Privacy Policy
Last updated: March 31, 2026
1. Introduction
Profile Roaster (“profileroaster.in”, “the Service”, “we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our Service, including the LinkedIn Profile Rewrite, ATS Resume Builder, and User Dashboard features.
By using the Service, you consent to the data practices described in this policy. If you do not agree with any part of this policy, please do not use the Service.
2. Information We Collect
2.1 Information You Provide Directly
- Email address: Required for order creation, delivery of results, dashboard login, and OTP verification
- LinkedIn headline: Submitted for free teaser analysis
- LinkedIn profile data: Raw text pasted from your LinkedIn profile including headline, about section, experience, education, skills, and certifications (Profile Rewrite)
- Personal details: Full name, phone number, location, career stage, target role, target industry
- Education data: Institution, degree, field of study, year, GPA
- Experience data: Company names, roles, dates, descriptions
- Skills and certifications: Technical skills, soft skills, professional certifications
- Resume uploads: PDF or DOCX files uploaded for auto-fill or reference (ATS Resume Builder)
- Job description: Target job descriptions submitted for resume targeting and JD matching
- Feedback and ratings: Optional feedback and 1–5 star ratings you provide after receiving results
2.2 Information Collected Automatically
- Order metadata: Order ID, plan type, payment status, processing status, timestamps
- Payment information: Razorpay order ID and payment ID (we do NOT store card numbers, UPI IDs, or banking credentials)
- Session tokens: Encrypted session identifiers stored in Redis for dashboard authentication (7-day expiry)
- IP address: Collected for rate limiting and fraud prevention only; not used for profiling or tracking
- Referral data: Referral codes and conversion tracking
- Usage data: Page views, teaser attempts, and conversion events for internal analytics
2.3 Information We Do NOT Collect
- We do NOT access your LinkedIn account directly
- We do NOT require LinkedIn login or OAuth authentication
- We do NOT scrape or crawl LinkedIn profiles
- We do NOT store credit card, debit card, or banking credentials
- We do NOT store passwords (authentication is OTP-based only)
- We do NOT use cookies for advertising or third-party tracking
3. How We Use Your Information
We use the information we collect for the following purposes:
- Service delivery: To parse, analyse, rewrite, and score your LinkedIn profile; to build ATS-optimized resumes and cover letters
- Result delivery: To send you unique results URLs, email notifications, and downloadable documents
- Dashboard access: To authenticate you via OTP and display your order history, results, and resumes
- Card generation: To create shareable score card images from your profile scores
- Payment processing: To create and verify Razorpay payment orders
- Quality improvement: To monitor AI output quality and improve our prompts, scoring algorithms, and resume templates
- Customer support: To respond to your inquiries, feedback, or refund requests
- Fraud prevention: To detect and prevent fraudulent orders, rate limit abuse, or referral programme abuse
- Analytics: To understand usage patterns, conversion rates, and improve the Service (aggregated, non-personal data)
4. Data Processing by AI
Your data is processed by the following AI services:
- Google Gemini: Used for profile parsing (extracting structured data from raw text), analysis scoring, and quality checking
- Anthropic Claude: Used for profile analysis, profile rewriting, resume generation, and cover letter creation
Your data is sent to these AI providers via their APIs for processing. Both Anthropic and Google have data processing agreements in place. Your data is used solely for generating your results and is not used to train AI models, as per the API terms of both providers.
For Profile Rewrite, profile text content is transmitted. For Resume Builder, your profile data is sent to generate the resume.
