Title Bump Privacy Policy
Effective Date: April 23, 2026
Last Updated: April 23, 2026
Introduction
Title Bump ("Title Bump," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, share, secure, and retain information in connection with:
- the website at titlebump.com and any subdomains;
- the Title Bump web application;
- the free, anonymous Resume Roaster;
- emails and notifications we send;
- and all related features
(collectively, the "Service").
By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree, do not use the Service.
Scope
This Privacy Policy applies to Users and visitors of the Service, including free Resume Roaster users and paid Subscribers. It does not apply to:
- third-party services or websites the Service integrates with or links to (which have their own privacy practices);
- information your employer, a recruiter, or any other third party collects about you independently of the Service.
European Union, EEA, and UK users: the Service is NOT intended for you and we do not represent that it complies with the GDPR, UK GDPR, Digital Services Act, or other EU/UK/EEA laws. Do not use the Service if you are in these regions.
Table of Contents
- Information We Collect
- How We Use Your Information
- How We Share Your Information
- Third-Party Services and Subprocessors
- AI Processing
- Data Storage and Security
- Data Retention
- Your Rights and Choices
- California Privacy Rights (CCPA/CPRA)
- Other State Privacy Rights
- Children's Privacy
- International Transfers
- Cookies and Similar Technologies
- Do Not Track and Global Privacy Control
- Automated Decision-Making and AI
- Breach Notification
- Deceased Users and Lawful Access
- Changes to This Policy
- Contact Us
1. Information We Collect
1.1 Information You Provide
Account information. Name, email address, password (stored only as a one-way hash), authentication tokens. If you sign in with a third-party identity provider (e.g., Google or Apple, when offered), we receive your name, email address, and profile photo from that provider.
Resume content. The resume file you upload (PDF or similar) and the structured data our AI extracts from it, including: work history (company names, titles, dates, locations), education, certifications, skills, contact information contained in the resume, projects, summary, and any other fields present in the resume.
Profile and preferences. Target job titles, current/target location, work-mode preferences (remote, hybrid, onsite), industries, salary floor, willingness to relocate, seniority, dream companies, employer include/exclude lists, negative-title keywords, and related career-search preferences.
LinkedIn connections (optional). If you choose to upload your LinkedIn "Connections.csv" export, we ingest the names, current companies, titles, and connection dates. This data is used solely within your Account for warm-intro surfacing; we never contact your connections and never share this data with third parties beyond the subprocessors necessary to host and serve it to you.
Application and match activity. Jobs you view, save, mark as applied/interviewed/rejected/offered, outcomes you record, feedback you provide, and AI-generated content you request (tailored resumes, cover letters, interview prep, recruiter outreach).
Communications. Messages you send to our support team, feedback, and bug reports.
Anonymous Resume Roaster inputs. If you use the free Resume Roaster, we process the uploaded resume to generate a critique. If you optionally provide an email address to receive the results or follow-up communications, we store that email address with the critique.
1.2 Information Collected Automatically
Device and log data. IP address, browser type and version, operating system, referrer URL, pages visited, actions taken, timestamps, and approximate geographic location (inferred from IP, typically at the city or region level, not precise GPS).
Cookies and similar technologies. See Section 13.
Error and performance data. If you experience an application error, we may collect diagnostic data (stack traces, request IDs, redacted request payloads) via our optional error-monitoring provider to debug the issue.
1.3 Information from Third Parties
Payment data from Stripe. Your Subscription status, invoice history, and masked payment-method metadata (card brand, last four digits, expiration month/year). We do not receive your full payment-card number, CVC, or full expiration.
Public job postings. We retrieve job postings from public endpoints (LinkedIn public job search, Greenhouse, Lever, Ashby, Workday, RemoteOK, WeWorkRemotely, and others) and from the Adzuna aggregator API, based on search keywords and locations derived from your profile. This public data is stored in our database for matching and may be displayed back to you.
1.4 Categories of Data We Do NOT Intentionally Collect
- Full payment-card numbers, CVCs, or banking credentials (handled by Stripe);
- Social Security numbers (though one may appear in a resume you upload; we do not purposely request it);
- Protected Health Information subject to HIPAA;
- Precise GPS location;
- Biometric identifiers;
- Information about children under 18.
