Skip to main content
StackedResume
Log inGet Started

Privacy Policy

Privacy Policy

Effective June 12, 2026

This Privacy Policy explains how Stacked Resume ("Stacked Resume," "we," "us," or "our"), a product of 117 Projects, LLC, collects, uses, shares, retains, and protects your information when you visit stackedresume.com (the "Site"), create an account, build a résumé, or subscribe to a paid plan (collectively, the "Service"). We do not sell or share your personal information for cross-context behavioral advertising, and we use the information you give us only to provide, secure, and improve the Service.

Stacked Resume is a résumé-building tool. By its nature, much of what you enter is personal: your name, contact details, and work history. We treat that content as yours and handle it accordingly. This Policy should be read together with our Terms of Use.

1. Information we collect

Account information

  • Email address (used to sign you in and to contact you about your account)
  • Password: stored only as a salted hash by our authentication provider. We never see or store your plain-text password. Sign-in uses email and password only; we do not offer social or single sign-on login.
  • An optional display name

Résumé content you create

When you build a résumé, you choose what to enter. This typically includes:

  • Your full name, phone number, email address, city/location, and links (such as LinkedIn, GitHub, or a portfolio)
  • Work experience: job titles, employers, locations, dates, and accomplishments
  • Education: schools, degrees, fields of study, dates, and (optionally) GPA
  • Projects, skills, certifications, summaries, and any other content you add to a section

You control this content and can edit or delete it at any time from your dashboard. Please include only information you are comfortable storing with us and exporting to PDF.

Résumé files you upload

You can upload an existing résumé (PDF or Word document) to import or scan it. We store the uploaded file in our file storage, extract its text so you can edit it, and let you run an AI analysis on it. You can delete an uploaded file at any time.

Job postings you add

For our ATS-match and résumé-tailoring features, you can paste or save a job description. We store it and use it to compare against, and tailor, your résumé.

Billing information

  • If you subscribe to a paid plan, payment is processed by Stripe. We never receive or store your full card number, security code, or bank details: those go directly to Stripe.
  • We store a Stripe customer ID, your plan and subscription status, the current billing-period end date, and whether a cancellation is scheduled — enough to give you the features you paid for.

Information collected automatically

  • IP address: held transiently and in memory only, to rate-limit requests and prevent abuse. We do not use it to build advertising profiles.
  • Basic device and browser information sent by your browser with each request.
  • Cookies: see Section 7.
  • Usage counters: we count how many PDF exports you have used in a period to enforce plan limits.
  • Export logs: when you export a résumé, we record that an export happened (which résumé, when, and which template) for quota and audit purposes.

Messages you send us

If you use our contact form, we collect the name, email, phone (if provided), inquiry type, and message you submit, so we can respond. The contact form is protected by Cloudflare Turnstile (see Section 4).

2. Categories of personal information, purposes, and legal bases

The table below summarizes the categories of personal information we process, why we process them, and — for users in the EEA and UK — the legal basis under the GDPR / UK GDPR. "Contract" means processing necessary to provide the Service you signed up for; "Legitimate interests" means securing, maintaining, and improving the Service; "Consent" means processing you opt into; and "Legal obligation" means processing required to comply with law.

  • Identifiers and account data (email, display name, hashed password) — to create and secure your account and to contact you about it. Legal basis: Contract; Legitimate interests.
  • Résumé content and uploaded files (name, contact details, work and education history, and any other content you add) — to store, render, analyze, and export your résumés. Legal basis: Contract; Consent for optional AI features.
  • Job descriptions you add — to run ATS matching and tailoring against your résumé. Legal basis: Contract; Consent.
  • Commercial and billing data (Stripe customer ID, plan, subscription status, period end) — to manage your subscription and unlock paid features. Legal basis: Contract; Legal obligation for tax and accounting records.
  • Internet and device activity (IP address, User-Agent, request metadata, usage counters, export logs) — to operate the Service, enforce plan limits, and prevent abuse. Legal basis: Legitimate interests; Legal obligation.
  • Communications (contact-form submissions and support messages) — to respond to and support you. Legal basis: Legitimate interests; Consent.

We do not knowingly collect special categories of sensitive personal information, and we ask that you not include them in your résumé content.

3. How we use your information

  • Provide the Service: store your résumés, render live previews, and generate PDF exports.
  • Authenticate you: keep you signed in securely.
  • Billing: start, manage, and renew your subscription, and unlock paid features.
  • Communicate with you: send account- and billing-related messages and respond to support requests. These are transactional, not marketing.
  • Protect the Service: rate limiting, bot detection, and abuse prevention.
  • Improve the Service: understand which features are used (in aggregate) and fix problems.
  • Power AI features: extract text from a résumé you upload, score your résumé against a job description (our ATS check), and generate review, rewrite, and tailoring suggestions. To do this we send the relevant content to Google's Gemini API (see Sections 4 and 6).
  • Comply with the law: meet tax, accounting, and other legal obligations.

We do not use your résumé content to train machine-learning models, and we do not sell or rent your personal information to anyone. When an AI feature sends your content to Google's Gemini API, that content is processed only to generate your result and, under the Gemini API terms, is not used to train Google's models (see Section 6).

4. Service providers (subprocessors) we share information with

Running the Service requires sharing limited information with the vendors below, each acting as our processor under contract. They may use your data only to provide their service to us, and none of them resell it. These are the only subprocessors that receive end-user data.

  • Supabase: hosts our database, authentication, and file storage; your account and résumé content live here (servers in the United States). supabase.com/privacy
  • Vercel: hosts and serves the Site and its functions. vercel.com/legal/privacy-policy
  • Stripe: processes subscription payments (PCI-DSS Level 1). We never see your card details. stripe.com/privacy
  • Browserless: a hosted headless-browser service that renders your résumé into a PDF when you export. To generate the PDF, the résumé you are exporting is sent to Browserless for rendering. The finished PDF is returned to you and is not stored on our servers. browserless.io/privacy
  • Resend: delivers transactional and contact-form email on our behalf. resend.com/legal/privacy-policy
  • Google (Gemini API): powers our AI features — résumé text extraction, ATS keyword matching, and review, rewrite, and tailoring suggestions. When you use one of these features, the relevant content (the résumé you are analyzing, any résumé file you upload for scanning, and/or the job description you provide) is sent to Google's Gemini API to generate the result. Google processes it as our service provider, and under the Gemini API terms this content is not used to train Google's models; servers in the United States. Google Privacy Policy · Gemini API Terms
  • Cloudflare Turnstile: invisible bot-detection on our contact form. To tell humans from bots, Turnstile inspects signals such as your IP address, a TLS fingerprint, and your browser's User-Agent; Cloudflare states it cannot directly identify individuals from these signals and does not use them for advertising. Use of Turnstile is subject to the Cloudflare Turnstile Privacy Addendum, incorporated here by reference: cloudflare.com/turnstile-privacy-policy/

If we ever enable optional analytics (for example, Google Analytics), we will update this Policy and the cookie list in Section 7 before doing so. We may also disclose information if required by law, to enforce our Terms, or to protect the rights, safety, or property of our users or the public. If we are ever involved in a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction, and we will notify you of any change in control or in how your information is handled.

5. PDF export and your data

When you export a résumé, it is sent to our rendering provider (Browserless) to be turned into a PDF, and the finished PDF is then delivered to you. We pass the data using a short-lived, signed link and do not retain the generated PDF on our servers. If you would prefer not to have your résumé rendered by a third-party browser service, simply do not use the PDF export feature.

6. AI features and your data

Several optional features use Google's Gemini API to process your content: résumé import/scan (extracting text from a file you upload), the ATS check (scoring your résumé against a job description), and AI review (suggested rewrites and tailoring). When you trigger one of these, the relevant content — the résumé being analyzed, an uploaded résumé file, and/or the job description you provide — is sent to Google's Gemini API to generate the result, which is returned to you and saved to your account. Under the Gemini API terms, this content is not used to train Google's models. To keep these features fast and to reduce cost, the generated result (which may include your résumé content) may be stored in a cache keyed by a one-way hash of the input, so an identical input can reuse the result. This cache is keyed by content, not by your account, and is not used to identify you. Cached entries are automatically deleted within 30 days, and when your account is deleted we also proactively purge the cached extractions of any files you uploaded. These features are optional — if you prefer not to send your content to Google, simply do not use them.

AI output can be inaccurate or incomplete, and an ATS score is an estimate, not a guarantee. You are responsible for reviewing AI-generated content before relying on it, as described in our Terms of Use.

7. Cookies, Do Not Track, and Global Privacy Control

We use only a small number of cookies, and none of them are advertising cookies:

  • Authentication cookies (first-party, set by Supabase, names beginning sb-) keep you securely signed in. They are set only after you log in and are cleared when you log out.
  • Cloudflare Turnstile cookies: set briefly during the bot-check when you submit the contact form.

We do not currently use analytics or marketing cookies. If that changes, we will update this section first. Because we do not track you across third-party sites or serve targeted advertising, there is no cross-site tracking to disable. We honor browser-based Do Not Track (DNT) and Global Privacy Control (GPC) signals to the extent they apply, but since we do not sell or share personal information for cross-context behavioral advertising, these signals do not change how we handle your data.