5. Data Storage and Security
5.1 Where Your Data is Stored
- Database: Supabase (PostgreSQL) hosted on AWS ap-south-1 (Mumbai, India)
- Card images: Supabase Storage (S3-compatible object storage)
- Queue and sessions: Upstash Redis for job processing and dashboard session management
- Backend server: Railway (cloud hosting)
- Frontend: Vercel (global CDN)
5.2 Security Measures
- All data is transmitted over HTTPS with TLS encryption
- Database connections use SSL encryption
- Payment processing is handled by Razorpay, which is PCI-DSS compliant
- API keys and secrets are stored as environment variables, never in source code
- Dashboard authentication uses cryptographically secure OTP codes with 10-minute expiry
- Session tokens are stored in Redis with 7-day TTL and are cryptographically random (256-bit)
- Razorpay webhooks are verified using HMAC-SHA256 signature verification
- Error monitoring via Sentry with personal data scrubbing enabled
- No human reads your profile data during normal operations — processing is fully automated by AI
5.3 Data Retention
- Profile data (raw paste / form input): Retained for 30 days, then deleted via automated daily cleanup
- Generated results (rewrite, profiles): Retained for up to 90 days to allow user access via dashboard
- Resumes and cover letters: Retained indefinitely until deleted by user or admin
- Uploaded resume files: Text extracted for processing; original files are not stored permanently
- Card images: Retained indefinitely (public shareable images)
- Email addresses: Retained for customer support, dashboard access, and communication purposes
- Payment records: Retained as required by Indian tax and accounting regulations (minimum 7 years)
- Dashboard sessions: Automatically expire after 7 days
- OTP codes: Automatically expire after 10 minutes
- Teaser data (headline only): Deleted after 30 days for non-converted users
Users can delete their results at any time by visiting profileroaster.in/recover and using the “Delete my data” option after OTP verification.
6. Data Sharing
We do NOT sell, rent, or trade your personal information. We share data only with:
- Razorpay: Email address and order amount for payment processing
- Anthropic: Profile text, form data, and resume data for AI generation
- Google: Profile text content for AI parsing and quality checking
- Supabase: All order data for database storage
- Resend: Email address for transactional email delivery (results, OTP, follow-ups)
- Sentry: Error data with personal information scrubbed
- Upstash: Order IDs and session tokens for queue processing and authentication
We may disclose your information if required by law, court order, or government request, or to protect the rights, property, or safety of Profile Roaster, its users, or the public.
7. Your Rights
You have the following rights regarding your personal data:
- Right to access: Request a copy of all personal data we hold about you
- Right to correction: Request correction of inaccurate personal data
- Right to deletion: Request deletion of your personal data (subject to legal retention requirements). Use the /recover page or contact support.
- Right to data portability: Request your data in a structured, machine-readable format
- Right to withdraw consent: Withdraw your consent for data processing at any time
- Right to object: Object to the processing of your personal data for specific purposes
To exercise any of these rights, contact us at support@profileroaster.in with your email address and order ID. We will respond within 30 business days.
8. Cookies and Local Storage
The Service uses minimal cookies and local storage:
- Essential cookies: Used by Next.js framework for page routing
- Razorpay cookies: Set by Razorpay during payment processing for security and fraud prevention
- Dashboard session: Authentication token stored in browser localStorage (7-day expiry)
- Rate limiting: Teaser attempt count stored in localStorage to prevent abuse
- No advertising cookies: We do not use Google Analytics, Facebook Pixel, or any ad tracking cookies
- No cross-site tracking: We do not track your activity on other websites
9. Children’s Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected data from a child under 18, we will take steps to delete that information promptly.
10. International Data Transfers
Your data is primarily stored and processed in India (AWS Mumbai region). However, AI processing involves data transfer to servers operated by Anthropic (United States) and Google (global infrastructure) via their APIs.
These transfers are necessary for the performance of the Service. Both providers maintain appropriate data protection measures and comply with applicable data protection regulations.
11. Data Breach Notification
In the event of a data breach that affects your personal information, we will:
- Notify affected users via email within 72 hours of becoming aware of the breach
- Provide details about the nature of the breach, the data affected, and steps taken to mitigate it
- Report the breach to relevant authorities, including CERT-In, as required by applicable law
- Take immediate steps to contain and remediate the breach
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of material changes by posting a notice on the website and updating the “Last updated” date at the top of this page.
13. Contact Information
For any questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at:
Profile Roaster
Email: support@profileroaster.in
Website: profileroaster.in
If you are not satisfied with our response, you may lodge a complaint with the relevant data protection authority in your jurisdiction.