Privacy Policy

Effective date: February 11, 2026

1. Introduction

MakeLetter ("Company", "we", "us", or "our") operates the website located at makeletter.online and all related services, applications, and APIs (collectively, the "Service"). This Privacy Policy describes how we collect, use, store, share, and protect personal information when you access or use the Service. By using the Service, you consent to the practices described in this policy.

We are committed to protecting your privacy and handling your data transparently. If you do not agree with this policy, please do not use the Service.

2. Data Controller

For the purposes of applicable data protection laws (including the EU General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act ("CCPA")), MakeLetter is the data controller responsible for your personal data collected through the Service.

3. Information We Collect

3.1 Information You Provide Directly

  • Account information: Email address, display name, and authentication credentials when you register. If you authenticate via a third-party identity provider (e.g., Google), we receive your name and email address from that provider. We do not receive or store your third-party passwords.
  • Resume data: Documents you upload (PDF, DOCX) and the structured information extracted from them, including work experience, education, skills, certifications, and other professional details.
  • Job application data: Company names, job titles, descriptions, URLs, locations, salary information, referral contacts, application stages, deadlines, and notes you enter.
  • Generated and edited content: Letters, correspondence, and other written content generated through or edited within the Service, including version history.
  • Communications: Any information you provide when contacting our support team.

3.2 Information Collected Automatically

  • Usage data: Feature interactions, generation counts, export events, and timestamps of activity within the Service.
  • Device and browser data: Browser type, operating system, screen resolution, language preference, and referring URL.
  • Log data: IP address, access timestamps, request URLs, and HTTP status codes recorded by our hosting infrastructure.

3.3 Information We Do Not Collect

We do not collect payment card numbers, bank account details, or other financial instrument data. All payment processing is handled by our third-party payment processor, and we only receive transaction identifiers, subscription status, and billing metadata.

4. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:

  • Performance of contract: Processing necessary to provide the Service you have requested, including account management, content generation, document export, and subscription management.
  • Legitimate interest: Processing necessary for our legitimate business interests, such as fraud prevention, security, service improvement, and analytics, where those interests are not overridden by your rights.
  • Consent: Where required by law, we rely on your explicit consent, which you may withdraw at any time.
  • Legal obligation: Processing necessary to comply with applicable laws, regulations, or legal proceedings.

5. How We Use Your Information

  • Service delivery: To operate, maintain, and provide the features of the Service, including AI-powered content generation, document processing, application tracking, and document export.
  • AI processing: Your resume content and job details are transmitted to third-party AI service providers solely to generate, regenerate, or edit letters on your behalf. Only the minimum data necessary for each operation is transmitted.
  • Account administration: To manage your account, authenticate your identity, process subscription changes, and communicate essential service notifications (e.g., password resets, billing alerts).
  • Usage enforcement: To enforce generation limits, rate limits, and tier-based access controls as described in our Terms of Service.
  • Security and fraud prevention: To detect, prevent, and address abuse, unauthorized access, and other harmful activity.
  • Service improvement: To analyze aggregated, de-identified usage patterns to improve reliability, performance, and user experience.
  • Legal compliance: To comply with applicable laws, enforce our Terms of Service, and respond to legal requests.

6. Third-Party Sub-Processors

We engage third-party service providers ("sub-processors") to assist in delivering the Service. These providers are contractually bound to process personal data only as instructed by us and to maintain appropriate security measures. Categories of sub-processors include:

  • Cloud infrastructure and database providers: For hosting, data storage, authentication, and file storage with access controls and encryption at rest.
  • AI service providers: For natural language processing used in content generation, content editing, and document parsing. Data sent to AI providers is used solely to fulfill your request and is not used by them to train or improve their models.
  • Payment processors: For subscription billing and payment management. We do not receive or store your full payment card details.
  • Application hosting providers: For serving the web application and content delivery.
  • Document processing services: For converting content into export formats (PDF, DOCX). Content is processed transiently and not retained beyond the export operation.

A current list of specific sub-processors is available upon request by contacting us at the address in Section 15.

7. International Data Transfers

Your data may be processed in countries other than your country of residence, including the United States. Where we transfer personal data outside the EEA, UK, or Switzerland, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission, adequacy decisions, or other lawful transfer mechanisms.

8. Data Security

We implement industry-standard technical and organizational measures to protect your personal data, including:

  • Encryption in transit (TLS/HTTPS) for all data transmissions
  • Encryption at rest for stored data
  • Row-level security policies restricting database access to authorized users
  • Token-based authentication with short-lived session credentials
  • Secure, access-controlled file storage with MIME type verification
  • Rate limiting and abuse prevention on all API endpoints
  • Separation of client-accessible and server-only credentials

No method of electronic transmission or storage is 100% secure. While we strive to use commercially reasonable means to protect your data, we cannot guarantee absolute security.

9. Data Retention

  • Account data: Retained for the duration of your active account.
  • User-created content: Resumes, jobs, threads, letters, and version history are retained until you delete them individually or delete your account.
  • Exported files: Temporarily stored for a limited period (up to 1 hour) to facilitate download, then automatically deleted.
  • Usage and generation logs: Retained for billing accuracy, abuse prevention, and service improvement. Logs do not contain the content of your resumes or letters.
  • Post-deletion: Upon account deletion, all associated personal data is permanently removed from our active systems. Residual copies in encrypted backups may persist for up to 30 days before automatic expiration.

10. Tier Downgrade and Data Preservation

If you downgrade your subscription, we never delete your data. Content exceeding the lower tier's limits becomes read-only. You retain full access to view, copy, export, and delete existing content. Creation and editing capabilities are restricted until usage is within the new tier's limits.

11. Your Rights

11.1 Rights Under GDPR (EEA, UK, Switzerland)

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete personal data.
  • Erasure: Request deletion of your personal data, subject to legal retention obligations.
  • Restriction: Request restriction of processing in certain circumstances.
  • Portability: Request your data in a structured, machine-readable format. The Service provides built-in export functionality for your content.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Where processing is based on consent, withdraw at any time without affecting prior processing.
  • Supervisory authority: Lodge a complaint with your local data protection authority.

11.2 Rights Under CCPA (California Residents)

  • Right to know: Request disclosure of the categories and specific pieces of personal information we have collected.
  • Right to delete: Request deletion of your personal information.
  • Right to opt-out: We do not sell personal information to third parties. We do not share personal information for cross-context behavioral advertising.
  • Non-discrimination: We will not discriminate against you for exercising your privacy rights.

11.3 Exercising Your Rights

You may exercise most rights directly through the Service (profile settings, content deletion, account deletion, data export). For requests that cannot be fulfilled through the Service, contact us at the address in Section 15. We will respond within 30 days (or the timeframe required by applicable law). We may request identity verification before processing your request.

12. Cookies and Similar Technologies

We use strictly essential cookies for authentication and session management. These cookies are necessary for the Service to function and cannot be disabled.

We do not use advertising cookies, third-party tracking cookies, or cross-site tracking technologies. We do not participate in ad networks or retargeting programs.

13. Children's Privacy

The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that a child under 16 has provided personal data, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us.

14. Changes to This Policy

We may revise this Privacy Policy at any time. Material changes will be communicated by updating the "Effective date" at the top of this page and, where required by law, by providing additional notice (e.g., email notification or in-app banner). Continued use of the Service after changes become effective constitutes acceptance of the revised policy.

15. Contact Us

For privacy-related inquiries, data subject requests, or complaints, please contact us at:

support@makeletter.online