
    Privacy Policy

    Last updated: March 2026

    Notice under PDPA 2010: This Privacy Policy serves as our Personal Data Protection Notice as required under the Personal Data Protection Act 2010 (Act 709) of Malaysia.

    1. Data Controller

    ResumeLab ("we", "us", "our") is the data user / data controller responsible for your personal data. Contact us at support@resumelab.my.

    2. Personal Data We Collect

    Identity & Contact Data

    Full name, email address — collected during account registration. Mandatory: required to create and maintain your account.

    Career & Professional Data

    Resume content, work history, education, skills, cover letters, and other career information you choose to enter. Voluntary: you control what you provide.

    Subscription & Transaction Data

    Subscription plan, billing status. Payment card details are handled exclusively by Stripe. Mandatory for paid plans.

    Usage Data

    Features accessed, AI tool usage frequency, and usage counts for rate-limiting purposes. Collected automatically.

    Technical Data

    IP address, browser type, device information, and error logs. Collected automatically.

    3. Purposes of Processing

    Purpose | Legal Basis
    Account creation and management | Contractual necessity
    Providing AI-powered career tools | Contractual necessity
    Processing payments and managing subscriptions | Contractual necessity
    Sending transactional emails (verification, password reset) | Contractual necessity
    Enforcing usage limits and preventing abuse | Legitimate interest
    Error monitoring and security | Legitimate interest
    Product analytics (feature usage, page views via PostHog using pseudonymous user IDs) | Legitimate interest
    Compliance with legal obligations | Legal obligation

    We do not sell, rent, or trade your personal data to third parties.

    4. AI Processing

    Content submitted to AI tools is transmitted to Google's Gemini API. We do not use your content to train AI models. See Google's Privacy Policy.

    5. Third-Party Disclosures

    Supabase (AWS Singapore)

    Database storage and authentication. Your data resides on servers in Singapore.

    Cross-border transfer to Singapore

    Stripe (United States)

    Payment processing. Stripe handles all card data under PCI DSS compliance.

    Cross-border transfer to USA

    Google Gemini (United States)

    AI content generation for career tools.

    Cross-border transfer to USA

    PostHog (United States)

    Product analytics — tracks feature usage and page views using a pseudonymous user ID. No names or emails are sent to PostHog. You may opt out via a content blocker.

    Cross-border transfer to USA

    Sentry (United States)

    Error monitoring and crash reporting. Error data may include technical context.

    Cross-border transfer to USA

    Vercel (United States)

    Hosting and delivery of the web application.

    Cross-border transfer to USA

    6. Security

    • Encrypted connections (HTTPS/TLS) for all data in transit
    • Row-level security (RLS) policies on all database tables
    • Secure authentication managed by Supabase Auth
    • Payment data handled exclusively by PCI DSS-compliant Stripe

    Data Breach Notification: We will notify the PDPA Commissioner and affected individuals within 72 hours of becoming aware of a breach, per PDPA 2010 (amended 2024).

    7. Retention

    • Account and career data: duration of account + 30 days after deletion request
    • Transaction records: 7 years (Malaysian financial regulations)
    • Error logs: 90 days
    • Usage/rate-limiting data: 12 months

    8. Data Accuracy

    We take reasonable steps to ensure your data is accurate. You can update your profile in account settings at any time.

    9. Your Rights (PDPA 2010 + 2024 Amendments)

    Right of Access

    Request a copy of the personal data we hold about you.

    Right of Correction

    Request correction of inaccurate or incomplete personal data.

    Right to Withdraw Consent

    Withdraw consent for non-essential processing at any time.

    Right to Limit Processing

    Request that we limit the processing of your personal data in certain circumstances.

    Right to Data Portability

    Request your personal data in a structured, commonly used format (new right under 2024 amendments).

    Right to Erasure

    Request deletion of your account and associated personal data, subject to legal retention obligations.

    Submit requests to support@resumelab.my. We respond within 21 days as required by PDPA 2010.

    10. Cookies

    We use only essential cookies for authentication and PostHog analytics (pseudonymous). No advertising or profiling cookies are used.

    11. Children's Privacy

    Our Service is not directed at individuals under 18. We do not knowingly collect data from minors.

    12. Changes to This Policy

    We will notify you of material changes via email at least 14 days before they take effect.

    13. Governing Law

    This Policy is governed by the Personal Data Protection Act 2010 (Act 709) and the laws of Malaysia. Complaints may be lodged with the Department of Personal Data Protection (JPDP) at www.pdp.gov.my.

    14. Contact Us

    For privacy-related questions: support@resumelab.my. We acknowledge within 3 business days and resolve within 21 days.