Data Protection Policy

Last updated: 27/10/2025

1. Introduction

Resume Maker is committed to protecting your personal data and respecting your privacy rights. This Data Protection Policy outlines our comprehensive approach to data protection, security measures, and compliance with applicable laws including GDPR and Indian data protection regulations.

This policy complements our Privacy Policy and provides detailed information about our data protection practices, security measures, and your rights as a data subject.

2. Data Protection Principles

We adhere to the following data protection principles:

  • Lawfulness, fairness, and transparency: We process data lawfully and transparently
  • Purpose limitation: Data is collected for specific, legitimate purposes
  • Data minimization: We collect only necessary data
  • Accuracy: We maintain accurate and up-to-date data
  • Storage limitation: Data is kept only as long as necessary
  • Integrity and confidentiality: We ensure data security
  • Accountability: We demonstrate compliance with these principles

3. Technical Security Measures

3.1 Encryption

  • Data in Transit: TLS 1.3 encryption for all data transmission
  • Data at Rest: AES-256 encryption for stored data
  • Database Encryption: End-to-end encryption for sensitive data
  • Backup Encryption: All backups are encrypted

3.2 Access Controls

  • Multi-factor authentication for administrative access
  • Role-based access control (RBAC)
  • Principle of least privilege
  • Regular access reviews and audits
  • Automated session management and timeout

3.3 Infrastructure Security

  • Secure cloud infrastructure (Supabase, Vercel)
  • Regular security patches and updates
  • Network segmentation and firewalls
  • DDoS protection and monitoring
  • Intrusion detection systems

4. Organizational Security Measures

4.1 Data Protection by Design

  • Privacy considerations integrated into system design
  • Default privacy-friendly settings
  • Regular privacy impact assessments
  • Data protection officer oversight

4.2 Staff Training and Awareness

  • Regular data protection training for all staff
  • Confidentiality agreements and NDAs
  • Clear data handling procedures
  • Incident response training

4.3 Vendor Management

  • Due diligence on third-party processors
  • Data processing agreements (DPAs)
  • Regular vendor security assessments
  • Contractual security requirements

5. Data Categories and Processing

5.1 Personal Data Categories

  • Identity Data: Name, email address, phone number, profile picture
  • Professional Data: Work experience, education, skills, certifications, projects
  • Technical Data: IP address, browser information, device data, usage analytics

5.2 Processing Activities

  • Account creation and authentication
  • Resume creation and editing
  • Data storage and backup
  • Export and download functionality
  • Service improvement and analytics
  • Customer support and communication

6. Data Subject Rights

6.1 Right to Information

You have the right to be informed about how your personal data is processed. This policy and our Privacy Policy provide this information.

6.2 Right of Access

You can request a copy of your personal data and information about how it's processed. We will respond within 30 days.

6.3 Right to Rectification

You can request correction of inaccurate or incomplete personal data. Most data can be updated directly in your account.

6.4 Right to Erasure

You can request deletion of your personal data in certain circumstances, including when it's no longer necessary for the original purpose.

6.5 Right to Data Portability

You can request your data in a structured, machine-readable format to transfer to another service.

7. Data Breach Response

7.1 Detection and Assessment

  • 24/7 monitoring and alerting systems
  • Immediate incident response team activation
  • Risk assessment and impact analysis
  • Containment and mitigation measures

7.2 Notification Procedures

  • Supervisory authority notification within 72 hours
  • Individual notification if high risk to rights and freedoms
  • Clear communication about the breach and response
  • Regular updates during investigation

8. International Data Transfers

When we transfer data internationally, we ensure adequate protection through:

  • Adequacy decisions by relevant data protection authorities
  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules where applicable
  • Additional safeguards and security measures

9. Data Retention

  • Account Data: Retained until account deletion or 3 years of inactivity
  • Resume Content: Retained until manually deleted by user or account closure
  • Analytics Data: Anonymized after 24 months, aggregated data retained longer
  • Legal Compliance: Some data may be retained longer for legal or regulatory requirements

10. Compliance and Auditing

  • Regular internal data protection audits
  • Third-party security assessments
  • Compliance monitoring and reporting
  • Documentation of processing activities
  • Regular policy reviews and updates

11. Contact Information

For data protection inquiries, exercising your rights, or reporting concerns:

Data Protection Officer: dpo@theresumemaker.net

Privacy Team: privacy@theresumemaker.net

General Support: support@theresumemaker.net

Address: Resume Maker, India

12. Supervisory Authority

If you have concerns about our data processing that we cannot resolve, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction.

Users in India may contact the relevant data protection authority or cyber security agency.