Privacy Policy
This Privacy Policy explains how Resimay collects, uses, and protects your information when you use our service.
Last updated: 2026-04-25. Subject to review by legal counsel before public launch. See also our Cookies Policy and Terms of Service.
1. Introduction
Resimay is an AI-powered job application tracker and resume tailoring platform operated by Resimay Labs Inc. (“Resimay,” “we,” “us,” or “our”), a corporation incorporated in the Province of Ontario, Canada. By using Resimay, you agree to the collection and use of information as described in this policy.
Our service helps you track job applications, tailor your resume to specific job descriptions, and understand why you may be getting rejected, so you can improve your chances before your next application.
2. Information We Collect
We collect the following categories of information:
- Account information: email address and name provided at registration.
- Onboarding profile: target job title, experience level, career motivation, search timeline, primary goal, attribution source, and any hobbies/activities/interests you choose to share to make resumes more authentic.
- Resume content: the text of your resume(s) that you upload or paste into the platform.
- Uploaded documents: when you upload a resume, cover letter, transcript, portfolio, or other supporting document via the file-upload surface in your profile, the binary file is stored in a private storage bucket accessible only via authenticated backend requests scoped to your user account. Files are served back to you through authenticated routes on our domain; raw bucket URLs are never exposed publicly.
- Voice mock interview audio: when you start a voice mock interview session, your microphone audio is streamed to our backend, which relays it to our voice AI provider for real-time transcription and response generation. We do not retain the raw audio after the session ends; the session transcript (text only) is saved to your account so you can review the conversation and prep notes later.
- Job applications: job titles, company names, job descriptions, application status, and notes you enter about your applications. Includes job postings you save via the Resimay Chrome extension from third-party job boards (LinkedIn, Indeed, Glassdoor, and similar).
- Custom answer library: when you save a free-text answer to an application question (such as “Why are you interested in this role?”) through the Resimay Chrome extension, that question/answer pair is stored on your account so the extension can offer it on similar future questions. You can review, edit, and delete entries from this library at any time in your profile.
- AI-generated content tied to your account: tailored resumes, cover letter drafts, follow-up email drafts, rejection analyses, interview practice transcripts, Resume Coach conversations, and voice mock interview transcripts you generate using the Service.
- Technical data: IP address, browser type, device type, and session data collected automatically when you use the service.
- Usage data: which features you use, how often, and your in-app activity patterns (e.g., resume tailor count, streak data).
3. How We Use Your Information
We use your information to:
- Provide, operate, and maintain the Resimay service.
- Process your resume and job descriptions through AI to generate tailored content, keyword analysis, rejection insights, and follow-up drafts.
- Manage your account, billing (for Pro subscribers), and customer support.
- Improve and develop the product based on aggregated, anonymized usage patterns.
- Send you transactional emails (e.g., password reset, account notifications). We do not send marketing emails without your explicit consent.
4. AI Processing
Resimay uses two third-party AI processing providers to power its AI features. Each provider handles a different surface:
- Our primary AI provider: resume tailoring, cover letter drafts, rejection analysis, follow-up email drafts, the Resume Coach, the Interview Practice transcripts, and other long-form generation features inside the Resimay web app.
- Our voice and research AI provider: company research briefs, voice mock interview sessions, and the Resimay Chrome extension’s autofill assistance (open-ended question drafts and structured select/radio answer suggestions when the deterministic field matcher can’t confidently fill a field on its own).
When you use an AI feature, the relevant portion of your input is transmitted to the applicable provider's API for processing. Transmission is encrypted in transit. For web-app features, that input is typically your resume text and/or the job description. For the Chrome extension’s autofill assistance, the transmitted input is a narrow slice of your profile (name, headline, bio, top experience entries, skills, education) plus the specific question being asked and the job description scraped from the page you’re on. Sensitive profile fields (full address, phone, salary expectations, work authorization, visa sponsorship, and your custom Q&A library) are NOT sent to any AI provider for autofill suggestions.
We do NOT use your content to train AI models. Our AI providers' paid API terms prohibit using API inputs to train their models without explicit consent. Your data is used only to generate the specific output you requested.
4.1 Resimay Chrome Extension
The optional Resimay Chrome extension fills job application forms on supported ATS platforms (Greenhouse, Workday, Lever, Ashby, LinkedIn Easy Apply, and others) with the data already stored on your Resimay profile. The extension is opt-in and runs only when you click its Autofill button or the equivalent in-page trigger.
How it works
When you trigger autofill on an application page:
- The extension requests the autofill payload for your account from our backend. That payload is a slice of your profile (basic info, links, experience, education, certifications, autofill defaults, custom Q&A library) plus a link to your tailored or master resume if one exists.
- The extension matches the page’s form fields to your profile deterministically (label vectors, ARIA hints, ATS-specific selectors). When a match is confident, the field is filled silently. When the match is uncertain, a small confidence indicator (yellow ring) appears so you can review before submitting.
- For unmatched open-ended or multiple-choice questions, the extension can optionally request an AI suggestion (see Section 4.2 below). AI suggestions are shown to you for review and edit; nothing is sent to the form until you confirm.
