, API inputs and outputs are not used to train their models. For details, see Anthropic's Privacy Policy.

5.2 Supabase (Database and Authentication)

We use Supabase for database hosting and user authentication. Your account data and profile data are stored in a Supabase-managed PostgreSQL database. Supabase acts as a data processor.

5.3 Stripe (Payments)

Payment processing is handled by Stripe. When you subscribe to a paid plan, your payment information is collected and processed directly by Stripe. See Stripe's Privacy Policy.

5.4 Vercel (Hosting and Analytics)

The platform is hosted on Vercel. Vercel Analytics collects anonymized, aggregated usage data without cookies. See Vercel's Privacy Policy.

6. International Data Transfers

Some of our service providers (Anthropic, Stripe, Vercel) are based in the United States. Where personal data is transferred outside the EU/EEA, we rely on the EU-U.S. Data Privacy Framework or Standard Contractual Clauses (SCCs) as appropriate to ensure an adequate level of data protection in compliance with GDPR.

7. Cookies

We use only essential cookies required for authentication (Supabase session cookies). These are strictly necessary for the platform to function and do not require consent under GDPR.

We do not use advertising cookies, tracking cookies, or any non-essential cookies.

8. Data Retention

  • Account and profile data is retained for as long as your account is active.
  • Chat logs (Pro users) are retained for as long as your account is active and you maintain a Pro subscription.
  • Rate-limiting data (IP addresses) is stored temporarily and automatically expires within minutes to hours.
  • When you delete your account, all associated data (profile, resume data, personal context, and chat logs) is permanently deleted from our systems.

9. Your Rights Under GDPR

Under the General Data Protection Regulation, you have the following rights:

  • Right of access (Art. 15): You may request information about what personal data we hold about you.
  • Right to rectification (Art. 16): You can correct inaccurate data through your dashboard at any time, or contact us for assistance.
  • Right to erasure (Art. 17): You can delete your account and all associated data at any time through your dashboard settings.
  • Right to data portability (Art. 20): You may request a copy of your data in a structured, machine-readable format. Contact us via email.
  • Right to restriction of processing (Art. 18): You may request that we restrict processing of your data under certain circumstances.
  • Right to object (Art. 21): You may object to processing based on legitimate interests.
  • Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. The relevant authority in Germany depends on your state of residence (Landesdatenschutzbeauftragte).

To exercise any of these rights, contact us at stefano.cassola@web.de. We will respond within 30 days.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including encrypted connections (HTTPS/TLS), secure authentication, row-level security policies on our database, and access controls. However, no method of electronic storage or transmission is 100% secure, and we cannot guarantee absolute security.

11. Children

ChatMyResu.me is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

12. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email to registered users or through a notice on the platform. The "Last updated" date at the top of this page indicates when the policy was last revised.

13. Contact

For any questions regarding this privacy policy or your personal data, please contact:

Stefano Cassola
Email: stefano.cassola@web.de