Last updated: July 1, 2026
This policy describes how ResumesFlow handles information in the current application: accounts, resumes, resume import, AI tools, cover letters, job tracking, PDF export, billing, emails, analytics, admin tools, Redis-backed queues, and worker processing.
ResumesFlow is a resume and career-document platform. The service includes account registration, email verification, login sessions, resume editing, encrypted resume storage, cover letters, job tracking, PDF export, optional AI review and rewrite, optional resume import, PayPal billing, and admin operations.
Saved resume JSON is encrypted at rest using AES-256-GCM fields in the database. Resume reads and PDF export decrypt resume content server-side only after session and ownership checks. PDF export uses a server-side browser to render an authenticated print page and may forward session cookies to that local render flow.
Cover letter content and job notes are stored with the app's sensitive-text encryption format. Resume titles, template IDs, timestamps, download logs, and AI review analysis are stored as database metadata.
Resume import supports PDF and DOCX files. The upload route validates file size, MIME type, extension, PDF/DOCX structure, suspicious filenames, encrypted/password-protected files, macro markers, ZIP compression behavior, and page or text limits. Scanned image-only PDFs may fail because OCR is not part of the current importer.
The Secure Resume Text Extractor V1 extracts readable text for review. By itself, that extractor does not auto-fill resume fields and does not create a resume automatically. Smart Import is a separate guided flow that can structure extracted text and save approved sections only after you choose to prepare and apply them.
Accepted files are written to a private temporary directory and processed by the resume import worker or configured fallback. Temporary files are deleted after extraction, failure, cancellation, deletion, or stale cleanup. Extracted text and structured import data are encrypted in Redis job state. Extracted text expires automatically when the import job TTL runs out. The status API returns extracted text only to the authenticated job owner when text is ready.
Smart Import is available only to paid plans and admins. It can use deterministic parsing and local AI to structure extracted text and suggest section merges. Approved import sections are saved only after user action; save-as-copy is supported, and applying to an existing resume checks ownership.
AI features are optional and user-triggered. AI Review loads and decrypts an owned saved resume, creates a Redis review job, may process it through the AI worker, calls local Ollama AI infrastructure where configured, with server-side validation, deterministic fallbacks, and safety checks, validates the result, and stores the final review analysis on the resume. Review jobs expire from Redis.
AI Rewrite sends the selected field text and nearby context you provide to the local AI service, validates the suggestion against the original evidence, and stores temporary job results in Redis. Rewrite usage also creates an AI usage log with user/IP metadata for plan limits.
AI logs are designed to avoid raw prompts, resume text, or AI output content. They may include route, model, endpoint, duration, success/failure, error type, content length, thinking length, and evaluation counts.
Payments are handled through PayPal. The app stores payment and subscription metadata needed to verify access, issue receipts, process webhooks, cancel renewal, reactivate subscriptions, and maintain billing records. We do not store full card numbers.
PayPal client approvals are not trusted by themselves. The server verifies PayPal order/subscription status, ownership through custom IDs, configured plan IDs, amount, and currency where applicable before changing a user plan.
We use transactional email for account verification, password reset, welcome messages, payment receipts, subscription cancellation/reactivation, renewal reminders, review notifications, and support-related messages. Email content may include verification codes, reset links, masked PayPal IDs, plan names, billing amounts, and billing dates.
We use cookies and similar technologies for NextAuth sessions, security checks, CSRF/origin protections, preferences such as theme, PayPal checkout, Google reCAPTCHA, and Google Analytics. NextAuth sessions use JWT cookies with a 30-day max age in current configuration.
We do not sell resume content. We share or process information with service providers and systems needed to operate the product:
The application uses session checks, owner filters, CSRF/origin validation on many unsafe routes, rate limits, Redis load guards, encrypted resume storage, sensitive-text encryption for cover letters/job notes, private upload storage, role-based admin access, CEO-only sensitive admin routes, PayPal server verification, file validation, sanitization, and admin audit logging.
No service can guarantee absolute security. Known operational metadata, payment metadata, logs, Redis payloads, and backups must still be treated as sensitive.
Account content is kept while your account is active. Temporary import and AI job records expire automatically. Payment records, download logs, AI usage logs, admin audit logs, security logs, and encrypted backups may be retained for security, fraud prevention, tax/accounting, debugging, legal, and disaster recovery needs.
You can update account profile information, export account data where available, delete individual resumes, delete import jobs, and request account deletion subject to authentication, subscription, payment-record, security-log, legal, and backup-retention limits.
ResumesFlow is not intended for children under 13. Users under the legal age in their location should use the service only with parent or guardian consent. The service may be operated from the United States and other locations where infrastructure and providers operate.
We may update this Privacy Policy when the service changes. The latest version will show a new “Last updated” date. For privacy questions or requests, contact [email protected]. For general support, use the contact page.