How Blacklight handles personal information

Scope

This Privacy Policy applies to the Blacklight Resumes public website, direct resume requests, partner-hosted or partner-referred Blacklight flows, status and delivery pages, support/privacy workflows, and partner portal access.

It covers public visitors, direct customers, partner-referred end users, partner contacts, and partner portal users.

What We Collect

• Contact information such as name, email, phone number, and location details
• Resume uploads, intake responses, portfolio links, LinkedIn links, education, experience, project, and certification information
• Job-target information such as job titles, company names, and job descriptions
• Generated resumes, cover letters, extras, scorecards, and request-linked analysis outputs
• Payment, invoice, and transaction metadata needed to process purchases, refunds, partner billing, and account administration
• Billing records such as invoice copies, invoice status history, billing contacts, PO details, and contract-linked commercial terms where applicable
• Support, privacy, trust, procurement, meeting-booking, and contact-request information
• Partner account, role, location, hosted-link, embed, and reporting metadata used to operate partner programs
• Technical, security, and operational event data such as IP address, browser details, request status, and authentication events

How We Use Information

• Generate and deliver resume packages and related materials
• Operate request status pages, delivery links, resend flows, and support workflows
• Process payments, refunds, partner billing, and account administration
• Support partner-hosted and partner-referred request flows, including hosted links, embeds, and trust/commercial review workflows
• Authenticate users and enforce role-based access in partner and admin areas
• Prepare aggregate, role-scoped, and location-scoped partner reporting and workbook exports
• Improve output quality, service reliability, abuse prevention, and platform security
• Comply with legal obligations and preserve required operational or compliance records

Partner-Hosted Requests

Some requests are submitted through a partner such as a library system, workforce organization, school district, college, university, or other institution.

In those cases, Blacklight still processes the request, generates the materials, and operates the status and delivery flow. The partner may have limited visibility into request activity associated with its own program, subject to role and location-based access controls.

That visibility can include scoped operational metrics, delivery status, location activity, and aggregate reporting exports for the partner program. It is not intended to create broad visibility into every request for every partner user.

School, District, And K-12 Program Use

Blacklight may support school districts, school-authorized K-12 career-readiness programs, colleges, and universities through institution-led partner workflows.

Those workflows are intended to be initiated, reviewed, funded, or supervised by the institution or an authorized program operator rather than by unsupervised child-directed public signup.

If a school, district, or similar institution uses Blacklight in a student-serving context, that institution is responsible for determining what notices, authorizations, or internal approvals are required for its program.

How We Share Information

We do not use a hidden data-sale or advertising-tracking model. We share information only as needed to operate the service, work with service providers, comply with law, protect the service, or support partner-originated request workflows.

• Infrastructure, hosting, storage, and authentication providers
• Payment processors and transactional email providers
• Model and AI providers used for request generation and processing
• Professional advisors, auditors, and service providers working on our behalf
• Law enforcement, regulators, courts, or other parties where disclosure is legally required or reasonably necessary
• Partners associated with partner-originated requests, within the visibility limits of that partner program

Core Providers

Blacklight currently relies on core providers such as Stripe for payments, Postmark for transactional email, Supabase for database, storage, and authentication infrastructure, Cloudflare for hosting and edge delivery, Cal.com for meeting-booking workflows where used, and OpenAI and related model tooling where needed for generation and processing.

AI And Automated Processing

Blacklight uses AI-assisted and automated processing to analyze request inputs, generate resume materials, score or evaluate outputs, and support request operations. AI-assisted output may still require user review, editing, and judgment.

Blacklight does not rely on a persistent external chat history as the official record of the service. In the current workflow, OpenAI API requests are sent from the server-side queue with response storage turned off (`store: false`), so Blacklight is not asking OpenAI to keep those responses for later API retrieval.

Under OpenAI’s standard API handling, limited API data may still be retained for a short abuse-monitoring window, which is commonly up to 30 days unless a different retention arrangement applies. Blacklight’s own request records, outputs, and retention/deletion rules remain the primary business record for the service.

Cookies And Similar Technologies

The public site is designed to avoid advertising cookies and third-party tracking pixels as a business model. We may still use limited session handling, local storage, and internal analytics or event logging needed to operate, secure, and improve the service.

Retention And Deletion

We do not intend to keep request-linked personal information forever. Different record types have different retention and minimization rules.

Our current operational approach includes a limited recoverable case-file window for request content, redaction of older messaging content, minimization of older audit and site network fields, deletion or trimming of aged queue records, and cleanup of older support attachments and tickets.

Billing records, including invoice copies and invoice/payment status history, may be retained longer than resume-request artifacts for accounting, audit, tax, contract-enforcement, collections, legal-hold, fraud-review, and dispute-resolution purposes.

If you submit a validated privacy deletion request, Blacklight may delete generated artifacts, delete or scrub uploaded files and request-linked content where supported, scrub applicant-linked PII in structured records, and preserve only limited records needed for compliance, disputes, legal holds, fraud review, or security.

Where a billing, collections, or legal need applies, limited billing and contract records may remain after account closure or privacy deletion even if resume artifacts and other operational content are removed on a shorter schedule.

Partner Account Closure And Deletion Requests

Closing a partner account and deleting partner data are not the same workflow. Account closure can end service access while billing, contract, audit, or dispute records are still retained.

If an authorized partner representative asks us to delete partner data, we may verify authority first, close or disable service access if needed, and then remove or minimize service data such as generated resumes, uploaded source files, support attachments, and bulky intake content where supported.

We may refuse or limit deletion where records must be retained for unpaid invoices, tax/accounting, fraud review, legal obligations, legal holds, collections activity, contract enforcement, security, or disputes. In those cases, we keep the minimum record set we reasonably need for those purposes.

Your Choices And Rights

Depending on where you live, you may have rights to request access to, correction of, deletion of, or information about personal information we hold about you.

You can use the contact/privacy path on the website to ask privacy questions or submit a privacy request. We may need to verify your identity before fulfilling certain requests.

Partner Portal Users

If you use the partner portal, we collect account and role information such as email, role, authentication linkage, scope, and related partner or location metadata. We use that information to manage access, enforce role restrictions, route notifications, operate hosted links and embeds, prepare scoped reporting, and support account administration.

Partner portal activity can also include billing-state changes, plan-change confirmations, support tickets, trust/commercial review requests, and meeting-booking context when those workflows are used.

If a partner account later closes or submits a deletion request, we may disable partner-user access quickly while retaining limited billing, contract, audit, or legal records that still apply to the institution account.

Security

We use administrative, technical, and organizational measures designed to protect personal information, including access controls, authentication requirements for protected areas, audit logging for sensitive administrative actions, hashed token handling for status and campaign access, and role-based and location-based access controls for partner access.

Billing records and invoice copies are treated as sensitive business records and are intended to be limited to billing, admin, finance, support, legal, or similarly authorized personnel with a legitimate operational need.

No system is completely secure, and we cannot guarantee absolute security.

Children’s Privacy

Blacklight Resumes is not intended for children under 13 through the public service, and we do not knowingly collect personal information from children under 13 through child-directed or unsupervised public signup flows.

Where Blacklight is used through an institution-led school or district program, use is expected to occur under the school, district, or authorized program context rather than as a general public child-directed service.

International Users

Blacklight operates from the United States. If you use the service from outside the United States, you understand that information may be processed and stored in the United States or other jurisdictions used by our service providers.

Changes To This Policy

We may update this Privacy Policy from time to time. If we make material changes, we may update the date on this page and take additional steps where appropriate.

Contact

For privacy questions or requests, use the contact page and select the privacy path so we can route the issue correctly.