If you include any of the above in your User Content despite our recommendations, you do so at your own risk, and the License Grant in Section 10 of the Terms applies.
2. How We Use Your Information
We process the information described above for the following purposes:
2.1 Delivering the Service
- Create, authenticate, and maintain your Account;
- Parse your uploaded resume and extract structured data;
- Run automated scans of public job boards and score matches against your preferences;
- Generate tailored resumes, cover letters, interview-prep content, and recruiter-outreach drafts on demand;
- Track your applications and outcomes;
- Surface warm-intro possibilities from your LinkedIn connections (if uploaded).
2.2 AI Processing
- Transmit your User Content (resume, profile, job descriptions) to AI providers (Anthropic, OpenAI) for parsing, scoring, enrichment, and content generation. See Section 5.
2.3 Billing and Account Management
- Process payments through Stripe;
- Send transactional emails (receipts, password resets, security notices, match alerts when there are new results);
- Detect and respond to failed payments, fraud, or chargebacks.
2.4 Service Improvement
- Analyze usage patterns in aggregate to improve matching quality, fix bugs, and prioritize features.
- Use de-identified, aggregated data (e.g., adapter-success rates, average match counts per persona) to improve the Service.
- We do not use your personally identifying resume content to train third-party AI models.
2.5 Security, Fraud Prevention, and Abuse Detection
- Detect and prevent abuse, scraping, unauthorized access, denial-of-service attacks, and payment fraud;
- Enforce rate limits and spend caps.
2.6 Legal Compliance and Dispute Resolution
- Comply with applicable laws, subpoenas, court orders, and governmental requests;
- Respond to legal claims and enforce our Terms.
2.7 Communications
- Send transactional communications required to operate the Service;
- Send product updates and educational content (you may unsubscribe from non-transactional emails at any time).
3. How We Share Your Information
We do not sell your personal information. We do not share your resume, profile, or LinkedIn connections with recruiters or employers.
We share data only as described in this Section.
3.1 With Our Service Providers (Subprocessors)
See Section 4 for the full list. Subprocessors are contractually restricted to processing your data for the purpose we specify and in accordance with our instructions and applicable law.
3.2 With Stripe as an Independent Controller
Stripe acts as an independent controller for payment-card data you submit at checkout. Your use of Stripe is subject to Stripe's privacy notice (available at stripe.com/privacy).
3.3 With Your Direction
When you click an "Apply" link, you are sent to the third-party employer's site or applicant-tracking system; that third party's privacy practices govern your subsequent interaction.
3.4 Legal and Safety Disclosures
We may disclose information when we believe in good faith that disclosure is necessary to:
- comply with any applicable law, regulation, subpoena, court order, or governmental request;
- enforce our Terms or protect the security and integrity of the Service;
- protect the rights, property, or safety of Title Bump, our Users, or others;
- prevent or investigate possible wrongdoing;
- respond to emergency situations.
3.5 Business Transfers
If Title Bump is involved in a merger, acquisition, financing, reorganization, insolvency, receivership, bankruptcy, or sale of all or substantially all of its assets, your information may be transferred to the successor or acquirer. In such a case, we will make reasonable efforts to notify you via email or in-app notice before your information becomes subject to a different privacy policy.
3.6 Aggregated or De-Identified Data
We may share aggregated or de-identified data (data that does not reasonably identify any individual) with third parties for analytics, research, marketing, or other lawful purposes. We will not attempt to re-identify such data.
