Privacy Policy
Last updated: April 13, 2026
This Privacy Policy explains how 1stStep.ai ("we," "us," or "our"), operated from New Jersey, collects, uses, and protects information when you use our platform at app.1ststep.ai. By using the service, you agree to the practices described here.
1. Information We Collect
| Category | What We Collect | Why |
|---|---|---|
| Account info | First name, last name, email address | To identify your account and verify your subscription status |
| Resume content | Text or file content you paste or upload | To generate your tailored resume via AI |
| Job descriptions | Text you paste into the job description field | To tailor your resume to the specific role |
| Usage data | Number of tailors and searches used per month | To enforce plan limits and display your usage meter |
| Payment info | Processed by Stripe — we only receive a subscription status confirmation | To manage paid subscriptions |
We do not collect government IDs, Social Security numbers, health information, or precise geolocation. The location you enter for job searches (city, state, or ZIP) is used only to query job listings and is not stored on our servers.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the 1stStep.ai service
- Tailor your resume and generate AI outputs in response to your requests
- Verify your subscription status and enforce plan usage limits
- Respond to your support inquiries
- Send you transactional emails (e.g., payment receipts, renewal reminders) where applicable
- Comply with legal obligations under New Jersey and applicable federal law
We do not use your resume, job descriptions, or personal information to train AI models, build advertising profiles, or sell to third parties.
3. How Your Data Is Processed
When you click "Tailor My Resume," your resume text and job description are sent from your browser to our secure Vercel serverless functions, which forward them to Anthropic's Claude API to generate the tailored output. The result is returned directly to your browser session.
We do not permanently store your resume content on our servers. The text is processed in transit and the result is returned to you. Your account name, email, and usage counts are the only data retained beyond your session.
Your browser stores session data (resume text, tailored history, usage counts) locally using localStorage. This data never leaves your device unless you explicitly submit it through the app.
4. Third-Party Services
We work with the following third-party providers who may process your data:
| Provider | Purpose | Data Shared |
|---|---|---|
| Anthropic | AI model powering resume tailoring and cover letter generation | Resume text, job description, extra instructions. Subject to Anthropic's Privacy Policy. |
| Stripe | Payment processing | Email address, payment card details. Subject to Stripe's Privacy Policy. |
| Vercel | Hosting and serverless infrastructure | Standard server request logs (IP, timestamp, route). Subject to Vercel's Privacy Policy. |
| JSearch / RapidAPI | Live job listings for Job Search feature | Job keywords and location (no personally identifiable information). Subject to RapidAPI's Privacy Policy. |
| GoHighLevel (GHL) | CRM — customer account records for paid subscribers | Name and email upon subscription. Subject to GoHighLevel's Privacy Policy. |
We do not allow these providers to use your data for their own advertising or to sell it to others beyond what is necessary to provide their services to us.
5. Data Retention
We retain your account information (name and email) for as long as your account is active. Usage counts reset monthly as part of normal plan operation. If you request account deletion, we will remove your personally identifiable information from our records within 30 days, except where retention is required by law (e.g., financial records required for tax purposes under applicable New Jersey and federal law).
6. Your Privacy Rights
Depending on where you reside, you may have the following rights regarding your personal data. To exercise any of these rights, email us at evan@1ststep.ai. We will respond within 45 days; if we need more time, we will notify you and may extend the response period by an additional 45 days.
New Jersey residents have rights under the New Jersey Data Privacy Act (N.J.S.A. 56:8-166.1 et seq., effective January 15, 2025), including the rights listed above. If we deny your request, you may submit an appeal by emailing evan@1ststep.ai with the subject line "Privacy Rights Appeal." We will respond to appeals within 60 days and will provide a written explanation of our decision. If your appeal is denied, you may contact the New Jersey Division of Consumer Affairs at njconsumeraffairs.gov.
California residents have rights under the California Consumer Privacy Act (CCPA), including the rights listed above. We will respond to verifiable consumer requests within 45 days.
7. Cookies and Local Storage
1stStep.ai uses browser localStorage (not traditional cookies) to store your session data locally on your device. This includes your resume text, tailored resume history, usage counts, and account preferences. This data is stored on your device only and is not transmitted to our servers.
Our payment provider (Stripe) may set its own cookies for fraud prevention and payment flow purposes. You can manage these through your browser settings.
8. Data Security & Breach Notification
We take reasonable technical and organizational measures to protect your information, including HTTPS encryption for all data in transit and access controls on our server infrastructure. However, no method of internet transmission or electronic storage is 100% secure, and we cannot guarantee absolute security.
In the event of a security breach affecting your personal data, we will notify affected New Jersey residents as required under the New Jersey Identity Theft Prevention Act (N.J.S.A. 56:8-163). Notification will be made in the most expedient time possible and without unreasonable delay, and no later than 30 days after we discover the breach, unless a law enforcement agency determines that notification would impede a criminal investigation.
9. Children's Privacy
1stStep.ai is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has submitted personal information to us, please contact us and we will promptly delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page. For significant changes, we will make reasonable efforts to notify you by email or through a notice in the app at least 30 days before the changes take effect. Continued use of the service after changes are posted constitutes your acceptance of the updated policy.
Email us at evan@1ststep.ai. We take privacy seriously and will respond promptly. For New Jersey privacy rights matters, you may also contact the New Jersey Division of Consumer Affairs at njconsumeraffairs.gov.