Privacy policy
Last updated: April 7, 2026
1. Introduction
Welcome to CircleResume. This Privacy Policy ("Policy") explains how Dumitrache Florentin-Cristian Persoană Fizică Autorizată, registered in Romania under CUI 46679040, Trade Register F40/3777/2022, with registered address at 188 Iuliu Maniu Boulevard, 061124, Bucharest, Romania ("CircleResume", "we", "us", or "our") collects, uses, shares, and protects personal data when you access or use our website at circleresume.com and any related services (collectively, the "Platform").
Personal data means any information that relates to an identified or identifiable natural person. This includes, but is not limited to, names, email addresses, IP addresses, and any content you create on the Platform.
This Policy applies to all users worldwide and should be read together with our Terms and Conditions and our Cookie Policy.
By creating an account or using the Platform, you acknowledge that you have read and understood this Policy. If you do not agree with any part of this Policy, please discontinue use of the Platform immediately.
2. Personal data we collect
We collect personal data from three sources: directly from you, automatically when you use the Platform, and from third-party services you choose to connect. If you use the Platform without an Account (guest mode), some information may be held only on your device, as described in subsection (d) below.
a) Data you provide directly
| Category | Data fields | Purpose |
|---|---|---|
| Account registration | Full name, email address, password (hashed — we never store your password in plain text) | Create and manage your account, authenticate you, and communicate important service updates |
| Resume content | First name, last name, job title, email, phone number, address, city, country, profile summary, employment history (job titles, company names, cities, dates, descriptions), education (degrees, schools, cities, dates, descriptions), skills, languages, hobbies, links, and custom sections | Generate, display, and export your resume documents |
| Cover letter content | Full name, job title, address, email, phone number, country, employer company name, hiring manager name, letter body (rich text) | Generate, display, and export your cover letter documents |
| Profile photos | Image files you upload as profile avatars (up to 10 per account) | Display your photo on your resume documents |
| Feedback & support | Feedback type, subject, description, severity, and optional screenshots | Investigate and resolve reported issues, improve our service |
| Preferences | Editor tutorial dismissal status, template choices, accent colours, typography settings | Personalise your experience and remember your editor configuration |
You choose what personal data to include in your resumes and cover letters. We process this data solely to provide the document creation service you have requested. We do not read, analyse, or use the content of your documents for any purpose other than delivering the service.
b) Data collected automatically
When you access the Platform, we may automatically collect:
- IP address — recorded in your authentication session and used for rate limiting to protect the Platform from abuse.
- User agent string — browser type, version, and operating system, recorded in your session.
- Page views and navigation — anonymous, aggregated analytics data collected by Vercel Web Analytics (only if you consent via our cookie banner). No personally identifiable information is captured.
- Error and diagnostic data — if an error occurs, our error tracking service (Sentry) may capture your user ID, email, name, IP address, request URL, browser information, and the error details to help us diagnose and fix issues. Additionally, Sentry may record a session replay of your screen at the time of the error (capturing DOM elements, clicks, and navigation — but not passwords or payment fields, which are masked). Session replays are only captured for error sessions and are used exclusively to reproduce and resolve bugs.
c) Data received from third parties
If you choose to sign in with Google, we receive the following data from Google:
- Your name
- Your email address
- Your profile picture URL
- Email verification status
We use this data solely to create and authenticate your account. We do not access your Google contacts, calendar, files, or any other Google services.
d) Guest mode (local browser storage)
If you create or edit a resume without registering, your draft content (which may include personal data you enter) is stored only in your browser using browser storage on your device (such as local storage and related storage APIs). It is not stored on CircleResume's servers until you create an Account and complete a flow that transfers or imports your draft. The in-product notice includes wording such as: "Guest mode — your draft is saved automatically on this browser."
Limitations on our responsibility and your risk of local data loss in guest mode are set out in our Terms and Conditions (Guest mode section).
