1. Overview — At a Glance
| What | How we use it | You can |
|---|---|---|
| Resume content | Power the AI analysis and rebuild service | Delete via account settings |
| Account info (email, name) | Authentication, billing, service emails | Update or delete anytime |
| Usage data (clicks, page views) | Improve the product; GA4 analytics | Opt out via cookie settings |
| Session results (scores, AI output) | Deliver your results; service history | Delete with account deletion |
| Payment info | Process payments via PayPal (we do not store card numbers) | Managed via PayPal account |
| Aggregate, de-identified data | Build industry benchmarks; improve AI models | Opt out via account settings |
2. Who We Are
ResRev (“ResRev,” “we,” “our,” “us”) is an AI-powered resume evaluation and rebuilding platform operated from Washington State, USA. We are the data controller for personal data collected through resrev.us.
Contact: privacy@resrev.us · ResRev, Concrete, WA 98237
3. Information We Collect
3.1 Information You Provide
- Account Registration: Email address, name, password (hashed; never stored in plain text), Google OAuth profile data if you use Google sign-in.
- Resume Content: The text extracted from your uploaded resume document (PDF, DOCX, or TXT), which may include your name, contact information, employment history, education, skills, and other personal information you choose to include.
- Job Context: Target role title, target industry, and optional job description you enter to guide the analysis.
- Payment Information: Processed by PayPal. ResRev receives only transaction confirmation, plan type, and PayPal order IDs. We do not receive or store your full credit card or bank account numbers.
- Communications: Messages you send to our support team.
- Feedback: NPS scores and optional comments you submit.
3.2 Information Collected Automatically
- Usage Data: Pages visited, features used, time on page, tab clicks, PDF downloads, session events — collected via Google Analytics 4 (GA4). No PII (name, email, resume content) is sent to GA4.
- Device and Browser Data: IP address (truncated to last octet in GA4), browser type, operating system, screen resolution, referring URL.
- Session Identifiers: Firebase UID used as a pseudonymous UserID in GA4 to associate events with a logged-in account without exposing your email or name to the analytics platform.
- Log Data: Server-side access logs retained for up to 30 days for security monitoring and debugging. Logs are not used for marketing profiling.
3.3 Information We Do Not Collect
ResRev does not collect:
- Social Security Numbers or government-issued ID numbers (do not include these in your resume upload)
- Financial account numbers or credit card numbers
- Medical or health information (beyond what you voluntarily include in a resume)
- Biometric data
- Precise geolocation data
4. How We Use Your Information
We use your information for the following purposes, each with a legal basis:
| Purpose | Legal Basis |
|---|---|
| Provide the Service (AI analysis, rebuild, PDF delivery) | Contract performance |
| Process payments and manage subscriptions | Contract performance |
| Send transactional emails (receipts, session completion) | Contract performance |
| Authenticate your account and maintain security | Legitimate interest |
| Improve and develop the Service | Legitimate interest |
| Comply with legal obligations (tax, fraud prevention) | Legal obligation |
| Send marketing emails (only with your consent) | Consent (opt-in) |
| Build aggregate data products (see Section 5) | Legitimate interest + consent (opt-out available) |
| Respond to your support requests | Contract performance / Legitimate interest |
AI Processing:Your resume content is transmitted to Anthropic (Claude AI) via an encrypted API connection for AI analysis and rebuilding. Anthropic processes this data under a data processing agreement; your content is not used by Anthropic to train its general models. See Anthropic’s privacy policy at anthropic.com/privacy.
5. Data Product & Aggregate Analytics
ResRev uses de-identified, aggregated data derived from user sessions to build industry-level benchmarks, improve AI model quality, and develop data products. This is a core part of ResRev’s business model and is disclosed at account creation.
5.1 What “De-Identified” Means
De-identified data cannot reasonably be linked back to you as an individual. We apply de-identification techniques consistent with the FTC’s 2012 Privacy Report and the expert determination method under 45 C.F.R. § 164.514(b), which includes:
- Removing all direct identifiers (name, email, contact information, employer names where they would identify an individual, school names in combination with graduation year)
- Generalizing quasi-identifiers (industry → broad category; role → role level)
- Applying k-anonymity principles (minimum group size of 50 records before any aggregate is reported)
- Technical access controls preventing re-identification
5.2 Examples of Data Product Use
- Industry benchmarks: “Average ATS compatibility score for marketing managers in 2026 is 61/100”
- Common skill gaps: “Top 10 missing keywords in healthcare technology resumes”
- AI model improvement: aggregate examples of high-quality resume rebuilds used to refine prompt engineering
5.3 What We Do Not Do
We do not sell your personal data to third parties. We do not share individual user resume content with employers, recruiters, or data brokers.
Your Opt-Out Right
You may opt out of the data product license at any time via Account Settings → Data & Privacy, or by emailing privacy@resrev.us. Opting out does not affect service delivery. Historical de-identified data already incorporated into aggregate products is not retroactively removed (as it cannot be re-identified), but no new data from your account will be used after opt-out.
