Privacy Policy
Last Updated: March 11, 2026
This Privacy Policy describes how TrueDraft ("TrueDraft," "we," "us," or "our") collects, uses, and shares information about you when you use our website, applications, and services (collectively, the "Service").
By using the Service, you acknowledge that your information will be handled as described in this Privacy Policy. If you do not agree, please do not use the Service.
1. Information We Collect
Information You Provide
Account Information. When you create an account, we collect your name and email address. You may register using Microsoft, Google, LinkedIn, or email authentication through Microsoft Entra External ID. When you authenticate through these providers, we receive your name and email address based on the permissions you grant.
Resume Content. When you use the Service, we collect the content you upload and create, including your resumes (Master Resume and Tailored Resumes), work history, education, skills, certifications, and other professional information contained in your resume.
Job Descriptions. We collect the job descriptions you input into the Service, whether pasted as text or imported via URL. This includes job titles, company names, requirements, and other job posting content.
Payment Information. If you purchase a subscription, our payment processor (Stripe, Inc.) collects your payment card information. TrueDraft receives only limited payment information such as the last four digits of your card, card type, and billing details. We do not store your full credit card number.
Communications. When you contact us for support or otherwise communicate with us, we collect the content of those communications.
Information We Collect Automatically
Usage Information. We collect information about your interactions with the Service, including features used, actions taken (such as tailoring sessions, suggestions accepted or rejected, exports), timestamps, and subscription usage.
Device and Connection Information. We collect information about the devices you use to access the Service, including device type, operating system, browser type, IP address (which constitutes personal data under applicable privacy law), and unique device identifiers. IP addresses are processed on the legal basis of legitimate interests (security, fraud prevention, and service reliability) and retained for 90 days.
Telemetry Data. We use Azure Application Insights to collect performance and diagnostic data, including page load times, error logs, and session telemetry. This data is collected on the basis of our legitimate interests in maintaining and improving the reliability of the Service. See Section 2 (Cookies) for information on cookies used in this context.
2. Cookies
We use cookies and similar technologies as follows:
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| entra_signup_token | Maintains state during multi-step sign-up (OTP verification). HTTP-only, scoped to /api/auth, cleared when sign-up completes. | Essential | Approx. 10 minutes or until sign-up completes |
| entra_reset_token | Maintains state during password reset flow. HTTP-only, scoped to /api/auth, cleared when reset completes. | Essential | Approx. 10 minutes or until reset completes |
| ai_user | Application Insights anonymous user identifier for performance monitoring and error diagnostics. Does not contain personal data. | Analytical / Functional | 1 year |
| ai_session | Application Insights anonymous session identifier for grouping requests into a single session for performance monitoring and error diagnostics. | Analytical / Functional | Session (up to 30 minutes of inactivity) |
| __stripe_mid | Set by Stripe, Inc. during the embedded checkout flow. Used for fraud detection and to identify the user's device across payment sessions, helping ensure secure payment processing. | Strictly Necessary / Payment Processing | 1 year |
| __stripe_sid | Set by Stripe, Inc. during the embedded checkout flow. Used to identify the current browser session for fraud prevention and secure payment processing. | Strictly Necessary / Payment Processing | Session (30 minutes) |
We do not use advertising cookies, cross-site tracking cookies, or third-party marketing cookies. Essential cookies cannot be disabled as they are required for the Service to function. Analytical cookies are used on the basis of our legitimate interests in service reliability. You may block cookies through your browser settings, but doing so may impair Service functionality.