3. How we use your personal data
We use your personal data for the following purposes:
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Account creation and authentication | Name, email, password hash, Google profile data | Performance of a contract (Art. 6(1)(b) GDPR) |
| Providing the resume and cover letter builder | All resume and cover letter content you enter | Performance of a contract (Art. 6(1)(b) GDPR) |
| PDF generation and export | Resume/cover letter content, profile photos | Performance of a contract (Art. 6(1)(b) GDPR) |
| Processing payments and subscriptions | User ID (shared with Polar as an external customer identifier) | Performance of a contract (Art. 6(1)(b) GDPR) |
| Sending transactional emails (verification, password reset) | Name, email address | Performance of a contract (Art. 6(1)(b) GDPR) |
| Error monitoring and diagnostics | User ID, email, name, IP, request URL, browser info, error details | Legitimate interest (Art. 6(1)(f) GDPR) — maintaining service reliability |
| Analytics (anonymous, aggregated) | Page views, visitor counts (no PII) | Consent (Art. 6(1)(a) GDPR) — only activated with your permission |
| Rate limiting and platform security | IP address, user ID | Legitimate interest (Art. 6(1)(f) GDPR) — preventing abuse |
| Feedback and issue reports | User ID, feedback content, screenshots | Legitimate interest (Art. 6(1)(f) GDPR) — improving the service |
4. We do not sell your personal data
CircleResume does not sell, rent, trade, or otherwise provide your personal data to third parties for monetary or other valuable consideration.
We do not share your personal data for cross-context behavioural advertising, profiling, or targeted marketing. We do not use data brokers, and we do not allow third parties to collect personal data from our Platform for their own purposes.
This applies regardless of your location. For California residents: under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), this constitutes our notice that we do not "sell" or "share" personal information as those terms are defined under California law.
5. Third-party service providers
We share personal data with the following third-party service providers who act as data processors on our behalf (or, in the case of payment providers, as independent controllers). We only share the minimum data necessary to provide our service.
| Provider | Purpose | Data shared | Location | Privacy policy |
|---|---|---|---|---|
| Neon | PostgreSQL database hosting | All account data, resume/cover letter content, session data, preferences | USA | Link |
| Cloudflare (R2) | Object storage for files | Profile photos, generated PDF documents, feedback screenshots | Global | Link |
| Polar | Payment processing and subscription management | User ID (as external customer identifier). Polar independently collects payment card details and billing information directly from you during checkout — we never receive or store your card numbers. | Sweden | Link |
| Resend | Transactional emails | Name, email address (for email verification and password reset emails only) | USA | Link |
| Sentry | Error tracking and diagnostics | User ID, email, name, IP address, browser/device info, request URLs, error stack traces, session replays (for error sessions only) | USA | Link |
| Vercel | Application hosting and anonymous analytics | Anonymous page view data (no personally identifiable information). Analytics are only active with your consent. | USA | Link |
| Google | OAuth sign-in and font delivery | OAuth: we receive your name, email, and profile picture from Google when you sign in. Fonts: font family names are requested from Google Fonts for PDF rendering. | USA | Link |
| Upstash | Rate limiting (Redis) | IP address (for public endpoints), user ID (for authenticated endpoints). Stored temporarily for rate limiting windows only. | Configurable | Link |
| Inngest | Background job orchestration (PDF generation) | Job metadata, user ID, resume/cover letter content (temporarily, during PDF generation). Functions execute on our own infrastructure. | USA | Link |
We do not share your personal data with any parties other than those listed above, except where required by law (see Section 19).
6. Payment processing
Payments are processed by Polar (Polar Software Inc.), which acts as an independent data controller for payment data. When you make a purchase:
- You are redirected to Polar's secure checkout page where you enter your payment details directly with Polar.
- We never receive, process, or store your credit card numbers, bank account details, or any full payment instrument data.
- We send Polar your user ID so they can associate the subscription with your CircleResume account.
- A Polar customer account is automatically created when you sign up for CircleResume.
For information on how Polar handles your payment data, please review Polar's Privacy Policy.
7. Social logins
The Platform offers the ability to register and sign in using your Google account. If you choose to do this:
- We receive your name, email address, profile picture URL, and email verification status from Google.