4. Third-Party Services and Subprocessors
The following subprocessors handle data on our behalf. Their role, category of data shared, and region are shown. We may add, remove, or change subprocessors at our discretion; a current list will be maintained in this Policy.
| Subprocessor | Role | Data Shared | Region |
|---|---|---|---|
| Supabase, Inc. | Authentication, database hosting, file storage | Account data, resume files, profile, connections, match activity, AI generations | United States |
| Vercel, Inc. | Web hosting and edge delivery | All HTTP traffic (IP, cookies, request payloads) | United States (global edge) |
| Anthropic PBC | Claude LLM for resume parsing, career research, scoring, tailored content | Resume content, profile preferences, job descriptions, derived prompts | United States |
| OpenAI, L.L.C. | GPT-4o-mini for job enrichment; embeddings | Job postings; small profile snippets for semantic matching | United States |
| Stripe, Inc. | Payment processing, subscription management | Name, email, billing address, payment-method details (Stripe is an independent controller) | United States |
| Resend, Inc. | Transactional email delivery | Email address, email contents | United States |
| Inngest, Inc. | Scheduled and background job execution | Job invocation metadata, user IDs (no resume content in job payloads) | United States |
| FireCrawl | Proxy rendering of JavaScript-heavy career pages during scheduled scans | Target URLs (no user PII) | United States |
| Adzuna Ltd. | Third-party job aggregator API | Keywords and locations from your profile (no PII beyond that) | United Kingdom / United States |
| Sentry (if enabled) | Error monitoring | Stack traces, request IDs, user IDs; PII scrubbed where feasible | United States |
4.1 No Use for AI Training
Per Anthropic's commercial API terms and OpenAI's API policy, they do not train models on customer API data. We do not authorize any subprocessor to use your User Content to train AI models for any purpose other than providing the Service to us.
5. AI Processing
The Service sends portions of your User Content (resume content, profile preferences, job descriptions) to Anthropic and OpenAI to produce AI Output. Specifically:
- Resume parsing: the full text of your uploaded resume is sent to Anthropic to extract structured fields.
- Career research: your parsed resume plus your profile is sent to Anthropic to generate expanded job-title suggestions, target company lists, and keyword sets.
- Job enrichment: individual job postings (title, company, description, location) are sent to OpenAI GPT-4o-mini (or Anthropic in some cases) to extract structured metadata (seniority, required skills, red flags).
- Match scoring: structured representations of your profile and each job are run through our own scoring logic locally; some scoring dimensions use OpenAI embeddings computed over your title keywords.
- Tailored content: when you request a tailored resume, cover letter, interview prep, or outreach draft, your resume and the target job description are sent to Anthropic to produce the output.
- Resume Roaster: your uploaded resume is sent to Anthropic to generate the critique.
The AI providers return the generated output to us and retain it under their own retention policies (generally short retention for abuse monitoring under API terms). We cache AI Output associated with your Account to avoid re-generating the same output.
5.1 Sensitive-Information Warning
Do not include sensitive information in AI inputs that you do not want transmitted to our AI providers. See the Terms of Service, Section 12.8 for the full warning. If your resume contains a Social Security number or other highly sensitive identifier, please remove it before uploading.
5.2 AI Provider Privacy Policies
- Anthropic Privacy Policy: https://www.anthropic.com/legal/privacy
- OpenAI Privacy Policy: https://openai.com/policies/privacy-policy
6. Data Storage and Security
6.1 Storage Locations
Your User Content is stored in Supabase (U.S.-hosted PostgreSQL and object storage). Email contents transit Resend. Payment data is stored by Stripe. AI transmissions are processed by Anthropic and OpenAI in the U.S.
6.2 Security Measures
We implement industry-standard technical and organizational measures to protect your data:
- Transport encryption. TLS 1.2+ for all connections between your browser and the Service and between the Service and subprocessors.
- At-rest encryption. Supabase encrypts data at rest using AES-256.
- Row-Level Security (RLS). Enforced at the database layer on every user-scoped table; queries are filtered by authenticated User ID, preventing User A from reading User B's data even if application code has a bug.
- HMAC signing. Sensitive email links (e.g., application-outcome links) are HMAC-signed with a server-side secret to prevent tampering.
- Rate limiting and spend caps. Per-User and global limits on AI calls protect against denial-of-wallet attacks and runaway spend.
- Secret management. API keys, signing secrets, and database credentials are stored in environment-variable secret managers and are never committed to source control.
- Access controls. Production database access is limited to engineering staff and audit-logged; non-engineering staff do not have access to resumes.
- Secret rotation. Signing keys and webhook secrets are rotated in response to potential exposure.
- Error-log scrubbing. Personally identifying data is scrubbed from error logs where technically feasible.
6.3 Limitations
No security measure is 100% effective. While we take reasonable steps, we cannot guarantee the absolute security of your data.
6.4 Your Responsibility
You are responsible for maintaining the confidentiality of your Account credentials and for any activity that occurs under your Account. Enable multi-factor authentication where offered. Report any suspected compromise immediately to contact@titlebump.com.
6.5 Backup and Your Data
We recommend you keep your own copy of any important resume or other User Content. We may lose data due to technical failure or cyberattack, and we are not responsible for that loss. See Terms Section 15.5.
7. Data Retention
7.1 Active Accounts
We retain your User Content for as long as your Account is active.
7.2 Account Deletion
When you delete your Account, we will delete your resume, profile, preferences, LinkedIn connections, match history, and AI-generated outputs within thirty (30) days. Backups are purged within an additional sixty (60) days (typically within 90 days total), except as stated below.
7.3 Resume Roaster (Anonymous Tier)
Anonymous Roaster results and uploaded resumes are retained in de-identified form for up to thirty (30) days for abuse prevention, then deleted.
7.4 Billing and Tax Records
Retained up to seven (7) years as required by U.S. tax law and similar obligations.
7.5 Aggregate Analytics
De-identified statistics (scan counts, adapter performance, feature usage, anonymous overlap metrics) may be retained indefinitely.
7.6 Legal Holds
If data is subject to a pending subpoena, court order, investigation, or legal dispute, we will retain it until the matter is resolved.
7.7 Backup Purge Timeline
Backups that include User Content are retained for no more than ninety (90) days after deletion of the primary record.
8. Your Rights and Choices
8.1 Access, Correction, Deletion
You have the right to:
- Access: request a copy of the personal information we hold about you;
- Correct: request that we correct inaccurate or incomplete data;
- Delete: request deletion of your Account and associated data (subject to the retention exceptions in Section 7);
- Export: request your profile, resume, and match history in a machine-readable format.
To exercise these rights, email contact@titlebump.com from the email address associated with your Account, or use the account-settings flow where available.
8.2 Response Times
We will respond to verified requests within the timelines required by applicable law (generally 30–45 days).
8.3 Verification
To protect you, we may require identity verification before fulfilling a request. Authenticated sign-in via your Account email is typically sufficient. For requests by authorized agents, we require written proof of authorization.
8.4 Appeals
If we deny your request, you may appeal by emailing contact@titlebump.com. We will provide the result of the appeal and the reason within forty-five (45) days.
8.5 Non-Discrimination
We will not discriminate against you for exercising your privacy rights. This means we will not deny, charge different prices for, or provide a different level or quality of Service because you exercise your rights, except where the difference is reasonably related to the value provided by your data.
8.6 Marketing Communications
You may unsubscribe from marketing emails at any time by clicking the unsubscribe link in any such email. Transactional emails (account, billing, security, legal notices) are required to operate the Service and cannot be opted out of while you have an active Account.
8.7 Analytics Opt-Out
Because we do not currently deploy third-party advertising or cross-site tracking analytics, there is nothing to opt out of at this time. If we add analytics, we will update this Policy and provide an opt-out mechanism where required by law.
9. California Privacy Rights (CCPA / CPRA)
This Section describes rights that apply if you are a California resident, under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA").
9.1 Categories of Personal Information We Collect
In the past twelve (12) months, we have collected the following categories of personal information as defined by the CCPA/CPRA:
| CCPA Category | Examples We Collect | Source | Purpose | Sold/Shared? |
|---|---|---|---|---|
| Identifiers | Name, email, account ID, IP address | You, auto-collected | Account mgmt, Service delivery, security | No |
| Personal Information (Cal. Civ. Code § 1798.80(e)) | Name, email, billing info (via Stripe) | You, Stripe | Account mgmt, payment | No |
| Commercial Information | Subscription and purchase history | Stripe | Billing, fraud prevention | No |
| Internet or Network Activity | Pages visited, actions taken, log data | Auto-collected | Service operation, security | No |
| Geolocation | Approximate location from IP and self-reported city/state | Auto-collected, you | Match relevance, security | No |
| Professional or Employment-Related Information | Resume content, work history, job preferences, skills, LinkedIn connections | You | Core Service (matching, generation) | No |
| Inferences | AI-derived attributes (seniority, role archetype, match scores) | Derived | Matching, scoring | No |
| Sensitive Personal Information (CPRA) | Account credentials (hashed password); resume may include SSN if user chose to keep it | You | Authentication; core Service | No |
9.2 We Do Not Sell or "Share" Personal Information
We do not sell personal information as defined by the CCPA, and we do not "share" personal information for cross-context behavioral advertising as defined by the CPRA. We do not engage in targeted advertising using your personal information.
9.3 Your CCPA/CPRA Rights
- Right to Know. Request the categories and specific pieces of personal information we have collected about you, the categories of sources, the purposes of collection, and the categories of third parties with whom it is shared.
- Right to Delete. Request deletion of personal information we have collected from you.
- Right to Correct. Request correction of inaccurate personal information.
- Right to Opt Out of Sale/Sharing. Not applicable. We do not sell or share.
- Right to Limit Use of Sensitive Personal Information. You may request that we limit the use and disclosure of your sensitive personal information to what is necessary to provide the Service.
- Right to Non-Discrimination. We will not discriminate against you for exercising your rights (see Section 8.5).
9.4 How to Exercise CCPA Rights
- Email: contact@titlebump.com
- In-app: account settings → Privacy
We will verify your identity as described in Section 8.3.
9.5 Authorized Agents
California residents may designate an authorized agent to make a request on their behalf. The agent must provide written authorization signed by you, along with proof of the agent's identity. We may additionally require verification from you directly.
9.6 Global Privacy Control
We honor the Global Privacy Control (GPC) browser signal where applicable. Because we do not sell or share personal information, GPC does not change the behavior of the Service, but we treat GPC as an opt-out request of any future sale or sharing.
9.7 "Shine the Light" (Cal. Civ. Code § 1798.83)
California residents may request, once per year, a list of personal information we disclosed to third parties for their own direct marketing purposes. We do not currently disclose personal information for such purposes.
9.8 CalOPPA (Cal. Bus. & Prof. Code § 22575)
This Privacy Policy is accessible via a conspicuous link on every page of the Service.
9.9 Financial Incentives
We do not currently offer financial incentives in exchange for personal information.
9.10 Retention
See Section 7. Each category of personal information is retained no longer than is reasonably necessary for the purpose it was collected.
10. Other State Privacy Rights
10.1 Virginia (VCDPA)
Virginia residents have rights to access, correct, delete, obtain a portable copy, and opt out of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects. We do not engage in any of those opt-out-triggering activities. You may exercise your other rights by emailing contact@titlebump.com. To appeal a denial, email contact@titlebump.com.
10.2 Colorado (CPA)
Colorado residents have substantially the same rights as Virginia residents. Same exercise and appeal process as Section 10.1.
10.3 Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Tennessee (TIPA), New Jersey (NJDPA), Delaware (DPDPA), New Hampshire, Minnesota, Maryland, Nebraska, and other states
Residents of states with comparable privacy laws have rights similar to the CCPA/CPRA (access, correct, delete, portability, and in some cases opt-out of sale/sharing/profiling). We honor these rights to the extent required by each state's law. To exercise, email contact@titlebump.com.
10.4 Nevada (NRS § 603A)
Nevada residents may submit a verified request to opt out of the sale of their covered information to any person to license or sell the information to third parties. We do not sell covered information; however, Nevada residents may submit opt-out requests to contact@titlebump.com.
10.5 Washington "My Health My Data" Act
If we learn that any data collected constitutes "consumer health data" under Washington's law, we will apply the additional consent and access rights required by that law.
11. Children's Privacy
The Service is not directed to children and is intended only for users 18 years of age or older. We do not knowingly collect personal information from any person under 13 (for purposes of the Children's Online Privacy Protection Act, "COPPA") or any person under 18 (per our general age policy).
If we discover we have collected personal information from a child under 13 without verifiable parental consent, we will delete it promptly. Parents or guardians who believe we have collected such information may contact contact@titlebump.com.
12. International Transfers
The Service is operated from the United States. If you access the Service from a country other than the United States, you consent to the transfer, storage, and processing of your information in the United States and in any other country where our subprocessors operate. Data-protection laws in the United States may differ from those of your country.
The Service is not intended for residents of the European Union, European Economic Area, United Kingdom, or Switzerland. We do not represent compliance with the GDPR or UK GDPR and do not provide Standard Contractual Clauses or other EU transfer mechanisms. If you are located in those regions, do not use the Service.
13. Cookies and Similar Technologies
13.1 Categories
| Category | Purpose | Duration | Provider |
|---|---|---|---|
| Strictly necessary (authentication) | Maintain your signed-in session | Until sign-out or expiration | Supabase (on our behalf) |
| Strictly necessary (CSRF) | Protect against cross-site request forgery | Session | Next.js / app server |
| Preferences | Store UI preferences (e.g., dark mode) | Until cleared by you | First-party local storage |
| Security / rate limiting | Track rate limits, detect fraud | Up to 30 days | First-party |
We do not currently use advertising, retargeting, or cross-site tracking cookies. We do not embed third-party analytics tags that track you across sites. If we add analytics in the future, we will update this Policy and, where required, present a cookie banner and obtain consent.
13.2 Managing Cookies
Most browsers let you refuse or delete cookies. Note that blocking strictly necessary cookies may prevent you from signing in.
14. Do Not Track and Global Privacy Control
We honor the Global Privacy Control (GPC) browser signal as an opt-out of any sale or sharing of personal information (see Section 9.6). Because we do not currently sell or share personal information, GPC does not change our behavior.
We do not respond to generic "Do Not Track" (DNT) browser headers beyond honoring GPC, because there is no common industry standard for DNT.
15. Automated Decision-Making and AI
We use artificial-intelligence models to:
- parse your resume;
- generate career-research outputs;
- score how well jobs match your profile;
- draft tailored resumes, cover letters, and outreach messages;
- produce interview-prep content and the Resume Roaster critique.
These are not solely automated decisions that produce legal or similarly significant effects on you. You are always in control:
- You choose which jobs to pursue and apply to;
- You review all AI-generated content before using it anywhere;
- You can ignore, override, or edit any match score, flag, or generated draft;
- We do not share your AI Output with employers or recruiters.
If you want to understand how a particular score or suggestion was produced, email contact@titlebump.com.
16. Breach Notification
If we become aware of a security incident that compromises your personal information, we will notify you and applicable regulators within the timelines required by applicable law. Notifications will describe the nature of the incident, the information affected, the steps we have taken, and recommendations for you.
17. Deceased Users and Lawful Access
We handle requests from the estates or authorized representatives of deceased Users and from governmental authorities as described in Sections 22 and 18–22 of the Terms of Service.
18. Changes to This Policy
We may update this Privacy Policy. The "Last Updated" date at the top reflects the most recent revision. If we make material changes, we will notify you by email or in-app notice at least fourteen (14) days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance. If you do not agree, stop using the Service and delete your Account before the effective date.
19. Contact Us
All inquiries (privacy rights requests, security reports, legal notices, and general questions) should be sent to contact@titlebump.com. We respond within ten (10) business days and always within the timelines required by applicable law.
Summary of Rights (Quick Reference)
| Right | How to Exercise |
|---|---|
| Access your data | Account settings or contact@titlebump.com |
| Correct inaccurate data | Account settings or contact@titlebump.com |
| Delete your Account and data | Account settings or contact@titlebump.com |
| Export your data | contact@titlebump.com |
| Opt out of marketing emails | Unsubscribe link in any marketing email |
| Opt out of sale/share | Not applicable. We do not sell or share |
| Limit use of sensitive PI | contact@titlebump.com (California) |
| Appeal a denial | contact@titlebump.com |
By using Title Bump, you acknowledge you have read this Privacy Policy.