Privacy policy

Last updated: July 9, 2026

1. Introduction

Welcome to CircleResume. This Privacy policy ("Policy") explains how Florentin-Cristian Dumitrache, trading as Dumitrache Florentin-Cristian Persoană Fizică Autorizată (PFA), registered in Romania under CUI 46679040, Trade Register no. F40/3777/2022, with registered address at 188 Iuliu Maniu Boulevard, 061124, Bucharest, Romania ("CircleResume", "we", "us", or "our"), collects, uses, shares, and protects personal data when you access or use the CircleResume platform at circleresume.com and all related websites, applications, features, and services (collectively, the "Platform").

For the purposes of the EU General Data Protection Regulation (GDPR) and equivalent laws, CircleResume is the data controller responsible for your personal data. Our full company registration and contact details are available on our Company details page.

Personal data means any information that relates to an identified or identifiable natural person. This includes, but is not limited to, names, email addresses, IP addresses, and any content you create on the Platform.

This Policy applies to all users worldwide and should be read together with our Terms and conditions and our Cookie policy.

By creating an account or using the Platform, you acknowledge that you have read and understood this Policy. If you do not agree with any part of this Policy, please discontinue use of the Platform immediately.

2. Personal data we collect

We collect personal data from three sources: directly from you, automatically when you use the Platform, and from third-party services you choose to connect. If you use the Platform without an Account (guest mode), draft content you enter may be stored on your device and, if you save through the guest flow, on our servers, as described in subsection (d) below.

a) Data you provide directly

CategoryData fieldsPurpose
Account registrationFull name, email address, password (hashed — we never store your password in plain text)Create and manage your account, authenticate you, and communicate important service updates
Onboarding answersThe optional questions we may ask when you set up your account: what you want to use CircleResume for (your goals), your country, your current job title, your industry, and how you heard about us (referral source), plus any free-text detail you add to an "Other" option. You can skip onboarding or leave any question blank.Stored on your account in our database for as long as your account exists. We use answers you choose to provide to tailor onboarding and to understand, in aggregate, who uses CircleResume — for example which countries users are in and how they found us. We use this only for our own internal product analytics and quality improvements. We do not sell, rent, or share onboarding answers with advertisers, data brokers, or any other third party. If you consent to analytics cookies, non-identifying categories you provide may also be sent to our analytics provider (see Section 9). Deleted when your account is removed. See Section 3, Section 4, and Section 15.
Resume contentFirst name, last name, job title, email, phone number, address, city, country, profile summary, employment history (job titles, company names, cities, dates, descriptions), education (degrees, schools, cities, dates, descriptions), skills, languages, hobbies, links, and custom sectionsGenerate, display, and export your resume documents. Plain-text (.txt) exports are generated locally in your browser and are not transmitted to or stored on our servers.
Cover letter contentFull name, job title, address, email, phone number, country, employer company name, hiring manager name, letter body (rich text)Generate, display, and export your cover letter documents. Plain-text (.txt) exports are generated locally in your browser and are not transmitted to or stored on our servers.
Imported documents (PDF upload)The PDF file you choose to upload to import an existing resume or cover letter, and all personal data contained within it (which may include your name, contact details, employment history, education, skills, and any other information present in the file — and, where you include them, the personal data of third parties such as referees, colleagues, or former employers), together with the structured text our providers extract from itConvert your uploaded document into an editable resume or cover letter in your Account. The file is processed transiently and deleted shortly after processing (see Section 11). You are responsible for ensuring you have the right to upload the file and any third-party data it contains.
Profile photosImage files you upload as profile avatars (up to 10 per account)Display your photo on your resume documents
FeedbackStar rating (1–5), subject, and message you write in the feedback formUnderstand user satisfaction and improve the Platform based on voluntary product feedback; and potential public display on our website (first name with last initial, star rating, and message). Deleted when your account is deleted.
Report an issueSubject, severity (low, medium, high, or critical), description, and an optional screenshotInvestigate and resolve bugs or technical problems you report
PreferencesEditor tutorial dismissal status, template choices, accent colours, typography settingsPersonalise your experience and remember your editor configuration
AI rewrite requestsThe specific resume or cover letter section text you submit for AI rewriting; the context type (resume or cover letter)Transmitted to OpenAI to generate a suggested rewrite. The input text is not stored separately by us. If you choose to apply the result, the rewritten text replaces the original in your document and is stored as ordinary User Content.
Account deletion feedbackSelected reason category and optional free-text comment when you delete your accountImprove the Platform based on voluntary exit feedback. Stored separately from your User Content and retained after your account is purged (see Section 11).