- Authentication tokens (access token, refresh token, ID token) are stored securely in our database to maintain your sign-in session.
- We do not post to your Google account, access your contacts, or request any permissions beyond basic profile information.
We are not responsible for Google's use of your data. We recommend reviewing Google's Privacy Policy and managing your permissions via your Google Account settings.
8. PDF share links
When you export a resume or cover letter as a PDF, we generate a time-limited shareable link that allows anyone with the link to download the PDF. These links:
- Are secured with a cryptographic signature (HMAC-SHA256) and cannot be guessed or forged.
- Expire automatically after 7 days from generation.
- Do not require the recipient to have a CircleResume account.
- Contain the full content of your resume or cover letter. You are responsible for sharing these links only with people you trust.
After the link expires, the associated PDF file is permanently deleted from our storage by an automated daily cleanup process.
9. Cookies and tracking technologies
We use a limited number of essential cookies to operate the Platform and one analytics technology that is activated only with your consent. Full details, including the specific cookies we use and how to manage them, are available in our Cookie Policy.
We do not use advertising cookies, social media tracking pixels, cross-site trackers, or any similar technologies.
10. International data transfers
CircleResume is operated from Romania (European Union). However, several of our third-party service providers are located outside the European Economic Area (EEA), primarily in the United States. This means your personal data may be transferred to and processed in countries outside the EEA.
When your personal data is transferred outside the EEA, we ensure it is protected through one or more of the following legally recognised transfer mechanisms:
- EU-US Data Privacy Framework (DPF): Several of our US-based providers are self-certified under the EU-US Data Privacy Framework with the US Department of Commerce, which has been recognised by the European Commission as providing adequate protection (Adequacy Decision of 10 July 2023). You can verify a provider's certification at dataprivacyframework.gov.
- Standard Contractual Clauses (SCCs): Where a provider is not covered by the DPF or an adequacy decision, we rely on Standard Contractual Clauses approved by the European Commission (Decision 2021/914), which are incorporated into the Data Processing Agreements (DPAs) we have with each provider. These clauses impose contractual obligations on the data recipient to protect your data to a standard equivalent to that within the EEA.
- Adequacy decisions: For providers in countries that the European Commission has determined offer an adequate level of data protection (e.g., Sweden, where Polar is based), no additional safeguards are required.
Below is a summary of the transfer mechanism applicable to each of our providers:
| Provider | Location | Transfer mechanism |
|---|---|---|
| Neon | USA | DPF certified; SCCs in DPA |
| Cloudflare | USA / Global | DPF certified; SCCs in DPA |
| Polar | Sweden (EU) | Within the EEA — no additional safeguards required. Polar acts as an independent data controller for payment data. |
| Resend | USA | SCCs in DPA |
| Sentry | USA | DPF certified; SCCs in DPA |
| Vercel | USA | DPF certified; SCCs in DPA |
| Google | USA | DPF certified; SCCs in Terms of Service |
| Upstash | Configurable | SCCs in DPA |
| Inngest | USA | SCCs in DPA |
11. Data retention
We retain your personal data only for as long as necessary to provide our services and fulfil the purposes described in this Policy. Specific retention periods are:
| Data | Retention period | Notes |
|---|---|---|
| Account data, resumes, cover letters, preferences | Until you delete your account | Immediately deleted upon account deletion (cascade delete) |
| Profile photos and avatars | Until you delete your account | Deleted from storage (R2) upon account deletion |
| Exported PDF files | 7 days | Automatically deleted by a daily cleanup process after the share link expires. Also deleted upon account deletion. |
| Session data | 7 days | Sessions expire automatically. All sessions are deleted upon account deletion. |
| Feedback screenshots | Until you delete your account | Deleted from storage (R2) upon account deletion, together with your feedback entries. |
| Error tracking data (Sentry) | 90 days | Retained by Sentry per their data retention settings. Automatically purged after the configured period. |
| Rate limiting data | Minutes | Stored only for the duration of the rate limiting window (typically 1 minute) and then automatically expires. |
| Cookie consent preference | 12 months | Stored as a cookie on your device. You can reset it at any time via "Cookie settings" in the footer. |
If we are legally required to retain certain data for a longer period (e.g., for tax or accounting purposes), we will retain only the minimum data necessary for the specific legal obligation.
