Legal

Privacy
Policy

Last updated: April 2026  ·  Effective immediately

Who we are

RoastMyResume ("we", "us", "our") is an online service that provides AI-powered resume critique. Our website is located at roasttheresume.com. For privacy questions, contact us at privacy@roasttheresume.com.

What data we collect

We collect only what's necessary to provide the service:

• First name — optionally provided by you. Used only to personalise your AI-generated critique. Not stored beyond the duration of your request.
• Email address — collected at payment, used to send your Stripe receipt. We do not add you to any marketing list without your explicit consent.
• Resume text — submitted by you for analysis. This is transmitted to Anthropic's API to generate your critique. We do not store your resume text in our database. It exists in memory only for the duration of your request.
• Payment information — handled entirely by Stripe. We never see or store your card number, expiry, or CVV. We only receive a payment confirmation and your email from Stripe.
• IP address — temporarily stored in our rate-limiting system (Redis) for up to 1 hour to prevent abuse of the free service. Not linked to your identity and not retained.
• Roast output — the AI-generated critique is cached for 24 hours against your payment reference, so you can retrieve it if your browser closes unexpectedly. It is automatically deleted after 24 hours.

How we use your data

• To generate your resume critique using Anthropic's Claude AI
• To process your payment via Stripe and send you a receipt
• To prevent abuse of the free mini-roast feature
• To temporarily cache your paid roast result for 24 hours

We do not use your data for advertising, profiling, or any purpose beyond delivering the service you paid for.

Third parties we share data with

We use the following third-party services to operate:

• Anthropic — your resume text and first name are sent to Anthropic's API to generate your critique. Anthropic processes this under their Privacy Policy. Anthropic states they do not use API inputs to train their models by default.
• Stripe — your email and payment details are processed by Stripe under their Privacy Policy. Stripe is PCI-DSS Level 1 certified.
• Upstash — provides the Redis database we use for rate limiting (IP addresses) and temporary caching of roast results. Data is stored on Upstash's infrastructure and governed by their Privacy Policy.
• Vercel — hosts our website and serverless functions. All requests pass through Vercel's infrastructure. Vercel processes this under their Privacy Policy.
• jsDelivr CDN — we load two open-source JavaScript libraries (Marked.js and DOMPurify) from jsDelivr's content delivery network. When these load in your browser, your IP address and standard request headers are sent to jsDelivr's servers. jsDelivr's privacy policy is available at jsdelivr.com.

We do not sell your data. We do not use advertising networks or tracking services.

Cookies

We use minimal cookies. Specifically:

• Cookie consent preference — if you accept the cookie notice, a single cookie (rmr_cookie_consent) is stored locally to remember your choice for 365 days. It contains no personal data. If you decline, no cookie is set.
• Stripe.js — Stripe's JavaScript library is loaded only when you initiate payment. It may set a cookie for fraud prevention, which is strictly necessary for processing your transaction. This cookie is set by Stripe, not by us, and is governed by Stripe's Privacy Policy.

We do not use Google Analytics, Facebook Pixel, or any other tracking or advertising cookies. All fonts are self-hosted — no requests are made to Google or other third-party font services.

Legal basis for processing (GDPR)

If you are in the European Economic Area, UK, or another jurisdiction that requires a legal basis, we process your data under the following grounds:

• Contract performance (Article 6(1)(b) GDPR) — processing your resume text and generating your critique is necessary to deliver the service you requested.
• Legitimate interest (Article 6(1)(f) GDPR) — rate-limiting by IP address to prevent abuse. The data is minimal, non-identifying, and retained for no more than 1 hour.
• Consent (Article 6(1)(a) GDPR) — for the cookie consent preference cookie, which is set only if you accept the cookie notice.

Your rights

Depending on where you live, you may have the right to:

• Request access to any personal data we hold about you
• Request deletion of your data
• Object to processing of your data
• Lodge a complaint with your local data protection authority (EU/UK users: your national DPA)

Since we retain minimal data, most requests can be fulfilled simply by contacting us. For email deletion requests, email us at privacy@roasttheresume.com from the address you used at purchase.

Data retention

• Resume text: Not stored. Deleted immediately after API response.
• Roast output: Cached 24 hours, then auto-deleted.
• IP addresses: Stored in rate-limiting cache for 1 hour, then auto-deleted.
• Email address: Retained by Stripe for receipt and tax purposes per their policy. We do not hold a separate copy.

Children's privacy

This service is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has submitted data, contact us and we will delete it.

International transfers

Our service uses infrastructure hosted in the United States (Vercel, Anthropic, Upstash). By using this service, you consent to your data being processed in the US. We rely on Anthropic and Stripe's standard contractual clauses for EU/UK data transfers where applicable.

Changes to this policy

We may update this policy from time to time. The "last updated" date at the top will always reflect the current version. Continued use of the service after changes constitutes acceptance.