Privacy Policy
Last Updated: 15 June 2026
1. Who We Are (Data Controller)
TrueDraft, operated by ‹Your Legal Name› (sole proprietor) based in California, United States, runs the pre-launch ATS resume scoring page at truedraft.ai. TrueDraft is the data controller for all personal data collected through this page.
Privacy contact: privacy@truedraft.ai
2. What We Collect
2a. Email address
If you choose to join our launch notification list (Purpose 1) or consent to research retention (Purpose 2), we collect your email address. We do not collect your email simply because you upload a resume for scoring; email is only collected when you actively submit it at the save step.
2b. Resume file
You can provide your resume in one of two ways, and they are handled differently:
- Pasted text. If you paste your resume text, it is processed only in memory to generate your score and is not written to disk or storage at any point.
- Uploaded file (PDF or DOCX, up to 5 MB). If you upload a file, it is written to transient encrypted storage (encrypted Azure Blob Storage) so we can generate your score. If you do not go on to consent to research retention (Purpose 2), the uploaded file is automatically deleted by an hourly clean-up job, normally within about two hours and never retained beyond it. Only if you explicitly consent to research retention (Purpose 2) at the save step is the file kept; see Section 4.
To produce your score we parse the file into sections (such as summary, experience, and skills) and compare it against a role benchmark. Your parsed sections, your ATS Readiness Score, and the gap analysis (including which commonly-listed keywords are missing from your resume) are shown back to you on the results screen. This analysis is displayed only to you, in your own browser session, and is not shared with anyone.
Important: Resume files can contain special-category personal data within the meaning of GDPR Article 9, for example health conditions, religious beliefs, trade union membership, or political opinions that may appear incidentally in a resume. You should be aware of this before consenting to research retention under Purpose 2.
3. Purpose 1: Launch Notification
What we do with your data
We store your email address so we can tell you when TrueDraft opens to the public. When you submit your email, we first send you a confirmation email (which also carries your one-click deletion link), and then a single launch email when we go live. That is two emails in total under this purpose. We do not send any other marketing, newsletters, or promotional messages under this purpose.
Lawful basis
Consent (GDPR Article 6(1)(a)).You provide this consent by ticking the checkbox labelled “Email me once when TrueDraft launches.” Consent is freely given, specific, informed, and unambiguous. It is separate from Purpose 2 consent; you can tick either, both, or neither.
Automated scoring
Your ATS Readiness Score and its sub-metric breakdown are produced automatically by our scoring software, with no human review. The score is an informational estimate only; it does not produce any legal or similarly significant decision about you, and no automated decision is made about you on the basis of it.
Retention
We retain your email for launch notification until the launch send or for 180 days, whichever comes first, or until you request deletion, whichever is earliest. If you do not consent to research retention (Purpose 2), no resume file is kept under this purpose.
What is not retained
If you consent only to Purpose 1 (notify) and decline Purpose 2 (research), your resume file is not retained; it is deleted immediately after scoring.
4. Purpose 2: Research Retention (180 Days)
What we do with your data
We retain your uploaded resume file and your email address together for up to 180 days as a research dataset. This dataset is used solely to improve our AI suggestions and ATS scoring accuracy, not for any other commercial purpose.
Lawful basis
Consent (GDPR Article 6(1)(a)).You provide this consent by ticking the checkbox labelled “Let TrueDraft keep my uploaded resume and email together for 180 days to improve our AI suggestions and ATS scoring. I can delete it anytime via the link in my email.” This is separate from Purpose 1 consent.
Retention period
Your resume file and associated email are retained for a maximum of 180 days from the date you submit. After 180 days, your data is automatically and permanently deleted.
Special-category data
Before you consent, please be aware that resume files can contain special-category (sensitive) personal data within the meaning of GDPR Article 9 (as noted in Section 2b), for example information that may reveal health conditions, disability, religious or philosophical beliefs, trade union membership, racial or ethnic origin, or political opinions. By ticking the research-retention checkbox you give your explicit consent (GDPR Article 9(2)(a)) to our processing of any such information your resume contains, solely for the stated research purpose. You can withdraw this consent at any time (see Section 7).
5. Recipients and Sub-processors
We share your email address with the following sub-processors, each solely for the limited purpose shown (to validate that the address can receive email, and to deliver the confirmation and launch emails to you):
| Sub-processor | Purpose | Data shared | Location |
|---|---|---|---|
| ZeroBounce | Email address validation (checks deliverability) | Your email address only | United States (Standard Contractual Clauses apply for EU transfers) |
| Resend | Transactional email delivery (sends your confirmation and launch emails) | Your email address and the one-click GDPR deletion link/token | United States (Standard Contractual Clauses apply for EU transfers) |
We do not sell your data to any third party. We do not share your resume file with ZeroBounce, Resend, or any other third party. ZeroBounce’s privacy policy is available at zerobounce.net/privacy-policy and Resend’s at resend.com/legal/privacy-policy.
Our hosting infrastructure (Microsoft Azure) processes your data on our behalf in the United States under a Data Processing Agreement. Any uploaded resume file is stored in encrypted Azure Blob Storage in the United States. If you are located in the European Economic Area or United Kingdom, your data is therefore processed in the United States; for any onward transfers that require them, appropriate safeguards (such as Standard Contractual Clauses) apply.
6. Your Rights
Under GDPR, you have the following rights:
Right of access
You can request a copy of the personal data we hold about you. Contact privacy@truedraft.ai.
Right to rectification
Under GDPR Article 16 (and as part of the information we provide to you under Article 13(2)(b)), you have the right to ask us to correct any personal data we hold about you that is inaccurate, and to have incomplete data completed. To request a correction, contact privacy@truedraft.ai.
Right to erasure (“right to be forgotten”)
You can request permanent deletion of your data at any time. The fastest way to exercise this right is to use the deletion link included in your confirmation email; clicking it opens a confirmation page where one click permanently deletes your email address and any retained resume file. You can also request erasure by emailing privacy@truedraft.ai.
Right to data portability
You can request a machine-readable export of your personal data by contacting privacy@truedraft.ai.
Right to restriction of processing
You can request that we restrict processing of your data in certain circumstances (for example, if you contest the accuracy of the data or object to processing while an objection is assessed). Contact privacy@truedraft.ai.
Right to object
You can object to processing based on our legitimate interests. Note that all processing described in this notice is based on your consent; you can withdraw that consent at any time (see Section 7), which is typically the most direct remedy.
Residents of US states
If you are a resident of a US state with a consumer privacy law (such as California, Colorado, Connecticut, Virginia, or others), you may have additional rights, including the right to know what personal data we hold about you, the right to access and delete it, and the right to opt out of any sale or sharing of personal data. We do not sell or share your personal data, and we use it only for the purposes described above. To exercise any of these rights, or to appeal a decision on a request, contact privacy@truedraft.ai.
7. Right to Withdraw Consent
You may withdraw your consent at any time, without any negative consequences. Withdrawing consent is as easy as giving it.
Deletion token link:Every confirmation email we send you includes a one-click deletion link. Clicking the link opens a confirmation page; clicking “Yes, delete my data permanently” on that page immediately and permanently deletes your email address and any retained resume file from our systems. This covers withdrawal of both Purpose 1 and Purpose 2 consent simultaneously.
You can also withdraw consent by emailing privacy@truedraft.aiwith “Delete my data” in the subject. We will process your request within 72 hours.
Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
8. Right to Lodge a Complaint with a Supervisory Authority
If you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with a data protection supervisory authority in your country of residence, place of work, or the place of the alleged infringement.
In the European Union, you can find your national supervisory authority at edpb.europa.eu. In the United Kingdom, the relevant authority is the Information Commissioner’s Office (ICO) at ico.org.uk.
We encourage you to contact us first at privacy@truedraft.ai. We take all privacy concerns seriously and will respond within 72 hours.
9. Contact Us
For any questions about this privacy policy or your personal data:
‹Your Legal Name›, doing business as TrueDraft (Data Controller)
548 Market St, PMB 99938
San Francisco, CA 94104
United States
Email: privacy@truedraft.ai
Website: truedraft.ai