12. Data security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit: All data is transmitted over HTTPS/TLS.
- Password hashing: Passwords are securely hashed before storage — we never store passwords in plain text.
- Secure session cookies: Authentication cookies use the Secure flag and are transmitted only over HTTPS.
- Signed share links: PDF share links are protected with HMAC-SHA256 cryptographic signatures.
- Rate limiting: API endpoints are protected against abuse through request rate limiting.
- Access controls: Administrative access is restricted to authorized personnel only.
While we take all reasonable steps to protect your data, no method of electronic storage or transmission is 100% secure. If you believe your account has been compromised, please contact us immediately at privacy@circleresume.com.
Data breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant data protection authority (ANSPDCP in Romania) within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR.
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34 of the GDPR.
- Document the breach, its effects, and the remedial actions taken.
We will also comply with any additional breach notification obligations under applicable local laws, including the CCPA/CPRA (California), UK GDPR, and LGPD (Brazil).
13. Your privacy rights
Depending on your location, you may have the following rights regarding your personal data. We honour these rights regardless of where you live, to the extent we are able.
| Right | Description | Applicable laws |
|---|---|---|
| Right of access | Request a copy of the personal data we hold about you and information about how we process it. | GDPR, UK GDPR, CCPA/CPRA, LGPD |
| Right to rectification | Request correction of inaccurate or incomplete personal data. You can also update most data directly in your account settings. | GDPR, UK GDPR, LGPD |
| Right to erasure (deletion) | Request deletion of your personal data. You can delete your account directly from your account settings, which permanently removes all your data including resumes, cover letters, avatars, exported PDFs, and feedback screenshots. | GDPR, UK GDPR, CCPA/CPRA, LGPD |
| Right to data portability | Request your personal data in a structured, commonly used, and machine-readable format, or request that we transfer it to another controller. | GDPR, UK GDPR, LGPD |
| Right to restrict processing | Request that we limit how we process your personal data in certain circumstances (e.g., while we verify accuracy). | GDPR, UK GDPR, LGPD |
| Right to object | Object to processing based on our legitimate interests. We will cease processing unless we have compelling legitimate grounds. | GDPR, UK GDPR, LGPD |
| Right to withdraw consent | Withdraw consent at any time where processing is based on your consent (e.g., analytics). Withdrawal does not affect the lawfulness of prior processing. | GDPR, UK GDPR, CCPA/CPRA, LGPD |
| Right to opt out of sale/sharing | We do not sell or share your personal data. No opt-out action is required, but you may contact us to confirm. | CCPA/CPRA |
| Right to non-discrimination | We will not discriminate against you for exercising any of your privacy rights (e.g., by denying service, charging different prices, or providing inferior service). | CCPA/CPRA, LGPD |
| Right to lodge a complaint | You have the right to lodge a complaint with a data protection authority. In Romania, this is the ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal). In the EU/EEA, you may find your local authority. If you are located elsewhere, you may contact your local data protection authority. | GDPR, UK GDPR, LGPD |
How to exercise your rights
You can exercise your rights by:
- Self-service: Edit or delete your data directly in your account settings, including deleting your entire account.
- Email: Send a request to privacy@circleresume.com with your name, email address, and a description of the right you wish to exercise.
We will respond to your request within 30 days. If we need additional time (up to 60 additional days for complex requests), we will inform you within the initial 30-day period. We may need to verify your identity before fulfilling your request.
14. Children's privacy
The Platform is not directed to individuals under the age of 18. We do not knowingly collect personal data from children or minors under 18 years of age.
If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@circleresume.com. We will promptly investigate and delete the data if confirmed. If we learn that we have collected personal data from a person under 18, we will delete that data as soon as possible. This is consistent with our obligations under COPPA (USA), GDPR (EU), UK GDPR, and LGPD (Brazil).