8. Email

  • We send transactional email related to your account and subscription (for example, a password reset you request, or a billing notice).
  • We do not send marketing newsletters at this time. If we introduce them, every marketing email will include an unsubscribe link and you can opt out at any time.

9. Your privacy rights

Everyone

Wherever you live, you can:

  • Access and edit your résumé content directly from your dashboard
  • Request a copy of the personal information we hold about you
  • Delete your account and all associated data yourself, at any time, from your Account settings (or ask us to)
  • Contact us with any privacy question (Section 15)

California residents (CCPA / CPRA)

If you are a California resident, you have the right to know what personal information we collect and how we use it, to request a copy, to request deletion, to correct inaccurate information, and to opt out of any "sale" or "sharing" of your personal information. We do not sell or share your personal information for cross-context behavioral advertising, and we have not done so in the preceding 12 months. We will not discriminate against you for exercising any of these rights.

For transparency, in the past 12 months:

  • Categories collected: identifiers (such as email and display name); résumé and uploaded-file content; commercial/billing information (Stripe customer ID, plan, status); and internet or other electronic network activity (IP address, User-Agent, usage counters, export logs).
  • Disclosed for a business purpose: the categories above are disclosed only to the subprocessors listed in Section 4, each under contract and only to provide the Service to us.
  • Sold or shared: none. We do not sell or share any category of personal information.

You may use an authorized agent to make a request on your behalf; we will ask for proof of authorization and may still verify your identity directly.

EEA / UK residents (GDPR / UK GDPR)

If you are in the European Economic Area or the United Kingdom, you have the rights of access, rectification, erasure, restriction, portability, and objection, and the right to lodge a complaint with your supervisory authority. Our legal bases for processing are described in Section 2: performance of a contract, legitimate interests, consent (where we ask for it, including for optional AI features), and legal obligation. Where we rely on consent, you may withdraw it at any time without affecting prior processing.

How to exercise your rights

To exercise any right, contact us (Section 15) from the email address on your account. To protect your data, we will verify your identity — generally by confirming you control the account email — before acting on a request. We will respond within the time required by applicable law (generally within 30 days, and up to 45 days where the law permits an extension for complex requests, in which case we will tell you). There is no fee for a reasonable request. Many actions, including full account deletion, can be completed instantly by you from your Account settings.

10. International data transfers

We are based in the United States and our providers process data in the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S. Where required, transfers of personal data from the EEA or UK rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, which our major providers (including Supabase, Vercel, Stripe, and Google) maintain. You may request more information about these safeguards using the contact details in Section 15.

11. Data retention and deletion

We keep personal information only for as long as we need it for the purposes described in this Policy, and then delete or anonymize it. Our retention schedule:

  • Account and résumé content: kept for as long as your account is active. You can delete individual résumés and sections at any time from your dashboard.
  • Uploaded files: kept until you delete them or delete your account.
  • Cached AI results (from résumé scans, ATS checks, and AI review): keyed by a hash of the input content rather than by your account, not used to identify you, and automatically deleted within 30 days.
  • Billing and tax records: retained as required by law (for example, Stripe billing and tax records), even after account deletion.
  • Rate-limit data: held in memory only and not stored long-term.
  • Export and audit logs: retained for a limited period for quota enforcement and security.

You can delete your entire account yourself at any time from your Account settings (or ask us to). Deletion removes your résumé content, uploaded files, and account data, proactively purges the cached extractions of your uploaded files, and cancels any active subscription immediately (with no refund for the remainder of the period), except for limited records we are legally required to keep.

12. Security and breach notification

We use HTTPS everywhere, encryption at rest at our database provider, hashed passwords, row-level security so users can only access their own data, signed and time-limited tokens for PDF rendering, signature-verified billing webhooks, and rate limiting on public endpoints. No system is perfectly secure; if you believe your account has been compromised, please contact us immediately and change your password.

If we ever become aware of a data breach affecting your personal information, we will notify affected users and the relevant authorities as required by applicable law, and we will describe the nature of the incident and the steps we are taking in response.

13. Children's privacy

The Service is intended for job seekers and is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us personal information, contact us and we will delete it.

14. Changes to this Policy

We may update this Policy from time to time. Material changes will be reflected by a new "Effective" date at the top of this page, and where appropriate we will provide additional notice (for example, by email or an in-app notice). We encourage you to review this Policy periodically. Your continued use of the Service after a change takes effect constitutes acceptance.

15. Contact us

Questions, requests, or concerns about your privacy? We're happy to help.

Related

This Privacy Policy was prepared as a good-faith starting point and has not been reviewed by legal counsel. Stacked Resume is a product of 117 Projects, LLC. We recommend consulting an attorney before relying on it for formal compliance.