- On non-Tier-1 sites (anything outside the known ATS list), the extension uses Chrome’s built-in per-site permission prompt the first time you try to autofill. We never run on a page without your explicit permission for that origin.
- The extension caches its autofill payload in browser-session memory for a short window (typically under 60 seconds) so a single autofill pass doesn’t re-fetch the data unnecessarily. The cache is wiped when you sign out or close the browser.
Capture prompt
If you manually fill a field that the extension could not match, after you submit the form the extension may surface a small prompt asking whether to save that value to your Resimay profile (e.g., a custom Q&A answer for “Why are you interested in this role?”). Nothing is stored without your explicit click. You can dismiss the prompt, and the extension will not ask about the same canonical field type again until you opt back in.
What the extension does NOT do
Resimay never auto-submits an application on your behalf. Every submission requires you to click the site’s submit button. The extension does not exfiltrate page content beyond what is necessary for matching (form field labels and surrounding context). It does not send keystrokes to a third party. It does not run on pages outside the approved ATS list without your explicit per-site grant.
4.2 Chrome Extension AI Assistance
The Resimay Chrome extension can suggest answers to open-ended ATS application questions (such as “Why are you interested in this role?”) and to select/radio multiple-choice questions that our deterministic matcher can’t confidently fill on its own. Two important protections apply:
- User-review gate. AI-suggested drafts and picks render inside a side panel for you to review and edit. Nothing reaches the actual application form until you explicitly click “Use this answer.” AI-touched fields are marked with a yellow indicator so you can review them at a glance before submitting. Resimay never auto-submits an application on your behalf.
- Demographic blocklist. Resimay’s autofill assistance will never generate or pick answers for voluntary self-identification questions about gender, race, ethnicity, Hispanic/Latino origin, veteran status, disability status, or age. Those answers are yours to give and yours alone. The blocklist is enforced both in the extension and on our backend so an AI answer cannot reach those fields even if a question phrasing slips past one layer.
For structured select/radio questions, the AI is constrained to pick exactly one option from the list the page provides. Our backend rejects any AI response that invents an option not in that list, so a hallucinated answer cannot reach you for review.
5. Third-Party Services
Resimay relies on the following trusted third-party sub-processors to operate:
- Primary AI provider: powers web-app AI features (resume tailoring, cover letters, rejection analysis, follow-up emails, Resume Coach, Interview Practice). Your resume text and job descriptions are sent to this provider’s API for generation. This provider contractually does not use API inputs to train its models.
- Voice and research AI provider: powers company research briefs, the voice mock interview, and the Chrome extension’s autofill assistance (open-ended drafts + structured select picks; demographic-blocklisted per Section 4.1). A narrow slice of your profile plus the specific question and job description are sent to this provider’s API for generation. This provider’s paid API terms prohibit using API inputs to train their models.
- Managed PostgreSQL database provider: your account data, job applications, resumes, and AI outputs are stored in an encrypted PostgreSQL instance hosted by our database provider.
- Application hosting provider: runs the Resimay backend API and scheduled jobs (data purge, job-board refresh).
- Frontend hosting and edge provider: hosts the Resimay web application and serves static assets. If you consent to analytics, this provider also captures cookieless, aggregate page-view and performance metrics (no PII).
Each sub-processor has its own privacy policy. We select providers with strong data protection commitments and review that list periodically.
Sub-processor changes
If we add a new sub-processor that will process your personal data, we will notify you at least 30 days in advance via email or an in-app announcement so you have an opportunity to object before the change takes effect.
6. International Data Transfers
Resimay Labs Inc. is incorporated in Ontario, Canada, but some of the sub-processors listed above are headquartered in the United States and may store or process your data on servers outside of Canada and the European Economic Area. Specifically:
- Primary AI provider: AI inference happens on United States infrastructure.
- Voice and research AI provider: AI inference happens on globally distributed infrastructure (primarily United States).
- Database hosting: your database project is hosted in a region we select at provisioning time (currently United States); the operator can migrate between regions as infrastructure requirements change.
- Frontend hosting and edge: frontend edge and analytics infrastructure is distributed globally, including the United States.
All transfers are encrypted in transit (TLS 1.2 or higher). Where GDPR applies, we rely on each provider's published Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms. By using Resimay you consent to your data being transferred to, stored in, and processed in these jurisdictions. If this is a concern for you, please do not upload sensitive content and contact us at [email protected] to discuss alternatives.
7. Data Retention
Your account data is retained for as long as your account is active. If you delete your account (in-app or by written request), all associated personal data (your profile, master resume, job applications, tailored resumes, rejection analyses, cover letters, and interview sessions) is permanently purged from our primary database within 30 days by an automated cleanup job.
Anonymized, aggregated usage statistics (e.g., keyword match rates for a given job title) may be retained indefinitely as they cannot be used to identify you, and only when you explicitly opted in (see Section 11, Global Insights). Encrypted backups held by our database provider for disaster recovery retain deleted rows for up to 7 days before rotating out automatically; those backups are not queryable by the Resimay application and cannot be used to restore individual records on request.
