Privacy Policy

1. Introduction

Ramen Labs LLC ("Company," "we," "us," or "our"), a Wyoming limited liability company, operates CareerMax (the "Service"). This Privacy Policy explains how we collect, use, disclose, retain, and protect your personal information when you access or use the Service.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

This Privacy Policy is designed to comply with applicable data protection laws, including the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), and other applicable privacy regulations.

2. Information We Collect

A. Information You Provide Directly

• Account Information: Name, email address, and authentication credentials (managed by our authentication provider)
• Profile Information: Display name, target job roles, job search start date
• Resume Data: Full resume content (structured or uploaded PDF), including contact information (phone number, address, LinkedIn URL, website), work experience, education, skills, and certifications
• Interview Data: Target roles, companies, interview questions and your responses, audio recordings of mock interviews, transcripts
• Job Application Data: Job descriptions, application URLs, application status and progress
• Skill Development Data: Target roles for upskilling, quiz responses and scores, learning progress
• Photographs: Photos uploaded for professional headshot enhancement
• Payment and Subscription Information: Subscription tier, billing interval, billing status, and subscription history. Payment card details, billing address, and financial information are collected, processed, and stored exclusively by our merchant of record, Polar.sh, and are never transmitted to or stored on our servers. We receive only confirmation of payment status and subscription state from Polar

B. Information Collected Automatically

• Usage Data: Pages visited, features used, actions taken (e.g., resume uploads, interview sessions started, quizzes completed), button clicks, credit usage, and session duration
• Device and Technical Data: Browser type, operating system, screen resolution, IP address, and general location inferred from IP
• Analytics Data: Product engagement metrics, feature adoption patterns, error events, and performance data

C. Information Derived from Your Data

• AI Analysis Results: Resume scores, optimization suggestions, interview performance analysis (confidence, clarity, pace, tone), skill assessments, and generated content (cover letters, learning resources, quiz questions)
• Audio Analysis: Speech pattern analysis derived from mock interview recordings, including confidence metrics, clarity scores, and pacing assessments

3. How We Use Your Information

We use the information we collect for the following purposes:

• Service Provision: To operate, deliver, and personalize the Service, including AI-powered resume analysis, interview coaching, skill development, and photo enhancement
• AI Processing: To send your content (resumes, interview responses, photos, quiz answers) to our AI service providers for analysis, generation, and optimization. See Section 4 for details on AI model training practices
• Account Management: To create and manage your account, process subscriptions, track credit usage, and communicate about your account
• Product Improvement: To analyze usage patterns, identify bugs, improve features, and develop new functionality
• Analytics: To understand how users interact with the Service, measure feature adoption, and inform product decisions
• Security: To detect, prevent, and address fraud, abuse, security incidents, and technical issues
• Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests
• Communications: To send essential service-related notifications (e.g., account changes, security alerts, policy updates)

4. How We Share Your Information

We do not sell, rent, or trade your personal information. We share your data only in the following limited circumstances:

Service Providers and Third-Party Integrations

We share data with the following categories of third-party service providers who process data on our behalf:

• Authentication Provider (Clerk): Processes your email address, name, and authentication credentials to manage secure account access
• Backend Infrastructure (Convex): Stores and processes your account data, User Content, and application data on secure cloud servers
• AI Processing (Google Gemini API): Receives and processes your resume content, interview transcripts, audio recordings, quiz responses, and photographs to generate AI-powered analysis, suggestions, and content. We access the Google Gemini API through a paid commercial plan. Under Google's API data usage terms for paid services, Google states that it does not use data submitted through its paid API to train its foundation models. This is Google's contractual commitment and is governed by Google's terms of service; the Company relies on but cannot independently verify or guarantee Google's internal data handling practices. For the most current information on Google's data usage policies, please refer to Google's API terms of service directly
• Product Analytics (PostHog): Receives usage data, feature interaction events, and anonymized behavioral data to help us understand and improve the Service. PostHog processes data of identified users only (authenticated users)
• Payment Processing and Merchant of Record (Polar.sh): Polar.sh acts as our merchant of record and processes all subscription payments, billing, invoicing, tax collection, refunds, and dispute resolution. We share your email address, name, and an internal account identifier with Polar to link your payment to your CareerMax account. Polar independently collects and processes your payment card details, billing address, and transaction records. We do not have access to, process, or store your payment card numbers or banking information. Polar's collection and use of your data is governed by Polar's own privacy policy. As merchant of record, Polar is the entity that appears on your bank or credit card statement for subscription charges

Other Disclosures

We may also disclose your information:

• To comply with legal obligations, court orders, or governmental requests
• To protect our rights, property, or safety, or that of our users or the public
• In connection with a merger, acquisition, reorganization, or sale of assets, in which case the acquiring entity will be bound by this Privacy Policy
• With your explicit consent

Sub-Processors

The third-party service providers listed above constitute our current sub-processors. We maintain data processing agreements with each sub-processor that require them to protect your data to standards consistent with this Privacy Policy. If we engage a new sub-processor that materially changes how your personal data is processed, we will update this Privacy Policy and, where required by applicable law (including GDPR), provide prior notice to affected users via email or in-app notification. Your continued use of the Service following notice of a new sub-processor constitutes acceptance of that sub-processor, unless you exercise your right to object or delete your account.

5. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:

• Account Data: Retained for the duration of your account
• User Content (resumes, interviews, job applications): Retained until you delete the specific content or your account
• Credit Transaction History: Retained for the duration of your account for audit and billing purposes
• Subscription and Payment Records: Payment transaction records and invoices are retained by our merchant of record, Polar.sh, in accordance with their own data retention policies and applicable tax and financial record-keeping laws, which may require retention beyond the deletion of your CareerMax account
• Analytics Data: Retained in accordance with our analytics provider's retention policies
• AI Processing Logs: Data sent to AI providers is processed in real-time and not stored by us beyond what is necessary for delivering results

Upon account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law (e.g., tax, legal, or regulatory obligations) or for legitimate business purposes (e.g., resolving disputes, enforcing agreements).

6. Data Security

We implement commercially reasonable technical and organizational security measures to protect your personal data, including:

• Encryption of data in transit using HTTPS/TLS
• Authentication and access controls for all data operations
• Content Security Policy (CSP) headers and other browser-level protections
• Input validation and sanitization to prevent injection attacks
• File type and size restrictions for uploads
• Regular security reviews of third-party service providers

No method of electronic transmission or storage is 100% secure. While we strive to protect your personal data, we cannot guarantee its absolute security.

Data Breach Notification

In the event of a security breach that results in the unauthorized access, disclosure, or loss of your personal data, we will notify affected users without undue delay. For users in the EEA, UK, or Switzerland, we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to your rights and freedoms, as required by GDPR Article 33. For users in California and other U.S. states with breach notification laws, we will provide notice in accordance with the applicable state statute. Notifications will be sent via the email address associated with your account and, where appropriate, through an in-app notification. The notice will describe the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address the breach.

7. Cookies and Tracking Technologies

The Service uses cookies and similar technologies for:

• Essential Cookies: Required for authentication, security, and core Service functionality
• Analytics Cookies: Used by our analytics provider (PostHog) to understand usage patterns and improve the Service

We do not use cookies for advertising or cross-site tracking purposes. Our analytics platform only tracks authenticated users and does not engage in third-party advertising tracking.

Cookie Consent. When you first visit the Service, a cookie consent banner is presented, allowing you to accept or decline non-essential (analytics) cookies. Essential cookies required for authentication and core functionality are always active and do not require consent. If you decline analytics cookies, our analytics provider (PostHog) is instructed to cease tracking your activity. You may change your cookie preferences at any time by clearing your browser's local storage for the Service, which will cause the consent banner to reappear on your next visit.

You may also manage cookies through your browser settings. Disabling essential cookies may impair your ability to use the Service.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

All Users

• Access: Request a copy of the personal data we hold about you
• Correction: Update or correct inaccurate personal data via your account settings
• Deletion: Delete your account and associated data
• Data Portability: Request your data in a structured, machine-readable format

European Economic Area (EEA), United Kingdom, and Swiss Users (GDPR)

In addition to the above, you have the right to:

• Object: Object to processing of your personal data based on legitimate interests
• Restrict Processing: Request restriction of processing in certain circumstances
• Withdraw Consent: Withdraw consent at any time where processing is based on consent
• Lodge a Complaint: File a complaint with your local data protection authority

Legal Bases for Processing (GDPR): We process your data on the following legal bases: (a) performance of a contract (providing the Service); (b) legitimate interests (improving the Service, security, analytics); (c) consent (where required for specific processing activities); and (d) legal obligations.

California Residents (CCPA/CPRA)

In addition to the general rights above, California residents have the right to:

• Know: Request disclosure of the categories and specific pieces of personal information collected, the purposes of collection, and the categories of third parties with whom data is shared
• Non-Discrimination: Not receive discriminatory treatment for exercising your privacy rights
• Opt-Out of Sale: We do not sell personal information. No opt-out is necessary
• Limit Use of Sensitive Information: Request limitation on the use of sensitive personal information

To exercise any of these rights, contact us at hey@ramensoftwarelabs.com. We will respond to verifiable requests within the timeframe required by applicable law (typically 30 days for GDPR, 45 days for CCPA).

9. International Data Transfers

The Service is operated from the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States and potentially other countries where our service providers operate.

For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely primarily on: (a) Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the UK International Data Transfer Addendum; and (b) data processing agreements with our service providers that incorporate appropriate safeguards. Where our third-party service providers participate in recognized data transfer frameworks (such as the EU-U.S. Data Privacy Framework), we may also rely on those frameworks as an additional transfer mechanism.

By using the Service, you acknowledge the necessity of transferring your data internationally as described in this section in order for us to provide the Service to you.

10. Children's Privacy

The Service is not directed to individuals under 16 years of age (or under 18 in jurisdictions where 16 is below the age of digital consent). We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without appropriate parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at hey@ramensoftwarelabs.com.

11. Do Not Track Signals

Some browsers transmit "Do Not Track" (DNT) signals. The Service does not currently respond to DNT signals, as there is no universally accepted standard for how to interpret and respond to these signals. We will update this policy if a standard is established.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. If we make material changes, we will notify you by updating the "Last Updated" date and, where appropriate, providing additional notice through the Service or via email. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.