Privacy Policy
Last updated: May 21, 2026
Short version
Anonymous use keeps your resume in your browser only. Signing in for paid features cloud-syncs your resume to our database so you can access it across devices. Your profile photo never leaves your browser — we never receive or store it. Payment data is handled by our payment processor, not by us. We don’t sell your data, ever.
1. Who we are
This service (“VitaeKit”, “we”, “us”, “our”) provides the resume-building tool available at vitaekit.com. For any privacy question, contact us at support@vitaekit.com.
2. What data we collect, and why
2.1 Anonymous use (no account)
When you use the free editor without signing in, your resume content lives in your browser’s localStorage only. We do not receive a copy on our servers. Your draft persists across visits to vitaekit.com on the same browser. Clearing site data deletes it.
2.2 Signed-in use (free or paid)
Creating an account stores the following on our servers:
- Account identity: your email address, full name, and a securely-hashed password (or Google account identifier if you sign in with Google). Used to authenticate you and to send verification, password-reset, and receipt emails.
- Resume content: the resume(s) you create are cloud-synced so you can access them across devices. Every field you edit (personal info, work experience, education, skills, custom sections) is stored encrypted-at-rest in our PostgreSQL database.
- Profile photo: if you upload one, it stays in your browser’s localStorage only and is never transmitted to our servers (see §3 below).
- Account activity: download history, AI feature usage (credit consumption), and pass / credit balance state. Required to operate the paid features and respond to support queries.
2.3 Payment data
All payment information (card number, expiry, CVV, billing address) is collected directly by our third-party payment processor on their own infrastructure. We do not see, receive, or store your card details. We receive only the result of each transaction (success / failure, amount, currency, product purchased) and a non-sensitive payment reference (e.g. transaction ID). Refer to your payment processor’s privacy policy for how they handle your card data.
2.4 Technical / usage data
- Server logs: IP address, request timestamps, response codes, user-agent. Retained for 30 days for security (rate-limit enforcement, fraud detection) then deleted.
- Error telemetry: if an unexpected error occurs in the app, a sanitised error report is sent to our error-tracking service (Sentry). Personally identifying information (passwords, tokens, email addresses in URLs) is automatically scrubbed before transmission.
3. Profile photo — never reaches our servers
If you upload a profile photo to your resume, the image bytes live in your browser’s localStorage only. They are never transmitted to our servers, never stored in our database, and never backed up. This is a deliberate privacy design decision: face PII is unusually sensitive, and the right way to handle it is to never take possession of it in the first place.
Side effect: photos do not sync across devices. If you open your account on a new device, you’ll need to re-upload your photo. We consider this acceptable in exchange for the privacy guarantee.
4. What we never do
- Sell your data to any third party for any purpose
- Show advertising in the editor or use ad-targeting cookies
- Share your resume content with anyone — not employers, not recruiters, not partner services
- Train AI models on your resume content (the AI features call third-party LLM APIs with your prompt only and don’t store it for training)
5. Who we share data with
We share the minimum data necessary with these service providers, each bound by their own privacy commitments:
- Payment processor — to process your purchase and handle tax compliance. They become the legal seller of record for your purchase. They receive only the data needed to complete the transaction (your email, the product, the amount).
- Email provider (Resend) — to send transactional emails (verification, password reset, payment receipts). Receives your email address and the message content.
- Hosting providers — our application is hosted on Vercel (frontend) and Fly.io (backend); our database is hosted on Neon. These providers process data on our instructions only and cannot use it for their own purposes.
- Error monitoring (Sentry) — receives sanitised error reports with personally-identifying information scrubbed.
- AI providers — when you use AI features (bullet-rewriting, ATS scanning, job-description tailoring), your prompt content is sent to a third-party large-language-model provider for processing. The provider returns the generated text and does not retain your prompt for model training under our contractual terms.
6. Data retention
Account data is retained for as long as your account is active. If you delete your account, the following timeline applies:
- Resume content, account profile, activity history → deleted within 7 days
- Payment history → retained for at least 7 years for tax and accounting compliance (financial records cannot legally be deleted on demand)
- Server logs → 30 days from the time of the request, then deleted
- Backups → retained up to 7 days after deletion in our database backup snapshots; deleted permanently from backups within 30 days
7. Your rights under GDPR (EU) and UK GDPR
If you are in the European Economic Area or the United Kingdom, you have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you
- Rectification — correct inaccurate data
- Erasure (“right to be forgotten”) — request deletion of your data, subject to the retention exceptions in §6 above
- Restriction — limit how we process your data
- Portability — receive your data in a structured, machine-readable format (we provide JSON export of your resumes in the editor)
- Objection — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent
- Complaint to a supervisory authority — if you believe we are processing your data unlawfully
Our legal bases for processing under GDPR Article 6 are: (a) contract — for account, resume cloud-sync, and paid-product fulfilment (necessary to provide the service you signed up for); (b) legitimate interests — for security logs, error monitoring, and fraud prevention (necessary to operate the service safely); and (c) legal obligation — for retaining payment records for tax compliance.
To exercise any of these rights, email support@vitaekit.com. We respond within 30 days.
8. Your rights under US state privacy laws
If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, or Virginia, you have rights under your state’s privacy law (CCPA, CPA, CTDPA, etc.) including the right to:
- Know what categories of personal information we collect
- Access the specific personal information we hold about you
- Request deletion of your personal information
- Correct inaccurate personal information
- Opt out of the sale or sharing of your personal information
- Limit the use and disclosure of sensitive personal information
- Non-discrimination for exercising any of the above rights
We do not sell or share personal information. No opt-out is necessary because no sharing for behavioural advertising occurs. To exercise the access / deletion / correction rights, email support@vitaekit.com.
9. International data transfers
Our infrastructure providers operate data centres in multiple regions. Application servers run in Frankfurt (EU), the database in Frankfurt (EU), the frontend on Vercel’s global edge network. When you use VitaeKit from outside the EU, your data may transit between regions. We rely on the EU Standard Contractual Clauses (SCCs) and equivalent safeguards in our agreements with these providers for cross-border transfers.
10. Cookies
We use a minimal set of cookies and storage:
- Authentication tokens (localStorage) — required to keep you signed in across page reloads. Cleared on sign-out.
- Resume drafts (localStorage) — your in-progress edits. Cleared by the editor’s “Clear” button or by clearing site data in your browser.
- Template + theme preferences (localStorage) — so you return to the same design.
We do not use third-party advertising cookies, analytics cookies, or remarketing pixels.
11. Children’s privacy
VitaeKit is intended for users aged 16 and over. We do not knowingly collect personal data from anyone under 16. If you become aware that a child has provided us with personal data, contact us and we will delete it.
12. Security
Account passwords are stored using BCrypt one-way hashing. All traffic to vitaekit.com and our API endpoints is encrypted in transit via TLS 1.2 or higher. Database connections use TLS. Sensitive credentials (API keys, secrets) are stored in the provider’s secret-management system and never committed to source code. We follow industry-standard security practices and continuously update our defences. No system is perfectly secure; if you believe your account has been compromised, email us immediately.
13. Changes to this policy
We may update this policy when our data practices change. The “Last updated” date at the top reflects the most recent revision. Material changes will be announced via in-app notice or email to registered users at least 30 days before they take effect.
14. Contact
Privacy questions, data subject access requests, or anything else related to this policy: support@vitaekit.com. We aim to respond within 2 business days, and always within 30 days for formal data-subject requests.