6. Information Sharing
We share your information only in the following circumstances:
6.1 Service Providers (Data Processors)
We share data with vendors who help us deliver the Service, under data processing agreements:
| Vendor | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Google Cloud Platform | Infrastructure, database, file storage | All user data (encrypted at rest) | cloud.google.com/terms/data-processing-addendum |
| Firebase / Google | Authentication, analytics | Email, UID, usage events | firebase.google.com/support/privacy |
| Anthropic | AI processing of resume content | Resume text, job context | anthropic.com/privacy |
| PayPal | Payment processing | Transaction data (not resume content) | paypal.com/us/legalhub/privacy-full |
| Google Analytics 4 | Usage analytics | Pseudonymous UID, page events (no PII) | policies.google.com/privacy |
6.2 Legal Requirements
We may disclose your information if required by law, court order, or governmental authority, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others. We will notify you of such disclosure requests where legally permitted.
6.3 Business Transfers
In the event of a merger, acquisition, or sale of all or substantially all of ResRev’s assets, your data may be transferred to the acquiring entity. We will notify you 30 days in advance via email and provide an option to delete your account.
6.4 With Your Consent
We may share your information in other ways with your explicit consent.
7. Cookies & Tracking Technologies
7.1 What We Use
- Essential cookies: Firebase authentication session cookie (
__session). Required for the Service to function. Cannot be disabled. - Analytics cookies: Google Analytics 4 cookies (
_ga,_ga_*). Track usage patterns using a pseudonymous Client ID. Can be disabled. - Preference cookies: Theme preference (
resrev-theme). Stored in localStorage, not a cookie. Remembers your light/dark mode choice.
7.2 Your Cookie Choices
You may disable analytics cookies via the cookie consent banner (displayed on first visit), or by adjusting your browser settings. Disabling essential cookies will prevent you from logging in to the Service.
You may also opt out of Google Analytics tracking at tools.google.com/dlpage/gaoptout.
7.3 Do Not Track
ResRev does not currently respond to browser “Do Not Track” signals, as there is no industry standard for how such signals should be interpreted. California users may use the opt-out mechanism described in Section 11 and Section 15.
8. Data Retention
| Data Type | Retention Period | Basis |
|---|---|---|
| Active account data | Duration of account + 30 days after deletion request | Service delivery |
| Resume upload files (original) | 90 days after session completion, then deleted from storage | Service + security |
| Session results (AI Output, scores) | Duration of account or 2 years, whichever is shorter | Service history |
| Payment transaction records | 7 years | Tax / legal obligation (IRS, WA state) |
| Server access logs | 30 days | Security monitoring |
| Security incident records | 3 years | Legal obligation (RCW 19.255.010) |
| Terms acceptance records | 5 years after account deletion | Legal (contract enforcement) |
| Aggregate de-identified data | Indefinite (cannot be re-identified) | Data product |
9. Your Rights & Choices
Regardless of your location, ResRev honors the following rights for all users:
- Access: Request a copy of your personal data we hold.
- Correction: Request correction of inaccurate personal data.
- Deletion: Request deletion of your account and personal data (subject to legal retention requirements above).
- Data Portability: Request an export of your data in machine-readable format (JSON).
- Opt-out of Data Product: Opt out of aggregate data product use (Section 10).
- Opt-out of Marketing: Unsubscribe from marketing emails via the unsubscribe link in any email, or email privacy@resrev.us.
- Restrict Processing: In certain circumstances, request that we limit how we use your data.
To exercise any of these rights, contact privacy@resrev.usor use Account Settings → Data & Privacy. We will respond within 30 days. We may require identity verification before processing requests.
10. Data Product Opt-Out
You may opt out of the data product license described in Section 5 at any time without affecting your ability to use the Service.
To opt out:
- Account Settings → Data & Privacy → “Opt out of data product use”; or
- Email privacy@resrev.us with subject “Data Product Opt-Out” and your account email.
Requests are honored within 30 days. Historical data already incorporated into aggregate products (which cannot be re-identified) is not retroactively removed.
11. Do Not Sell / Do Not Share (CCPA/CPRA)
ResRev does not sellyour personal information to third parties for monetary consideration. ResRev does not share your personal information with third parties for cross-context behavioral advertising purposes that would constitute “sharing” under the California Privacy Rights Act (CPRA, Cal. Civ. Code § 1798.115).
The Google Analytics integration uses a pseudonymous Firebase UID (not your email or name). If you wish to opt out of any third-party analytics data sharing, use the cookie opt-out described in Section 7 or email privacy@resrev.us.
California residents have additional rights described in Section 15.
12. Children’s Privacy
The Service is not directed at children under 18 years of age. We do not knowingly collect personal information from anyone under 13. If we learn that a child under 13 has provided us personal information, we will delete it promptly and terminate the associated account. If you believe a child has provided us personal information, contact privacy@resrev.us.
This commitment is made in compliance with the Children’s Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501–6506).