3. How We Use Your Information
We use the information we collect to:
- Provide the Service: Create and maintain your account, process your resume content through our AI analysis, generate tailoring suggestions with explanations, calculate Match Scores and ATS Scores, manage resume versions, and process subscription purchases
- Improve the Service: Analyze aggregated usage patterns to improve features, fix bugs, and optimize performance
- Communicate with you: Send transactional emails (payment receipts, account notifications, subscription changes), respond to support requests, and send product updates (which you may opt out of)
- Ensure security: Detect, investigate, and prevent fraudulent, unauthorized, or illegal activity; enforce rate limits; and protect the rights and safety of TrueDraft and our users
- Comply with law: Fulfill legal obligations and respond to lawful requests from public authorities
4. How AI Processes Your Data
TrueDraft uses artificial intelligence to power its core features. Here is what happens with your data:
What AI processes. When you request a tailored resume, our AI systems process your Master Resume content and the target job description to generate tailoring suggestions. Each suggestion includes an explanation of why the change is recommended.
AI provider: OpenAI. We use OpenAI, L.L.C. to generate suggestions. When your content is processed, it is sent to OpenAI via a secure API connection. We require OpenAI to:
- Process your data only for the purpose of providing services to TrueDraft
- Not use your data to train their general-purpose models
- Maintain appropriate technical and organizational security measures
- Delete your data after processing
We do NOT use your data for AI training. Your personal resume content, job descriptions, and career documents are never used to train general-purpose AI models. We may use aggregated, de-identified usage statistics (such as which types of suggestions users accept most often) to improve our algorithms.
5. Automated Decision-Making and Profiling
The Service uses automated algorithms to calculate a Match Score and ATS Score for your resume relative to a job description. These scores estimate how well your resume aligns with a job posting based on keyword analysis, formatting assessment, relevance evaluation, and quantification metrics.
No significant automated decisions. These scores are informational tools provided solely to help you improve your resume. They do not constitute automated decisions that produce legal effects or similarly significant effects concerning you. TrueDraft does not make hiring decisions, does not share your scores with employers, and does not use these scores to determine access to any service or benefit beyond the tailoring suggestions shown to you within the Service.
How scores are calculated. ATS Scores are composite 0–100 estimates based on: keyword match rate (40%), formatting compliance (20%), content relevance to the job (25%), and quantification of achievements (15%). Match Scores provide a categorical HIGH / MEDIUM / LOW assessment of overall alignment. These are approximations and may not reflect the evaluation methodology of any specific employer or applicant tracking system.
Your right to contest. If you believe a score is incorrect or wish to understand more about how it was calculated, please contact us at support@truedraft.ai. You may also adjust your resume manually without accepting any AI suggestion.
6. How We Share Your Information
We do not sell your personal information. We never have and never will.
We share information only in the following limited circumstances:
Service Providers. We share information with trusted service providers who perform services on our behalf, under data processing agreements that restrict use to the stated purpose:
| Provider | Purpose | Data Shared |
|---|---|---|
| Microsoft Azure | Cloud hosting, file storage, authentication (Entra External ID) | Account data, resume files, usage data |
| Stripe, Inc. | Subscription payment processing | Billing information, purchase details |
| Azure Application Insights | Performance monitoring, error tracking | Telemetry data, anonymized usage data |
| OpenAI, L.L.C. | AI-powered suggestion generation — your resume content and job descriptions are transmitted to OpenAI's API to produce tailoring suggestions. OpenAI processes this data under its Data Processing Agreement and API usage policies. Data is not used to train OpenAI's general-purpose models. See OpenAI's Privacy Policy. | Resume content, job descriptions (for processing only, not retained by OpenAI beyond the API request) |
| Resend | Transactional email delivery | Email address, name |
Legal Requirements. We may disclose information if required by law, subpoena, court order, or other legal process, or if we believe disclosure is necessary to protect the rights, property, or safety of TrueDraft, our users, or the public.
Business Transfers. If TrueDraft is involved in a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on the Service at least 30 days before your information becomes subject to a different privacy policy.
With Your Consent. We may share information with third parties when you give us explicit consent to do so.
7. International Data Transfers
TrueDraft is based in California, United States, and your data is stored on Microsoft Azure infrastructure in the United States. If you are located outside the United States, including in the European Economic Area (EEA) or United Kingdom (UK), your personal data will be transferred to and processed in the United States.
The United States has not received an adequacy decision from the European Commission or the UK authorities. We rely on the following safeguards for international transfers:
- EEA transfers: Transfers of personal data from the EEA to the United States are made pursuant to the Standard Contractual Clauses adopted by the European Commission (Commission Decision 2021/914/EU, as updated from time to time)
- UK transfers: Transfers from the United Kingdom are made pursuant to the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses, as issued by the UK Information Commissioner's Office
You may request a copy of the relevant transfer safeguards by contacting us at support@truedraft.ai.
8. Data Storage and Security
Security measures. We implement appropriate technical and organizational measures to protect your information, including:
- Encryption of data in transit (TLS) and at rest (AES-256)
- Authentication via Microsoft Entra External ID with JWT token validation
- Role-based access controls limiting employee access to personal data
- Regular security assessments
- Secure cloud infrastructure with Azure's compliance certifications
- Private blob storage with time-limited SAS token access for resume files
No guarantee. While we take security seriously, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
Data Breach Notification. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where required by law, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, including information about the nature of the breach and steps you can take to protect yourself.
9. Data Retention
We retain your information for as long as your account is active and as needed to provide the Service. The table below sets out specific retention periods for each category of data:
| Data Category | Retention Period | Notes |
|---|---|---|
| Account data (name, email, profile) | Until account deletion + 30-day grace period | Permanently deleted after the 30-day soft-delete window expires |
| Resume content (Master and Tailored Resumes) | Until account deletion + 30-day grace period | Permanently deleted after the 30-day soft-delete window expires |
| Job descriptions | Until account deletion + 30-day grace period | Permanently deleted after the 30-day soft-delete window expires |
| AI analysis results (ATS scores, match scores, suggestions) | Until account deletion + 30-day grace period | Permanently deleted after the 30-day soft-delete window expires |
| Billing records (invoices, payment history) | 7 years from transaction date | Retained as required by US tax and accounting law; managed by Stripe, Inc. |
| Audit logs (action trail) | 90 days | Purged automatically on a rolling basis |
| Support tickets and communications | 3 years from ticket closure | Retained for legal and quality-assurance purposes |
| Email delivery logs | 90 days | Retained by Resend for delivery verification; purged on a rolling basis |
| Telemetry and analytics (Azure Application Insights) | 60 days | Retained in Application Insights workspace; purged automatically |
| Aggregated, de-identified analytics | Indefinitely | No personal data; used for aggregate product analytics only |
Account deletion. When you request account deletion:
- Your account enters a 30-day soft-delete period, during which you may reactivate it
- After 30 days, all personal data, resumes, job descriptions, tailored versions, and usage data are permanently deleted
- Billing records are retained for 7 years as required by tax and accounting laws
- Audit logs are retained for 90 days, after which they are purged automatically
- Aggregated, de-identified analytics data may be retained indefinitely
Inactive accounts. We may contact you if your account has been inactive for an extended period. We will not delete your account without prior notice.
10. Your Rights and Choices
All Users
Access and export. You may access and export your resume data at any time through the Service's export features (PDF/DOCX). You may also download a structured JSON export of all your personal data through Settings › Privacy › "Download My Data"; this is the machine-readable export provided for the purposes of data portability rights under GDPR and CCPA.
Correction. You may update or correct your account information at any time through your account settings.
Deletion. You may request deletion of your account and personal data through your account settings or by contacting support@truedraft.ai.
Marketing opt-out. You may opt out of marketing emails at any time by clicking the unsubscribe link in any marketing email, or through Settings › Communication Preferences › "Marketing emails". Opting out does not affect transactional emails required to provide the Service.
Withdraw consent. Where we rely on your consent as a legal basis for processing, you may withdraw that consent at any time by contacting support@truedraft.ai or using the controls in your account settings. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
California Residents (CCPA / CPRA)
If you are a California resident, you have the following additional rights:
Right to Know. You may request information about the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purposes for collecting it, and the categories of third parties with whom we share it.
Right to Delete. You may request deletion of your personal information, subject to certain legal exceptions.
Right to Correct. You may request correction of inaccurate personal information we hold about you.
Right to Opt-Out of Sale or Sharing. We do not sell your personal information and do not share it for cross-context behavioral advertising. We have never done so.
Right to Limit Use of Sensitive Personal Information. We do not use sensitive personal information for purposes beyond those necessary to provide the Service.
Right to Non-Discrimination. We will not discriminate against you for exercising any of your CCPA rights.
Shine the Light. California Civil Code §1798.83 permits California residents to request information about personal information disclosed to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.
Do Not Track. We do not respond to browser Do Not Track (DNT) signals. See Section 11 for our full Do Not Track statement.
To exercise any of these rights, contact us at support@truedraft.ai. We will verify your identity and respond within 45 days (extendable by an additional 45 days with notice).
European Economic Area and UK Residents (GDPR / UK GDPR)
Legal basis for processing. We process your personal data under the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Providing the Service (account, resume analysis, suggestions, scoring) | Performance of contract (Art. 6(1)(b)) |
| Processing payments and subscription management | Performance of contract (Art. 6(1)(b)) |
| Security, fraud prevention, and audit logging | Legitimate interests (Art. 6(1)(f)) — protecting users and the Service |
| Service analytics, telemetry, and performance monitoring | Legitimate interests (Art. 6(1)(f)) — improving reliability and diagnosing issues |
| Marketing communications | Consent (Art. 6(1)(a)) — opt-in only; withdrawable at any time |
| Retaining billing records | Legal obligation (Art. 6(1)(c)) |
| Responding to legal requests | Legal obligation (Art. 6(1)(c)) / Legitimate interests (Art. 6(1)(f)) |
Your rights. You have the right to: access your personal data; rectify inaccurate data; erase your data ("right to be forgotten"); restrict processing; port your data in a machine-readable format (see JSON export above); object to processing based on legitimate interests; and not be subject to solely automated decisions that significantly affect you (see Section 5).
Response timeline. We will respond to data subject requests within one month of receipt. We may extend this by a further two months for complex or numerous requests, in which case we will notify you within the first month and explain the reason for the extension.
Data protection authority. You have the right to lodge a complaint with your local supervisory authority. For EEA residents, this is the data protection authority in your EU member state. For UK residents, this is the Information Commissioner's Office (ICO), accessible at ico.org.uk.
To exercise any of these rights, contact us at support@truedraft.ai.
11. Do Not Track
Some web browsers offer a "Do Not Track" (DNT) setting that signals to websites that you do not want to be tracked across sites. Because there is currently no universally accepted standard for how to respond to DNT signals, TrueDraft does not alter its data collection or use practices in response to DNT browser signals. We do not engage in cross-site tracking of users for advertising purposes. Our data collection is limited to what is described in this Privacy Policy.
12. Children's Privacy
The Service is not intended for anyone under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have collected information from a child under 18, please contact us at support@truedraft.ai.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the "Last Updated" date at the top of this page. If we make material changes, we will notify you via email at least 14 days before the changes take effect. Your continued use of the Service after the effective date of any material change constitutes your acceptance of the revised Privacy Policy.
14. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data rights, or have a privacy concern, please contact us:
TrueDraft (Data Controller)
548 Market St, PMB 99938
San Francisco, CA 94104
United States
Email: support@truedraft.ai
Website: truedraft.dev
Data Protection Officer. TrueDraft is a small business and does not meet the thresholds requiring mandatory designation of a Data Protection Officer under GDPR Article 37 (we are not a public authority, we do not carry out large-scale systematic monitoring of individuals, and we do not process special categories of data at large scale). Privacy inquiries, data subject access requests, and complaints from EEA and UK residents may be directed to support@truedraft.ai and will be handled in accordance with applicable data protection law.