Your data, your career, your call.

This policy describes what information Poker Games Interactive (“we,” “us”) collects when you use resumes.vegas, how we use it, who we share it with, and the controls you have over it. We wrote it in plain English on purpose.

What we collect

Only what’s necessary to run the service:

• Account information — email address and a hashed password, managed through Amazon Cognito. We never see or store your password in plaintext.
• Profile data — your work history, education, certifications, skills, projects, and preferences as you enter them. You are the source of truth.
• Identity check data — the name you provide at onboarding plus the names our parser extracts from resumes you upload. We use these to run our Truth Guard / Identity Guard checks (see below) and block account sharing. We store only the extracted fields and the finding outcomes, not identity documents.
• Uploaded documents — master resumes and any other files you choose to upload, stored encrypted at rest in Amazon S3 and served only through short-lived, download-only presigned URLs.
• Job descriptions you ingest — text or URLs for roles you want to tailor against. These are yours, not shared with other users.
• Generated content — tailored resumes, cover letters, interview prep, match scores, rationale logs, and the audit trail of what our AI did and why.
• Billing data— if you purchase credits, the payment itself is processed by Stripe. We receive a Stripe customer ID, subscription / payment status, and the number of credits you’re entitled to. We do not receive or store your card number, CVC, or full billing address — those stay at Stripe.
• Testimonials you submit — if you choose to leave a testimonial in Settings, the text, your display name, and your optional role/company are stored. Nothing is shown publicly until an admin approves it; you can withdraw it at any time.
• Operational metadata — timestamps, feature usage counts, error logs, IP addresses tied to sign-in and rate-limit events, and Stripe webhook deliveries. Retained for security and service reliability.

We do notcollect biometric data, precise location, ad-tracking identifiers, or anything we can’t justify as needed for the product. We do not use third-party analytics or tracking pixels.

How we use it

• To generate your tailored resumes and cover letters, score them against target jobs, and surface matching roles.
• To operate the product: authentication, session management, credit balances and billing, and customer support.
• To enforce our Truth Guard / Identity Guard safeguards — flagging name mismatches between your account and uploads, refusing to fabricate experience the AI can’t ground in your history, and preventing account sharing.
• To investigate abuse and secure the platform — detecting credential-stuffing, rate-limit violations, and inconsistencies between our identity store (Amazon Cognito) and our application database.
• To send you transactional emails — account confirmations, password resets, payment receipts, cert/billing notices, and any material changes to these policies. We don’t send marketing emails without an explicit opt-in.

Who we share it with

We share only what’s required to deliver the service, with vendors bound by confidentiality and data-processing terms:

• Amazon Web Services — hosts all of our infrastructure (compute, storage, database, authentication, queues, email). Your data stays in the us-west-2 region unless you tell us otherwise.
• OpenAI— we send your profile data and target job descriptions to OpenAI’s API (currently gpt-4o-mini for tailoring and cover letters, and text-embedding-3-smallfor semantic matching) to generate your resumes and scores. Per OpenAI’s API data-usage policy, content submitted through the API is not used to train their models and is retained only as required for abuse monitoring and applicable law.
• Stripe — processes payments when you purchase credits. Stripe handles all card data directly; we only see the outcome (charge succeeded / subscription state / amount).
• Public job-feed sources — we ingest public RSS / ATS feeds (for example Remotive, We Work Remotely, Himalayas, Jobicy, Greenhouse, Lever) on a schedule. We read from these sources; we do not send them anything about you.
• Let’s Encrypt — issues the TLS certificate for resumes.vegas. No personal data is shared; the domain itself is the only information exchanged.

We never sell your data. We don’t share it with advertisers, data brokers, or any third party for marketing purposes.

Cookies and local storage

We don’t use tracking cookies, ad cookies, or third-party analytics cookies. The site functions with a small amount of browser-side state:

• Your Cognito session— the Amazon Cognito SDK keeps your session tokens in your browser’s localStorage so you stay logged in across reloads.
• Preference state — a few UI preferences (chosen resume template, preview zoom, dismissed onboarding popups) also live in localStorage.
• No server-set cookies — resumes.vegas does not set any authentication, tracking, or personalization cookies today.

Clearing browser storage for resumes.vegas will sign you out and reset these preferences but will not delete your server-side data.

Retention

• Active accounts — we keep your profile, resumes, generated versions, and application history for as long as your account is open, so you can come back to earlier tailorings.
• Deletion — when you delete your account (or we delete a dormant / violating one), we purge your Postgres rows, S3 objects, and Cognito record within 30 days. Encrypted backups cycle out within 90 days.
• Operational logs — sign-in, webhook, and error logs are retained for up to 90 days for security and debugging.
• First-50 lifetime accounts— see Terms for the 12-month inactivity clause. If that clause triggers we’ll email you first and give you a grace period to sign back in before any access is revoked.

Your controls

• Export — you can download your profile, resumes, and generated versions from Settings. Raw master resumes are served as secure, short-lived download links that force Save as rather than inline display (a defense against anyone hosting a malicious document at a public URL).
• Delete your account— from Settings ’ “Delete my data.” This permanently purges your profile, uploads, generated content, testimonials, Stripe customer record, and Cognito user within 30 days. Backups cycle out within 90 days.
• Correct or update — you can edit any field on your profile yourself. If something seems stuck, email us.
• Withdraw a testimonial — testimonials are shown only after admin review. You can withdraw a pending or published testimonial at any time from Settings.
• Opt out of AI feedback loops — we do not currently train models on user data. If that ever changes, it will be opt-in, not opt-out.

Security

• TLS 1.2 and TLS 1.3 only. HSTS with includeSubDomains; preload so browsers refuse plaintext HTTP for resumes.vegas.
• A strict Content-Security-Policy restricting script / connect / frame origins, plus X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and Cross-Origin-Opener-Policy headers.
• Encryption at rest for S3 uploads, Aurora databases, and AWS Secrets Manager entries.
• Authentication handled by Amazon Cognito with secure password policies and optional MFA. All admin actions are gated behind a separate admin role claim on the JWT.
• Application and auth endpoints are rate-limited at the edge; SSH is protected by fail2ban; the host applies security-only OS patches automatically.
• Least-privilege IAM for every Lambda and service. Resume downloads are signed per-request and expire in 15 minutes.
• A private VPC for the database — it’s not reachable from the public internet.
• A nightly reconciliation job that cross-checks Cognito against our Postgres user table to catch drift and surface it to admins.

No system is perfectly secure. If you believe you’ve found a vulnerability, please email security@resumes.vegas.

Children

resumes.vegas is not intended for anyone under 18. If you believe a minor has created an account, please let us know and we’ll remove it.

Jurisdiction-specific rights

If you’re in the EU/UK, California, or another region with data-protection laws (GDPR, CCPA, etc.), you have additional rights including access, portability, correction, deletion, and the right to object. Email privacy@resumes.vegasand we’ll honor them.

Changes to this policy

When we make material changes, we’ll notify you by email at least 30 days before they take effect. Non-material edits (typos, clarifications) will be noted by updating the date at the top.

Questions

Email privacy@resumes.vegas and a real person will respond. Usually within one business day.