Privacy Policy

1 Who We Are

ABSLT (Proprietorship Firm), operating the platform at resumestore.in (“ResumeStore”, “we”, “us”, or “our”), is the entity responsible for the collection and processing of data described in this Privacy Policy. Our principal place of business is in Udaipur, Rajasthan, India.

2 Scope of This Policy

This Privacy Policy applies to all users of the ResumeStore platform, including:

• Clients — companies, recruiters, and hiring teams that create accounts and use the platform.
• Candidates — individuals whose resumes or personal data are uploaded to the platform by Clients, or who submit applications through job links created on the platform.
• Visitors — anyone who visits resumestore.in without creating an account.

3 Data We Collect

a) Account Data (from Clients): Email address (used for magic-link authentication), company/organisation name, and team member details. ResumeStore uses passwordless authentication — we do not collect or store passwords.

b) Candidate Data (uploaded by Clients or submitted by Candidates): Resumes (PDF, DOC, DOCX files up to 10MB), and the personal information extracted from them by our AI parsing engine — including name, email, phone number, alternate phone, work experience, education history, skills, certifications, current and expected CTC, notice period, current location, preferred location, hometown, reason to change, and communication skills assessment. This data is uploaded by Clients or submitted directly by Candidates through public job application links.

c) Job Application Data (from Candidates): When candidates apply through a public job link, we collect: name, email, phone number, resume file, current CTC, expected CTC, current location, willingness to relocate, notice period, and reason for change. We also process a Google reCAPTCHA v3 token to verify the applicant is human — this involves limited data exchange with Google (see Section 10).

d) Usage Data: Information about how you interact with the platform, including pages visited, features used, search queries, timestamps, device type, browser type, and IP address.

e) Communication Data: Records of outreach messages sent through the platform (WhatsApp and email), candidate self-update interactions, and support requests.

f) AI-Generated Data: Our AI systems generate derived data from your resumes, including structured candidate profiles, skill extraction, match scores, search rankings, and vector embeddings used for semantic search. This derived data is stored within your account and is subject to the same protections as your original data.

g) Cookies & Analytics Data: See Section 11 for details.

4 How We Use Your Data

We use the data we collect for the following purposes:

• Providing the Service: Storing, parsing, indexing, and enabling search and discovery of candidate resumes within your account. This includes duplicate detection (matching candidates by email and phone to prevent duplicate records) and data freshness tracking.
• AI Processing: We use third-party AI models to: (i) parse resumes and extract structured candidate profiles; (ii) generate vector embeddings for semantic search; and (iii) rank and score candidates against search queries and job requirements. Resume content is sent to these AI providers solely for processing — they do not retain your data. See Section 7 for details on our AI sub-processors.
• Job Applications: Processing candidate applications submitted through public job links, including matching applicants to job openings and scoring fit.
• Communication: Sending authentication magic links, service notifications, support responses, and facilitating candidate outreach (WhatsApp/email) initiated by Clients. Generating LinkedIn post drafts for job openings.
• Candidate Self-Update: Sending time-limited update links (valid for 3 days) to candidates, enabling them to voluntarily refresh their profile information and upload updated resumes.
• Billing & Payments: Processing payments, managing credits and subscription status, and generating invoices.
• Anti-Fraud: Verifying job applications using Google reCAPTCHA v3 to prevent spam and bot submissions.
• Legal Compliance: Meeting our obligations under applicable law, including the Digital Personal Data Protection Act, 2023 (India).

5 Candidate Data (Uploaded by Clients)

ResumeStore processes Candidate Data on behalf of our Clients. In this capacity:

• The Client is the Data Fiduciary — they determine the purpose and means of processing candidate data.
• ResumeStore acts as the Data Processor — we process candidate data solely to provide our services to the Client.

Data Isolation: ResumeStore is a multi-tenant platform with strict logical data segregation. Each Client’s candidate database is isolated at the application level, scoped by organisation ID. No Client can access, search, or view another Client’s data. AI search and matching operate exclusively within a single Client’s dataset.

Duplicate Detection: When a new resume is uploaded, our system automatically checks for existing candidates within the same organisation using email and phone matching. This prevents duplicate records and ensures a single, unified profile per candidate within each Client’s database.

Public Job Applications: When candidates apply through a public job link created by a Client, their submitted data (name, email, phone, resume, and screening responses) is stored within that Client’s account. Candidates are informed of the Client’s identity (organisation name) on the application page.

Candidate Self-Update: Clients may send candidates a self-update link via WhatsApp or email. These links are time-limited (valid for 3 days) and allow candidates to voluntarily update their profile information (CTC, location, experience, etc.) and upload a new resume. Self-update actions are attributed to the originating Client’s account. Candidates can see which organisation sent the update request.