8. Data Security
We take reasonable technical and organizational measures to protect your personal data:
- Encryption in transit. All data flowing between you, Resimay, and our sub-processors is protected by TLS 1.2 or higher. Browsers are pinned to HTTPS-only access via HSTS with a two-year max-age, includeSubDomains, and HSTS preload.
- Encryption at rest. Your data is encrypted at rest in our database using AES-256 (provided by our managed database provider).
- Password storage. Passwords are never stored in plaintext. We hash them with argon2id (the current OWASP-recommended password key derivation function) using OWASP-recommended cost parameters. We do not see or retain your plaintext password at any point: not in logs, not in backups, not in memory beyond the milliseconds it takes to verify and discard.
- Token handling. Web-app authentication tokens (access and refresh JWTs) are issued as httpOnly cookies, which the browser refuses to expose to JavaScript. This blocks the most common token-theft path (cross-site scripting). Access tokens are short-lived (typically 15 minutes); long-lived refresh tokens can be revoked instantly when you sign out or change your password.
- Access controls. Database access is restricted to a minimal set of authenticated service roles, with row-level security policies enforcing per-user data isolation so one account cannot read another account's data.
- Backups. Encrypted backups are retained by our database provider for up to 7 days for disaster recovery and rotate out automatically.
Data breach notification
If we discover a security incident affecting your personal data, we will notify you within 72 hours of confirming the breach via email and an in-app notice. The notification will describe what happened, what data was involved, and what steps we are taking in response.
What we cannot defend against
No web service can protect against a compromised device. If malware or spyware is running on your computer with administrator privileges, it can read browser data and tokens regardless of any application-layer protection. The same exposure applies to your bank, your email, and your password manager. We strongly recommend keeping your operating system and browser up to date, avoiding browser extensions you don't fully trust, and treating account-recovery emails as sensitive (so an attacker who briefly accesses your email cannot trivially take over your Resimay account).
No security system is perfect. While we use industry-standard practices, we cannot guarantee absolute security of any data transmitted online.
9. Your Rights
You have the right to:
- Access & portability: download a machine-readable JSON copy of every piece of your personal data at any time from the account settings menu (“Export my data”), or request one by email.
- Correction: update your profile, master resume, and application records in-app at any time, or request correction of data you cannot change yourself.
- Deletion (erasure): delete your account in-app from the settings menu. Your data is purged within 30 days as described in Section 7.
- Objection & restriction: ask us to stop processing your data for a specific purpose (e.g., opt out of Global Insights).
- Complaint: lodge a complaint with your local data-protection authority. In Canada that is the Office of the Privacy Commissioner (priv.gc.ca); in the EU/EEA, your national supervisory authority.
To exercise any right that isn't self-serve, contact us at [email protected]. We will respond within 30 days.
10. California Residents (CCPA / CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), in addition to the rights listed in Section 9:
- Right to Know the categories of personal information we collect, the sources, the business purpose, and the categories of third parties with whom we share it (each disclosed in Sections 2, 3, 5, and 6).
- Right to Delete personal information we have collected (already covered globally; see Section 9, Deletion).
- Right to Correct inaccurate personal information.
- Right to Opt Out of Sale or Sharing: California residents have the right to opt out of the sale or sharing of personal information. Resimay does not sell or share personal information as those terms are defined under CCPA/CPRA. There is nothing to opt out of, but if this ever changes you will be notified and given an opt-out mechanism before the change takes effect.
- Right to Limit Use of Sensitive Personal Information: Resimay does not collect “sensitive personal information” as defined by CPRA (e.g., precise geolocation, biometric data, racial or ethnic origin, religious beliefs, union membership, health information, sexual orientation).
- Right to Non-Discrimination: we will not deny service, charge a different price, or provide a lower quality of service because you exercised any of these rights.
To exercise any California privacy right, email us at [email protected]. We will verify your identity and respond within 45 days as required by CCPA.
11. Global Insights (opt-in)
Resimay may surface aggregated market insights (e.g., trending job titles, in-demand skills) derived from anonymized application data across the platform.
Your data is only included in Global Insights if you have explicitly opted in (insights_consent = true in your account settings). No personally identifiable information (PII), including your name, email, resume text, or specific job applications, is ever included in insights data.
When consent is given, we retain de-identified metadata (normalized job title, experience level, matched keywords, outcome) at month-level granularity (never an exact timestamp), so it cannot be correlated back to you. When you delete your account, all your personal data is removed; these anonymized insight rows are retained because they contain no personal identifiers and continue to power insights for other job seekers.
What we never do
Some commitments worth calling out separately:
- We never sell your data: to anyone, for any reason.
- We never run ads: there are no advertising trackers on Resimay.
- We never share your resume text with third parties, other than the AI provider required to generate the output you requested (see Section 4).
- We never share your interview transcripts or AI coaching feedback. Those stay private to your account.
12. Children's Privacy
Resimay is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us at [email protected] and we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will notify you by email or via an in-app notice, and update the “Last updated” date at the top of this page. Continued use of Resimay after changes take effect constitutes your acceptance of the updated policy.
14. Contact
For any privacy-related questions or requests, contact us at: