Cookie & Storage Policy
Last updated: 30 May 2026.
Update on 30 May 2026 (later same day): added Google Analytics 4 to the analytics tier (gated through the same consent toggle as our other analytics tools), and corrected omissions of Vercel Speed Insights, Vercel Web Analytics, Ahrefs Web Analytics, and Intercom Messenger from the earlier rewrite.
This policy explains exactly what Resimay stores on your device when you use our website (resimay.ai) and our optional Chrome extension. We have broken it down by purpose so you can see what is required to make Resimay work, what is optional, and what you can turn off.
1. The short version
On the Resimay website:
- We set three secure cookies to keep you signed in and protect your account.
- We store a few small items in your browser’s localStorage so unsaved work (resume drafts, builder progress) survives a page reload.
- We load PostHog, Vercel Web Analytics, and Google Analytics 4 for product analytics, all controlled by a single “Analytics” toggle in the cookie banner (section 2c explains how each one behaves before you make a choice).
- We load Google reCAPTCHA (bot protection on signup), Stripe (payment checkout), and Intercom Messenger (support chat). Each sets its own cookies when its script runs.
- Our hosting platform (Vercel) sets a small number of operational cookies for security and reliability, plus Vercel Speed Insights and Ahrefs Web Analytics for site performance and SEO measurement (both cookieless, no visitor identity).
On the Chrome extension:
- The extension stores your sign-in tokens locally on your device using Chrome’s built-in extension storage API (chrome.storage.local).
- It also stores a small list of recently-saved jobs and your floating Save button position. It does not store your resume content.
We do NOT use advertising cookies. We do NOT sell your data. We do NOT participate in ad networks or cross-site behavioural tracking.
You can remove everything at any time. See “How to clear it all” in section 5.
2. Cookies and storage on the Resimay website
2a. Strictly necessary (cannot be turned off)
Without these the site does not work. Under the EU and UK cookie rules (the ePrivacy Directive and PECR, read alongside GDPR) these qualify as “strictly necessary,” meaning we are not legally required to ask for consent, but we still list them here so you know exactly what is on your device.
| Name | Type | Set by | Lifetime | Purpose |
|---|---|---|---|---|
| accessToken | httpOnly cookie | Resimay backend | 15 minutes | Proves to our API who you are on each request. Cannot be read by JavaScript. |
| refreshToken | httpOnly cookie | Resimay backend | 7 days | Used to get a new accessToken so you do not have to sign in every 15 minutes. Path-scoped to /api/auth/* only, so the browser never sends it on regular API calls. |
| oauth_state_nonce | httpOnly cookie | Resimay backend | 10 minutes | Protects the Google/GitHub sign-in flow against cross-site request forgery (CSRF): its value is compared with the state value the provider sends back. Set when you click “Sign in with Google” or “Sign in with GitHub,” cleared the moment you return. |
| user | localStorage | Resimay frontend | Until sign-out | Cached copy of your name, email, and plan tier so the dashboard does not have to re-fetch on every page load. No passwords or sensitive data. |
| rl:builder-* keys | localStorage | Resimay frontend | Until sign-out or manual clear | Resume builder drafts, your last selected template, your current step in the builder flow. Lets unsaved work survive a refresh. |
| _vcrcs and similar | Cookies | Vercel (our hosting platform) | Session to short-term | Bot protection and platform reliability. Set automatically when you visit the site. We do not read these; Vercel uses them for their own security checks. |
| Vercel Speed Insights | Cookieless (no data stored in your browser) | Vercel | n/a | Measures Core Web Vitals (page load speed, layout stability) from real users so we can fix slow pages. No cookies, no visitor identity, no cross-page correlation. Runs on every page. |
| Ahrefs Web Analytics | Cookieless (no data stored in your browser) | Ahrefs | n/a | Pairs with the Ahrefs SEO toolkit so we can see which search queries bring people to the site. No cookies, no personal data. Runs on every page. |
2b. Functional (improves the experience, no tracking)
| Name | Type | Lifetime | Purpose |
|---|---|---|---|
| Job-tracker demo data on /tools/job-tracker | localStorage | Until manual clear | Stores the demo job-tracker data when you use the free demo at /tools/job-tracker without signing up. Real accounts store this in our database, not your browser. |
| UX-state flags (paste-prompt dismissals, “bullets applied” timestamp, chunk-reload marker) | localStorage / sessionStorage | Varies | Remembers when you have dismissed certain prompts. None of these contain personal data. |
2c. Analytics (third-party)
We use three analytics services, and they behave differently before you make a choice:
- Vercel Web Analytics is gated behind the “Analytics” toggle in the cookie banner: if you decline analytics or have not yet interacted with the banner, it does not load at all.
- Google Analytics 4 loads on every visit so Google’s tag-detection and Real-Time view can verify the tag works. Its starting state depends on your region. In the EEA, UK, and Switzerland, where GDPR / UK GDPR / Swiss FADP require prior consent, GA4 starts in the Google Consent Mode v2 “denied” state: no cookies are set, and only aggregated, cookieless consent-denied pings (used for modelling) are sent until you accept. Outside those regions (United States, Canada outside Quebec, Australia, and other regions where opt-out is the legal standard), GA4 loads with full tracking on first paint and the _ga cookie is set. In either case, clicking Decline in the cookie banner immediately revokes tracking and stops further cookies; clicking Accept All keeps (or turns on) full tracking.
- PostHog also loads on every visit, but your identity (user ID, email) is only tied to events after you consent. Anonymous browsing produces anonymous events.
To deny all three: click Decline in the cookie banner, or open Manage Preferences and turn the Analytics toggle off before saving. To opt out later, clear the rl_consent entry in browser storage (see section 5); the banner reappears so you can pick again. For the most reliable opt-out across all sites, use browser-level tracker protection (Firefox Enhanced Tracking Protection, Brave Shields, Safari ITP, or a privacy extension like uBlock Origin).
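The region-dependent starting state for GA4 described above is expressed with Google Consent Mode’s `gtag('consent', 'default', ...)` calls, which can carry a `region` list of ISO 3166-2 codes; a later `gtag('consent', 'update', ...)` reflects the banner choice. The block below is an added illustration, not Resimay’s code: it records gtag calls in a small shim instead of loading Google’s script, and resolves which default applies to a region the way Google documents it (the most specific matching region wins). The region list, the banner wiring, and the resolver are assumptions.

```javascript
// Added example (not Resimay's code). Consent Mode v2 defaults gated by region,
// with a recording gtag shim so the call sequence can be inspected offline.

// Regions where prior consent is required: EEA (EU-27 plus IS, LI, NO), UK,
// Switzerland and Quebec. ISO 3166-2 codes, as Google's `region` key expects.
// Assumed list; keep it in step with your legal review.
const CONSENT_REQUIRED_REGIONS = [
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU',
  'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES',
  'SE', 'IS', 'LI', 'NO', 'GB', 'CH', 'CA-QC',
];

// Google's snippet defines gtag() as `dataLayer.push(arguments)`. This shim
// keeps the calls in an array instead so tests can read them back.
function makeGtag() {
  const calls = [];
  function gtag() { calls.push(Array.from(arguments)); }
  gtag.calls = calls;
  return gtag;
}

// Must run BEFORE gtag('config', ...). A general default (granted: opt-out
// regions) and a region-specific default (denied) that overrides it wherever
// the visitor's region is in the list. Ad signals are denied everywhere.
function installConsentDefaults(gtag) {
  const noAds = { ad_storage: 'denied', ad_user_data: 'denied', ad_personalization: 'denied' };
  gtag('consent', 'default', { ...noAds, analytics_storage: 'granted' });
  gtag('consent', 'default', { ...noAds, analytics_storage: 'denied', region: CONSENT_REQUIRED_REGIONS });
}

// Banner outcome (Accept All / Decline / toggle) -> consent update.
function applyBannerChoice(gtag, accepted) {
  gtag('consent', 'update', { analytics_storage: accepted ? 'granted' : 'denied' });
}

// 'DE' matches 'DE' and 'DE-BY'; 'CA-QC' matches only Quebec.
function regionMatches(entry, region) {
  return entry === region || region.startsWith(entry + '-');
}

// Resolve analytics_storage for a visitor region from the recorded calls:
// the last update wins; otherwise the most specific matching default applies.
function effectiveAnalyticsStorage(gtag, region) {
  let bestSpecificity = -1;
  let value = 'denied';
  let updated = null;
  for (const [cmd, action, params] of gtag.calls) {
    if (cmd !== 'consent' || !params || !('analytics_storage' in params)) continue;
    if (action === 'update') { updated = params.analytics_storage; continue; }
    if (action !== 'default') continue;
    let specificity = 0; // no region key: applies everywhere
    if (params.region) {
      const match = params.region.find((r) => regionMatches(r, region));
      if (!match) continue;
      specificity = match.split('-').length; // 'DE' -> 1, 'CA-QC' -> 2
    }
    if (specificity > bestSpecificity) { bestSpecificity = specificity; value = params.analytics_storage; }
  }
  return updated ?? value;
}
```

In production the resolver is Google’s tag, not this shim; what the page controls is the order of the calls (defaults before config) and replaying the stored choice, the rl_consent entry in this site’s case, as an update on every subsequent page load.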
| Service | What it does | What it sets |
|---|---|---|
| PostHog | Product analytics. Helps us see which features get used, where users get stuck, and which buttons are confusing. | Cookies typically named ph_<PROJECT_KEY>_posthog and entries in browser localStorage. |
| Vercel Web Analytics | Pageviews and referrer data so we know which traffic sources work. | Hashed visitor IDs (no persistent cookies on most plans). |
| Google Analytics 4 | Same pageview-and-session data as Vercel but in Google’s ecosystem, mainly for marketing-channel attribution. | Cookies typically named _ga and _ga_<PROPERTY_ID> (used to count unique visitors and sessions). |
How we have these configured (PostHog specifically):
- We mask all <input>/<textarea>/<select> values in session recordings, so your resume text, contact info, cover letters, job notes, and interview transcripts are never captured.
- We scrub auth tokens and one-time tokens out of recorded URLs before any event ships to PostHog. ?token=... and OAuth fragments never appear in our analytics.
- We only identify you to PostHog after you have consented. Anonymous browsing stays anonymous.
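The URL-scrubbing step is the part of that list most easily got wrong, because analytics libraries capture the current URL and the referrer automatically. The block below is an added example, not Resimay’s code: it redacts sensitive query values, drops OAuth-style fragments while keeping ordinary anchors, and hooks into posthog-js through its `sanitize_properties` option. The list of sensitive parameter names, the `$current_url` / `$referrer` property names, and the posthog-js option names are assumptions to verify against the posthog-js version you run.

```javascript
// Added example (not Resimay's code). Scrubs tokens out of URLs before
// analytics events leave the browser. Key list and posthog-js option names
// are assumptions; check them against your posthog-js version.

// Query/fragment keys whose values must never reach a third party.
const SENSITIVE_KEYS = new Set([
  'token', 'access_token', 'refresh_token', 'id_token', 'code', 'state',
  'nonce', 'session_state', 'reset_token', 'magic_link',
]);

function isSensitive(key) {
  return SENSITIVE_KEYS.has(key.toLowerCase());
}

// Replace sensitive values in place; keeps the key so routes stay recognisable.
function redactParams(params) {
  for (const key of Array.from(params.keys())) {
    if (isSensitive(key)) params.set(key, 'REDACTED');
  }
}

// Returns the URL with sensitive query values replaced and any OAuth-style
// fragment (#access_token=...&id_token=...) dropped entirely. Plain anchors
// such as #faq are kept. Non-URL input is returned unchanged so the hook can
// never throw inside the analytics pipeline.
function scrubUrl(input) {
  let url;
  try { url = new URL(input); } catch { return input; }
  redactParams(url.searchParams); // searchParams is live: url.search updates too
  if (url.hash.length > 1) {
    const fragment = new URLSearchParams(url.hash.slice(1));
    if (Array.from(fragment.keys()).some(isSensitive)) url.hash = '';
  }
  return url.toString();
}

// Applied to every event's properties. Only URL-carrying properties are
// touched; everything else passes through untouched.
const URL_PROPERTIES = ['$current_url', '$referrer']; // assumed posthog-js property names
function scrubEventProperties(properties) {
  const out = { ...properties };
  for (const key of URL_PROPERTIES) {
    if (typeof out[key] === 'string') out[key] = scrubUrl(out[key]);
  }
  return out;
}

// posthog-js init options matching the three bullets above (option names as
// documented for posthog-js at time of writing; treat as an assumption).
const posthogOptions = {
  session_recording: { maskAllInputs: true },           // bullet 1
  sanitize_properties: (properties) => scrubEventProperties(properties), // bullet 2
  // bullet 3: posthog.identify(...) is only called after the user accepts analytics
};
```

Redacting rather than deleting the key keeps the page path and the fact that a token was present, which is usually what you want for funnel analysis, without the value ever leaving the browser.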
You can change your analytics choice anytime by clearing the rl_consent entry in browser storage (see section 5), which makes the cookie banner reappear. We are also building a dedicated privacy-controls panel in the dashboard for one-click opt-out.
2d. Other third-party services (loaded on specific pages)
| Service | Loaded on | What it sets | Why we use it |
|---|---|---|---|
| Google reCAPTCHA v3 | /register (signup only) | _GRECAPTCHA cookie and related Google scripts | Stops bots from creating fake accounts. Without this the signup form would be drowning in spam within hours. |
| Stripe | Pricing checkout pages (only when you start a subscription or buy a Voice Pack) | __stripe_mid, __stripe_sid cookies | Processes your payment. Stripe is the payment processor; we never see or store your card number. |
| Intercom Messenger | Every page (the chat bubble in the bottom-right) | intercom-id-*, intercom-session-* cookies plus localStorage entries | Lets you message us for support and keeps your chat history attached to your account across visits. The widget loads on every page so the chat bubble is always available, but no message data is sent until you open the chat and type. |
Google reCAPTCHA, Stripe, and Intercom each operate under their own privacy policies. See our Privacy Policy for the full list of subprocessors.
3. Chrome extension storage
If you have installed the optional Resimay Chrome extension, it uses Chrome’s built-in extension storage. This is NOT cookies or website-localStorage; it is a separate Chrome API that is only accessible to the extension itself.
| Storage area | What we store | When it is cleared |
|---|---|---|
| chrome.storage.local (persistent) | Your sign-in tokens (so the extension can authenticate with our backend across browser restarts), a map of recently-saved job URLs, your floating Save button position, per-feature dismissals. | When you sign out of the extension, uninstall it, or manually clear extension data. |
| chrome.storage.session (in-memory) | A short-lived cache of your profile plus the tailored resume URL used for one-click autofill (typically under 60 seconds). | When you close your browser or sign out. |
Correction from prior versions of this policy: earlier wording suggested the extension stored auth tokens only in a “message channel.” That was misleading. Sign-in tokens ARE persisted in chrome.storage.local so the extension can stay signed in across browser restarts. We are documenting this accurately now.
To remove the extension and all its storage: go to chrome://extensions, find Resimay, click Remove.
4. What we do NOT use
- Advertising cookies or ad-network pixels (no Facebook Pixel, no Google Ads conversion tracking, no LinkedIn Insight Tag, no TikTok Pixel, etc.). We use Google Analytics 4 for analytics only; we do not run Google Ads campaigns or use Google’s remarketing/audience features.
- Cross-site behavioural tracking or audience-sharing across other vendors’ sites
- Selling your data to data brokers
- A/B testing platforms or other analytics outside the three named in section 2c
If we ever add anything that changes this, we will update this policy and tell you before the change goes live.
5. How to clear it all
Sign out of Resimay first: this clears your auth cookies and the user localStorage entry. Your draft builder data stays in localStorage so you do not lose work; clear browser data if you want that gone too.
Browser-level clear:
- Chrome / Edge: Settings → Privacy and security → Clear browsing data → check “Cookies and other site data” and “Cached images and files” → select “Last 24 hours” or “All time.”
- Firefox: Settings → Privacy & Security → Cookies and Site Data → Manage Data → search “resimay” → Remove Selected.
- Safari: Preferences → Privacy → Manage Website Data → search “resimay” → Remove.
Chrome extension: chrome://extensions → Resimay → Remove. Uninstalling clears all extension-scoped storage automatically.
6. Changes to this policy
We will update this page whenever we change what we store in your browser. The “Last updated” date at the top reflects the most recent material change. We do not track who reads this policy.
7. Contact
Questions about cookies, storage, or what we have on your device? Email us at [email protected].