Candidates’ Rights: If you are a candidate and wish to access, correct, or delete your personal data from the platform, please contact the organisation (Client) that uploaded your data.

6 Legal Basis for Processing

We process personal data based on one or more of the following legal grounds:

• Consent: Where candidates have consented to the processing of their data (e.g., submitting an application through a job link).
• Contractual Necessity: Where processing is necessary to fulfil our obligations under the Service Agreement with a Client.
• Legitimate Interest: Where processing is necessary for our legitimate business interests (e.g., product improvement through anonymised data), provided such interests do not override the rights of data subjects.
• Legal Obligation: Where processing is required to comply with applicable law.

7 Data Sharing & Third Parties

We share data only with the following categories of service providers, solely to operate the platform:

• Cloud Infrastructure (AWS): We use Amazon Web Services (ap-south-1 / Mumbai region) for server hosting, file storage (S3), and transactional email delivery (SES). Resume files are stored in an S3 bucket within India.
• AI Processing Providers: Resume content is sent to Anthropic (Claude) for AI-powered resume parsing and to OpenAI for generating search embeddings and candidate match rankings. These providers process data transiently to fulfil API requests and do not retain your data for their own purposes.
• Anti-Spam (Google reCAPTCHA): Public job application pages use Google reCAPTCHA v3. This involves Google collecting limited device and interaction data to generate a bot-detection score. Google’s privacy policy applies to this data.
• Payment Processors: Billing information is shared with payment gateway providers solely for payment processing.
• Legal Requirements: We may disclose data if required by law, regulation, court order, or governmental authority.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, data may be transferred as part of the transaction, subject to the same privacy protections.

All sub-processors are bound by data protection agreements and are required to process data solely on our instructions.

8 Data Storage & Security

We take the security of your data seriously and implement the following measures:

• Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256 via AWS S3 server-side encryption).
• Passwordless Authentication: Client accounts use magic-link email authentication with JWT tokens. We do not store passwords, eliminating an entire class of credential-based attacks.
• Access Controls: Role-based access controls restrict internal access. Client data is scoped by organisation ID at the application layer — database queries enforce multi-tenant isolation.
• Data Residency: All data is stored on AWS infrastructure in the ap-south-1 (Mumbai) region. Resume files, database records, and AI-generated embeddings all reside in India. Note: AI processing requests are sent to Anthropic and OpenAI API endpoints, which may process data on servers outside India, but do not persistently store your data.
• Rate Limiting: API endpoints are protected by rate limiting (e.g., 30 searches per minute per organisation) to prevent abuse.
• Audit Logging: Access to production systems is logged and auditable.
• Incident Response: We maintain documented procedures for detecting, reporting, and remediating security incidents. In the event of a confirmed data breach, affected Clients are notified within 72 hours.

While we implement industry-standard security measures, no system is 100% secure. We encourage Clients to safeguard their email accounts (used for magic-link login) and promptly deactivate team members who leave their organisation.

9 Data Retention & Deletion

Active Accounts: We retain your data for as long as your account is active and as needed to provide the Services.

Post-Termination: Upon account termination or non-renewal:

• We retain Client Data for 30 days to allow data export.
• After the 30-day window, data is permanently deleted from active systems within 30 days.
• Residual copies in encrypted backups are purged through normal rotation within a further 90 days.
• Written confirmation of deletion is available upon request.

10 Your Rights

Under the Digital Personal Data Protection Act, 2023 (India) and other applicable laws, you may have the following rights:

• Right to Access: Request a copy of your personal data that we hold.
• Right to Correction: Request correction of inaccurate or incomplete data.
• Right to Erasure: Request deletion of your personal data, subject to legal and contractual obligations.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time (this does not affect the lawfulness of processing before withdrawal).
• Right to Grievance Redressal: You may raise concerns with us or with the relevant data protection authority.

To exercise any of these rights, contact us at mansi@resumestore.in. We will respond within 30 days.

11 Cookies & Tracking

We use cookies and similar technologies for the following purposes:

• Essential Cookies: Required for the platform to function (authentication, session management).
• Analytics Cookies: Help us understand usage patterns and improve the platform. These collect anonymised data only.

We do not use advertising or third-party tracking cookies. We do not serve ads on the platform.

You can manage cookie preferences through your browser settings. Disabling essential cookies may affect platform functionality.

12 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

• Update the “Effective Date” at the top of this page.
• Notify registered Clients via email or in-app notification.

We encourage you to review this page periodically. Continued use of the platform after changes are posted constitutes acceptance of the updated policy.

13 Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: