Privacy Policy

TwoMinuteResume is an independent project. For privacy questions or requests (deletion, export, correction), email twominuteresume@gmail.com. We aim to respond within 7 days.

Account information (when you sign in)

We use Google Sign-In as our only authentication method. When you sign in, Google sends us your name, email address, profile picture URL, and your Google account ID(a numeric identifier called “sub”). We do not receive your Google password. We store this minimum profile on our servers so you can return to your saved resume.

Resume content

Anything you type, paste, or upload into the editor is sent to our servers and stored against your account: name, contact details, work history, education, skills, and any custom sections. You can edit or delete this at any time from the editor or by emailing us.

Uploaded resume files

If you upload a PDF or DOCX of an existing resume, we keep an archived copy on ImageKit(our file CDN, a third-party processor — see “Service providers” below) so you can re-process it later with our “Tailor with AI” feature. We record the file URL against your account.

Job descriptions (extension only)

When you click “Tailor for this job” in the Chrome extension, we read the visible text content of the page you are currently on. We send that text — along with your saved default resume — to our backend, which forwards it to Google Gemini for tailoring. We store a 500-character snippet of the JD and the page URL against your tailoring record so you can revisit it.

Usage telemetry

We use PostHog (privacy-respecting analytics) and Google Analytics to understand which features are used and where users get stuck. Telemetry includes page views, button clicks, error messages, and anonymised session recordings. Resume content is not sent to PostHog: form inputs are masked, and the live résumé preview renders to a <canvas> that session-replay tools cannot read.

Technical data

Standard request logs (IP address, user agent, timestamp) are kept briefly for abuse prevention and debugging.

• To let you sign in and reach your saved work across sessions and devices.
• To render, edit, and export your resume as a PDF.
• To tailor your resume to a job description when you ask us to.
• To fight abuse (rate-limits, fraud detection) and keep the service reliable.
• To understand product usage and improve the editor.

We do not sell your data. We do not show ads. We do not train machine-learning models on your resume content. Your data is used to deliver the service to you and to keep the service running.

We share data with these processors strictly to deliver the service:

• Google (Sign-In + Gemini)— Google identifies you on sign-in and Gemini processes resume + JD text to produce tailored output. Resume + JD content is sent on each tailoring request. Google's privacy policy: policies.google.com/privacy. On the Paid tier (which we use), Google does not retain your prompts/responses for training.
• Netlify hosts the website and runs serverless functions that handle requests. Standard server logs apply.
• Railway hosts our Postgres database and the import backend that calls Gemini.
• ImageKit stores uploaded resume files (PDFs/DOCX). Files are served via the same ImageKit URL whenever you re-tailor.
• PostHog + Google Analytics for product telemetry as described above.

The extension is a thin client of the website. It collects nothing on its own. On a job-description page, when you click “Tailor for this job”:

1. It reads the visible text of the currently-active tab using chrome.scripting.
2. It sends that text — together with your saved default resume — to twominuteresume.com to be tailored.
3. It receives back a tailored resume and (optionally) a PDF.

The extension does not read pages in the background, does not track which sites you visit, and does not send anything unless you press the button. It requests the identity, activeTab,scripting, storage, and downloads permissions for exactly these features.

• Access & export.Email us — we'll send you a JSON export of your resumes, tailorings, and account profile.
• Deletion. Email us asking to delete your account; we erase your row and every record linked to it (resumes, tailorings, uploads, archived files on ImageKit) within 30 days.
• Correction. You can edit anything inside the editor. Profile name/email/image come from Google — change them in your Google account.
• Telemetry opt-out.Block PostHog / GA at the browser level with any standard tracking-protection extension; we don't penalise it.
• Extension uninstall. Uninstall from chrome://extensions/ at any time — it removes the stored API token from your browser. To also revoke the token server-side, sign out from the popup before uninstalling.

Your resumes and tailorings stay in our database until you delete them or close your account. Uploaded files stay on ImageKit for the same duration. Request logs roll off after ~30 days. Sessions and API tokens stay valid until you sign out or we revoke them.

Connections are TLS-encrypted end-to-end. Passwords are not stored (Google handles authentication). Database backups are encrypted at rest by Railway. API tokens and session cookies are bound to a user record and revocable. If we ever experience a breach involving your data, we will notify affected users by email within 72 hours.

TwoMinuteResume is intended for users aged 16 and older. We do not knowingly collect data from children under 16. If you believe we have, email us and we'll delete the account.

We may update this policy as the service evolves. Material changes will be announced on the website and dated above. Continued use after a change constitutes acceptance.

Privacy questions, deletion requests, or anything else: twominuteresume@gmail.com.