resume.coffee - Professional Resume Builder

1. Who We Are

dataWorks GmbH Seestrasse 59 8702 Zollikon Switzerland Email: hello@resume.coffee Data Protection Contact: hello@resume.coffee

2. What Data We Collect

We collect and process the following categories of personal data: Account & Registration Data - Name, email address (provided during registration) - Authentication data (managed via Firebase Authentication) Resume & Profile Data - Professional information you enter into our resume builder (work experience, education, skills, etc.) - Cover letters and other career documents you create Payment & Transaction Data - Billing name, email, address - Payment method details (processed and stored by Stripe; we do not store full payment card numbers) - Subscription and transaction history Usage Data & Analytics - IP address, browser type, device information - Pages visited, features used, interaction patterns - Collected via Google Analytics and Google Tag Manager Cookie & Tracking Data - See our Cookie Policy for details Communication Data - Support inquiries and correspondence

3. How We Use Your Data

We process your personal data for the following purposes:

Purpose	Legal Basis (GDPR)
Providing and maintaining our service (resume builder, cover letter generator, PDF export)	Art. 6(1)(b) — Contract performance
Processing payments and managing subscriptions	Art. 6(1)(b) — Contract performance
Sending service communications (account notifications, password resets)	Art. 6(1)(b) — Contract performance
AI-powered resume optimization and suggestions	Art. 6(1)(b) — Contract performance
Analytics and service improvement	Art. 6(1)(a) — Consent (via cookie banner)
Marketing and advertising measurement	Art. 6(1)(a) — Consent (via cookie banner)
Security and fraud prevention	Art. 6(1)(f) — Legitimate interest
Legal compliance	Art. 6(1)(c) — Legal obligation

4. Cookies and Tracking

We use cookies and similar technologies. For detailed information about the cookies we use and how to manage your preferences, please see our Cookie Policy. We use Cookiebot as our Consent Management Platform to ensure you can control which cookies are set. Cookie categories: - Necessary: Essential for site function (authentication, consent state) - Analytics: Traffic measurement and usage patterns (Google Analytics) - Marketing: Advertising measurement and optimization - Functional: Enhanced features and preferences

5. Who We Share Data With

We share personal data with the following categories of recipients: Service Providers / Processors - Google Cloud / Firebase — Hosting, authentication, database (Firestore), file storage - Stripe — Payment processing and billing - Google (Analytics & GTM) — Website analytics and tag management - Google Generative AI — AI-powered resume optimization features - Cookiebot (Cybot A/S) — Cookie consent management For a complete list of our data processors, see our Subprocessor List. We do not sell your personal data to third parties for monetary consideration. Some uses of analytics and advertising cookies may qualify as a "sale" or "sharing" under US state privacy laws — see Section 13 (US State Privacy Rights) for your opt-out options.

6. International Transfers

Some of our service providers process data outside the EU/EEA and Switzerland. We ensure appropriate safeguards are in place: - EU Adequacy Decisions — For transfers to countries recognized as providing adequate protection - Standard Contractual Clauses (SCCs) — For transfers to the United States and other countries - EU-US Data Privacy Framework / Swiss-US Data Privacy Framework — Where applicable For details on specific transfer mechanisms per service provider, see our Subprocessor List.

7. Data Retention

We retain your personal data as follows:

Data Category	Retention Period
Account & resume data (active subscription)	Duration of your account
Account & resume data (no subscription, inactive)	Automatically deleted after 30 days of inactivity
Payment records	As required by tax and accounting law (typically 7-10 years)
Analytics data	Per Google Analytics settings (14 months)
Cookie consent records	12 months
Support correspondence	2 years after resolution

When you delete your account, all associated resume data and personal information is permanently removed from our systems (except data we are legally required to retain).

8. Your Rights

Under the GDPR, you have the following rights: - Access your personal data (Art. 15) - Rectify inaccurate data (Art. 16) - Erase your data ("right to be forgotten") (Art. 17) - Restrict processing (Art. 18) - Data portability — receive your data in a machine-readable format (Art. 20) - Object to processing based on legitimate interest (Art. 21) - Withdraw consent at any time without affecting prior processing (Art. 7(3)) - Lodge a complaint with a supervisory authority To exercise your rights, please use our Data Deletion Request form or contact us at hello@resume.coffee. We will respond within 30 days. Complex requests may be extended by up to 60 days with prior notice.

9. Automated Decision-Making

Our AI-powered features (resume optimization, professional summary generation, skill suggestions, cover letter generation) use automated processing to provide suggestions. However: - These are suggestions only — you always have full control over your content - No legally significant decisions are made automatically - You can choose not to use AI features at any time

10. Security

We implement appropriate technical and organizational measures to protect your data: - Data encryption in transit (TLS/HTTPS) and at rest - Firebase Authentication with secure token management - Access controls and principle of least privilege - Regular security reviews - Secure payment processing via PCI DSS-compliant Stripe

11. Children's Data

Our service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.

12. Swiss Data Protection (nDSG)

This policy also complies with the Swiss Federal Act on Data Protection (nDSG / Datenschutzgesetz), effective September 1, 2023. Data protection supervisory authority: Federal Data Protection and Information Commissioner (FDPIC) Feldeggweg 1, CH-3003 Bern https://www.edoeb.admin.ch Cross-border transfers: We transfer personal data outside Switzerland only to countries with an adequate level of data protection as recognized by the Swiss Federal Council, or with appropriate safeguards (Standard Contractual Clauses, binding corporate rules, or explicit consent). Your additional rights under nDSG: - Right to information about data processing (Art. 25 nDSG) - Right to data portability (Art. 28 nDSG) - Right to object to automated individual decisions (Art. 21 nDSG)

13. US State Privacy Rights (CCPA/CPRA)

If you are a resident of the United States — in particular California — the following disclosures and rights apply to the extent US state privacy laws (such as the California Consumer Privacy Act, as amended by the CPRA) cover you. Comparable rights exist under other state laws (e.g., Virginia, Colorado, Connecticut, Utah). Notice at Collection We collect the categories of personal information described in Section 2: identifiers (such as name and email), commercial information (such as subscription and transaction history), internet and device activity (such as IP address and usage data), and the resume and profile content you choose to provide. We use it to provide and improve our service, process payments, communicate with you, and — only with your permission — measure analytics and advertising. We retain each category for the periods set out in Section 7. We do not use sensitive personal information to infer characteristics about you. "Sale" and "Sharing" of Personal Information We do not sell your personal information for money. However, when analytics and advertising cookies are active, we may disclose online identifiers to analytics and advertising partners (such as Google) in ways that California law may treat as a "sale" or as "sharing" for cross-context behavioral advertising. We do not knowingly sell or share the personal information of consumers under 16 years of age. Your Right to Opt Out You can opt out of this sale or sharing at any time: - Use the "Your Privacy Choices" link in our footer to set your preferences. - We honor the Global Privacy Control (GPC): if your browser or an extension sends a GPC signal, we automatically treat it as a valid opt-out for that browser. Your Other Rights Subject to identity verification and legal limits, you have the right to: - Know and access the categories and specific pieces of personal information we have collected about you - Delete personal information we have collected - Correct inaccurate personal information - Opt out of the sale or sharing of personal information (see above) - Limit the use of sensitive personal information (we do not use sensitive information for purposes that trigger this right) - Non-discrimination — we will not deny you service, charge a different price, or provide a different quality of service because you exercised your privacy rights How to Exercise Your Rights Submit access, deletion, or correction requests through our Data Deletion Request form or by emailing hello@resume.coffee. You may use an authorized agent to submit a request on your behalf, in which case we may require proof of the agent's authority. We will respond within the timeframe required by applicable law (generally 45 days, extendable once where permitted).

14. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new "Last updated" date. For significant changes, we may also send you a notification via email.

15. Contact Us

If you have questions about this privacy policy or our data practices: dataWorks GmbH Seestrasse 59 8702 Zollikon Switzerland Email: hello@resume.coffee Supervisory Authority (EU): You have the right to lodge a complaint with your local data protection authority. Supervisory Authority (Switzerland): Federal Data Protection and Information Commissioner (FDPIC) Feldeggweg 1, CH-3003 Bern https://www.edoeb.admin.ch

Privacy Policy