15. De-identified and aggregate data
We may create de-identified (anonymised) or aggregated data from personal data by removing information that makes the data personally identifiable. Such data is no longer considered personal data under applicable laws.
We may use de-identified data for internal analytics, improving our services, and other lawful business purposes. We commit to maintaining and using such information in de-identified form and will not attempt to re-identify it.
16. Automated decision-making and profiling
CircleResume does not use automated decision-making or profiling that produces legal or similarly significant effects on you.
We do not analyse your personal data to create profiles, make predictions about your behaviour, or make automated decisions that affect your access to our services. All decisions regarding your account (such as subscription management) are based on objective criteria (e.g., payment status) and are not the result of automated profiling. This disclosure is made in accordance with Article 22 of the GDPR and equivalent provisions under UK GDPR and LGPD.
17. Business transfers
If CircleResume is involved in a merger, acquisition, reorganisation, sale of assets, or bankruptcy, your personal data may be transferred as part of that transaction. In such event, we will notify you via email and/or a prominent notice on the Platform before your personal data is transferred and becomes subject to a different privacy policy. The acquiring entity will be required to honour the commitments made in this Policy or obtain your separate consent for any materially different processing.
18. Third-party links
The Platform may contain links to third-party websites, services, or resources that are not owned or controlled by CircleResume (e.g., Polar checkout, Google sign-in). We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party service you access through or in connection with the Platform. This Policy applies solely to data collected by CircleResume.
19. Disclosure required by law
We may disclose your personal data if required to do so by law, or if we believe in good faith that such action is necessary to: (a) comply with a legal obligation, court order, or governmental request; (b) protect and defend our rights or property; (c) prevent or investigate possible wrongdoing in connection with the Platform; (d) protect the personal safety of users of the Platform or the public. Where legally permitted, we will make reasonable efforts to notify you before disclosing your data.
20. Do-Not-Track signals
Some browsers include a "Do Not Track" (DNT) feature that sends a signal to websites requesting that your browsing activity not be tracked. Because there is no universally accepted standard for how to respond to DNT signals, we do not currently respond to them. However, our analytics are already consent-based: we do not load analytics technologies unless you explicitly consent via our cookie banner. This means that your privacy preferences are respected regardless of your browser's DNT setting.
21. Additional disclosures for California residents
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information:
- Categories of personal information collected: Identifiers (name, email, IP address), internet activity (page views, browser type), professional information (employment history, education — only as entered by you in your resume), and inferences (none — we do not create profiles or inferences about you).
- Sale of personal information: We do not sell your personal information. We have not sold personal information in the preceding 12 months.
- Sharing for cross-context behavioural advertising: We do not share your personal information for cross-context behavioural advertising.
- Sensitive personal information: We do not intentionally collect sensitive personal information as defined by the CCPA/CPRA. Your resumes may contain information you choose to include; we do not use such information for purposes other than providing the document creation service.
- Shine the Light (Cal. Civ. Code § 1798.83): We do not share personal information with third parties for their direct marketing purposes.
22. Additional disclosures for Brazil residents
If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD) provides you with specific rights as described in Section 13 of this Policy. We process your data based on the legal bases of contract performance, consent, and legitimate interest, as applicable. You may exercise your rights or file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) at www.gov.br/anpd.
23. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. The updated version will be indicated by the "Last updated" date at the top of this page.
If we make material changes that significantly affect how we process your personal data, we will notify you by reasonable means (such as a notice on the Platform or an email to the address associated with your account) before the changes take effect. We encourage you to review this Policy periodically.
24. Contact us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Operator: Dumitrache Florentin-Cristian Persoană Fizică Autorizată
Trade Register: F40/3777/2022
CUI: 46679040
Address: 188 Iuliu Maniu Boulevard, 061124, Bucharest, Romania
Email: privacy@circleresume.com
We aim to resolve all privacy-related inquiries within 30 days of receipt.