Resume-MCP← Home

Privacy Policy

Last updated: May 22, 2026

1. Overview

Resume-MCP is an AI-powered resume creator. We are committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights.

2. Data we collect

  • Account info: name, email, profile photo from your Google account when you sign in.
  • Resume content: the text you provide for resume generation, stored encrypted at rest.
  • Generated PDFs: resumes you create or tailor, stored in Cloudflare R2 with private access.
  • Usage logs: anonymised request counts to monitor service health and prevent abuse.
  • Gmail tokens (optional): if you connect Gmail for the "Apply via Email" feature, an OAuth refresh token + short-lived access token are stored for the gmail.send scope only.
  • Email open events: if you send an application via Apply, we record the recipient address, subject, and whether/when the email was opened (via a tracking pixel) so you can see status in your notifications panel.

3. How we use your data

  • Generate and customise resume PDFs from your input.
  • Send job application emails through your Gmail account, only when you explicitly click Apply via Email.
  • Maintain your saved master and tailored resumes for re-use.
  • Keep the service running and prevent abuse.

We do not sell your data, share it with advertisers, or use it to train AI models. AI customisation is performed via OpenAI's API, which has its own data usage policy (input is not used for training).

4. Gmail access — gmail.send only

When you connect your Google account, we request only the https://www.googleapis.com/auth/gmail.send scope, plus the standard sign-in scopes openid, userinfo.email, and userinfo.profile.

We do not request gmail.readonly, gmail.modify, or any other Gmail permission. This means we cannot read, search, or access your inbox in any way — even if we wanted to, Google would reject the request.

The gmail.send scope is used exclusively to send job application emails composed by you (or by our AI from a job description you provided), and only when you click the Send Application button in the app. We never send email automatically, in bulk, or without an explicit per-message action on your part.

You can revoke access at any time via your Google Account permissions page.

5. Google API Services User Data Policy — Limited Use

Resume-MCP's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. In plain terms, this means:

  • We use Google user data only to provide and improve user-facing features that are prominent in the application's user interface (i.e. sending the application emails you compose).
  • We do not transfer Google user data to third parties except as necessary to provide the feature, or comply with applicable law.
  • We do not use Google user data for advertising purposes, ever.
  • We do not allow humans to read Google user data, except (a) with your explicit consent, (b) when necessary for security investigations or to comply with applicable law, or (c) when the data has been aggregated and anonymised for internal operations.
  • We do not use Google user data to train or fine-tune generalised AI/ML models.

6. Email open tracking

When you send a job application via Apply via Email, the outbound message includes a 1×1 transparent tracking pixel hosted on our domain. If the recipient opens the email in a client that loads images, the pixel records that an open occurred, and your notifications panel shows you that the application was viewed.

The pixel records only: the timestamp, the recipient's IP address (often masked by their email provider's image proxy), and the User-Agent string of the requesting client. It is associated only with the email you sent. It does not track the recipient's activity beyond the moment the email is opened, and it does not place cookies on their device.

You may disable this in your account settings (coming soon). Recipients can prevent tracking by configuring their email client not to load remote images — a standard feature in Gmail, Outlook, and Apple Mail.

7. Data retention & deletion

Your account data and resumes are retained as long as your account is active. You may delete individual resumes from the dashboard at any time.

To delete your entire account and all associated data — including Google OAuth tokens, resumes, usage logs, and email-open records — visit the Token Balance tab in the app and click Delete Account. The deletion is irreversible and removes all personal data from our database within seconds. Generated PDFs in object storage are removed in the same operation.

8. Your rights

  • Access: view all data we hold about you via the dashboard.
  • Deletion: remove individual resumes or your entire account.
  • Portability: download your generated resumes as PDFs anytime.
  • Revoke OAuth: disconnect Gmail through your Google Account settings.

9. Security

All data is transmitted over HTTPS. Resumes are stored in Cloudflare R2 with private buckets. OAuth tokens are encrypted at rest. We never expose secrets in client-side code.

10. Third-party services

  • OpenAI — AI text generation (resume customisation, JD analysis).
  • Google Identity — sign-in (OAuth 2.0).
  • Gmail API — sending application emails (only when you click apply).
  • Cloudflare R2 — encrypted PDF storage.

11. Contact

Questions, requests, or concerns? Email us at anup2001ojha@gmail.com.

12. Changes to this policy

We may update this policy occasionally. The "Last updated" date at the top reflects the most recent change. Continued use of the service constitutes acceptance of the updated policy.