Fitted

Privacy Policy

Last updated: May 2026

1. Introduction

Fitted (“we,” “us,” or “our”) operates the Fitted web application (the “Service”). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our Service. By using the Service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Email address, name, and password when you create an account.
  • Resume Files: Resume documents you upload in PDF, DOCX, or text format.
  • Job Descriptions: Job listing text you provide for analysis.
  • Payment Information: Billing details processed securely through Stripe. We do not store your full credit card number.

2.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, session duration, and interaction patterns.
  • Device Information: Browser type, operating system, and screen resolution.
  • Log Data: IP address, access times, and referring URLs.

3. How We Use Your Information

We use your information for the following purposes:

  • To provide and maintain the Service, including AI-powered resume tailoring and analysis.
  • To process your resume and job descriptions through our AI provider (Anthropic Claude API). Before sending, we run a best-effort PII strip on your resume. See section 4 for exactly what we strip and what we do not.
  • To manage your account and credit balance.
  • To process payments through Stripe.
  • To communicate with you about your account, service updates, and support requests.
  • To improve the Service based on usage patterns and feedback.
  • To detect and prevent fraud or abuse.

4. How We Share Your Information

We do not sell your personal information. We do not use your data for advertising purposes. We share your information only with:

  • Supabase: Authentication and data storage provider.
  • Anthropic (Claude API): AI processing of resume and job description content. Per Anthropic's API terms, content sent through their API is not used to train AI models. Anthropic may retain prompt content for a limited period (currently up to 30 days) for trust-and-safety and abuse monitoring. See Anthropic's privacy policy.
  • Stripe: Payment processing. Stripe's privacy policy governs payment data handling.
  • Legal Requirements: We may disclose information if required by law, court order, or governmental request.

4.1 Best-effort PII stripping (what we attempt and what we do not)

Before we send your resume to Anthropic, we attempt to strip the following from the resume text. This is a best-effort pass, not a guarantee. If any of these patterns slip past our regex, they will reach the AI as part of your resume content:

  • Email addresses (general format)
  • US-format phone numbers (e.g. +1 (555) 555-5555)
  • URLs starting with http(s)://, plus literal LinkedIn and GitHub profile links
  • US-format physical addresses (e.g. San Francisco, CA 94107)

We do not currently strip the following, so you should assume Anthropic sees this content as part of your resume:

  • Your name (we keep it so we can re-insert it into your tailored output)
  • Names of past employers, schools, coworkers, and managers
  • International phone numbers, postal codes, and addresses (UK, Canadian, Indian, EU, etc. formats are not detected by our US-focused pattern)
  • Personal websites or portfolios that don't start with http(s):// and aren't on a major social domain (e.g. a bare myportfolio.com)
  • Job descriptions you paste for analysis. We treat job descriptions as public-facing text and send them to the AI as-is. If a JD includes a recruiter's email, that email reaches the AI.

Recommendation: if there is anything on your resume you don't want sent to our AI provider, redact it before uploading. The strip is a defensive measure, not a guarantee.
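The following sketch is an added illustration of the kind of best-effort regex pass described in this section, together with a pre-upload check for values that would pass through unredacted. It is not Fitted's code: the patterns, function names, and sample resume are assumptions constructed for the example.

```python
import re

# Hypothetical patterns modelled on the four categories listed in section 4.1.
# They are assumptions for illustration, not the Service's actual regexes.
PATTERNS = [
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("URL", re.compile(r"https?://\S+|(?:www\.)?(?:linkedin|github)\.com/\S+", re.I)),
    ("PHONE", re.compile(r"(?:\+1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")),
    ("ADDRESS", re.compile(r"\b[A-Z][a-z]+(?: [A-Z][a-z]+)*, [A-Z]{2} \d{5}(?:-\d{4})?\b")),
]

# Constructed sample input; every value here is made up.
SAMPLE_RESUME = """Jane Doe
jane.doe@example.com | +1 (555) 555-5555
https://janedoe.example/cv | linkedin.com/in/janedoe
San Francisco, CA 94107
Previously: +44 20 7946 0958, London SW1A 1AA
Portfolio: myportfolio.com
"""

def strip_pii(text):
    """Apply each pattern once; return (redacted_text, per-label hit counts)."""
    counts = {}
    for label, rx in PATTERNS:
        text, n = rx.subn(f"[{label}]", text)
        counts[label] = n
    return text, counts

def leaked(text, sensitive):
    """Pre-upload check: which sensitive values survive the strip unchanged?"""
    redacted, _ = strip_pii(text)
    return [value for value in sensitive if value in redacted]

if __name__ == "__main__":
    redacted, counts = strip_pii(SAMPLE_RESUME)
    print(redacted)
    print(counts)
    # The name, the UK phone and postcode, and the bare domain all pass through.
    print(leaked(SAMPLE_RESUME, ["Jane Doe", "jane.doe@example.com",
                                 "+44 20 7946 0958", "SW1A 1AA", "myportfolio.com"]))
```

Running a check like `leaked()` against your own list of sensitive values shows what a US-focused pattern set leaves in place before the text goes anywhere.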

4.2 Image-based resumes

We accept PDF, DOCX, and TXT files. Image-only PDFs (scans without an embedded text layer), PNGs, and JPGs are not processed because we do not run OCR. If your file uploads but no text is extracted, you will see an error and no AI request will be made.

5. Data Storage and Security

Your data is stored in the United States using Supabase (hosted on AWS infrastructure). We implement industry-standard security measures including:

  • Encryption in transit (TLS/HTTPS) and at rest.
  • Secure authentication with password hashing.
  • Role-based access controls for internal systems.
  • Regular security reviews.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. You may delete your account and all associated data at any time through your account settings. Upon deletion, we will remove your data within 30 days, except where retention is required by law.

7. Cookie Policy

Fitted uses only essential cookies necessary for the Service to function. These include:

  • Authentication session cookies.
  • Security cookies (CSRF protection).
  • Cookie consent preference.

We use PostHog for privacy-friendly product analytics. PostHog helps us understand how people use Fitted so we can make it better. It does not track you across other websites, does not serve ads, and does not sell your data. You can learn more at posthog.com/privacy.

We do not use advertising cookies or cross-site tracking. We do not participate in any ad networks.

8. Your Rights Under GDPR (European Economic Area)

If you are located in the EEA, you have the following rights:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate personal data.
  • Right to Erasure: Request deletion of your personal data (“right to be forgotten”).
  • Right to Restrict Processing: Request that we limit how we use your data.
  • Right to Data Portability: Request your data in a structured, machine-readable format.
  • Right to Object: Object to our processing of your personal data.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.

Our legal basis for processing personal data is (a) performance of a contract (providing the Service), (b) legitimate interests (improving and securing the Service), and (c) your consent where applicable.

To exercise these rights, contact us at privacy@fitted.ai.

9. Your Rights Under CCPA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

9.1 Right to Know

You have the right to request that we disclose:

  • The categories of personal information we have collected about you.
  • The categories of sources from which the personal information was collected.
  • The business or commercial purpose for collecting the personal information.
  • The categories of third parties with whom we share the personal information.
  • The specific pieces of personal information we have collected about you.

9.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions. You can delete your account and all data through your account settings or by contacting us.

9.3 Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights. We will not deny you goods or services, charge different prices, or provide a different level of quality.

9.4 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories:

  • Identifiers: Name, email address, IP address.
  • Commercial Information: Credit purchase and payment records.
  • Internet Activity: Usage data, browsing history within the Service.
  • Professional Information: Resume content, job descriptions provided by you.

9.5 Sale of Personal Information

We do not sell your personal information. We have not sold any personal information in the preceding 12 months.

We do not sell or share your personal information for advertising purposes. If this ever changes, we will update this policy and notify you directly.

9.6 How to Submit a Request

To exercise your CCPA rights, contact us at privacy@fitted.ai. We will verify your identity before processing your request. You may also designate an authorized agent to submit a request on your behalf.

10. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected such data, we will delete it promptly.

11. International Data Transfers

Your information may be transferred to and processed in the United States. By using the Service, you consent to this transfer. We ensure appropriate safeguards are in place for international data transfers in compliance with applicable law.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the “Last updated” date. We encourage you to review this page periodically.

13. Contact Us

If you have questions about this Privacy Policy, please contact us at: privacy@fitted.ai
