Last updated: May 20, 2026

Privacy Policy

How Aurum Transfers Limited (the legal entity behind The Pharm) collects, uses, stores, and protects your personal data when you use our healthcare-resume rewrite and career-coaching service. Plain-English summary at the top — full detail below.

The plain-English summary

Your resume is the most personal thing on this site. We treat it that way.

  • We never train AI models on your resume. Period. Our analyzer uses keyword rules; no LLMs, no neural-net training, no third-party AI ingestion.
  • We collect: account info (name, email, phone), resume content you upload, payment metadata (PayPal handles cards — we never see them), and basic analytics (anonymized IP, page-views).
  • We share data only with named sub-processors needed to deliver the Service: Supabase (storage), Brevo (email), PayPal (payments), Cloudflare (CDN), Sentry (error tracking), PostHog (product analytics). All listed below.
  • You have rights under CCPA, CPA, VCDPA, CTDPA, GDPR, UK-DPA, and PIPEDA: access, correction, deletion, portability, opt-out of sale/sharing. California residents may opt out at Do Not Sell or Share My Personal Information. Submit other rights requests at [email protected].
  • Resume files are retained 365 days after engagement closes; we delete on request earlier.
  • We notify affected users of any qualifying data breach within 72 hours of discovery.
  • The Service is for adults 18+. We don’t knowingly collect data from anyone under 18.
  • Honor signal: we respect Global Privacy Control (GPC) headers as a CCPA opt-out request.
Table of contents (20 sections)
  1. Scope and consent
  2. What personal data we collect
  3. How we collect it
  4. Why we use it (lawful purposes)
  5. Resume content — special handling
  6. Sensitive PII redaction
  7. AI / machine-learning use
  8. Who we share data with (sub-processors)
  9. International transfers
  10. Retention periods
  11. Security measures
  12. Data-breach notification
  13. Your rights (CCPA, GDPR, PIPEDA)
  14. Submitting a data-subject request
  15. Children's privacy
  16. Do Not Track and global privacy controls
  17. Third-party links and embeds
  18. Advertising and ad-mediation partners
  19. Changes to this policy
  20. Contact

1. Scope and consent

This Privacy Policy applies to data we collect through thepharmwcg.com, our subdomains, and any related services we operate (the “Service”). It is incorporated by reference into our Terms of Service. By using the Service you consent to the data handling described here. If you do not consent, do not use the Service.

Aurum Transfers Limited is the data controller for the personal data described in this policy. Our address and contact details are in §20.

2. What personal data we collect

We collect the following categories of personal data:

  • Account data — name, email, phone (optional), time zone, password hash, account-creation timestamp, last-login timestamp.
  • Resume content — the file you upload (PDF/DOCX/RTF), the extracted text, structured fields parsed from it (employment history, credentials, education, skills, contact info embedded in the resume itself).
  • Service-engagement data — intake-form responses, appointment records (date/time/topic), Keyerrá’s coaching notes, deliverables, revision history.
  • Payment metadata — customer name, billing email, tier purchased, transaction ID, payment timestamp. We do not see, store, or process card numbers, CVVs, or bank-account details — PayPal is the merchant of record.
  • Communications — email correspondence with us, support tickets, newsletter subscription status.
  • Site-usage analytics — page views, click events, autocaptured form interactions, web vitals, anonymized IP-derived geolocation, user-agent string.
  • Affiliate-attribution data — which referral link or session brought you to us, anonymized via a hash. See Cookie Policy.
  • Cookies and similar technologies — see Cookie Policy.

3. How we collect it

  • Directly from you — when you create an account, upload a resume, fill out the intake form, send us an email, or schedule an appointment.
  • Automatically — through cookies, web vitals, and our analytics tools (PostHog, Sentry).
  • From service providers — PayPal returns transaction confirmations; Brevo returns email-delivery status; Supabase Auth returns account-creation events.

4. Why we use it (lawful purposes)

We process your personal data only for the following lawful purposes (GDPR Art. 6 / CCPA business-purpose framework):

  • To deliver the Service — read your resume, run intake calls, write the rewrite, schedule deliveries (legal basis: contract).
  • To process payment — share customer name + email + tier with PayPal (legal basis: contract).
  • To send transactional communications — order confirmation, delivery notice, intake-call reminders, password reset (legal basis: contract).
  • To send marketing communications — newsletter, blog updates, lead-magnet drip — only with your double-opt-in consent (legal basis: consent; see Terms §20 for opt-out).
  • To improve the Service — anonymized analytics, web vitals, error tracking (legal basis: legitimate interest).
  • To comply with legal obligations — tax records, accounting, legal-process responses (legal basis: legal obligation).
  • To enforce our rights and prevent abuse — fraud detection, rate-limiting, terms-violation investigation (legal basis: legitimate interest).

5. Resume content — special handling

Resume content is treated as the most-sensitive data on the Service. It contains employment history, credentials, contact info, and often demographic detail. We apply heightened controls: row-level security in Supabase (only you and Keyerrá can read it), encrypted at rest, access logged in our audit table.

Specifically:

  • Files are stored in a private Supabase Storage bucket. Anonymous read is denied; authenticated users can only read their own files via Row-Level Security policy.
  • Extracted text is stored in feedback_reports.raw_text (truncated to 20,000 characters) with the same RLS policy.
  • Coach notes (Keyerrá’s private notes about your resume) are admin-write/admin-read only.
  • We never publish resume excerpts publicly or in case studies without explicit written consent (see Share Your Win consent flow).

6. Sensitive PII redaction

Some resumes contain especially sensitive identifiers — we redact these before any analysis runs:

  • DEA registration numbers (pharmacist resumes occasionally include them — they shouldn’t).
  • Social Security numbers or partial SSN patterns.
  • Date of birth (rarely on a U.S. resume but seen on internationally-trained candidates’ CVs).
  • Government-issued ID numbers (passport, driver’s license).
  • Immigration-status indicators if presented in identifying form.

The original file remains intact and downloadable by you. The parsed/analyzed copy held in our database has these patterns redacted. If you spot one we missed, email [email protected] and we will re-run redaction.
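As an added illustration (not the project's lib/resumeAnalyzer.ts or any code from this policy), the following TypeScript shows how the pre-analysis redaction step described in this section can be implemented for the SSN, partial-SSN, date-of-birth and DEA-number categories; the placeholder format, category names and the sample resume lines are constructed assumptions. It goes one step beyond the text by validating the DEA check digit, so nine-character reference codes that merely look like DEA numbers are left in place.

```typescript
// Added example, not the project's lib/resumeAnalyzer.ts. Redacts the
// identifier classes named in §6 before analysis; placeholder format and
// category names are assumptions.
export interface RedactionResult {
  text: string;                  // redacted copy kept for analysis
  hits: Record<string, number>;  // per-category counts, e.g. for an audit row
}

// A DEA registration number is two letters (first in A/B/F/G/M/P/R/X,
// second a letter or 9) followed by seven digits; the seventh digit is a
// check digit: ((d1+d3+d5) + 2*(d2+d4+d6)) mod 10. Checking it keeps
// nine-character reference codes from being redacted by mistake.
export function isValidDea(token: string): boolean {
  if (!/^[ABFGMPRX][A-Z9]\d{7}$/.test(token.toUpperCase())) return false;
  const d = token.slice(2).split("").map(Number);
  const sum = d[0] + d[2] + d[4] + 2 * (d[1] + d[3] + d[5]);
  return sum % 10 === d[6];
}

// Conservative, anchored patterns; bare numbers elsewhere are left alone.
const PATTERNS: Array<[string, RegExp]> = [
  ["ssn", /\b\d{3}-\d{2}-\d{4}\b/g],
  ["ssn_partial", /\b[Xx*]{3}-[Xx*]{2}-\d{4}\b/g],
  ["dob", /\b(?:DOB|Date of Birth)\s*:?\s*(?:\d{1,2}[\/.-]\d{1,2}[\/.-]\d{2,4}|\d{4}-\d{2}-\d{2})/gi],
];

export function redactSensitive(input: string): RedactionResult {
  const hits: Record<string, number> = {};
  const count = (name: string) => { hits[name] = (hits[name] ?? 0) + 1; };
  let text = input;
  for (const [name, re] of PATTERNS) {
    text = text.replace(re, () => { count(name); return `[REDACTED:${name}]`; });
  }
  // DEA candidates are matched loosely, then filtered by the check digit.
  text = text.replace(/\b[A-Za-z][A-Za-z9]\d{7}\b/g, (tok) => {
    if (!isValidDea(tok)) return tok;
    count("dea");
    return "[REDACTED:dea]";
  });
  return { text, hits };
}

// Constructed sample: the second line carries a valid DEA number and a
// look-alike code whose check digit does not match.
export const SAMPLE = [
  "Jane Doe, PharmD  |  SSN 123-45-6789  |  DOB: 04/12/1985",
  "DEA AB1234563 (active)   Ref# AB1234567   NPI 1234567890",
].join("\n");
```

The `hits` map is what a redaction step would write to the audit table, so a customer report of a missed identifier can be checked against what the run actually matched.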

7. AI / machine-learning use

We do not use your resume to train any AI model. Our heuristic analyzer (lib/resumeAnalyzer.ts) uses deterministic keyword rules — no LLMs, no neural networks, no machine-learning training. Your resume content is never sent to OpenAI, Anthropic, Google, or any other AI provider.

For our own product improvement we may retain anonymized aggregate statistics (e.g., “5,200 pharmacy-tech resumes parsed in Q2; average ATS-readability score 64/100”) but never your individual content tied to you.

If we ever change this posture (e.g., introduce an LLM-powered analyzer in a future tier), we will: (a) update this policy with at least 30 days’ notice, (b) require explicit opt-in from existing customers, and (c) document the AI provider, the data sent, and the retention by that provider.

8. Who we share data with (sub-processors)

We share your personal data only with the following sub-processors, each contractually bound to confidentiality and security standards equivalent to ours:

Sub-processor | Purpose | Data shared
--- | --- | ---
Supabase | Database + storage | All account, resume, and service data
Brevo | Transactional + marketing email | Email, name, opt-in status
PayPal | Payment processing | Customer name, email, tier, amount
Cloudflare | CDN, DNS, WAF | IP, request headers (transient)
Vultr | Application hosting | Server logs (anonymized)
Sentry | Error tracking | Stack traces, user agent, anonymized IP
PostHog | Product analytics | Pseudonymous events, autocaptured clicks
Impact (impactcdn.com) | Affiliate tracking | Click events, anonymized session ID
Ezoic (ezoic.com) | Ad mediation + consent management (Gatekeeper CMP) | Anonymized visitor ID, consent state, page-context metadata

We do not sell your personal data to anyone. We do not share data with advertisers, data brokers, or marketing networks. We do not engage in “cross-context behavioral advertising” as defined by CCPA.

We may disclose personal data in response to a valid legal process (subpoena, court order, government request), to protect against fraud or abuse, or in connection with a corporate transaction (merger, acquisition, asset sale). In such cases, we notify affected users where legally permitted.

9. International transfers

The Service is hosted in the United States. Your personal data may be transferred to, stored, and processed in the U.S. and in other countries where our sub-processors operate.

For users in the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission’s Standard Contractual Clauses (SCCs) and equivalent UK IDTA / Swiss Addendum where required. Sub-processors are contractually bound to those clauses.

10. Retention periods

  • Resume files — 365 days after engagement closes, then deleted from active storage. Available for earlier deletion on request.
  • Coach notes and deliverables — same as resume files (365 days post-engagement).
  • Account data — until you request deletion, plus 7 years if required for tax/legal records.
  • Payment records — 7 years (IRS retention requirement).
  • Email communications — 3 years from last contact.
  • Anonymous analytics — indefinitely, but cannot be linked back to you.
  • Audit logs — 2 years (security/compliance evidence).
  • Backups — 30 days; deletion requests propagate to backups within 35 days of confirmation.

11. Security measures

We apply standard security practices appropriate to the sensitivity of the data:

  • TLS 1.2+ for all data in transit; HTTPS-only; HSTS enabled.
  • At-rest encryption for the Postgres database and Supabase Storage.
  • Row-Level Security on every table; service-role keys held only on the server-side hosting environment.
  • Multi-factor authentication on all sub-processor admin accounts.
  • Least-privilege access — Keyerrá’s coach role can read customer data; her account does not have schema-write access.
  • Audit logging on all admin actions.
  • Quarterly review of access permissions and dependency vulnerabilities.

No system is perfectly secure. While we use industry-standard practices, we cannot guarantee absolute protection against all threats.

12. Data-breach notification

If a personal-data breach occurs that is likely to result in risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authorities within 72 hours of discovery (per GDPR Art. 33 and equivalent state laws).
  • Notify affected users without undue delay — by email to the address on file, in plain language, including the nature of the breach, the data categories affected, the likely consequences, and the measures we are taking.
  • Document the incident, root cause, and remediation in a security postmortem retained for 5 years.

If you suspect a security issue, email [email protected]. We respond to verifiable reports within 2 business days.

13. Your rights (CCPA, GDPR, PIPEDA)

Depending on your location, you have rights under one or more of these laws:

  • CCPA / CPRA (California) — know, delete, correct, opt-out of sale (we don’t sell), opt-out of sharing for cross-context behavioral advertising (we don’t do this), limit use of sensitive PI, non-discrimination for exercising rights.
  • CPA (Colorado), CTDPA (Connecticut), VCDPA (Virginia) — access, correction, deletion, portability, opt-out of targeted ads / sale / profiling.
  • GDPR (EU/EEA) — access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), withdraw consent at any time, lodge a complaint with your data-protection authority.
  • UK-DPA (United Kingdom) — same rights as GDPR.
  • PIPEDA (Canada) — access, correction, withdraw consent.

We will not discriminate against you for exercising any of these rights — you will continue to receive the same quality of service at the same price.

14. Submitting a data-subject request

To submit a data-subject access request (DSAR), email [email protected] with:

  • Your full name and the email address associated with your account.
  • Which right you are exercising (access, deletion, correction, etc.).
  • Verification — for security, we may ask you to confirm via the same email used at signup, or to confirm a recent transaction detail.

We respond within 30 days; if your request is complex we may extend by an additional 60 days with notice. There is no fee for the first request in any 12-month period; we may charge a reasonable fee for excessive or repetitive requests.

You may also designate an authorized agent to submit a request on your behalf — we will require written authorization from you and proof of the agent’s identity.

15. Children's privacy

The Service is intended for adults 18 and older. We do not knowingly collect personal data from anyone under 18. If you believe a child has submitted personal data to us, please contact [email protected] and we will delete it.

16. Do Not Track and global privacy controls

We honor the Global Privacy Control (GPC) signal as a CCPA-valid opt-out request from your browser. If your browser sends GPC, we will treat that as an opt-out of any sale or sharing of personal information for cross-context behavioral advertising.

We currently do not respond to legacy “Do Not Track” (DNT) headers because there is no industry consensus on what they require; GPC is the modern, more interpretable signal.

17. Third-party links and embeds

Our Service contains links to third-party websites and embeds (e.g., affiliate links, YouTube videos, payment widgets). This Privacy Policy does not apply to those third-party services. We encourage you to read the privacy policy of each external service you interact with.

18. Advertising and ad-mediation partners

The Pharm participates in advertising through Ezoic, an ad-mediation platform that runs header bidding across multiple demand sources. Ezoic and its certified partners use cookies and similar technologies to serve relevant ads, measure performance, and apply frequency caps. Where applicable (US visitors), Ezoic also handles consent state via the Gatekeeper CMP (TCF 2.3 + Consent Mode v2 compatible).

We may, in the future, add additional ad-network partners (such as Google AdSense or other certified mediation partners). If and when we do, this section will be updated before those partners are activated, and visitors in the EU/UK will be re-prompted for consent.

Important: Our use of Ezoic (and any future ad-mediation partner) may constitute “sharing” for cross-context behavioral advertising under the California Privacy Rights Act (CPRA). California residents may opt out at Do Not Sell or Share My Personal Information. We also honor the Global Privacy Control (GPC) browser signal automatically.

Cookies used by advertising partners

Ezoic and its mediation partners set the following first- and third-party cookies for ad delivery, fraud prevention, and frequency capping: ezovuuid, ezovuuidtime, ez_cmpccpa, __ezas, and CMP consent-state cookies. For the full inventory see our Cookie Policy.

19. Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent revision. For material changes that adversely affect your rights, we will provide at least 30 days’ notice on the homepage and via email to the address on file. Continued use of the Service after the effective date constitutes acceptance.

20. Contact

Questions, concerns, or notices regarding this policy should be directed to:

Aurum Transfers Limited — The Pharm
Privacy / DSAR: [email protected]
Security incidents: [email protected]
General contact: [email protected]

Email is not a confidential channel. Do not include sensitive personal data (Social Security numbers, full bank-account numbers, etc.) in your correspondence.
