Privacy Policy

1. Data controller

The data controller responsible for your personal data is:

IRIXSOFT LTD
A company registered in England and Wales
Email: support@resuvia.com

If you have any questions or concerns about how we handle your personal data, or if you wish to exercise any of your data protection rights, please contact us using the details above.

2. Information we collect

2.1 Account information

When you create an account, we collect your email address for authentication purposes. We use passwordless magic-link authentication, which means we do not collect or store passwords. You may optionally provide a display name, which is stored alongside your account.

2.2 Resume and career data

When you build, edit, or import a resume, we store all content you provide. This includes but is not limited to your full name, email address, phone number, location, work experience (job titles, companies, dates, descriptions), education history, skills, certifications, languages, projects, volunteer experience, references, professional summary, and any custom sections you create. This data is stored securely in our database and is accessible only to you through your authenticated account.

2.3 Cover letters

When you generate cover letters using our AI features, the generated content is stored in our database and associated with the corresponding resume and your account.

2.4 Payment information

Payment processing is handled entirely by our third-party payment processor, Stripe. We do not collect, store, or have access to your full credit or debit card number, CVV, or card expiry date at any point. We do store your Stripe customer identifier and subscription identifier in our database to manage your plan status, process upgrades and cancellations, and reconcile payments.

2.5 Usage and technical data

We automatically collect certain technical and usage information when you interact with the Service, including:

• Pages visited and features used within the Service
• Timestamps of interactions and API requests
• AI operation logs, including the type of operation performed, token counts, and estimated cost, used for internal monitoring and fair-use enforcement
• Browser type, device type, operating system, and screen resolution (collected via Google Analytics)
• IP address (anonymised where possible)
• Referring URL and landing page

2.6 Cookies and similar technologies

We use cookies and similar technologies to maintain your authentication session and to analyse usage patterns. For full details on the cookies we use, their purposes, and how to manage them, please see our Cookie Policy.

3. How we use your data

We process your personal data for the following purposes:

• Providing the Service: to create and manage your account, store and display your resume data, generate exports (PDF, DOCX, TXT), and deliver the core functionality of the Service
• Authentication: to send magic-link emails for secure, passwordless sign-in
• AI-powered features: to process your resume content through third-party artificial intelligence services for features including resume tailoring, quality scoring, ATS compatibility analysis, inline content rewrites, AI-generated suggestions, cover letter generation, and resume import from uploaded documents
• Payment processing: to manage your subscription or one-time purchase, process payments, issue receipts, and handle cancellations via Stripe
• Transactional communications: to send you essential emails such as magic-link authentication links and payment receipts
• Service improvement: to analyse aggregate, anonymised usage patterns to improve the Service, fix bugs, and develop new features
• Security and abuse prevention: to detect and prevent fraudulent activity, enforce our Terms of Service, and protect the integrity of our infrastructure

We do not sell, rent, or trade your personal data to any third party for marketing, advertising, or any other commercial purpose. We do not use your resume content or personal information for advertising or targeted marketing.

4. Legal basis for processing

Under UK GDPR, we process your personal data on the following legal bases:

• Performance of a contract (Article 6(1)(b)): processing necessary to provide you with the Service you have signed up for, including account management, resume storage, AI features, and export functionality
• Legitimate interests (Article 6(1)(f)): processing necessary for our legitimate interests, including service improvement, security monitoring, fraud prevention, and internal analytics, where these interests are not overridden by your rights and freedoms
• Consent (Article 6(1)(a)): where we rely on your consent for specific processing activities such as analytics cookies, we will obtain your explicit consent before processing and you may withdraw consent at any time
• Legal obligation (Article 6(1)(c)): where we are required by law to process or retain certain data, such as financial records for tax and accounting purposes

5. AI processing and third-party services

Several features within the Service rely on third-party artificial intelligence services to function. When you use AI-powered features such as resume tailoring, quality scoring, ATS analysis, inline content rewrites, AI suggestions, cover letter generation, and resume import, your resume content, and where applicable the job description you provide, is transmitted to third-party AI service providers for processing.

