Privacy Policy

Name: Resume Roast
Price: 2.99 EUR
Availability: InStock
Author: PunchLab

Last updated: February 18, 2026

1. Controller / Data Responsible

Resume Roast is operated by PunchLab, an individual business based in Munich, Germany.

Contact for privacy matters: hello@punchlab.dev

For full legal details, see our Impressum.

2. What Data We Collect and Why

Resume / CV file

When you use Resume Roast, you upload a PDF resume. We extract the text content server-side and send it to our AI provider for analysis. The original file is discarded immediately after text extraction. The extracted text is discarded after the AI response is returned to you — typically within seconds.

Legal basis: Art. 6(1)(b) GDPR — processing necessary to perform the service you requested.

Retention: Your resume text is not stored. Generated results (score, roast text) are delivered directly to your browser and are not retained on our servers beyond the active session. No personal data is stored in a database.

Payment information

Payments are processed by LemonSqueezy (LS Bird B.V., a registered merchant of record). LemonSqueezy acts as the seller of record and handles all payment data. We never see or store your credit card details.

LemonSqueezy may collect your email address and billing information to issue a receipt and comply with tax regulations. See LemonSqueezy's Privacy Policy.

Legal basis: Art. 6(1)(b) GDPR — processing necessary for the purchase contract.

Server logs

Our hosting infrastructure (Cloudflare Pages / Workers) automatically records standard server logs including IP addresses, timestamps, and request details. These logs are used to maintain security and diagnose technical issues. They are processed and retained by Cloudflare according to their policies.

Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in operating a secure and functioning service.

Anonymous usage analytics

We use Plausible Analytics to understand aggregate site usage (page views, referrers, device types). Plausible collects no personal data, sets no cookies, and is fully GDPR-compliant. No IP addresses are stored.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in understanding and improving the service, without infringing your privacy.

3. Third-Party Service Providers

We share data with the following service providers only to the extent necessary to deliver the service:

Anthropic, PBC

AI provider used to generate the resume roast, score, and suggestions. Your extracted resume text is sent to Anthropic's API for real-time analysis. Anthropic does not use API inputs for model training. See Anthropic Privacy Policy.

LemonSqueezy (LS Bird B.V.)

Merchant of record handling all payments and tax compliance. Processes your payment and billing details. See LemonSqueezy Privacy Policy.

Cloudflare, Inc.

Hosting provider (Cloudflare Pages and Workers). Processes technical request data (IP address, headers) as part of delivering the website. See Cloudflare Privacy Policy.

Plausible Analytics

Privacy-respecting, cookie-free web analytics. No personal data is collected. See Plausible Privacy Policy.

All providers operate under appropriate data protection agreements. Where applicable, Standard Contractual Clauses (SCCs) are in place for international data transfers.

4. Data Transfers Outside the EU

Some of our service providers (Anthropic, Cloudflare) are based in the United States. Data transfers to the US are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent safeguards. By using Resume Roast, you acknowledge that your resume text will be processed in the US for the duration of the AI analysis.

5. Cookies

We do not use tracking, advertising, or analytics cookies. The only cookies that may be set are those technically required by LemonSqueezy during the payment flow. No cookie consent banner is required since we set no non-essential cookies.

6. Your Rights Under GDPR

You have the following rights regarding your personal data under the General Data Protection Regulation (GDPR / EU 2016/679):

Right of access (Art. 15 GDPR) — request confirmation of whether we process your personal data and, if so, a copy.
Right to rectification (Art. 16 GDPR) — request correction of inaccurate data.
Right to erasure (Art. 17 GDPR) — request deletion of your personal data ("right to be forgotten").
Right to restriction (Art. 18 GDPR) — request that we restrict processing of your data.
Right to data portability (Art. 20 GDPR) — receive your data in a structured, machine-readable format.
Right to object (Art. 21 GDPR) — object to processing based on legitimate interests.
Right to lodge a complaint (Art. 77 GDPR) — contact the competent supervisory authority.

Since we do not store personal data beyond the active session, there is typically nothing to access, modify, or delete after your session ends. To exercise any rights or with questions, contact: hello@punchlab.dev

Supervisory authority for Bavaria, Germany: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 27, 91522 Ansbach, Germany. www.lda.bayern.de

7. Changes to This Policy

We may update this policy from time to time. When we do, we will update the "last updated" date at the top of this page. Continued use of the service after changes constitutes acceptance of the updated policy.

8. Contact

For any privacy-related questions or requests: hello@punchlab.dev

PunchLab · Munich, Germany