Privacy Policy

Effective: 1 March 2025Last updated: 1 March 2025

This Privacy Policy describes how Rezup ("we", "our", or "us") collects, uses, stores, and shares your personal data when you use our website at www.rezup.in and related services (collectively, the "Service"). It is governed by the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

1. Who We Are (Data Fiduciary)

Rezup is the Data Fiduciary as defined under the DPDP Act, 2023. We determine the purpose and means of processing your personal data.

Contact Email: privacy@rezup.in

2. Personal Data We Collect

2.1 Data you provide directly

Account information: full name, email address, and password (stored as a salted hash — we never store plaintext passwords).
Onboarding preferences: user type (student, professional etc.), industry, and career goal.
Resume content: work experience, education, skills, certifications, languages, and any other information you enter into the resume editor.
Job descriptions you paste for AI tailoring analysis.
Payment information: billing-related data processed by Razorpay. We do not store your card numbers, UPI handles, or bank account details on our servers.

2.2 Data collected automatically

Log data: IP address, browser type, operating system, referring URLs, and pages visited, collected when you use the Service.
Usage data: features used, buttons clicked, files uploaded, and time spent — used to improve the product.
Device identifiers collected via Sentry for error monitoring and crash reporting.
Cookies and local storage tokens for maintaining your login session (see Section 8).

2.3 Data we do NOT collect

We do not collect Aadhaar numbers, PAN numbers, or any government-issued identification.
We do not collect biometric data.
We do not collect financial data beyond what Razorpay returns as subscription status (plan, status, renewal date).
We do not knowingly collect data from children under 18 (see Section 10).

3. How We Use Your Personal Data

We use your personal data for the following purposes:

To create and manage your account and authenticate you securely.
To provide core Service features: resume editing, PDF export, ATS scoring, AI bullet improvement, and job description tailoring.
To process subscription payments via Razorpay and manage your plan status.
To send transactional emails: account verification, password reset, and payment receipts.
To improve the Service through anonymised usage analytics.
To monitor errors and fix bugs using Sentry crash reports.
To comply with applicable Indian laws, court orders, or government directives.
To detect and prevent fraud, abuse, or security incidents.

We do not use your resume content to train AI models. We do not sell your personal data to any third party.

4. Legal Basis for Processing

Under the DPDP Act, 2023, we process your personal data on the following bases:

Consent: when you create an account, you consent to our processing of your data as described in this Policy.
Contractual necessity: processing required to provide the Service you have subscribed to.
Legitimate interests: security monitoring, fraud prevention, and service improvement — where our interests do not override your fundamental rights.
Legal obligation: where required by applicable Indian law.

You may withdraw consent at any time by deleting your account (via Dashboard → Settings → Delete Account). Withdrawal does not affect lawfulness of prior processing.

5. Sharing with Third Parties

We share data only with trusted sub-processors necessary to operate the Service. We do not sell data to advertisers or data brokers.

Sub-processor	Purpose	Data location
Supabase Inc. (USA)	Database, authentication, file storage	USA (AWS us-east-1)
Anthropic PBC (USA)	AI processing of resume content for bullet improvement, parsing, and tailoring	USA
Razorpay Software Pvt. Ltd. (India)	Payment processing and subscription management	India
Sentry (Functional Software Inc., USA)	Error monitoring and crash reporting	USA
Vercel Inc. (USA)	Web hosting and serverless compute	USA / Global CDN

Cross-border data transfers: Some sub-processors (Supabase, Anthropic, Sentry, Vercel) are located outside India. By using the Service, you consent to your personal data being transferred to and processed in countries outside India that may have different data protection standards. We ensure all sub-processors maintain appropriate technical and organisational safeguards.

Law enforcement: We may disclose data if required by a valid court order, government directive, or legal process under Indian law.

6. Data Retention

Account and resume data: retained for the lifetime of your account and deleted within 30 days of account deletion.
Payment records and subscription logs: retained for 7 years as required under the Indian Accounting Standards and GST laws.
Error and crash logs (Sentry): retained for 90 days.
Server access logs: retained for 30 days.
Anonymised, aggregated analytics: retained indefinitely (cannot identify individuals).

7. Your Rights as a Data Principal

Under the DPDP Act, 2023 and IT Rules, 2011, you have the following rights:

Right to access

You may request a summary of personal data we hold about you by emailing privacy@rezup.in.

Right to correction

You can update your name and profile details directly in Dashboard → Settings. For other corrections, contact us.

Right to erasure (Right to be Forgotten)

You may delete your account at any time from Dashboard → Settings → Delete Account. This permanently removes your account, all resumes, and associated data within 30 days.

Right to data portability

You can export all your resume data as a JSON file from Dashboard → Settings → Export Data.

Right to grievance redressal

You have the right to file a complaint with our Grievance Officer (see Section 11) and, if unresolved, with the Data Protection Board of India once established under the DPDP Act, 2023.

Right to withdraw consent

You may withdraw consent by deleting your account. Withdrawal does not affect processing already performed on the basis of prior consent.

8. Cookies and Session Storage

We use the following technologies:

HttpOnly, Secure session cookies set by Supabase to maintain your login session. These are essential and cannot be disabled.
Browser sessionStorage to temporarily store your ATS score result when you use the anonymous resume checker on the home page. This data is never sent to our servers.
We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

To clear session cookies, log out of your account or clear browser cookies for rezup.in.

9. Security Practices

We implement reasonable security practices and procedures as required under Rule 8 of the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, including:

All data in transit is encrypted using TLS 1.2 or higher.
All data at rest is encrypted using AES-256 (managed by Supabase/AWS).
Passwords are stored as bcrypt hashes — never in plaintext.
Row-Level Security (RLS) is enforced at the database layer so each user can only access their own data.
API keys and secrets are stored as environment variables, never in source code.
Regular dependency updates and security patches.
Error monitoring via Sentry to detect and respond to anomalies quickly.

Despite these measures, no system is completely secure. If you discover a vulnerability, please report it to security@rezup.in.

10. Children's Privacy

The Service is not directed to individuals under the age of 18 years. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected data from a minor without verifiable parental consent, we will delete it promptly. If you believe a minor has provided us data, please contact privacy@rezup.in.

11. Grievance Officer

As required under Rule 5(9) of the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and Section 13 of the DPDP Act, 2023, we have designated a Grievance Officer.

Name: Grievance Officer, Rezup

Email: grievance@rezup.in

We will acknowledge your grievance within 48 hours and resolve it within 30 days of receipt, as required by law.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top and, for material changes, notify registered users by email at least 7 days before the change takes effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

13. Governing Law

This Privacy Policy is governed by the laws of India. Any disputes arising under this Policy shall be subject to the exclusive jurisdiction of the courts in [City], India.

14. Contact Us

For any privacy-related questions, requests, or concerns:

Email: privacy@rezup.in
Grievance: grievance@rezup.in
Security: security@rezup.in
Response time: We aim to respond within 48 hours on business days.