Privacy Policy
Last updated: May 25, 2026 • Effective Date: January 1, 2026
Full Security Compliance Declaration
This document serves as our official privacy and security compliance register, outlining our certified systems and strict adherence to modern security regulations.
1. Data Encryption & Secure S3 Transport (Checklist #8)
To guarantee the security of candidate metrics and structural profiles, resume-builder.cv mandates end-to-end cryptographic shielding for all transactions:
- HTTPS Transport: All API telemetry and oRPC calls are transmitted over secure TLS 1.3/HTTPS sessions (Checklist #7).
- Secure WebSocket Export: PDF creation and browserless compilation are funneled through encrypted websocket sessions utilizing authorized gateway configurations.
- File Upload Isolation (Checklist #8): Files uploaded to S3-compatible endpoints are kept in private, non-public folders outside the web root.
- MIME-Type Checks: Strict server-side MIME-type and extension parsing prevent file injection or scripts from executing.
- UUID File Renaming: Every upload is automatically renamed with a cryptographic UUID, shielding original file details.
2. Data Isolation & Supabase RLS Barriers (Checklist #4)
Our database architecture is designed with tenant-level isolation boundaries. We enforce strict ownership verification on all state mutations, ensuring one candidate can never access another’s credentials:
- Supabase Row-Level Security: Every single table in our PostgreSQL database enforces active Row-Level Security (RLS) policies.
- Session Bound Checks (Checklist #4): The oRPC layer authorizes operations by matching active authenticated user sessions against record tenant IDs.
- No Wildcard Leakage: Shared links are cryptographically hashed and private portfolios are hidden until public portfolio link sharing is turned on.
3. Right to be Forgotten (GDPR & CCPA Provisions)
In compliance with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), we grant users absolute control over their personal data assets:
- Immediate Deletion: Users can trigger a profile deletion from their dashboard settings, purging all database rows in real-time.
- Purging LLM Content: When delete is requested, all resume parameters are permanently removed, ensuring AI engines retain zero historical context.
- No Model Training: In line with our security framework, all data processed through third-party LLM APIs utilizes zero-data-retention endpoints, meaning candidate information is never used for training.