Resume Banger — Privacy Notice
Last updated · 2026-06-10
This Privacy Notice explains how Resume Banger ("we", "us") collects and processes personal data when you use Resume Banger, available at resumebanger.com (the "Service"). We are the data controller in respect of that processing under the EU General Data Protection Regulation ("GDPR"), the United Kingdom GDPR ("UK GDPR") and equivalent regimes.
We have tried to keep this Notice short and concrete. If anything is unclear, write to us at [email protected].
1. Categories of personal data we process
| Category | Examples | Source |
|---|---|---|
| Browser visitor identifier | A stable ID derived from browser characteristics by FingerprintJS, used to enforce the free-tier daily generation limit. | Computed locally in your browser; sent to us with each generation request. |
| Hashed IP address | A salted SHA-256 of your IP truncated to 32 hex characters, stored alongside each generation record. We never store raw IPs. | Inferred from request headers. |
| Account identity | Email address, display name, profile picture URL, Firebase user identifier. | Provided by Google Firebase Authentication when you sign in via Google or email magic link. |
| User Inputs | The CV text, LinkedIn About, or other text you paste, drop, or upload to the Service. | You. |
| Generated Outputs | Lyrics returned by the language model and any audio/video clips you record and choose to share. | Produced by the Service from your User Inputs. |
| Billing metadata | Paddle customer ID, Paddle transaction IDs, credit pack purchased, amount, currency, status. | Paddle's webhook events. |
| Credit ledger | Each credit purchase, each credit spend (e.g. one ACE-Step generation), with timestamps. | Generated by the Service when you buy or spend credits. |
| Newsletter opt-in audit log | Email, timestamp, source of the opt-in (sign-in modal / settings / admin). | Recorded when you tick the newsletter checkbox during sign-in. |
| Operational logs | Application error messages, request paths and HTTP status codes, abuse signals. | Generated automatically by our application. |
2. Purposes and legal bases
| Purpose | Categories | Legal basis (GDPR Article 6) |
|---|---|---|
| Operating the free tier (generation, preview, recording) | Browser visitor identifier, hashed IP, User Inputs, Outputs | Performance of a contract (Art. 6(1)(b)) and our legitimate interest in providing the Service (Art. 6(1)(f)) |
| Account management and sign-in | Account identity | Performance of a contract (Art. 6(1)(b)) |
| Selling credits and tracking your balance | Account identity, billing metadata, credit ledger | Performance of a contract (Art. 6(1)(b)); compliance with tax law (Art. 6(1)(c)) |
| Rate-limit enforcement and abuse prevention | Browser visitor identifier, hashed IP, operational logs | Our legitimate interest in protecting the Service from abuse and bearing reasonable infrastructure costs (Art. 6(1)(f)) |
| Newsletter communications | Account identity, newsletter audit log | Your consent (Art. 6(1)(a)); you can withdraw consent at any time |
| Service notices and security alerts | Account identity | Our legitimate interest in keeping you informed (Art. 6(1)(f)) |
3. How long we keep your data
- Browser visitor identifier and hashed IP: kept for 90 days from the last associated request, then deleted.
- User Inputs, Outputs, and generation history: kept for as long as your account is active. If you delete your account, they are removed within 30 days.
- Billing metadata and credit ledger: kept while your account is active and for seven years thereafter to comply with tax-record retention obligations.
- Shared clips: kept indefinitely while the share URL exists. You can request take-down by email and we will remove the file and the database row within 30 days.
- Newsletter audit log: kept while the subscription is active and for two years after unsubscription to evidence consent.
- Operational logs: kept for 30 days.
4. Recipients and sub-processors
We rely on the following processors to operate the Service. Each is bound by a written data-processing agreement that satisfies GDPR Article 28.
| Processor | Role | Region | Reference |
|---|---|---|---|
| Google Ireland Limited (Firebase Authentication) | Stores account identity; verifies sign-ins. | EU + US (with SCCs) | Firebase Privacy |
| Google LLC (Gemini API) | Receives the User Input text to draft lyrics. Output is returned to us. Per Gemini API terms, Google does not use API inputs to train models. | US (with SCCs) | Gemini Terms |
| Paddle.com Inc. | Merchant of record for credit purchases. Receives your name, email, and payment details directly; we never see card numbers. | EU/UK/US (with SCCs) | Paddle Privacy |
| Replicate, Inc. | Receives lyrics and a style prompt to generate the rapped audio (when you spend a credit). Hosts the resulting audio file. | US (with SCCs) | Replicate Privacy |
| Cloudflare, Inc. | Content delivery, TLS termination, bot mitigation, and analytics. | Global (with SCCs) | Cloudflare Privacy |
| Hetzner Online GmbH (or equivalent host) | Hosts the application server and database for Resume Banger. | EU (Germany) | Hetzner DPA |
We do not sell personal data to third parties. We will update this table when we add or remove a sub-processor; material changes will be announced in advance by email to customers with an unspent credit balance.
5. International data transfers
Several of our sub-processors operate from the United States. Where personal data is transferred outside the EEA or the UK, the transfer is governed by the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum. We rely on the EU–US Data Privacy Framework for participating recipients where applicable. We have assessed the safeguards in light of the recipients' jurisdictions and consider them adequate; you may request a copy of the relevant transfer impact assessment by writing to [email protected].
6. Your rights
Subject to local law you have the following rights with respect to your personal data:
- Access — confirm whether we process your personal data and receive a copy.
- Rectification — correct inaccurate or incomplete data.
- Erasure — ask us to delete your data where there is no longer a lawful reason to keep it.
- Restriction — limit how we process your data while a dispute is resolved.
- Portability — receive your data in a structured, machine-readable format and have it transmitted elsewhere where technically feasible.
- Object — object to processing based on our legitimate interests, including for direct marketing.
- Withdraw consent — for any processing based on consent, at any time, without affecting prior lawful processing.
To exercise any of these rights, email [email protected] from the email address tied to your account. We respond within 30 days. If you believe we have not handled your data lawfully you can also lodge a complaint with your local supervisory authority (EU/EEA) or the UK Information Commissioner's Office.
7. Automated processing and AI
Generation of lyrics, voice synthesis, and rapped delivery are produced by automated language and audio models. These are creative outputs, not decisions that produce legal or similarly significant effects concerning you, so the rules on solely automated decision-making under GDPR Article 22 do not apply. We do not use the outputs to evaluate, profile, or score you.
The models we use do not learn from your inputs at our request. We do not opt your inputs into model training programmes operated by our sub-processors.
8. Cookies and local storage
- Auth.js session cookie — strictly necessary, HttpOnly, SameSite=Lax, Secure on HTTPS. Stores your signed session token.
- Local storage entry `rb:magicLinkEmail` — strictly necessary. Lets the magic-link callback page finish sign-in without asking again for your email. Cleared on completion.
- Local storage entry `rb:magicLinkNewsletter` — strictly necessary. Carries the newsletter preference across the email round-trip. Cleared on completion.
We do not set advertising or analytics cookies. The Cloudflare delivery edge may set its own essential cookies described in Cloudflare's policy.
9. Security
- All data in transit is encrypted via TLS 1.3.
- Account passwords are never handled by us; Firebase Authentication holds them.
- Sign-in tokens are verified server-side and never logged.
- The application database is backed by encrypted volumes.
- Shared clip files are served from an internal volume; uploads are size-capped and MIME-validated against magic bytes before being written.
- Access to the production database is limited to the operator.
10. Data breach notification
If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of it, and we will notify you without undue delay where the breach is likely to result in a high risk to you, as required by GDPR Articles 33 and 34.
11. Children
The Service is not directed to children under 16. If we learn that we have collected personal data from a child under 16 without verifiable parental consent, we will delete it.
12. Changes to this Notice
We will revise this Notice when our processing changes. The "Last updated" date at the top always reflects the current version. Material changes will be announced to customers with an unspent credit balance by email at least 30 days in advance where the change affects your rights.
13. Contact
Controller: Resume Banger. Contact for all privacy matters, including rights requests and data-portability exports: [email protected]. We do not have a designated Data Protection Officer because we do not meet the GDPR Article 37 thresholds; you can address all queries to the controller email above.