Privacy Policy

Effective Date: February 17, 2026 · Last Updated: February 17, 2026

Superpower Resume ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and safeguard your information when you use our website and services at superpowerresume.com and app.superpowerresume.com (the "Service").

By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.

1. Information We Collect

a. Account Information

When you create an account, we collect your email address and password (stored as a cryptographic hash, never in plain text). You may also sign in via Google OAuth, in which case we receive your name, email, and profile picture from Google.

b. Profile Information

You may optionally provide your full name, phone number, location, LinkedIn profile URL, personal website URL, and custom AI instructions for resume generation.

c. Career Documents and Content

You may upload resumes, cover letters, LinkedIn profile exports, and other career documents (PDF, DOCX, TXT). We also store content you create using the Service, including AI-generated resumes, cover letters, interview transcripts, career timeline events, and professional references (names, titles, companies, contact information).

d. Job Tracking Data

When you use our job tracker, we store job descriptions, company names, application statuses, notes, follow-up dates, and related information you provide.

e. Headshot Images

If you use our headshot feature, we store the original image you upload and any AI-enhanced version.

f. Interview and Assessment Data

If you use our mock interview features, we store interview conversations, your responses, scores, gap analysis results, and interview preparation materials.

g. Payment Information

We use Stripe as our payment processor. We do not store your credit card number, bank account details, or other sensitive payment information on our servers. Stripe handles all payment processing. We store your Stripe customer ID, subscription plan, billing period, and payment status in our database. See Stripe's Privacy Policy for details on how Stripe handles your payment data.

h. Feedback and Error Data

If you submit feedback (bug reports, feature suggestions), we store that along with the page URL. We also collect client-side error logs (error messages, page URLs, browser type, device type, approximate geographic location based on IP) for debugging purposes.

i. Automatically Collected Information

We collect limited technical data including browser type, device type, operating system, and approximate location (country and city, derived from your IP address by Cloudflare). We do not use third-party analytics services such as Google Analytics.

2. How We Use Your Information

  • Generate personalized resumes, cover letters, and career documents using AI
  • Provide mock interviews, gap analysis, and interview preparation
  • Track your job applications and career progress
  • Process payments and manage your subscription
  • Authenticate your identity and secure your account
  • Improve our services, fix bugs, and monitor performance
  • Communicate with you about your account, support requests, and service updates
  • Detect and prevent abuse, fraud, and prompt injection attacks

3. AI Processing and Third-Party AI Providers

Our Service uses artificial intelligence to generate resumes, cover letters, interview questions, and other career content. To provide these features, portions of your data (such as career history, job descriptions, and document excerpts) are sent to the following AI providers for processing:

  • OpenAI (GPT-4.1-mini) — Resume and cover letter generation, chat-based revision, mock interviews, gap analysis
  • Google AI / Gemini (Gemini 2.5 Flash-Lite) — Job description parsing, document summarization, interview compilation
  • Cloudflare Workers AI — Text embeddings for document search, fallback language model

All AI requests are routed through Cloudflare AI Gateway, which provides caching, rate limiting, and request logging within our infrastructure. We apply prompt injection defenses to sanitize all inputs before sending them to AI providers.

These providers process your data according to their respective privacy policies.

We do not use your data to train AI models. OpenAI and Google AI process your data solely to generate responses and do not use API inputs for model training.

4. Sharing Your Information

We do not sell, rent, or trade your personal data to third parties. We may share information with:

  • AI providers (OpenAI, Google AI, Cloudflare Workers AI) as described in Section 3, solely to provide our AI features
  • Stripe for payment processing (email, name, subscription details)
  • Google OAuth if you choose to sign in with Google
  • Cloudflare as our infrastructure provider (hosting, database, storage, CDN)
  • Legal authorities when required by law, legal process, or to protect the rights, property, or safety of our users or the public

5. Data Storage and Security

Your data is stored using Cloudflare's global infrastructure:

  • Database (Cloudflare D1) — Account data, resumes, job tracking, interview records
  • File storage (Cloudflare R2) — Uploaded documents, headshot images, generated PDFs
  • Vector search (Cloudflare Vectorize) — Document embeddings for AI retrieval, isolated per user
  • Cache (Cloudflare KV) — Session caching and rate limiting

We implement the following security measures:

  • Passwords are hashed using PBKDF2 with 100,000 iterations (never stored in plain text)
  • All data is transmitted over HTTPS/TLS
  • Authentication uses signed JWT tokens
  • Multi-tenant data isolation ensures users can only access their own data
  • AI inputs are sanitized to prevent prompt injection attacks

No system is 100% secure. While we take reasonable measures to protect your data, we cannot guarantee absolute security.

6. Cookies and Local Storage

We use minimal cookies and browser storage. For full details, see our Cookie Policy.

  • Session cookie — A single authentication cookie (next-auth.session-token) containing an encrypted JWT token. This is essential for keeping you logged in.
  • Local storage — We store UI preferences (e.g., job board view mode, recent searches) in your browser's local storage. This data never leaves your device.

We do not use third-party tracking cookies, advertising cookies, or analytics cookies.

7. Data Retention

We retain your data for as long as your account is active and as needed to provide the Service. Specifically:

  • Account data — Retained until you delete your account
  • Resumes, cover letters, and career documents — Retained until you delete them or your account
  • Job tracking data — Retained until you delete individual entries or your account
  • Payment records — Retained as required for tax, legal, and accounting purposes
  • Error logs — Retained for up to 90 days for debugging purposes

When you delete your account, we delete your personal data and associated content. Some data may be retained in backups for a limited period or as required by law.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

For All Users

  • Access — Request a copy of the personal data we hold about you
  • Correction — Request correction of inaccurate data
  • Deletion — Request deletion of your personal data and account
  • Data portability — Request your data in a portable format

For European Economic Area (EEA) / UK Residents (GDPR)

  • Right to restrict processing of your data
  • Right to object to processing based on legitimate interests
  • Right to withdraw consent at any time
  • Right to lodge a complaint with your local data protection authority

Our legal basis for processing your data is: (a) performance of a contract (providing the Service you signed up for), (b) legitimate interests (improving the Service, preventing fraud), and (c) your consent (where applicable).

For California Residents (CCPA/CPRA)

  • Right to know what personal information we collect and how it is used
  • Right to delete your personal information
  • Right to opt out of the sale or sharing of personal information — we do not sell or share your personal information
  • Right to non-discrimination for exercising your privacy rights

To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days.

9. Children's Privacy

The Service is not intended for children under 13 years of age. We do not knowingly collect personal data from children under 13. If we learn that we have collected data from a child under 13, we will delete it promptly. If you believe a child under 13 has provided us with personal data, please contact us.

10. International Data Transfers

Your data is processed on Cloudflare's global network, which may involve transferring data outside your country of residence. Cloudflare provides appropriate safeguards for international data transfers. AI processing may also involve data transfers to servers operated by OpenAI (United States) and Google (global).

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last Updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or your personal data, contact us at:

Superpower Resume