Privacy Policy
Last updated: May 2026
What we collect
Account and organisation data
- Account data: your name, email address, and authentication credentials, managed by Better Auth.
- Organisation data: organisation name, slug, and member roles. Every resource in Refleum AI belongs to an organisation; there is no cross-tenant access.
- API keys: we store only the SHA-256 hash and a display prefix of each key you generate. The full key is shown exactly once at creation and is never stored or retrievable by us.
Resume and job content
- Resume files: the PDF or DOCX you upload, the Markdown we parse from it (original_markdown, immutable after creation), and the structured JSON resume we derive. All are stored in our PostgreSQL database scoped to your organisation.
- Tailored resumes: every version produced by the tailoring pipeline, together with its parent ID, strategy, and refinement statistics.
- Job descriptions: text you supply to tailor a resume. Stored alongside the corresponding tailored resume record.
- Cover letters and outreach messages: AI-generated content linked to tailored resumes. Editable and deletable at any time.
Billing and usage
- Usage records: timestamped logs of tailoring operations used for metered billing via Polar.sh. Includes operation type, organisation ID, and resume ID.
- Subscription data: your plan tier, status, and billing period, synced from Polar.sh webhooks. Payment method data is held exclusively by Polar.sh as Merchant of Record.
Technical data
- Server logs: IP addresses and request timestamps, retained for 30 days for security and debugging.
- AI provider configuration: your chosen LLM provider and model name, stored in your configuration. Provider API keys are stored encrypted and are never logged or returned in responses.
How we use it
- To provide resume tailoring, cover letter generation, outreach message generation, and PDF export.
- To send your resume and job description to the AI provider you have configured. Your content is transmitted to that provider's API and is governed by their terms of service and privacy policy.
- To meter usage and report it to Polar.sh for billing purposes.
- We do not sell, share with third parties for advertising, or use your content to train AI models.
Data isolation
Refleum AI uses row-level tenant isolation. Every database record carries an organizationId and every query is scoped to the organisation that owns the API key making the request. No application code path allows cross-tenant reads or writes.
Data retention
Your resume data, cover letters, and outreach messages are retained for as long as your organisation account is active. You can delete individual records at any time via the API or dashboard. Deleting a resume cascades to linked cover letters and outreach messages.
Usage records are retained for billing reconciliation for a minimum of 12 months. Server logs are retained for 30 days.
Third-party providers
- AI providers (OpenAI, Anthropic, Google, etc.): your resume text and job descriptions are transmitted to whichever provider you configure. Review their privacy policies before use.
- Polar.sh: handles subscription management, payments, and metered billing as Merchant of Record.
- Neon: our PostgreSQL database host. Data is stored in encrypted volumes.
- Vercel: our hosting and edge infrastructure provider.
- Upstash: Redis-based rate limiting. Only organisation IDs and request counts are stored; no resume content passes through Upstash.
Contact
Questions about this policy? Email us at privacy@refleum.vercel.app.