Legal
Privacy Policy
Last updated: April 2026 · Effective immediately
Short version: We collect your email to send a receipt. Your resume text is sent to an AI to generate your critique and is not stored by us. We don't sell your data. Ever.
Who we are
RoastMyResume ("we", "us", "our") is an online service that provides AI-powered resume critique. Our website is located at roasttheresume.com. For privacy questions, contact us at privacy@roasttheresume.com.
What data we collect
We collect only what's necessary to provide the service:
- First name — optionally provided by you. Used only to personalise your AI-generated critique. Not stored beyond the duration of your request.
- Email address — collected at payment, used to send your Stripe receipt. We do not add you to any marketing list without your explicit consent.
- Resume text — submitted by you for analysis. This is transmitted to Anthropic's API to generate your critique. We do not store your resume text in our database. It exists in memory only for the duration of your request.
- Payment information — handled entirely by Stripe. We never see or store your card number, expiry, or CVV. We only receive a payment confirmation and your email from Stripe.
- IP address — temporarily stored in our rate-limiting system (Redis) for up to 1 hour to prevent abuse of the free service. Not linked to your identity and not retained.
- Roast output — the AI-generated critique is cached for 24 hours against your payment reference, so you can retrieve it if your browser closes unexpectedly. It is automatically deleted after 24 hours.
How we use your data
- To generate your resume critique using Anthropic's Claude AI
- To process your payment via Stripe and send you a receipt
- To prevent abuse of the free mini-roast feature
- To temporarily cache your paid roast result for 24 hours
We do not use your data for profiling or any purpose beyond delivering and improving the service.
Third parties we share data with
We use the following third-party services to operate:
- Anthropic — your resume text and first name are sent to Anthropic's API to generate your critique. Anthropic processes this under their Privacy Policy. Anthropic states they do not use API inputs to train their models by default.
- Stripe — your email and payment details are processed by Stripe under their Privacy Policy. Stripe is PCI-DSS Level 1 certified.
- Google Analytics (GA4) — we load Google Analytics for every visitor using Google's Consent Mode v2. By default it runs in cookieless mode: aggregate pings are sent to Google (your IP address is included, but no identifier is stored on your device). If you accept cookies, we enable full Google Analytics with standard first-party cookies so we can understand page views and funnel steps. Google processes this under their Privacy Policy.
- Reddit Pixel — if you accept cookies, we load a Reddit ad-conversion pixel so we can measure the effectiveness of our Reddit ads. Reddit processes this under their Privacy Policy.
- Upstash — provides the Redis database we use for rate limiting (IP addresses) and temporary caching of roast results. Data is stored on Upstash's infrastructure and governed by their Privacy Policy.
- Vercel — hosts our website and serverless functions. All requests pass through Vercel's infrastructure. Vercel processes this under their Privacy Policy.
- jsDelivr CDN — we load two open-source JavaScript libraries (Marked.js and DOMPurify) from jsDelivr's content delivery network. When these load in your browser, your IP address and standard request headers are sent to jsDelivr's servers. jsDelivr's privacy policy is available at jsdelivr.com.
We do not sell your data.
Cookies
We use minimal cookies. Specifically:
- Cookie consent preference — if you accept the cookie notice, a single cookie (rmr_cookie_consent) is stored locally to remember your choice for 365 days. It contains no personal data. If you decline, no cookie is set.
- Google Analytics — loaded for every visitor, but in cookieless mode by default (no cookies set, no client-side identifier stored). Google Analytics cookies that distinguish users and sessions are only set if you accept. No personal data is collected beyond anonymous usage metrics.
- Reddit Pixel — loaded only if you accept. Sets a cookie so Reddit can attribute conversions to our ads. No personal data is sent by us; Reddit may link activity to your Reddit account per their privacy policy.
- Stripe.js — Stripe's JavaScript library is loaded only when you initiate payment. It may set a cookie for fraud prevention, which is strictly necessary for processing your transaction. This cookie is set by Stripe, not by us, and is governed by Stripe's Privacy Policy.
All fonts are self-hosted — no requests are made to Google or other third-party font services.
Legal basis for processing (GDPR)
If you are in the European Economic Area, UK, or another jurisdiction that requires a legal basis, we process your data under the following grounds:
- Contract performance (Article 6(1)(b) GDPR) — processing your resume text and generating your critique is necessary to deliver the service you requested.
- Legitimate interest (Article 6(1)(f) GDPR) — rate-limiting by IP address to prevent abuse (retained for no more than 1 hour), and cookieless Google Analytics pings that send aggregate, non-identifying traffic signals to Google without storing anything on your device.
- Consent (Article 6(1)(a) GDPR) — for analytics and ad-measurement cookies (full Google Analytics cookies and the Reddit Pixel), which are only set if you accept the cookie notice.
Your rights
Depending on where you live, you may have the right to:
- Request access to any personal data we hold about you
- Request deletion of your data
- Object to processing of your data
- Lodge a complaint with your local data protection authority (EU/UK users: your national DPA)
Since we retain minimal data, most requests can be fulfilled simply by contacting us. For email deletion requests, email us at privacy@roasttheresume.com from the address you used at purchase.
Data retention
- Resume text: Not stored. Deleted immediately after API response.
- Roast output: Cached 24 hours, then auto-deleted.
- IP addresses: Stored in rate-limiting cache for 1 hour, then auto-deleted.
- Email address: Retained by Stripe for receipt and tax purposes per their policy. We do not hold a separate copy.
Children's privacy
This service is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has submitted data, contact us and we will delete it.
International transfers
Our service uses infrastructure hosted in the United States (Vercel, Anthropic, Upstash). By using this service, you consent to your data being processed in the US. We rely on Anthropic and Stripe's standard contractual clauses for EU/UK data transfers where applicable.
Changes to this policy
We may update this policy from time to time. The "last updated" date at the top will always reflect the current version. Continued use of the service after changes constitutes acceptance.