This data is transmitted securely, used solely to generate the requested output, and is not stored by the AI service provider for model training, improvement, or any purpose beyond delivering the immediate response. We select AI providers that maintain appropriate data handling and security practices.

We do not disclose the specific AI providers or models used, and we reserve the right to change providers at any time to improve service quality, reduce costs, or enhance performance, without prior notice.

6. Third-party services

We use the following categories of third-party services to operate the Service. Each service processes data in accordance with its own privacy policy:

• Payment processing: Stripe processes all payment transactions, manages subscriptions, and handles card details on our behalf. Stripe is PCI DSS Level 1 certified. See Stripe's Privacy Policy.
• AI service providers: third-party AI services process your resume content to power AI features as described in Section 5 above
• Email delivery: a third-party SMTP service delivers transactional emails such as magic-link authentication links on our behalf
• Analytics: Google Analytics collects anonymised usage data to help us understand how the Service is used and identify areas for improvement. See Google's Privacy Policy.

7. International data transfers

Our primary database infrastructure is currently hosted on servers located in the United Arab Emirates. Your personal data may also be processed by third-party service providers located in different jurisdictions, including the United States and the European Economic Area.

Where personal data is transferred outside the United Kingdom, we ensure that appropriate safeguards are in place to protect your data in accordance with UK GDPR. These safeguards may include adequacy decisions by the UK Secretary of State, Standard Contractual Clauses (SCCs), or other legally recognised transfer mechanisms.

8. Data storage and security

Your data is stored in a PostgreSQL database hosted on secure virtual private server infrastructure. We implement the following security measures to protect your data:

• Encryption in transit (HTTPS/TLS) for all connections between your browser and our servers
• HTTP security headers including Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, and strict Referrer-Policy
• Permission restrictions on browser APIs (camera, microphone, geolocation disabled)
• Secure, HttpOnly session cookies that cannot be accessed by client-side scripts
• Rate limiting on authentication endpoints and API routes to prevent brute-force attacks and abuse
• Webhook signature verification for all incoming Stripe webhook events
• Access to the database and server infrastructure is restricted to authorised personnel only

While we take commercially reasonable steps to protect your personal data, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security of your data.

9. Data retention

We retain your personal data for as long as your account remains active and for as long as necessary to fulfil the purposes described in this policy.

• Active accounts: your account data, resume content, cover letters, and associated data are retained for as long as your account exists
• Account deletion: if you request deletion of your account, we will permanently remove all your personal data, resume content, cover letters, and associated records from our systems within 30 days of your request. Some anonymised, aggregate data that cannot be used to identify you may be retained indefinitely for analytics purposes.
• Payment records: transaction records and invoices may be retained for up to 7 years after the transaction to comply with UK tax and accounting obligations
• Security logs: authentication logs and security-related records may be retained for up to 12 months for security monitoring and abuse prevention

10. Your rights under UK GDPR

If you are located in the United Kingdom or the European Economic Area, you have the following rights in relation to your personal data:

• Right of access: you have the right to request a copy of the personal data we hold about you
• Right to rectification: you have the right to request correction of any inaccurate or incomplete personal data
• Right to erasure: you have the right to request deletion of your personal data, subject to certain legal exceptions
• Right to data portability: you have the right to receive your personal data in a structured, commonly used, and machine-readable format
• Right to restrict processing: you have the right to request that we limit the processing of your personal data in certain circumstances
• Right to object: you have the right to object to the processing of your personal data where we rely on legitimate interests as the legal basis
• Right to withdraw consent: where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal

To exercise any of these rights, please contact us at support@resuvia.com. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

If you are not satisfied with our response or believe we are processing your data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:

Information Commissioner's Office
Website: ico.org.uk
Telephone: 0303 123 1113

11. Children's privacy

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at support@resuvia.com and we will take steps to delete such data from our systems.

12. Data breach notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach, as required by UK GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, providing details of the breach and the steps we are taking to address it.

13. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "last updated" date at the top of this page. We encourage you to review this policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

14. Contact us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data handling practices, please contact us:

IRIXSOFT LTD
Email: support@resuvia.com