BeyondATS

Privacy Policy

Last updated · 25 April 2026

This Privacy Policy explains what personal data BeyondATS collects, why we collect it, how we use and protect it, and the choices you have. It is written to align with the Singapore Personal Data Protection Act (PDPA) and broadly equivalent privacy laws (such as the EU GDPR and the UK Data Protection Act).

1. Who controls your data

BeyondATS (“we”, “us”) is the data controller for personal data processed through the Service. To exercise any of the rights described in this policy, or to ask a question, contact us via the “Contact us” link in the footer of any page.

1.1 Data Protection Officer

For PDPA-related queries (access requests, complaints, data-breach notifications), our designated Data Protection Officer can be reached at the same contact channels — please write “Data Protection” as the subject so we route it correctly. We acknowledge requests within three business days and complete them within thirty (30) days as required by the Singapore PDPA.

1.2 Concrete retention periods

We keep different categories of data for different periods. In summary:

  • Account profile, resumes, scans, revisions — for as long as your account is open. Individual scans / resumes can be deleted at any time from the in-app history.
  • After account deletion — a 30-day grace period (in case you change your mind), then everything is purged from our live systems within 24 hours of the grace window ending. A minimal tombstone (uid + deletion date, no PII) is retained for fraud / abuse audit.
  • Database backups — retained for up to 30 days after creation. Deleted user data may persist in a backup file for up to 30 days after the live deletion completes. We do not restore individual records from backups unless legally required.
  • Server / access logs — typically 30 days.
  • Contact-form messages — up to 12 months unless you ask us to delete them sooner.
  • Financial records — when payment is enabled, retained for the period required by tax law (7 years in Singapore).

1.3 What we do NOT do with your data

  • We do not use your CVs, scans, or revisions to train AI models — ours or our subprocessors'. The Gemini API plan we use does not retain prompts for training under its standard terms; we rely on that contractual commitment.
  • We do not sell or rent your personal data to anyone, ever.
  • We do not run third-party advertising or cross-site tracking on the Service.

2. The data we collect

2.1 Account data

When you sign in we collect your email address, your display name and profile photo (if you sign in via Google), and a unique account identifier issued by our authentication provider. We do not store passwords — authentication is handled by Firebase Authentication.

2.2 Resume content and job descriptions

When you use the scanner, we receive the resume file you upload (PDF or DOCX) or the text you paste, plus the job description you paste in. We extract the text, analyse it, and store the parsed text and the analysis result against your account so you can view your history.

2.3 Usage and credit ledger

We record the actions you take (analyses, revisions, exports), the credits consumed, and the timestamps of those events. This is needed to keep your credit balance accurate and to investigate misuse.

2.4 Technical data

Like most web services, we collect basic technical data: IP address, browser type, device type, and pages visited. Server logs are retained for a short period for security and debugging.

2.5 Contact-form messages

When you write to us through the contact form, we store your name, email address, subject, and message in our support system, along with a hashed form of your IP address used solely for rate limiting.

3. Why we use your data (legal bases)

  • To provide the Service — running scans, generating revisions, maintaining your history. (PDPA: with your consent / contractual necessity. GDPR: Art 6(1)(b).)
  • To keep accounts secure — detect fraud, abuse, and credit-system gaming. (Legitimate interests / Art 6(1)(f).)
  • To process payments — when you buy a credit pack we share what is needed with our payment processor. (Contractual necessity / Art 6(1)(b).)
  • To respond to you — when you contact us. (Consent / Art 6(1)(a).)
  • To comply with law — including responding to lawful requests from authorities. (Legal obligation / Art 6(1)(c).)

4. AI processing

Generating an analysis or a revision involves sending the relevant portions of your resume and the job description to a third-party large language model (currently Google Gemini). We send only the text needed to complete the action and we do not include your account identifier or contact details in those calls. The model provider does not retain the request to train its base models when called through the API plan we use; for the most current detail, see the provider's own documentation.

We do not use your content to train our own models or to develop features benefiting other users.

5. Where your data is stored

Personal data is stored in Google Cloud regions used by Firebase Authentication, Cloud Firestore, and Cloud Storage for Firebase. Some operational tooling (for example, transactional email delivery via Resend) may process data in regions outside your country of residence. Where we transfer data internationally, we rely on contractual safeguards (such as the EU Standard Contractual Clauses) and on the provider's certifications.

6. How long we keep it

  • Active account data and resume history — for as long as your account is open. You can delete individual scans or revisions at any time from the in-app history.
  • Account closure — when you delete your account, we delete your profile, resumes, scans, revisions, and credit ledger within thirty (30) days, except where we are required by law to retain a minimum record (for example, financial transaction records may be retained for the period required by tax law).
  • Server logs — typically retained for thirty (30) days.
  • Contact-form messages — retained for up to twelve (12) months unless you ask us to delete them sooner.

7. Who we share data with

We share personal data only with service providers that help us run the Service, and only to the extent strictly necessary:

  • Google Firebase — authentication, database, and file storage.
  • Google Gemini API — model inference for analyses and revisions.
  • Resend — sending you transactional emails (such as support replies).
  • Payment processor — when you make a purchase. The processor receives the information it needs for that transaction.

We do not sell your personal data and we do not share it with advertisers.

8. Your rights

Subject to local law, you have the right to:

  • Access — ask us for a copy of the personal data we hold about you;
  • Correct — ask us to fix data that is inaccurate or incomplete;
  • Delete — ask us to delete your account and the personal data associated with it;
  • Restrict or object — ask us to limit how we use your data, or object to processing based on legitimate interests;
  • Portability — receive a structured export of the data you provided to us (resumes, scans, revisions);
  • Withdraw consent — where we rely on consent, you can withdraw it at any time, without affecting the lawfulness of processing already carried out.

To exercise any of these rights, contact us through the form. Many of these — export, deletion, password reset — are also available in-product without contacting us. If you believe we have not handled your data correctly, you have the right to lodge a complaint with your local supervisory authority (in Singapore, the Personal Data Protection Commission; in the EU, your national data-protection authority).

9. Security

We use industry-standard technical and organisational measures to protect your data: HTTPS in transit, encryption at rest with our cloud providers, strict access controls on production systems, and HTTP-only session cookies for authentication. No system is perfectly secure — if you become aware of a vulnerability, please report it to us through the contact form.

10. Cookies

We use a small number of strictly necessary cookies to keep you signed in (an HTTP-only session cookie) and to remember UI preferences such as your theme. We do not use advertising cookies or third-party analytics that profile users across sites.

11. Children

The Service is not directed at children under sixteen (16) and we do not knowingly collect data from anyone under that age. If you believe a child has provided us with personal data, please contact us and we will delete it.

12. Changes to this policy

We may update this Privacy Policy when our practices change or when the law requires it. We will update the “Last updated” date above; for material changes we will also notify signed-in users by email or an in-app notice.

13. Contact us about privacy

For any privacy-related question or to make a request under this policy, use the “Contact us” link in the footer. Please write “Privacy” in the subject line so we can route it correctly.