Privacy Policy
Last updated: May 2026 · Applies to glint.app and all Glint services.
Glint scores how well your resume matches a specific job using three engines on our API (AI via Google Gemini, keyword analysis, and rule-based checks). This policy reflects what the codebase does today: guest uploads are processed on the server for each run; accounts store resumes and history in our database. We do not sell your data.
1. Information We Collect
Account data. If you register, we store your email address and a bcrypt hash of your password. Passwords are never stored in plain text.
Resumes (logged-in users). When you upload a PDF for a saved resume, the file bytes and filename are stored in our database so you can re-run analyses without uploading again. You can delete a saved resume from your dashboard.
Guest analyses (no account). If you run an analysis without signing in, you upload your PDF in the browser to our API for that request. The file is validated and processed for scoring; it is not persisted as a saved resume unless you later create an account and upload it there.
Job advertisement text. Text you paste or save for an analysis is stored so authenticated users can revisit past runs. Saved job ads are capped per account; when you exceed the limit, older entries are replaced.
Analysis results. We store scores, engine outputs, and related metadata linked to your account (or to a guest request during processing) so you can view history in the dashboard.
Technical data. Our API applies rate limiting using your account id when you are signed in, or your IP address when you are not. We may log errors and operational events to run and secure the service.
2. How We Use Your Information
To run the three analysis engines you request: semantic (AI), keyword extraction/matching, and rule-based checks.
To operate accounts, resumes, saved job ads, and analysis history inside the product.
To send transactional email only (verification codes, password reset, login codes if you use that flow). Marketing email is not sent unless we add explicit opt-in and say so here.
To detect abuse, enforce rate limits, and protect the service.
3. Data Retention
Active accounts. Your account data, saved resumes, job ad text, and analysis history remain until you delete them or delete your account.
Guest runs. Guest PDFs are processed for the request and are not kept as a user library entry unless you later save them under an account (as described above).
Deletes. When you delete a resume, job advertisement, or analysis from the product, we remove that record from our database as implemented in the application.
Account deletion. Closing your account removes your personal data from our systems as implemented when you use the delete-account flow.
Verification / reset codes. One-time codes (email verification, password reset, optional login codes) are short-lived (on the order of minutes) and marked used when consumed.
4. Data Sharing & Subprocessors
We do not sell your personal data.
Google Gemini (AI). Extracted resume text and job ad text are sent to Google's Gemini API to produce the semantic analysis. Processing is subject to Google's terms for API customers. We use the API for inference, not to build a separate marketing profile about you.
Email delivery. Transactional email is sent through our configured email provider (e.g. Resend) using the address you gave us.
Hosting & database. The application and database run on infrastructure providers you configure for deployment (for example Railway and a managed PostgreSQL instance). Data may be stored in regions your provider assigns unless you configure otherwise.
Site analytics. The frontend may load Vercel Analytics / Speed Insights for aggregate performance and usage metrics on the site. See Vercel's documentation for what those tools collect.
Legal. We may disclose information if required by law or to protect our users and the integrity of the service.
5. Security
Traffic between your browser and our API should use HTTPS in production.
Passwords are hashed with bcrypt before storage.
JWT access tokens are short-lived; refresh tokens are rotated when used and can be invalidated in the database.
When you opt in to functional cookies, the API can store access and refresh tokens in HttpOnly cookies on the API host so JavaScript on the page cannot read them. If you decline, tokens are kept in localStorage in the browser instead (less resistant to XSS exfiltration than HttpOnly cookies).
We work to keep the service secure, but no online system is perfect. If you find a vulnerability, please contact us via the contact page.
6. Your Rights
Access & deletion. Logged-in users can inspect and delete resumes, job ads, and analyses, and can delete the entire account from the dashboard where those features exist.
Correction. If account data is wrong, contact us and we will correct it where appropriate.
EU/EEA. If applicable law grants you rights over personal data (access, erasure, portability, objection, etc.), you may contact us to exercise them. You may also complain to your local supervisory authority.
7. Cookies & Similar Storage
We do not use advertising or third-party tracking cookies for sign-in. We may use privacy-focused, aggregate analytics scripts as noted above.
Consent banner. The site asks whether you accept storing your session with HttpOnly cookies on our API origin. The choice is remembered in `glint.cookie-consent` in localStorage.
HttpOnly session (if you accept). The API may set `glint_access` and `glint_refresh` (names configurable on the server) as HttpOnly, SameSite=Lax cookies on the API host, scoped to that host. The browser sends them automatically on credentialed requests.
localStorage (if you decline or for UI hints). We may store `glint.auth` (tokens when not using HttpOnly), `glint.session-transport`, and small UI/session hints. Declining HttpOnly while already signed in with HttpOnly cookies signs you out so server cookies are cleared.
Readable mirror cookie. If promotion to HttpOnly fails (for example some strict cross-origin dev setups), the app may fall back to a non-HttpOnly `glint_auth` cookie that mirrors the same JSON as `glint.auth` — this is weaker than HttpOnly and should only be used when necessary.
8. Children
Glint is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has created an account, contact us and we will delete it.
9. Changes to This Policy
We may update this policy from time to time. When we make material changes, we will update the “Last updated” date on this page and, where appropriate, notify account holders by email. Continued use after changes means you accept the updated policy.
10. Contact
Questions or data requests can be sent via the contact form or the email address listed on the contact page. We aim to respond within a few business days.