Privacy Policy
Last updated: May 22, 2026
This Privacy Policy explains how SoSo Resume EOOD ("we", "us", "our") collects, uses, and protects personal data when you use ZapResume — the resume-building service available at zapresume.io and its related domains.
We're committed to processing personal data lawfully, fairly, and transparently under the EU General Data Protection Regulation (GDPR), the Bulgarian Personal Data Protection Act, and other applicable privacy laws.
1. Who we are
SoSo Resume EOOD is a Bulgarian limited liability company registered at Ul. Prof. Velizar Velkov 4a, 1618 Sofia, Bulgaria. We are the controller of personal data collected through ZapResume.
For privacy enquiries, contact us at [email protected] or via the contact form at zapresume.io/contact.
2. Information we collect
2.1 Information you provide
- Account information — email address, password hash, and optional display name when you sign up.
- Resume content — everything you enter into the builder: name, contact details, work experience, education, skills, profile photo (optional), and any free-text fields.
- Job-application data — companies, roles, statuses, and notes you add to the application tracker.
- Cover letters and tailored variants — content generated through our AI flows based on inputs you provide.
- Imported content — text from documents you upload (PDF, DOCX, LinkedIn ZIP exports) for parsing into a resume.
- Payment information — handled by Stripe. We do not store full card numbers; we receive a tokenised reference and a card fingerprint used for anti-abuse.
- Communications — emails you send to support, survey responses, and feedback.
2.2 Information collected automatically
- Usage data — pages visited, features used, buttons clicked, captured via PostHog analytics.
- Device and browser data — IP address (hashed before storage), user agent, screen size, locale.
- Error and performance data — captured by Sentry when something goes wrong, to help us fix bugs.
- Cookies and similar technologies — see Section 6.
3. Why we collect this data and our legal bases
Under GDPR Article 6, we process personal data on these bases:
- Performance of a contract — to deliver the service you signed up for: hosting your resumes, processing AI requests, sending the documents you create.
- Legitimate interests — to keep the service secure (rate limiting, fraud prevention, anti-abuse on free trials), to debug errors (Sentry), to understand product usage (anonymised analytics), and to send transactional emails.
- Consent — for optional marketing emails and non-essential cookies; you can withdraw consent at any time.
- Legal obligation — to comply with Bulgarian and EU laws, including tax, anti-money-laundering, and records retention requirements.
4. How we use your information
- To create and maintain your account.
- To process and store your resumes, cover letters, and application tracker data.
- To generate AI-powered suggestions (bullet improvements, tailoring, cover letters, interview prep) by sending your inputs to Anthropic Claude. We do not use your data to train their models.
- To process payments and manage subscriptions via Stripe.
- To send transactional emails (welcome, password reset, invoice receipts, trial conversion reminders) via Resend.
- To detect and prevent abuse — email normalisation, payment-method fingerprinting, and IP rate limiting protect free trials and AI usage from automated abuse.
- To improve the product through anonymised aggregate analytics (resume patterns, role distributions, salary distributions). See Section 5 on data anonymisation.
- To respond to support enquiries and feedback.
5. How we anonymise aggregate data
When we use resume data to build aggregate datasets (skill co-occurrence, role-transition patterns, salary distributions, bullet-pattern analysis), we apply a strict anonymisation pipeline:
- User IDs are HMAC-hashed with a per-dataset salt — the same user produces different hashes across different datasets, so cross-dataset rejoin is non-trivial.
- Direct identifiers (email, phone, full name, street address, profile photo) are stripped before any aggregate write.
- Free-text fields pass through a redaction step that removes obvious emails and phone numbers.
- City and country are kept (region-level granularity); street address is dropped.
- Statistical aggregations require a minimum bucket size (typically 5 users) before any metric is computed — sparse buckets remain null.
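The pipeline described in Section 5, shown as an added illustration rather than ZapResume's own code: the field names, the redaction patterns, the dataset salt and the sample records are assumptions constructed for this example.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Fields dropped outright before any aggregate write (assumed names, Section 5 list).
DROP_FIELDS = {"user_id", "email", "phone", "full_name", "street_address", "profile_photo"}
MIN_BUCKET = 5  # buckets with fewer distinct users than this stay None (null)

# Deliberately simple patterns: they catch only "obvious" emails and phone numbers.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")

def pseudonymise_user(user_id: str, dataset_salt: bytes) -> str:
    # HMAC-SHA256 keyed with a per-dataset salt: unrelated pseudonyms across datasets.
    return hmac.new(dataset_salt, user_id.encode(), hashlib.sha256).hexdigest()

def redact_free_text(text: str) -> str:
    # Strip obvious emails first, then phone numbers, from a free-text field.
    return PHONE_RE.sub("[phone]", EMAIL_RE.sub("[email]", text))

def anonymise_record(record: dict, dataset_salt: bytes) -> dict:
    # Keep city/country (region granularity), drop direct identifiers and the raw ID.
    out = {k: v for k, v in record.items() if k not in DROP_FIELDS}
    out["uid"] = pseudonymise_user(record["user_id"], dataset_salt)
    if "summary" in out:
        out["summary"] = redact_free_text(out["summary"])
    return out

def skill_counts_by_city(records: list, min_bucket: int = MIN_BUCKET) -> dict:
    # Distinct-user count per (city, skill); sparse buckets are reported as None.
    users = defaultdict(set)
    for r in records:
        for skill in r["skills"]:
            users[(r["city"], skill)].add(r["uid"])
    return {k: (len(v) if len(v) >= min_bucket else None) for k, v in users.items()}

# Constructed sample input (not real user data): 6 users in Sofia, 2 in Plovdiv.
SAMPLE = [
    {"user_id": f"u{i}", "email": f"u{i}@example.com", "full_name": f"User {i}",
     "street_address": "1 Main St", "city": "Sofia" if i < 6 else "Plovdiv",
     "country": "BG", "skills": ["Python"],
     "summary": f"Reach me at u{i}@example.com or +359 88 123 45{i:02d}"}
    for i in range(8)
]
DATASET_SALT = b"constructed-salt-for-skill-dataset"  # assumed; one salt per dataset
ANON = [anonymise_record(r, DATASET_SALT) for r in SAMPLE]
```

With these records the Sofia/Python bucket has six distinct users and is reported, while the Plovdiv/Python bucket has two and stays null.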
6. Cookies and tracking technologies
We use a small set of cookies and similar technologies:
- Authentication cookies — set by Supabase to keep you signed in. Strictly necessary; cannot be disabled without breaking the service.
- Analytics — PostHog stores an anonymous distinct ID and pageview events. Session recordings are disabled by default.
- Error tracking — Sentry stores limited browser context when an error occurs.
We do not use third-party advertising cookies. We do not sell personal data to advertisers.
7. Who we share your information with
We share data only with the third-party processors necessary to run the service. Each processor signs a Data Processing Agreement (DPA) consistent with GDPR Article 28.
- Supabase (US) — authentication, database hosting, file storage. Data is encrypted at rest.
- Hetzner (Germany) — application hosting via Coolify.
- Stripe (Ireland / US) — payment processing. Stripe stores card numbers; we never see them.
- Anthropic (US) — AI text generation. Inputs are sent for inference only; not used to train models.
- Resend (US) — transactional email delivery.
- Brandfetch (Luxembourg) — company logo lookup when you add work experience. We pass only the company domain.
- PostHog (US) — product analytics.
- Sentry (US) — error monitoring.
We do not sell, rent, or trade personal data. We may disclose data if required by law, court order, or to protect our rights or the safety of users.
8. International data transfers
Several of our processors are based outside the European Economic Area (notably in the United States). When we transfer personal data internationally, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission, included in each processor's DPA.
- The EU–US Data Privacy Framework, where the processor is certified.
- Additional technical safeguards including encryption in transit (TLS) and at rest.
9. Data retention
- Active accounts — we retain your data for as long as your account exists.
- Inactive accounts — resumes inactive for more than 6 months are moved to cold storage (still accessible when you sign back in) to reduce our active database footprint.
- Account deletion — when you delete your account or request deletion under GDPR Article 17, we erase your personal data within 30 days, except for limited records we are legally required to retain (invoice and tax records for up to 10 years under Bulgarian law).
- Anonymised aggregates — once data has been anonymised per Section 5, it is no longer personal data and may be retained indefinitely.
- Trial-attempt logs — kept for up to 24 months for fraud prevention.
- Stripe payment records — retained by Stripe under their own retention policy; we retain only a minimal customer reference.
10. Your rights under GDPR
If you are an EU/UK resident, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — delete your personal data, subject to limited legal exceptions.
- Restriction of processing — pause processing while a dispute is resolved.
- Data portability — receive your data in a structured, machine-readable format (JSON export of resumes is available in your account settings).
- Objection — object to processing based on legitimate interests, including analytics.
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
- Lodge a complaint — with the Bulgarian Commission for Personal Data Protection (CPDP, www.cpdp.bg) or your local supervisory authority.
To exercise any of these rights, email [email protected]. We respond within 30 days.
11. Security
We apply industry-standard security measures: TLS for all data in transit, encryption at rest for stored resumes, hashed and salted passwords (handled by Supabase Auth), role-based access controls inside our infrastructure, and regular security reviews. No system is fully impenetrable; in the unlikely event of a personal data breach affecting EU residents, we notify the Bulgarian CPDP within 72 hours as required by GDPR Article 33 and notify affected users where the breach is likely to result in a high risk to their rights.
12. Children's privacy
ZapResume is not intended for users under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be notified to active users via email or an in-app notice. The "Last updated" date at the top reflects the most recent revision. Continued use of ZapResume after an update constitutes acceptance of the revised policy.
14. Contact
SoSo Resume EOOD
Ul. Prof. Velizar Velkov 4a
1618 Sofia, Bulgaria
Email: [email protected]
General contact: zapresume.io/contact