Privacy notice

Privacy Policy

How Boost My Resume collects, stores, and processes your data. EU-hosted, never used to train models, deletable from Settings.

Last updated May 27, 2026

Boost My Resume is operated by N Marketing SASU (SIREN 890 496 565), 61 rue de Lyon, 75012 Paris, France. This policy explains what we collect, why, how long we keep it, and the rights you have over it. We are the data controller for personal data processed through the service.

What we collect

When you use Boost My Resume, we hold the following:

  • Account information. Your email address (required to sign in), an optional display name, an optional locale preference, and your current plan tier.
  • Source resumes. PDF and DOCX files you upload, stored in our managed object storage. We parse each upload into a structured profile so we can re-use it across tailorings.
  • Tailored resumes. The structured resume we generate for each job, with scores and the verbatim job description you pasted.
  • Cover letters. The generated text of each cover letter you produce.
  • Anonymized job-description analytics. Aggregate, non-personal statistics with no link back to your account, used internally to study which roles people tailor for.
  • Payment metadata from Stripe. Customer ID, subscription ID, plan and billing dates. We never see or store your card number.
  • Credit ledger. Credit balance and usage history.
  • Support and feedback. Contact-form submissions and feedback on each tailoring.

How we use it

We use this data only to:

  • run the service you signed up for (parse your resume, generate tailored output, render PDFs and DOCX files);
  • send transactional email (sign-in confirmations, password resets, email-change confirmations, receipts);
  • process payments and tax through Stripe;
  • answer your support requests and act on your feedback;
  • protect the service against abuse (rate limits, bot checks, fraud signals).

We do not sell your data, share it with advertisers, or use your resumes or job descriptions to train any machine-learning model. The AI/LLM providers we call operate under contracts that prohibit training on customer inputs.

Legal bases (GDPR Article 6)

  • Performance of a contract - to provide the tailoring, generation, billing and support you signed up for.
  • Consent - when you sign in through an OAuth provider, they share specific fields with us based on your authorisation.
  • Legitimate interest - to keep the service secure (rate limits, bot detection, abuse mitigation) and to study aggregate, non-personal usage patterns.
  • Legal obligation - to keep tax and billing records required by French and EU law.

Sub-processors

We rely on a small number of providers to deliver the service. Each is bound by a Data Processing Agreement and, where applicable, the EU Standard Contractual Clauses.

  • EU cloud hosting and managed database services - account data, source resumes, tailored outputs and authentication records are stored in the EU.
  • Payment, billing and tax processing - no card data is visible to or stored by us.
  • Transactional email delivery - sign-in confirmations, password resets, receipts.
  • AI/LLM model providers - operating under contracts that prohibit training on customer inputs. Used for resume parsing, tailoring, cover-letter generation and scoring.
  • Internal URL/PDF job-description fetch - when you paste a job URL or PDF instead of the text, we use an internal service to fetch the page or extract the document text.
  • Optional OAuth sign-in providers - only used if you choose this sign-in method.
  • CDN and bot-protection - used on the public site and authentication forms.

The current list of named sub-processors, including jurisdictions and DPA references, is available on request at contact@boostmyresume.org.

International transfers

Your account data, source resumes, tailored outputs and authentication records are stored in the EU. Some sub-processors may process limited data outside the EU under the EU Standard Contractual Clauses and their respective Data Processing Agreements. The analytics, ad-attribution and tag-management scripts described under Cookies involve transfers to the United States (Google LLC, Microsoft Corporation, Reddit, Inc.) and Singapore (Ahrefs Pte. Ltd.); these run only on the public site and, in GDPR jurisdictions, only after you accept on the cookie banner.

How long we keep it

  • Account profile - for as long as your account is open. If you request deletion, we honour the 30-day grace period described below; once the grace period ends, the profile is permanently removed without undue delay.
  • Source and tailored resumes, cover letters - for as long as your account is open, so you can re-export prior outputs. Deleted together with your account.
  • Job descriptions - kept verbatim while your account is open, so you can re-tailor against a past posting or audit how a result was produced. We do not trim, summarise or rewrite the stored text. On request via the contact form below, we permanently delete the stored verbatim text within a short delay. An anonymized analytics row, with no link back to you, may be retained indefinitely (next bullet).
  • Anonymized JD analytics - retained indefinitely. The row has no link back to your account and cannot be re-identified.
  • Stripe payment metadata and invoices - retained for the duration required by tax law (currently 10 years for accounting records under French law), then deleted.
  • Support messages and feedback - retained for as long as your account is open, then deleted with the account.
  • Operational and security logs - application and security logs use a non-reversible reference to your account and are retained for a limited period (currently up to 90 days), then deleted.

Security and fraud prevention data

To prevent fraud, defend against payment disputes and secure your account, we keep a record of key consent and payment events: technical identifiers, region, the version of the Terms and Privacy Policy you accepted, and event timestamps. Legal basis: legitimate interest (Article 6(1)(f) GDPR). Where we rely on legitimate interest, you have the right to object to the processing on grounds relating to your particular situation (Article 21) - write to contact@boostmyresume.org to exercise this right. These records are retained for 13 months from your last activity, after which the technical identifiers and region are anonymized.

