Privacy Policy
1. Who We Are
Resume-MCP ("we", "our", "the service") is an AI-powered resume creation and job application platform available at resume-mcp.site. The service lets you create ATS-optimised resumes using Gemini AI, tailor them to specific job descriptions, and optionally send job applications via your Gmail account.
For privacy enquiries, contact us at: privacy@resume-mcp.site
2. Data We Collect
2.1 Account & Identity Data
When you sign in with Google or connect via Telegram, we collect:
| Data point | Source | Why we collect it |
|---|---|---|
| Full name | Google OAuth | Display in dashboard; personalise generated resumes |
| Email address | Google OAuth | Send job applications from your account via Gmail |
| Profile picture URL | Google OAuth | Display in dashboard UI |
| Google OAuth tokens (access + refresh) | Google OAuth | Send emails on your behalf via Gmail API |
| Telegram user ID | Telegram Bot | Link bot sessions to your account; identify you across requests |
2.2 Resume Content
We process the resume and career information you provide (work history, education, skills, etc.) solely to generate your PDF resume. The most recently generated resume JSON is saved so you can re-tailor it later without re-entering your details.
2.3 Job Descriptions & Application Data
When you use the "Apply via Email" or Tailor features, we temporarily process the job description text you paste. This is used only to generate a tailored resume or cover email and is not stored beyond the request.
2.4 Usage & Token Data
We store a token balance (count of operations remaining) linked to your account. We log the type and timestamp of each operation (create / tailor / apply) for billing and abuse-prevention purposes.
2.5 Technical Data
Standard server logs record IP address, user agent, and HTTP request metadata for security monitoring. These logs are retained for up to 30 days.
3. How We Use Your Data
- Resume generation: Your career details are sent to Google Gemini AI to produce structured resume JSON, which is then rendered into a PDF via LaTeX.
- Email sending: Your Gmail OAuth token is used exclusively to send job-application emails you explicitly trigger. We never send emails without your instruction.
- Account management: Name and email are shown in the dashboard; token balance is tracked to limit free-tier usage.
- Security & abuse prevention: We monitor request rates and may block accounts that abuse the service.
- Analytics: Aggregate, anonymised usage statistics (e.g. total resumes created) are used to improve the product. Individual behaviour is not sold or profiled.
4. Data Sharing & Third Parties
We share your data only with the following sub-processors, each bound by their own privacy policies:
| Provider | Purpose | Data shared |
|---|---|---|
| Google LLC | OAuth 2.0 sign-in, Gmail sending, Gemini AI resume generation | Name, email, OAuth tokens; resume text sent to Gemini API |
| Telegram Messenger Inc. | Bot interface | Telegram user ID; messages you send to the bot |
We do not share data with advertisers, data brokers, or any other third parties.
We may disclose information if required by law, court order, or to protect the safety of users or the public.
5. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of an account deletion request.
- Generated PDFs: Stored on the server until you delete them (via dashboard or API). You have full control.
- OAuth tokens: Retained until you disconnect Gmail (sign out) or request deletion. Tokens are revoked with Google on deletion.
- Server logs: Automatically purged after 30 days.
- Resume JSON: The most recent resume JSON per user is retained to enable re-tailoring. Deleted when you delete your account.
6. Your Rights
Depending on your location, you may have the following rights under GDPR, CCPA, or similar laws:
- Access: Request a copy of the personal data we hold about you.
- Correction: Ask us to correct inaccurate data.
- Deletion ("right to be forgotten"): Request deletion of all your data. Use the Sign Out button, which revokes your Google OAuth tokens, or email us.
- Portability: Request your resume JSON in machine-readable format.
- Objection / Restriction: Object to or restrict certain processing activities.
- Withdraw consent: You can disconnect Gmail at any time from the dashboard. This stops us from sending emails on your behalf.
To exercise any right, email privacy@resume-mcp.site. We will respond within 30 days.
7. Security
We implement industry-standard security measures:
- All data in transit is encrypted with TLS 1.2+
- OAuth tokens are stored encrypted in the database
- The server is hosted in a private Docker environment with restricted network access
- We do not log or store raw resume text after a PDF is generated
No method of transmission over the internet is 100% secure. If you become aware of a security vulnerability, please contact privacy@resume-mcp.site immediately.
8. Cookies & Local Storage
Resume-MCP does not use advertising or tracking cookies. We use:
- localStorage — stores your session (user ID, name, token count, theme preference) in your browser for up to 24 hours. No server-side cookie is set.
- Google Analytics 4 — collects anonymised page-view statistics (pages visited, session duration). No personal identifiers are shared. You can opt out via Google's opt-out tool.
9. Children's Privacy
Resume-MCP is intended for users aged 16 and above (or 13+ in the United States). We do not knowingly collect personal data from children. If you believe a child has provided us with their data, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, for material changes, notify users via the dashboard or email.
Continued use of the service after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or your data, please contact us:
Website: resume-mcp.site
Response time: We aim to respond within 5 business days.
If you are located in the European Economic Area and believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority.