Privacy Policy
Effective date: 17 May 2026 · Last updated: 17 May 2026 · Version: 2026-05-17
The short version. Aistint is an AI-powered resume reviewer. To analyse your resume we send its contents to Anthropic's Claude API. We store your account, analyses and usage in Supabase. We never sell your data, never train AI models on it, and you can export or delete everything at any time from Account → Privacy & data.
1. Who we are
This Privacy Policy describes how [Legal Entity Name] ("Aistint", "we", "us") collects and uses personal data when you use the Aistint app and website at aistint.app. We are the Data Fiduciary under India's Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Data Controller under the EU GDPR where it applies.
2. What we collect
2.1 Account & profile data
- Email address, name, password (stored as a bcrypt/argon2 hash — never in plain text)
- Email verification codes (OTPs) — temporary, deleted after use or expiry
- If you sign in with Google: your Google ID, name, email and avatar URL
- Optional profile fields you provide: job title, LinkedIn URL, avatar colour
- Plan and credits (free / pro), trial dates
2.2 Resume & analysis data
- The text content of resumes you upload or paste
- Target role, job description, and any other inputs you provide for analysis
- Analysis results we generate: score, grade, career level, strengths, weaknesses, suggestions, cover letter drafts
- Mood / coaching state if you use the Mission Bot
2.3 Usage & technical data
- Pages visited, features used, analyses run, session duration
- Approximate location derived from IP address
- Device type, browser, operating system, screen size
- Crash and error logs
2.4 Payment data
- Subscription plan, amount, status, transaction reference
- We do not store your card number, CVV or UPI PIN. Payments are processed by our payment partner [Razorpay / Stripe — fill in] who is PCI-DSS certified.
3. How we use your data
| Purpose | Data | Legal basis |
| Create & secure your account | Account, OTP | Contract |
| Analyse your resume and generate feedback | Resume, analysis, account | Contract / consent |
| Customer support | Account, communication | Contract |
| Send transactional emails (login, billing, results) | Email, name | Contract / legal |
| Send marketing emails (you can opt out) | Email, name | Consent |
| Improve the product & analytics | Usage, device | Consent / legitimate interest |
| Detect abuse and fraud | Account, usage, IP | Legitimate interest |
| Comply with tax, accounting and legal requirements | Payments, account | Legal obligation |
4. AI processing & resume content — important
To analyse your resume, the text content is sent to Anthropic, PBC (anthropic.com) — the maker of Claude. Anthropic acts as our data processor under a Data Processing Agreement.
- What is sent: resume text, target role, job description and instructions to the model. We strip out highly sensitive identifiers (e.g. Aadhaar, PAN, bank details) before sending where automatically detectable, but you should avoid pasting these into your resume.
- Where it goes: Anthropic's API servers (United States).
- How long Anthropic keeps it: Anthropic retains API inputs for up to 30 days for trust-and-safety review, then deletes them. They do not train their models on data submitted via the API.
- Our copy: we store the resume text and analysis output in your account so you can revisit it. You can delete any analysis from Account → My analyses.
If you do not consent to AI processing of your resume, please do not use Aistint — the core feature cannot work without it.
5. Who we share data with
We do not sell your personal data. We share only with the following processors, each bound by a Data Processing Agreement:
| Processor | Purpose | Location |
| Anthropic, PBC | AI resume analysis (Claude API) | USA |
| Supabase, Inc. | Database & authentication | USA / Singapore |
| Cloudflare, Inc. | Web hosting, CDN, edge functions | Global edge network |
| Resend | Transactional email delivery | USA |
| Google LLC | OAuth sign-in (if you choose Google login) | USA |
| [Razorpay / Stripe] | Payment processing | India / USA |
We may also disclose data to authorities when required by law, court order or to protect rights, safety and property; and to a successor entity in case of a merger, acquisition or sale of assets (with notice to you).
6. International data transfers
Our processors are located outside India. We transfer your data to them in accordance with the DPDP Act and applicable Government of India notifications. For EEA/UK users, we rely on Standard Contractual Clauses approved by the European Commission with each processor.
7. Retention
| Category | Retention period |
| Account data | While account is active + 90 days after deletion |
| Resume content & analyses | While account is active, or until you delete them; whichever first |
| OTP codes | Up to 15 minutes, then deleted |
| Sessions | 30 days after last activity |
| Payment records | 8 years (Income Tax Act, India) |
| Marketing consent log | 3 years after withdrawal (audit trail) |
| Backups | 30 days rolling |
8. Your rights
Under the DPDP Act, GDPR and similar laws you have the right to:
- Access — request a copy of the personal data we hold about you
- Correction — fix anything inaccurate
- Erasure — delete your account and associated data
- Withdraw consent — at any time, without affecting prior lawful processing
- Nomination — appoint someone to exercise rights on your behalf (DPDP Act)
- Grievance redressal — raise a complaint with our Grievance Officer (Section 13)
- Object to direct marketing — we will stop on request
- Complain to the Data Protection Board of India or your local supervisory authority
You can exercise most of these directly inside the app: Account → Privacy & data. Or email privacy@aistint.app. We respond within 30 days.
9. Children's privacy
Aistint is not directed at children under 18. We do not knowingly collect personal data of children. We do not engage in tracking, behavioural monitoring or targeted advertising directed at children. If you believe a child has provided data to us, please contact us and we will delete it.
10. Security
We protect your data with:
- HTTPS / TLS for all traffic
- Encryption at rest for sensitive fields
- Password hashing (never plain text)
- OTP-based email verification
- Server-side API keys — never exposed to the browser
- Access controls and audit logging on our backend
No system is 100% secure. In case of a personal data breach we will notify the Data Protection Board of India and affected users as required by law.
11. Cookies & local storage
Aistint uses only the minimum storage needed to keep you signed in and remember your preferences:
- Session token — to keep you logged in (essential)
- Plan / preferences cache — to load the app faster (essential)
- Consent log — your choices about analytics and marketing (essential)
We do not use third-party advertising cookies. If we add analytics that uses cookies, we will ask for your consent first via a banner.
12. Changes to this Policy
We may update this Policy. When we make material changes we will notify you in the app and by email, and where required we will re-ask for your consent. The "Last updated" date and "Version" above always reflect the current version.
For any privacy question or to exercise your rights:
In accordance with the DPDP Act and the Information Technology Rules, our Grievance Officer is:
- Name: [Officer Name]
- Designation: Grievance Officer
- Email: grievance@aistint.app
- Phone: +91-[XX]-[XXXX-XXXX]
- Hours: Mon–Fri, 10:00–18:00 IST