You choose what personal data to include in your resumes and cover letters. We process this data solely to provide the document creation service you have requested. We do not read, analyse, or use the content of your documents for any purpose other than delivering the service. When you voluntarily use the AI rewrite feature, the selected text section is transmitted to OpenAI solely to generate a suggested rewrite; see Section 5 and Section 16 for details.

Special category and sensitive data. A resume or cover letter may reveal information that is treated as a special category of data under the GDPR (Article 9) — such as data revealing health, religious or philosophical beliefs, trade union membership, ethnic origin, or sexual orientation — or as sensitive personal information under other laws. We do not request or require such data. If you choose to include it, you do so on your own initiative, and you consent to us processing it as part of, and only for the purpose of, producing your documents. We recommend including such information only where it is relevant to your application and you are comfortable doing so.

b) Data collected automatically

When you access the Platform, we may automatically collect:

  • IP address — recorded in your authentication session and used for rate limiting to protect the Platform from abuse.
  • User agent string — browser type, version, and operating system, recorded in your session.
  • Page views and navigation — anonymous, aggregated analytics data collected by Vercel Web Analytics (only if you consent via our cookie banner). No personally identifiable information is captured. Where you have consented, these analytics events may also include the non-identifying onboarding categories you selected (such as your country, industry, goals, and referral source) so we can see, in aggregate, how the product is used. This is for our internal analytics only — we do not attach your name, email, or any other identifier, and we do not sell or share this data with third parties for their own purposes.
  • Error and diagnostic data — if an error occurs, our error tracking service (Sentry) may capture your user ID, email, name, IP address, request URL, browser information, and the error details to help us diagnose and fix issues. Additionally, Sentry may record a session replay of your screen at the time of the error (capturing DOM elements, clicks, and navigation — but not passwords or payment fields, which are masked). Session replays are only captured for error sessions and are used exclusively to reproduce and resolve bugs.

c) Data received from third parties

If you choose to sign in with Google, we receive the following data from Google:

  • Your name
  • Your email address
  • Your profile picture URL
  • Email verification status

We use this data solely to create and authenticate your account. We do not access your Google contacts, calendar, files, or any other Google services.

d) Guest mode

If you create or edit a resume without registering, your draft content (which may include personal data you enter, such as name, contact details, or employment history) is stored in your browser while you edit, using browser storage on your device (such as IndexedDB, local storage, and related storage APIs). The in-product notice includes wording such as: "Guest mode — your draft is saved automatically on this browser."

If you continue in the guest flow and save your draft, we also store a copy on CircleResume's servers as a guest resume draft, so you can recover your work if you lose access to browser storage by mistake. At the same time, your browser keeps two matching entries: circle-resume:guest-draft (your resume content, template, and related metadata) and guestResumeDraftServerId (the unique identifier of the corresponding server-side draft). These entries allow us to link your locally stored draft to the copy on our systems and, if you later create an Account or sign in, to import that draft into your Account. Server-side guest drafts are deleted after 90 days if not claimed (see Section 11).

Limitations on our responsibility and your risk of local data loss in guest mode are set out in our Terms and Conditions (Guest mode section).

3. How we use your personal data

We use your personal data for the following purposes:

PurposeData usedLegal basis (GDPR)
Account creation and authenticationName, email, password hash, Google profile dataPerformance of a contract (Art. 6(1)(b) GDPR)
Providing the resume and cover letter builderAll resume and cover letter content you enterPerformance of a contract (Art. 6(1)(b) GDPR)
PDF generation and exportResume/cover letter content, profile photosPerformance of a contract (Art. 6(1)(b) GDPR)
Importing an existing resume or cover letter from a PDFThe PDF file you upload and the text and structured data extracted from itPerformance of a contract / taking steps at your request before entering a contract (Art. 6(1)(b) GDPR). You initiate this processing voluntarily; where the file contains special categories of data or third-party personal data, you are responsible for having a lawful basis to provide it.
Processing payments and subscriptionsUser ID (shared with Polar as an external customer identifier) and country (for billing and tax at checkout)Performance of a contract (Art. 6(1)(b) GDPR)
Sending transactional emails (verification, password reset)Name, email addressPerformance of a contract (Art. 6(1)(b) GDPR)
Error monitoring and diagnosticsUser ID, email, name, IP, request URL, browser info, error detailsLegitimate interest (Art. 6(1)(f) GDPR) — maintaining service reliability
Analytics (anonymous, aggregated)Page views, visitor counts, and the non-identifying onboarding categories you selected (country, industry, goals, referral source) — no PIIConsent (Art. 6(1)(a) GDPR) — only activated with your permission
Internal product insights (onboarding data)Aggregated onboarding categories you optionally provide (country, industry, goals, referral source) — stored in our database on your user account and viewed by us only in summary formLegitimate interest (Art. 6(1)(f) GDPR) — understanding how CircleResume is used and improving quality; we do not sell this data or share it with third parties (see Section 4)
Rate limiting and platform securityIP address, user IDLegitimate interest (Art. 6(1)(f) GDPR) — preventing abuse
FeedbackUser ID, star rating, subject, messageLegitimate interest (Art. 6(1)(f) GDPR) — improving the service based on voluntary product feedback; and potential public display on our website (first name with last initial, star rating, and message)
Issue reportsUser ID, subject, severity, description, optional screenshotLegitimate interest (Art. 6(1)(f) GDPR) — investigating and resolving reported bugs or technical problems
AI content rewriting (Pro feature)Selected resume / cover letter section text, user ID (for quota tracking)Performance of a contract (Art. 6(1)(b) GDPR) — delivering a Pro feature you explicitly activate; transmission to OpenAI is governed by your consent per our Terms and conditions - Section 7(b)
Access and data portability requestsProfile, resumes, cover letters, preferences, feedback, issue reports, avatar metadata, PDF export job metadata, subscription summaryLegal obligation (Art. 6(1)(c) GDPR) — responding to your rights under Articles 15 and 20 GDPR

4. We do not sell your personal data

CircleResume does not sell, rent, trade, or otherwise provide your personal data to third parties for monetary or other valuable consideration.

We do not share your personal data for cross-context behavioural advertising, profiling, or targeted marketing. We do not use data brokers, and we do not allow third parties to collect personal data from our Platform for their own purposes.

This applies regardless of your location. For California residents: under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), this constitutes our notice that we do not "sell" or "share" personal information as those terms are defined under California law.

5. Third-party service providers

We share personal data with the following third-party service providers who act as data processors on our behalf (or, in the case of payment providers, as independent controllers). We only share the minimum data necessary to provide our service.

ProviderPurposeData sharedLocationPrivacy policy
NeonPostgreSQL database hostingAll account data, resume/cover letter content, session data, preferencesUSALink
Cloudflare (R2)Object storage for filesProfile photos, generated PDF documents, issue report screenshotsUSALink
PolarPayment processing and subscription managementUser ID (as external customer identifier) and country (from your onboarding answers, sent for billing and tax at checkout). Polar independently collects payment card details and billing information directly from you during checkout — we never receive or store your card numbers.USA (Polar Software Inc.; HQ in Sweden)Link
ResendTransactional emailsName, email address (for email verification and password reset emails only)USALink
SentryError tracking and diagnosticsUser ID, email, name, IP address, browser/device info, request URLs, error stack traces, session replays (for error sessions only)USALink
VercelApplication hosting and anonymous analyticsAnonymous page view data (no personally identifiable information). Analytics are only active with your consent.USALink
GoogleOAuth sign-in and font deliveryOAuth: we receive your name, email, and profile picture from Google when you sign in. Fonts: font family names are requested from Google Fonts for PDF rendering.USALink
UpstashRate limiting (Redis)IP address (for public endpoints), user ID (for authenticated endpoints). Stored temporarily for rate limiting windows only.USALink
InngestBackground job orchestration (PDF generation)Job metadata, user ID, resume/cover letter content (temporarily, during PDF generation). Functions execute on our own infrastructure.USALink
LlamaIndex (LlamaCloud)PDF text extraction for resume and cover letter importThe PDF file you upload for import. LlamaCloud processes the file to extract text and structure. The file is processed via LlamaCloud's US (global) endpoint and is encrypted and retained only transiently before deletion. Data is not used to train LlamaIndex models per their DPA. Because processing occurs in the United States, your file is transferred outside the EU/EEA under appropriate safeguards (see Section 10).USALink
OpenAIAI-powered content rewriting (Pro feature); structured section extraction during PDF importFor the AI rewritefeature: the specific resume or cover letter section text you submit for rewriting, plus a context label ("resume" or "cover-letter") — we donot send your name, email, account ID, or any other identifying information. For the document importfeature: the full text extracted from the PDF you upload, which necessarily includes the personal data contained in that document (such as your name, contact details, employment history, and any third-party data present in the file), so that the structured sections can be reconstructed. We do not separately send your Account credentials. OpenAI may retain API inputs/outputs for up to 30 days for safety monitoring, after which they are deleted. Per OpenAI's API Data Usage Policy, API data is notused to train OpenAI's models.USALink

We do not share your personal data with any parties other than those listed above. When we share data with these providers, it is only so they can perform specific tasks for us — such as hosting our database, storing your files, sending transactional emails, or processing payments — not in exchange for money, advertising, or any other benefit from them. Each provider listed above acts as a data processor on our behalf and processes your data only under our instructions, except Polar, which acts as an independent data controller for payment data (see Section 6). We do not share your personal data with any other parties, except where required by law (see Section 19).

6. Payment processing

Payments are processed by Polar (Polar Software Inc.), which acts as an independent data controller for payment data. Polar Software Inc. is a US company (Delaware) with operations in Sweden. Payment data may be processed in the United States and other countries as described in Polar's Privacy Policy. When you make a purchase:

  • You are redirected to Polar's secure checkout page where you enter your payment details directly with Polar.
  • We never receive, process, or store your credit card numbers, bank account details, or any full payment instrument data.
  • We send Polar your user ID so they can associate the subscription with your CircleResume account, and your country (from onboarding) so checkout can apply the correct billing and tax treatment.
  • A Polar customer account is automatically created when you sign up for CircleResume.

For information on how Polar handles your payment data, please review Polar's Privacy Policy.

7. Social logins

The Platform offers the ability to register and sign in using your Google account. If you choose to do this:

  • We receive your name, email address, profile picture URL, and email verification status from Google.
  • Authentication tokens (access token, refresh token, ID token) are stored securely in our database to maintain your sign-in session.
  • We do not post to your Google account, access your contacts, or request any permissions beyond basic profile information.

We are not responsible for Google's use of your data. We recommend reviewing Google's Privacy Policy and managing your permissions via your Google Account settings.

9. Cookies and tracking technologies

We use essential cookies to operate the Platform, optional functional preferences (such as your theme and sidebar layout) that you can enable in our cookie banner, and analytics technology that is activated only with your consent. Full details, including the specific cookies and similar technologies we use and how to manage them, are available in our Cookie policy.

We do not use advertising cookies, social media tracking pixels, cross-site trackers, or any similar technologies.

10. International data transfers

CircleResume is operated from Romania (European Union). However, several of our third-party service providers are located outside the European Economic Area (EEA), primarily in the United States. This means your personal data may be transferred to and processed in countries outside the EEA.

When your personal data is transferred outside the EEA, we ensure it is protected through one or more of the following legally recognised transfer mechanisms:

  • EU-US Data Privacy Framework (DPF):Several of our US-based providers are self-certified under the EU-US Data Privacy Framework with the US Department of Commerce, which has been recognised by the European Commission as providing adequate protection (Adequacy Decision of 10 July 2023). You can verify a provider's certification at dataprivacyframework.gov.
  • Standard Contractual Clauses (SCCs): Where a provider is not covered by the DPF or an adequacy decision, we rely on Standard Contractual Clauses approved by the European Commission (Decision 2021/914) or equivalent safeguards offered by the provider (for example in their data processing terms or DPA). These mechanisms impose contractual obligations on the recipient to protect your data to a standard equivalent to that within the EEA.
  • Adequacy decisions: For providers in countries that the European Commission has determined offer an adequate level of data protection (e.g., Iceland or Switzerland), no additional safeguards are required.

Below is a summary of the transfer mechanisms we rely on for each provider, based on their published privacy documentation and contractual terms as of the date of this Policy:

ProviderLocationTransfer mechanism
NeonUSADPF self-certification and/or SCCs (per provider terms)
CloudflareUSADPF self-certification and/or SCCs (per provider terms)
PolarUSA (Polar Software Inc.; operations in Sweden/EU)Polar may process payment-related data in the USA and other jurisdictions. Transfers are governed by Polar's privacy policy and applicable safeguards (e.g. SCCs and/or adequacy mechanisms as described by Polar). Polar acts as an independent data controller for payment data.
ResendUSASCCs (per provider terms)
SentryUSADPF self-certification and/or SCCs (per provider terms)
VercelUSADPF self-certification and/or SCCs (per provider terms)
GoogleUSADPF self-certification and/or SCCs (per Google terms)
UpstashUSADPF self-certification and/or SCCs (per provider terms)
InngestUSADPF self-certification and/or SCCs (per provider terms)
LlamaIndex (LlamaCloud)USASCCs (per provider terms)
OpenAIUSADPF self-certification and/or SCCs (per OpenAI's Data Processing Addendum and API terms).

11. Data retention

We retain your personal data only for as long as necessary to provide our services and fulfil the purposes described in this Policy. Specific retention periods are:

DataRetention periodNotes
Account data, resumes, cover letters, preferencesUntil you delete your accountAccess is revoked immediately when you confirm deletion. Data is permanently removed through an automated background process, typically within minutes and no later than 24 hours.
Profile photos and avatarsUntil you delete your accountDeleted from storage (R2) during the account deletion background process
Exported PDF files7 daysAutomatically deleted by a daily cleanup process after the share link expires. Also deleted during account deletion.
Uploaded PDF files for importUntil processed; max 24 hoursThe PDF you upload to import a resume or cover letter is stored temporarily in our storage (R2) only to run the import job. It is deleted automatically as soon as the import completes or fails, and in any event no later than 24 hours. The editable document created from it is then stored as ordinary User Content. Our extraction providers (LlamaIndex/LlamaCloud and OpenAI) may retain the file or extracted text briefly on their own systems as described in Section 5.
Session data7 daysSessions expire automatically. All sessions are deleted immediately when you confirm account deletion.
Guest resume drafts (server-side)90 daysCreated when you save a draft in Guest mode without an Account. Deleted automatically after 90 days if not imported into an Account. Removed when successfully claimed during sign-up or sign-in.
Feedback submissionsUntil you delete your accountDeleted from our database during account deletion.
Issue reportsUntil you delete your accountDeleted from our database during account deletion. Optional screenshots are removed from storage as described below.
Issue report screenshotsUntil you delete your accountDeleted from storage (R2) during account deletion, together with your issue reports.
Account deletion feedbackIndefinitelyOptional exit survey (reason and comment) stored separately from your User Content. Retained for internal analytics after your account is purged, with no fixed deletion date.
Error tracking data (Sentry)90 daysRetained by Sentry per their data retention settings. Automatically purged after the configured period.
Rate limiting dataMinutesStored only for the duration of the rate limiting window (typically 1 minute) and then automatically expires.
AI rewrite quota counter24 hours (resets at midnight UTC)A daily usage counter (user ID + count) is stored in Redis (Upstash) to enforce the daily usage limit of 25 rewrites. It expires automatically at midnight UTC. The input text sent to OpenAI is not stored separately by us — if you apply the result, the rewritten text is saved as part of your document (User Content). OpenAI may retain API inputs for up to 30 days per their policy.
Cookie consent preference12 monthsStored as a cookie on your device. You can reset it at any time via "Cookie settings" in the footer.

If we are legally required to retain certain data for a longer period (e.g., for tax or accounting purposes), we will retain only the minimum data necessary for the specific legal obligation.

12. Data security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption in transit: All data is transmitted over HTTPS/TLS.
  • Password hashing: Passwords are securely hashed before storage — we never store passwords in plain text.
  • Secure session cookies: Authentication cookies use the Secure flag and are transmitted only over HTTPS.
  • Signed share links: PDF share links are protected with HMAC-SHA256 cryptographic signatures.
  • Rate limiting: API endpoints are protected against abuse through request rate limiting.
  • Access controls: Administrative access is restricted to authorized personnel only.

While we take all reasonable steps to protect your data, no method of electronic storage or transmission is 100% secure. If you believe your account has been compromised, please contact us immediately at contact@circleresume.com.

Data breach notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant data protection authority (ANSPDCP in Romania) within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR.
  • Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34 of the GDPR.
  • Document the breach, its effects, and the remedial actions taken.

We will also comply with any additional breach notification obligations under applicable local laws, including the CCPA/CPRA (California) and UK GDPR.

13. Your privacy rights

Depending on your location, you may have the following rights regarding your personal data. We honour these rights regardless of where you live, to the extent we are able.

European Union and EEA (GDPR)

If you are located in the European Union or the European Economic Area, the General Data Protection Regulation (GDPR) grants you the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you and information about how we process it.
  • Right to rectification — request correction of inaccurate or incomplete personal data (you can also update most data directly in your account settings).
  • Right to erasure — request deletion of your personal data, including by deleting your account.
  • Right to restrict processing — request that we limit how we process your data in certain circumstances (for example, while we verify its accuracy).
  • Right to data portability — receive your personal data in a structured, commonly used, machine-readable format, or request that we transfer it to another controller where technically feasible.
  • Right to object — object to processing based on our legitimate interests; we will cease processing unless we have compelling legitimate grounds.
  • Right to withdraw consent — withdraw consent at any time where processing is based on consent (for example, analytics cookies). Withdrawal does not affect the lawfulness of prior processing.
  • Right to lodge a complaint — lodge a complaint with a data protection authority. Our lead supervisory authority is the ANSPDCP (Romania). You may also contact your local EU/EEA authority.

You may exercise these rights using the methods described under How to exercise your rights below, or by emailing legal@circleresume.com.

United Kingdom (UK GDPR)

If you are located in the United Kingdom, the UK GDPR provides you with rights equivalent to those under the EU GDPR, including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Right to withdraw consent
  • Right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk

You may exercise your UK GDPR rights using the methods described under How to exercise your rights below, or by emailing legal@circleresume.com. We do not currently appoint a separate UK representative.

United States

If you are a resident of the United States, your privacy rights depend on the state in which you live. Many state laws — including the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), and laws in Virginia, Colorado, Connecticut, Utah, Texas, and other states — provide rights such as:

  • Right to know / access — request information about the personal data we collect, use, and disclose about you, and obtain a copy.
  • Right to delete — request deletion of your personal data, including by deleting your account.
  • Right to correct — request correction of inaccurate personal data (you can also update most data directly in your account settings).
  • Right to opt out of sale or sharing — we do not sell or share your personal data for cross-context behavioural advertising; no opt-out action is required.
  • Right to limit use of sensitive personal information — we do not use sensitive personal information for purposes beyond providing the Platform.
  • Right to non-discrimination — we will not discriminate against you for exercising your privacy rights.
  • Right to appeal — where your state law provides it, you may appeal our decision on a privacy request by replying to our response or contacting us.

You may exercise these rights using the methods described under How to exercise your rights below. For additional U.S.-specific disclosures, see Section 21.

The following table summarises the same rights by applicable law:

RightDescriptionApplicable laws
Right of accessRequest a copy of the personal data we hold about you and information about how we process it.GDPR, UK GDPR, CCPA/CPRA
Right to rectificationRequest correction of inaccurate or incomplete personal data. You can also update most data directly in your account settings.GDPR, UK GDPR, CCPA/CPRA
Right to erasure (deletion)Request deletion of your personal data. You can delete your account directly from your account settings. Your access is revoked immediately; permanent removal of resumes, cover letters, avatars, exported PDFs, and issue report screenshots is completed through an automated background process, typically within minutes and no later than 24 hours.GDPR, UK GDPR, CCPA/CPRA
Right to data portabilityRequest your personal data in a structured, commonly used, and machine-readable format, or request that we transfer it to another controller.GDPR, UK GDPR
Right to restrict processingRequest that we limit how we process your personal data in certain circumstances (e.g., while we verify accuracy).GDPR, UK GDPR
Right to objectObject to processing based on our legitimate interests. We will cease processing unless we have compelling legitimate grounds.GDPR, UK GDPR
Right to withdraw consentWithdraw consent at any time where processing is based on your consent (e.g., analytics). Withdrawal does not affect the lawfulness of prior processing.GDPR, UK GDPR, CCPA/CPRA
Right to opt out of sale/sharingWe do not sell or share your personal data. No opt-out action is required, but you may contact us to confirm.CCPA/CPRA
Right to non-discriminationWe will not discriminate against you for exercising any of your privacy rights (e.g., by denying service, charging different prices, or providing inferior service).CCPA/CPRA
Right to lodge a complaintYou have the right to lodge a complaint with a data protection authority. In Romania, this is the ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal). In the EU/EEA, you may find your local authority. In the UK, you may contact the ICO. If you are located elsewhere, you may contact your local data protection authority.GDPR, UK GDPR

How to exercise your rights

You can exercise your rights by:

  • Self-service: Edit or delete your data directly in your account settings, including deleting your entire account. Account deletion closes your access immediately; full data erasure completes shortly thereafter via a background process. You can also download a JSON export of your personal data from account settings — see Personal data export below for details.
  • Email: Send a request to contact@circleresume.com with your name, email address, and a description of the right you wish to exercise.

We will respond to your request within 30 days. If we need additional time (up to 60 additional days for complex requests), we will inform you within the initial 30-day period. We may need to verify your identity before fulfilling your request.

Personal data export

From your account settings (Privacy & Data), you can download a machine-readable JSON file containing the personal data we hold about you. This self-service export helps you exercise your right of access and your right to data portability under the GDPR and equivalent laws.

Included in the export:

  • Account profile (name, email, email verification status, profile image URL, account creation and update dates)
  • Resumes and cover letters (full document content)
  • Editor preferences and tutorial settings
  • Feedback you have submitted
  • Issue reports you have submitted
  • Avatar metadata (URLs and ordering — not the image files)
  • PDF export job metadata (timestamps, document type, share link status — not the PDF files themselves)
  • Subscription summary from Polar (status, product, billing period dates — not payment card details)
  • Connected sign-in providers (e.g., Google — provider name and linked account ID only)

Not included in the export:

  • Passwords (stored only as secure hashes — never exported or disclosed)
  • Session tokens and authentication credentials
  • Payment card numbers and full billing details (managed independently by Polar)
  • Avatar image files and generated PDF files (metadata and URLs are included; binary files are stored separately)

Exports are limited to one download per hour per account to prevent abuse. The file is delivered as a .json download in your browser. For invoices, payment methods, and full billing records, use the billing portal in your account settings or contact Polar directly.

If the self-service export does not meet your needs, or you need data in a different format, contact us at contact@circleresume.com.

14. Children's privacy

The Platform is not directed to individuals under the age of 18. We do not knowingly collect personal data from children or minors under 18 years of age.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at contact@circleresume.com. We will promptly investigate and delete the data if confirmed. If we learn that we have collected personal data from a person under 18, we will delete that data without undue delay. This is consistent with our obligations under the GDPR (EU), UK GDPR, and other applicable laws. In the United States, the Children's Online Privacy Protection Act (COPPA) applies to children under 13; our Platform is not directed to children under 18 and we do not knowingly collect data from minors.

15. De-identified and aggregate data

We may create de-identified (anonymised) or aggregated data from personal data by removing information that makes the data personally identifiable. Such data is no longer considered personal data under applicable laws.

We may use de-identified data for internal analytics, improving our services, and other lawful business purposes. We commit to maintaining and using such information in de-identified form and will not attempt to re-identify it.

For example, we may look at aggregated onboarding trends — such as which countries users select, how they heard about us, and what goals they choose — to improve CircleResume and understand whether the product is meeting user needs. This is strictly for our own internal use. We do not sell, rent, or share this information with advertisers, data brokers, or any other third party, and we do not use it to build individual advertising profiles about you (see Section 4).

16. Automated decision-making, profiling, and AI features

CircleResume does not use automated decision-making or profiling that produces legal or similarly significant effects on you.

We do not analyse your personal data to create profiles, make predictions about your behaviour, or make automated decisions that affect your access to our services. All decisions regarding your account (such as subscription management) are based on objective criteria (e.g., payment status) and are not the result of automated profiling. This disclosure is made in accordance with Article 22 of the GDPR and equivalent provisions under UK GDPR.

Note on AI rewriting features. The AI rewrite feature available to Pro subscribers is a user-initiated, assistive tool. It does not make any automated decisions about you, your account, or your access to the Platform. It simply generates a suggested rewrite of document text that you have voluntarily selected and submitted. You retain full control over whether to accept, modify, or discard any AI-generated suggestion. No profiling or automated decision-making within the meaning of Article 22 GDPR occurs in connection with this feature.

For the AI rewrite feature, the third-party AI model provided by OpenAI processes only the text you explicitly submit via the rewrite button. It does not have access to your account information, identity, subscription status, or any other personal data beyond the text of the section being rewritten.

Note on the document import feature. Importing a resume or cover letter from a PDF is likewise a user-initiated, assistive tool. It does not make any automated decision about you, your account, or your access to the Platform; it only converts a file you choose to upload into editable text that you review and control. Because the purpose of the feature is to reproduce your document, the full text extracted from the file you upload — including any personal data it contains — is processed by our extraction providers (LlamaIndex and OpenAI) for that limited purpose, as described in Section 5. No profiling or automated decision-making within the meaning of Article 22 GDPR occurs in connection with this feature.

17. Business transfers

If CircleResume is involved in a merger, acquisition, reorganisation, sale of assets, or bankruptcy, your personal data may be transferred as part of that transaction. In such event, we will notify you via email and/or a prominent notice on the Platform before your personal data is transferred and becomes subject to a different privacy policy. The acquiring entity will be required to honour the commitments made in this Policy or obtain your separate consent for any materially different processing.

19. Disclosure required by law

We may disclose your personal data if required to do so by law, or if we believe in good faith that such action is necessary to: (a) comply with a legal obligation, court order, or governmental request; (b) protect and defend our rights or property; (c) prevent or investigate possible wrongdoing in connection with the Platform; (d) protect the personal safety of users of the Platform or the public. Where legally permitted, we will make reasonable efforts to notify you before disclosing your data.

20. Do-Not-Track signals

Some browsers include a "Do Not Track" (DNT) feature that sends a signal to websites requesting that your browsing activity not be tracked. Because there is no universally accepted standard for how to respond to DNT signals, we do not currently respond to them. However, our analytics are already consent-based: we do not load analytics technologies unless you explicitly consent via our cookie banner. This means that your privacy preferences are respected regardless of your browser's DNT setting.

21. Additional disclosures for U.S. residents

a) California

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information:

  • Categories of personal information collected: Identifiers (name, email, IP address), internet activity (page views, browser type), professional information (employment history, education — only as entered by you in your resume), and inferences (none — we do not create profiles or inferences about you).
  • Sale of personal information: We do not sell your personal information.
  • Sharing for cross-context behavioural advertising: We do not share your personal information for cross-context behavioural advertising.
  • Sensitive personal information: We do not intentionally collect sensitive personal information as defined by the CCPA/CPRA. Your resumes may contain information you choose to include; we do not use such information for purposes other than providing the document creation service.
  • Shine the Light (Cal. Civ. Code § 1798.83): We do not share personal information with third parties for their direct marketing purposes.

b) Other U.S. states

Several other U.S. states have comprehensive consumer privacy laws, including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and Texas (TDPSA), with more taking effect over time. If you are a resident of such a state, you have rights comparable to those described in Section 13 — including the rights to access, correct, and delete your personal data, and to opt out of its sale or of targeted advertising.

As stated in Section 4, we do not sell your personal data, do not share it for targeted or cross-context behavioural advertising, and do not use it for profiling that produces legal or similarly significant effects (see Section 16). You may exercise any of your rights, regardless of your state, using the methods described in Section 13. We do not discriminate against you for exercising these rights. Where your state grants a right to appeal a decision on your request, you may do so by replying to our decision or contacting us at legal@circleresume.com.

22. Changes to this policy

We may update this Privacy policy from time to time to reflect changes in our practices, technologies, or legal requirements. The updated version will be indicated by the "Last updated" date at the top of this page.

If we make material changes that significantly affect how we process your personal data, we will notify you by reasonable means (such as a notice on the Platform or an email to the address associated with your account) before the changes take effect. We encourage you to review this Policy periodically.

23. Contact us

If you have any questions, concerns, or requests regarding this Privacy policy or our data practices, please contact us:

Operator (data controller): Florentin-Cristian Dumitrache, trading as Dumitrache Florentin-Cristian Persoană Fizică Autorizată (PFA)

Address: 188 Iuliu Maniu Boulevard, 061124, Bucharest, Romania

Trade Register: Trade Register of Bucharest (Registrul Comerțului București), registration no. F40/3777/2022

CUI (Tax ID): 46679040

Privacy & data protection inquiries: legal@circleresume.com

General inquiries: contact@circleresume.com

Full company registration details are also available on our Company details page. We aim to resolve all privacy-related inquiries within 30 days of receipt.