Privacy Policy

Effective March 20, 2026

Overview

ResumeShareIQ helps job seekers share resumes via tracked links and understand who engaged with their documents. This policy explains what data we collect, how we use it, and how we protect it.

Data We Collect

From registered users (you):

  • Account information: name, email, and password (hashed with bcrypt)
  • Profile details you choose to add: title, phone, LinkedIn, GitHub, and other social links
  • Resume files you upload (stored in Supabase Storage)
  • Subscription and billing data processed by Stripe (we never store card numbers)

From resume viewers (recruiters, hiring managers):

  • Engagement signals: page views, dwell time, scroll depth, link clicks, downloads, and copy events
  • Device metadata: screen size, browser, operating system, language, timezone
  • Approximate location derived from IP address (city, region, country)
  • Organization name derived from IP enrichment (e.g. company network identification)
  • A hashed version of the IP address for returning-visitor detection. We do not store raw IP addresses in our database
  • Browser fingerprint data (via Fingerprint) for bot detection, returning-visitor identification, and fraud prevention. Raw fingerprint identifiers are hashed before long-term storage

How We Use Your Data

  • Provide resume hosting and tracked sharing links
  • Generate engagement analytics and AI-powered insights for resume owners
  • Send email notifications about resume views (configurable)
  • Detect bots and fraudulent traffic to ensure data accuracy
  • Process payments and manage subscriptions via Stripe
  • Improve the service through aggregated, anonymized analytics

Third-Party Services

We use the following services to operate ResumeShareIQ:

  • Supabase: Database hosting and file storage for resume PDFs
  • Upstash Redis: Session tracking and real-time analytics (data expires based on your plan's retention period)
  • Stripe: Payment processing (see Stripe's privacy policy for details)
  • Resend: Transactional email delivery
  • Fingerprint: Bot detection and returning-visitor identification using browser fingerprinting
  • Vercel: Application hosting and edge network

We do not sell your data to any third party. Data shared with these services is limited to what is necessary for their specific function.

IP Address & Company Detection

When someone views a resume, we use their IP address to determine approximate geographic location and organizational affiliation (e.g. “viewed from Google LLC in Mountain View, CA”). This helps resume owners understand who is engaging with their documents.

Raw IP addresses are processed server-side and hashed before storage. We retain a salted SHA-256 hash for returning-visitor detection but do not store the original IP address in our database. Organization names are derived from publicly available IP registry data.

Data Retention

  • Free plan: Engagement data retained for 3 days
  • Pro plan: Engagement data retained for 90 days
  • Telemetry data: Raw and derived telemetry (engagement analytics, fingerprint data, visitor signals) is automatically deleted after 90 days regardless of plan
  • Account data: Retained until you delete your account
  • Resume files: Deleted when you remove them or delete your account

When you delete your account, we remove all associated data including resume files, tracking sessions, notifications, and subscription records.

Cookies

We use essential cookies only: a session cookie for authentication and, for admin users, an impersonation cookie for support purposes. We do not use advertising or third-party tracking cookies.

Your Rights

You can:

  • Access and download your data from the Settings page
  • Update or correct your profile information at any time
  • Delete your account and all associated data from Settings > Danger Zone
  • Export your analytics data as CSV (Pro plan)

For data requests or privacy concerns, contact us at the email listed on our website.

Security

We protect your data with industry-standard practices: passwords are hashed with bcrypt, all connections use HTTPS/TLS, API keys and secrets are stored as environment variables (never in code), and database access is restricted to authorized server-side operations only.

Changes to This Policy

We may update this policy as we add features or change how we handle data. Significant changes will be communicated via email to registered users. The effective date at the top of this page indicates when the policy was last updated.