13. Security
We implement industry-standard security measures to protect your personal information:
- Encryption in transit: TLS 1.3+ for all data transmission
- Encryption at rest: AES-256 encryption for data stored in Google Cloud
- Authentication: Firebase Authentication with industry-standard password hashing (bcrypt)
- Access controls: Principle of least privilege; employee access to user data is limited to authorized personnel for support/security purposes
- Infrastructure: Google Cloud Platform with SOC 2 Type II certification, ISO 27001, and FedRAMP authorization
- Secret management: API keys and credentials stored in GCP Secret Manager; never hardcoded
- Security monitoring: Automated security incident detection; Cloud Armor WAF for DDoS and injection protection
No security measure is perfect. While we use industry-standard protections, we cannot guarantee absolute security of your data.
14. Data Breach Notification
In the event of a data breach affecting your personal information, ResRev will:
- Notify affected Washington State residents within 30 days of discovery, as required by RCW 19.255.010
- Notify affected California residents as required by Cal. Civ. Code § 1798.29 and § 1798.82
- Notify other affected users within a reasonable time as required by applicable law
- Report to the Washington State Attorney General for breaches affecting 500+ state residents (RCW 19.255.010(8))
Breach notifications will be sent to your registered email address and posted to resrev.us/security.
15. California Residents — CCPA/CPRA Rights
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), Cal. Civ. Code §§ 1798.100–1798.199.100, grant you specific rights:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
- Right to Delete: Request deletion of your personal information, subject to certain exceptions (e.g., fraud prevention, legal compliance).
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: Opt out of sale or sharing of personal information for cross-context behavioral advertising. ResRev does not sell or share personal information as defined under CPRA.
- Right to Limit Use of Sensitive Personal Information: Sensitive personal information (as defined by CPRA) is used only to provide the Service.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
Categories of Personal Information Collected: Identifiers (name, email, IP address); Internet activity (browsing/search history within the Service); Professional/employment-related information (resume content); Inferences (AI-generated scores).
To exercise your California rights, contact privacy@resrev.us or use Account Settings → Data & Privacy. You may also designate an authorized agent. We will respond within 45 days (extendable by 45 days with notice).
California Shine the Light: California Civil Code § 1798.83 permits California residents to request certain information regarding disclosure of personal information to third parties for direct marketing purposes. ResRev does not disclose personal information to third parties for their direct marketing purposes.
Auto-Renewal Disclosure (California): See Section 5.3 of the Terms of Servicefor subscription auto-renewal disclosures required by California Business & Professions Code §§ 17600–17606.
16. Washington Residents
ResRev is headquartered in Washington State and complies with all applicable Washington state privacy and consumer protection laws:
- Washington Consumer Protection Act (RCW 19.86): We do not engage in unfair or deceptive trade practices.
- Washington Data Breach Notification (RCW 19.255.010): We notify affected Washington residents within 30 days of breach discovery.
- Washington My Health MY Data Act (HB 1155): To the extent the Service processes health-related personal data, we comply with applicable requirements including opt-in consent for collection and opt-out rights.
Washington residents may exercise the same rights described in Section 9 by contacting privacy@resrev.us.
17. International Users
ResRev is operated from the United States. If you access the Service from outside the United States, your data is transferred to and processed in the United States, which may have different data protection laws than your country.
EU/EEA/UK Residents: We process your data under the following GDPR legal bases: contract performance (service delivery), legitimate interest (security, product improvement), consent (analytics, marketing). You have the right to lodge a complaint with your local data protection authority. Our EU AI Act disclosure is in Section 6.2 of the Terms of Service.
By using the Service, you consent to the transfer of your information to the United States and acknowledge that US privacy laws may not provide the same protections as the laws of your jurisdiction.
18. Contact & Data Requests
For privacy questions, data access requests, opt-out requests, or data deletion requests:
- Email: privacy@resrev.us
- Subject line for data requests: Include “[Data Request]” and your account email
- Mail: ResRev, Privacy Request, Concrete, WA 98237
- Response time: 30 days (45 days for California CCPA requests)
We may need to verify your identity before processing a data request. Verification will be done through the email address associated with your account.
19. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you via email at least 30 days before the effective date. We will also update the “Effective Date” at the top of this page. Continued use of the Service after the effective date constitutes acceptance of the revised Policy.
You may review prior versions of this Policy by contacting privacy@resrev.us.
- Version:
- v1.0.0 · Effective April 4, 2026
- Controller:
- ResRev, Concrete, WA 98237
- Federal law:
- 15 U.S.C. § 45, 15 U.S.C. §§ 6501–6506, GDPR (EU) 2016/679, EU AI Act (EU) 2024/1689
- State law:
- RCW 19.86, RCW 19.255.010, HB 1155, Cal. Civ. Code §§ 1798.100 et seq.
- Benchmarked against:
- LinkedIn, Indeed, Grammarly, Canva
- Legal reference:
- docs/LEGAL_REFERENCE.md