Privacy Policy

Last updated: March 12, 2026

1. Data Controller

Rezme ("we", "us", "our") is the data controller responsible for your personal data.

Contact Information:

For users in the European Union, we process your data in compliance with the General Data Protection Regulation (GDPR) and applicable national data protection laws.

2. Data We Collect

We collect the following categories of personal data:

Account Data:

  • Email address
  • Password (encrypted/hashed)
  • Account creation date
  • Subscription status and history

Profile Data:

  • Full name
  • Phone number (optional)
  • Location/address (optional)
  • Professional summary
  • Work experience history
  • Education history
  • Skills and competencies
  • Languages spoken
  • Projects and achievements
  • Certifications
  • Profile picture (optional)

Usage Data:

  • Log data (IP address, browser type, pages visited)
  • Feature usage patterns
  • CV generation history
  • Application tracking data

Device & Security Data:

  • Device fingerprint (a unique identifier generated from your browser and device characteristics)
  • IP address at registration, login, and payment
  • User agent (browser type and version)
  • Terms of Service acceptance timestamp and IP address

Payment Data (processed by Stripe):

  • We do not store your payment card details
  • Stripe processes and stores payment information
  • We receive transaction confirmations and subscription status

3. How We Use Your Data

We process your personal data for the following purposes:

Service Delivery:

  • Creating and managing your account
  • Generating customized CVs using AI
  • Tracking your job applications
  • Providing customer support

Service Improvement:

  • Analyzing usage patterns to improve features
  • Debugging and fixing technical issues
  • Developing new features

Communications:

  • Sending transactional emails (password reset, verification)
  • Service updates and announcements
  • Marketing communications (with your consent)

Legal Compliance:

  • Responding to legal requests
  • Enforcing our terms of service
  • Fraud prevention and security
  • Device fingerprinting to detect multi-account abuse and payment fraud
  • IP address logging for chargeback dispute evidence (Visa Compelling Evidence 3.0)
  • Payment card fingerprint tracking to detect card reuse across accounts

We process your data based on the following legal grounds:

Contract Performance (Article 6(1)(b)):

  • Account creation and management
  • CV generation services
  • Subscription and billing

Legitimate Interests (Article 6(1)(f)):

  • Service improvement and analytics
  • Security and fraud prevention
  • Customer support
  • Device fingerprinting and IP logging for fraud prevention and chargeback defense

Consent (Article 6(1)(a)):

  • Marketing communications
  • Optional features and integrations
  • Cookies (non-essential)

Legal Obligation (Article 6(1)(c)):

  • Tax and accounting requirements
  • Responding to legal requests

5. Data Sharing and Recipients

We share your data with the following categories of recipients:

AI Processing - OpenAI:

  • Purpose: CV content generation and customization
  • Data shared: Profile information, job descriptions
  • Location: United States
  • Safeguards: Standard Contractual Clauses (SCCs)

Payment Processing - Stripe:

  • Purpose: Processing subscription payments
  • Data shared: Email, payment information
  • Location: United States
  • Safeguards: Standard Contractual Clauses, PCI-DSS compliance

Email Services - Resend:

  • Purpose: Transactional and service emails
  • Data shared: Email address, name
  • Location: United States
  • Safeguards: Standard Contractual Clauses

We do not sell your personal data to third parties.

6. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States.

For transfers to the United States:

  • We use Standard Contractual Clauses (SCCs) approved by the European Commission
  • We conduct Transfer Impact Assessments where required
  • We implement supplementary technical measures (encryption, pseudonymization)

We ensure that any international transfer of your data is subject to appropriate safeguards in accordance with GDPR Chapter V.

7. Data Retention

We retain your data for the following periods:

Active Accounts:

  • Account and profile data: Until you delete your account
  • Generated CVs: Until you delete them or your account
  • Usage logs: 90 days

After Account Deletion:

  • Backup data: Up to 30 days
  • Anonymized analytics: Indefinitely
  • Legal/tax records: As required by law (typically 5-7 years)

Fraud Prevention Data (retained under legitimate interest — GDPR Article 6(1)(f)):

  • Device fingerprints, IP addresses, and user agent logs: 18 months from collection (chargeback dispute window)
  • Payment card fingerprints: 18 months from last transaction
  • Terms of Service acceptance records (timestamp, IP): 7 years (legal requirement)
  • This data is retained even after account deletion to defend against fraudulent chargeback claims and comply with payment processor requirements

Inactive Accounts:

  • We may delete accounts inactive for more than 24 months after notification

8. Your Rights (GDPR)

Under GDPR, you have the following rights:

Right of Access (Article 15):

  • Request a copy of your personal data
  • Understand how we process your data

Right to Rectification (Article 16):

  • Correct inaccurate personal data
  • Complete incomplete data

Right to Erasure (Article 17):

  • Request deletion of your personal data
  • "Right to be forgotten"

Right to Restriction (Article 18):

  • Limit how we process your data

Right to Data Portability (Article 20):

  • Receive your data in a structured format
  • Transfer data to another service

Right to Object (Article 21):

  • Object to processing based on legitimate interests
  • Object to direct marketing

Rights Related to Automated Decision-Making (Article 22):

  • Not be subject to solely automated decisions
  • Request human review of AI-generated content

To exercise your rights:

  • Use the account settings in your dashboard
  • Contact us at privacy@rezme.dev
  • We will respond within 30 days

9. Cookies and Tracking

Our use of cookies is minimal:

Strictly Necessary Cookies:

  • Authentication tokens (localStorage)
  • Session management
  • Security features
  • Device fingerprint (generated once, stored locally for fraud prevention)

Third-Party Cookies (Stripe):

  • Fraud prevention cookies set by Stripe during checkout
  • These are necessary for payment security

We do NOT use:

  • Analytics cookies (e.g., Google Analytics)
  • Marketing/advertising cookies
  • Social media tracking pixels

Since we only use strictly necessary cookies, we do not require cookie consent under the ePrivacy Directive. However, we inform you of cookie usage in this policy.

For more details, please see our Cookie Policy at /cookies.

10. Children's Privacy

Our Service is not intended for children under 16 years of age.

We do not knowingly collect personal data from children under 16. If we discover that we have collected data from a child under 16 without parental consent, we will delete it promptly.

If you believe we have collected data from a child under 16, please contact us at privacy@rezme.dev.

11. Security Measures

We implement appropriate technical and organizational measures to protect your data:

Technical Measures:

  • Encryption of data in transit (HTTPS/TLS)
  • Encryption of sensitive data at rest
  • Secure password hashing (PBKDF2)
  • Regular security updates and patches

Organizational Measures:

  • Access controls and authentication
  • Employee security training
  • Incident response procedures
  • Regular security assessments

Despite our efforts, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security but will notify you of any breaches as required by law.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.

We will notify you of material changes by:

  • Posting the updated policy on our website
  • Sending an email notification
  • Displaying a notice in the application

The "Last updated" date at the top indicates when the policy was last revised. Your continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact and Complaints

For privacy-related inquiries:

Data Protection Authority: If you are in Poland, you have the right to lodge a complaint with:

UODO (Urząd Ochrony Danych Osobowych), ul. Stawki 2, 00-193 Warszawa, https://uodo.gov.pl

For other EU countries, you may contact your local data protection authority.

EU Online Dispute Resolution: https://ec.europa.eu/consumers/odr/