Cookies

We run a small number of strictly necessary cookies plus a short list of analytics, ad-attribution and tag-management scripts on the public site. If you are in the EU, the UK, Norway, Iceland or Liechtenstein, none of the analytics, ad-attribution or tag-management scripts load until you click Accept on the cookie banner at the bottom of the page. If you decline, none of them load and none of their cookies are set. Outside those jurisdictions, the scripts load by default and you can opt out through your browser's cookie controls.

The signed-in product area (your dashboard, the tailoring workbench, settings, billing) does not load any analytics, ad-attribution or tag-management script - only the strictly necessary cookies below.

Strictly necessary

These are set regardless of consent because the service cannot function without them.

  • Authentication session - set when you sign in. Required to keep you signed in across requests.
  • Theme preference - a first-party cookie remembering your light or dark setting.
  • Consent choice (bmr_consent) - a first-party cookie that records your Accept or Decline click on the cookie banner so we do not ask again on every page. Values: accepted or refused. Lifetime: 1 year. SameSite=Lax.
  • Stripe checkout - set inside the Stripe iframe during checkout. Stripe is the controller for this cookie.
  • Cloudflare Turnstile - set on sign-up, forgot-password, reset and contact forms to confirm you are not a bot. Cloudflare is the controller for this cookie.
  • Google Tag Manager - Google LLC (United States) under the EU Standard Contractual Clauses. Loads a lightweight container script from googletagmanager.com that decides which of our downstream tags to fire based on your consent state. The container script itself does not set any tracking identifiers; it only delivers and gates the tags listed below.
  • Google Ads conversion tracking - Google LLC (United States) under the EU Standard Contractual Clauses, fired from inside the Google Tag Manager container above. Sends three conversion events to Google Ads to enable keyword-level attribution for our paid search campaigns: account creation (sign_up), tailoring submission (tailoring_submitted) and successful purchase (purchase). Each event carries an event name, a value in cents, a currency, and an anonymous transaction ID; no email, name or resume content is sent.
  • Google Analytics 4 - Google Ireland Limited (EU) with onward transfers to Google LLC (United States) under the EU Standard Contractual Clauses. Visitor analytics and conversion import into Google Ads. Sets first-party _ga and _ga_* cookies (2 years).
  • Microsoft Clarity - Microsoft Corporation (United States), with EU-region collection where available, under the EU Standard Contractual Clauses. Session recording and heatmaps on public pages only - we deliberately do not record any signed-in product surface. Sets _clck (1 year) and _clsk (1 day) first-party cookies.
  • Reddit Pixel - Reddit, Inc. (United States) under the EU Standard Contractual Clauses. Conversion attribution for Reddit Ads. Sets cookies on the redditstatic.com and alb.reddit.com domains.
  • Ahrefs Web Analytics - Ahrefs Pte. Ltd. (Singapore). Privacy-friendly visitor analytics for SEO. Marketed as cookieless; Ahrefs uses a hashed fingerprint of request signals instead of a cookie.

Google Tag Manager uses four consent categories defined by Google: ad_storage, ad_user_data, ad_personalization and analytics_storage. In GDPR jurisdictions, the container loads in the default-denied state on your first visit, which means none of the Google tags above store identifiers or send personal data until consent is given. Our cookie banner is binary - a single Accept click sets all four categories to granted at once, and a single Decline click leaves all four denied. We do not currently offer per-category granular control; you either accept or decline the whole set.

How to change your mind

In GDPR jurisdictions, clear the bmr_consent cookie for boostmyresume.org in your browser and the banner will show again on your next visit. We do not currently expose an in-app button to re-open the banner. Anywhere in the world, blocking third-party cookies, using your browser's tracking-protection mode, or installing a content blocker stops these scripts from loading even on visits where they would otherwise run.

Switzerland is treated as a non-GDPR jurisdiction for the purpose of this banner: Swiss visitors do not see the consent banner and the scripts load by default. Swiss residents can still object at any time under the Swiss Federal Act on Data Protection by writing to contact@boostmyresume.org.

Account deletion

You can request deletion of your account from Settings → Danger zone. We mark your account as pending deletion, then allow a 30-day grace period during which you can cancel the request simply by signing in again. After the grace period ends, your account is closed and your data is queued for permanent removal: profile, source resumes, tailored resumes, cover letters, contact messages and feedback. Removal is completed on an operator-run schedule rather than instantly; if you need written confirmation that removal has been completed for your account, write to contact@boostmyresume.org. Stored verbatim job descriptions are kept beyond account closure for the security and dispute-prevention purposes described above; to delete those, write to the same address. Anonymized JD analytics (which carry no link to you) are not affected.

Your rights

Under the GDPR, you have the right to access, correct, delete, restrict, or object to the processing of your personal data, and the right to data portability (Articles 15 to 22). To exercise any of these rights - access, rectification, deletion, portability, restriction or objection - write to us at contact@boostmyresume.org or use the contact form. Data protection requests can also be sent directly to dpo@boostmyresume.org. For convenience, account deletion can also be initiated directly from Settings → Danger zone. We acknowledge requests within one business day and respond within one month, as set out in Article 12(3) of the GDPR. You also have the right to lodge a complaint with a supervisory authority, for users in France the CNIL.

Children

The service is not intended for users under 16. If we learn that we have collected personal data from a child under 16, we will delete it (GDPR Article 8).

Changes to this policy

When we update this policy, the "Last updated" date at the top changes. Material changes will be announced in the app and by email to active users.

Contact

For any question about this policy or how we handle your data, email us at contact@boostmyresume.org.