1. Encryption & credentials
All data in transit is protected with TLS. Passwords are never stored in plain text: they are hashed with bcrypt before storage. Session cookies are encrypted and signed (iron-session), marked Secure in production, and carry a SameSite attribute to defend against cross-site request forgery.
2. Access control
- Every API route that touches resume data verifies the session and checks that the resume belongs to the requesting user.
- Administrative pages and APIs require an authenticated session with the ADMIN role.
- Guest sessions are isolated: each guest gets a separate account that no other visitor can access.
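The ownership and role checks from section 2, together with the cookie attributes from section 1, written as an added example (not the service's own code) so the decision logic can be exercised without an HTTP server; the field names session.userId, session.role and resume.ownerId, and the status codes, are assumptions.

```javascript
// Added illustration of the access-control rules above; every branch
// defaults to deny, and only an explicit match returns ok: true.

// Route-level check for any API that touches resume data.
function authorizeResumeAccess(session, resume) {
  if (!session || !session.userId) return { ok: false, status: 401 }; // no verified session
  if (!resume) return { ok: false, status: 404 };                      // unknown resume id
  // Guest and regular accounts alike: the resume must belong to the caller.
  // Assumed choice: answer 404 rather than 403 so a caller cannot learn
  // whether a resume id they do not own exists.
  if (resume.ownerId !== session.userId) return { ok: false, status: 404 };
  return { ok: true };
}

// Check for administrative pages and APIs: authenticated AND role ADMIN.
function authorizeAdmin(session) {
  if (!session || !session.userId) return { ok: false, status: 401 };
  if (session.role !== "ADMIN") return { ok: false, status: 403 };
  return { ok: true };
}

// Cookie attributes matching section 1: Secure only in production,
// SameSite set, and HttpOnly so scripts cannot read the session cookie.
function sessionCookieOptions(nodeEnv) {
  return {
    httpOnly: true,
    secure: nodeEnv === "production",
    sameSite: "lax",
    path: "/",
  };
}

// Constructed sample accounts and a resume for a stand-alone run.
const alice = { userId: "u-1", role: "USER" };
const guest = { userId: "g-9", role: "GUEST" };   // isolated guest account
const admin = { userId: "u-0", role: "ADMIN" };
const aliceResume = { id: "r-1", ownerId: "u-1" };

console.log(authorizeResumeAccess(alice, aliceResume)); // { ok: true }
console.log(authorizeResumeAccess(guest, aliceResume)); // { ok: false, status: 404 }
console.log(authorizeAdmin(alice));                     // { ok: false, status: 403 }
console.log(sessionCookieOptions("production"));        // secure: true
```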
3. Data minimization
We collect only what the service needs: your resume content, an email for accounts, and minimal security logs. Imported files are parsed and discarded, not stored. Analytics run only with your explicit consent, with IP anonymization enabled. There are no advertising trackers.
4. Your controls
- Download a complete copy of your data at any time (Settings, Privacy & data).
- Delete your account and every associated record instantly, no support ticket needed.
- Withdraw analytics consent at any time from Settings or the footer.
- Submit access, erasure, correction, or objection requests at /data-requests.
5. Compliance
Our practices are designed to comply with India's Digital Personal Data Protection Act, 2023, including consent management (Section 6), Data Fiduciary obligations (Section 8), data principal rights (Sections 11 to 14), and breach notification duties. A Grievance Officer is appointed as required by the Act.
6. Reporting a vulnerability
Found a security issue? Email security@resumeux.com with details. We respond to security disclosures within 48 hours, fix verified issues promptly, and credit responsible disclosure. Please do not test against other users' data; use a test account.