# Free Resume Builders Are Selling Your Career Data - I Audited resume.io, Zety, and Novoresume
Your resume contains the most sensitive personal data you'll ever type into a website. These "free" builders are harvesting every keystroke.
---
I spend a lot of time thinking about web privacy. I build developer tools that run client-side specifically because I believe your data should stay on your machine. So when a friend asked me which free resume builder to use, I did what any paranoid developer would do: I opened DevTools, read the privacy policies, and started counting trackers.
What I found made me sick.
These aren't resume builders. They're data harvesting operations wearing a word processor costume. They collect your full legal name, home address, phone number, email, employment history, education, skills, salary expectations - sometimes even your photo - and then pipe it to data brokers, ad networks, session recording services, and recruiters who pay for access.
I audited three of the most popular "free" resume builders: resume.io, zety.com, and novoresume.com. This is what I found.
---
The Methodology
For each site, I performed the following:
- Network traffic analysis - Monitored every outbound request using browser DevTools and a proxy
- Cookie audit - Catalogued every cookie, its expiration, and its purpose
- Content Security Policy (CSP) analysis - Checked which external domains the site authorizes connections to
- Privacy policy review - Read the full legal text (so you don't have to)
- Terms of service review - Checked for intellectual property claims, arbitration clauses, and billing practices
- Consent mechanism audit - Tested whether tracking consent defaults to opt-in or opt-out
- Tag manager inspection - Decompiled Google Tag Manager containers and tracked data layer events
I created a test resume with realistic (but fake) personal data on each platform and tracked what happened to it.
Let's start with the worst offender.
---
resume.io - The Data Broker in Plain Sight
Parent company: Career.io / Talent Inc.
Trackers found: 14+
Session recording: Yes (Hotjar)
Cookie retention: Up to 17 years
Data selling: Explicitly stated in privacy policy
The Tracking Infrastructure
When you load resume.io, the following services receive data about you before you've even clicked "Get Started":
| Service | Type | What It Collects |
|---|---|---|
| Google Analytics 4 | Analytics | Page views, session data, demographics |
| Google Ads (gtag) | Advertising | Conversion tracking, audience building |
| Facebook Pixel | Advertising | Cross-site tracking, custom audiences |
| Facebook Conversions API | Server-side advertising | Bypasses ad blockers entirely |
| TikTok Pixel | Advertising | Cross-platform behavioral tracking |
| Reddit Pixel | Advertising | Conversion and interest tracking |
| LinkedIn Insight Tag | B2B advertising | Professional profile matching |
| Hotjar | Session recording | Records your screen, clicks, scrolling, and form inputs |
| Mixpanel | Analytics | Event tracking, user profiling |
| Leadfeeder | B2B tracking | Company identification from IP addresses |
| Google Tag Manager | Tag orchestration | Loads and manages all of the above |
| Sentry | Error tracking | Stack traces, browser metadata |
| Stripe | Payments | Financial data |
| Intercom | Support/marketing | Chat data, user identification |
That's 14 third-party services, minimum. But two of these deserve special attention.
The Ad Blocker Bypass: Proxied Mixpanel
Here's something most users will never catch. resume.io doesn't load Mixpanel from api.mixpanel.com like a normal website would. Instead, they proxy Mixpanel requests through a custom subdomain on DigitalOcean.
Why does this matter? Because your ad blocker, your privacy extension, your Pi-hole - none of them will catch it. Standard blocklists block mixpanel.com. They don't block analytics-subdomain.resume.io or whatever custom domain is being used as a passthrough.
This is a deliberate, engineered decision to circumvent your privacy tools. They know you don't want to be tracked. They track you anyway.
The Ad Blocker Bypass, Part 2: Server-Side Facebook Conversions API
The Facebook Pixel can be blocked by most ad blockers. Facebook knows this. So they created the Conversions API - a server-side tracking mechanism where the website's backend sends your data directly to Facebook's servers.
resume.io uses this. Even if you have uBlock Origin, Privacy Badger, and a VPN, your data still flows to Facebook because the request never touches your browser. It goes server-to-server, completely invisible to you.
This means Facebook knows you're building a resume. They know when you started, when you finished, and potentially what's in it.
The 17-Year Cookie
Most cookies expire in days or months. resume.io sets a cookie called Vanity_id that expires in 17 years - the year 2043.
Let that sink in. A tracking identifier that follows you for nearly two decades. Through job changes, career pivots, moves across the country. One persistent ID tying your entire professional trajectory together.
The Privacy Policy That Says the Quiet Part Out Loud
Most companies bury their data selling behind euphemisms like "sharing with partners" or "improving our services." resume.io doesn't bother:
> "We may use the personal data we collect from your resume to sell to third parties, including data brokers."
That is a direct quote. They explicitly tell you they sell your resume data - your name, address, phone number, work history, education - to data brokers. The same data brokers that feed into people-search sites, spam call lists, and targeted advertising databases.
The 8-Brand Data Funnel
resume.io is owned by Talent Inc., which also operates:
- TopResume - resume writing service
- TopCV - CV writing service (international)
- ZipJob - resume optimization
- Career.io - career tools platform
- Plus at least 4 additional brands
Your data flows freely across all of these. Create a resume on resume.io and your information is accessible to the entire Talent Inc. ecosystem. One sign-up, eight companies with your career data.
The Dark Pattern: "Free" Means TXT
resume.io advertises itself as free. And technically, you can create a resume for free. But when you try to download it, you discover that the free tier only allows plain text (.txt) downloads.
A .txt resume. No formatting, no layout, no design. Completely useless for an actual job application.
The professional-looking PDF you spent an hour crafting? That's behind the paywall. And there's no refund policy once you pay.
Consent Theater
When you first visit resume.io, the consent mechanism for advertising cookies is set to "granted" by default. The Google Tag Manager data layer shows:
```
ad_storage: "granted"
analytics_storage: "granted"
ad_user_data: "granted"
ad_personalization: "granted"
```
You haven't clicked anything. You haven't consented to anything. But every tracking service is already running, already collecting, already sending your data to ad networks. The "consent" banner is theater - the show started before the curtain went up.
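One way to check this yourself from a captured data layer, as an added example that is not part of the original audit: it replays Google consent mode commands and reports which of the four signals were already "granted" before any `update` command. The sample data layers are constructed, and treating `update` as the visitor's banner choice is an assumption.

```javascript
// Added example: replay consent commands from a captured dataLayer.
// Both sample layers below are constructed; they are not captures from any site.
const CONSENT_KEYS = ["ad_storage", "analytics_storage", "ad_user_data", "ad_personalization"];

// gtag() pushes its `arguments` object, so consent commands are array-like entries,
// while ordinary GTM events are plain objects such as { event: "gtm.js" }.
function asCommand(entry) {
  const arrayLike = entry && typeof entry === "object" && typeof entry.length === "number";
  return arrayLike ? Array.from(entry) : null;
}

function auditConsentDefaults(dataLayer) {
  const state = {};
  const grantedBeforeChoice = new Set();
  let sawUpdate = false; // assumption: "update" is the visitor's banner choice
  for (const entry of dataLayer) {
    const cmd = asCommand(entry);
    if (!cmd || cmd[0] !== "consent" || !cmd[2] || typeof cmd[2] !== "object") continue;
    if (cmd[1] === "update") sawUpdate = true;
    for (const key of CONSENT_KEYS) {
      if (!(key in cmd[2])) continue;
      state[key] = cmd[2][key];
      if (!sawUpdate && state[key] === "granted") grantedBeforeChoice.add(key);
    }
  }
  return { grantedBeforeChoice: [...grantedBeforeChoice].sort(), finalState: state };
}

// Helper that mimics the standard gtag snippet writing into a data layer.
function makeLayer() {
  const layer = [];
  function gtag() { layer.push(arguments); }
  return { layer, gtag };
}

// Constructed sample 1: everything granted by default, as in the listing above.
const optOut = makeLayer();
optOut.gtag("consent", "default", {
  ad_storage: "granted", analytics_storage: "granted",
  ad_user_data: "granted", ad_personalization: "granted",
});
optOut.layer.push({ event: "gtm.js" });

// Constructed sample 2: an opt-in setup. Defaults are denied and only the
// signal the visitor accepted is updated afterwards.
const optIn = makeLayer();
optIn.gtag("consent", "default", {
  ad_storage: "denied", analytics_storage: "denied",
  ad_user_data: "denied", ad_personalization: "denied",
});
optIn.layer.push({ event: "gtm.js" });
optIn.gtag("consent", "update", { analytics_storage: "granted" });

console.log(auditConsentDefaults(optOut.layer));
console.log(auditConsentDefaults(optIn.layer));
```

In a live page the same function can be pasted into the DevTools console and called as `auditConsentDefaults(window.dataLayer)` before touching the banner.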
Perpetual License Over Your Content
From the Terms of Service: resume.io claims a perpetual, irrevocable, worldwide license to use your resume content. The resume you wrote about your career, your achievements, your personal story - they claim the right to use it forever, for any purpose.
---
zety.com - The Session Recording Nightmare
Parent company: BOLD LLC
Trackers found: 17+
Session recording: DUAL (Microsoft Clarity AND Hotjar)
Auto-renewal: $1.95 trial to $25.95 every 4 weeks
Data selling: Admitted under CCPA
The Tracking Infrastructure
Zety loads even more trackers than resume.io:
| Service | Type | What It Collects |
|---|---|---|
| Google Analytics 4 | Analytics | Full behavioral profiling |
| Google Ads | Advertising | Conversion tracking |
| Facebook Pixel | Advertising | Cross-site tracking |
| Microsoft Clarity | Session recording | Screen recording, click heatmaps, scroll tracking |
| Hotjar | Session recording | Screen recording, form interaction tracking |
| LinkedIn Insight Tag | B2B advertising | Professional identity matching |
| Pinterest Tag | Advertising | Interest-based targeting |
| Bing UET | Advertising | Microsoft ad network tracking |
| Outbrain | Advertising | Content recommendation tracking |
| Taboola | Advertising | Content recommendation tracking |
| Google Tag Manager | Tag orchestration | Manages all tracking scripts |
| Sentry | Error tracking | Technical metadata |
| Stripe | Payments | Financial data |
| Braze | Marketing automation | Push notifications, email campaigns |
| Segment | Customer data platform | Unified user profiling |
| Optimizely | A/B testing | Behavioral experimentation |
| FullStory or equiv. | Experience analytics | Deep interaction recording |
That's 17+ services. But the real horror here is the dual session recording.
Two Companies Are Recording You Type Your Home Address
Both Microsoft Clarity and Hotjar are running simultaneously on Zety. Both are session recording tools. Both capture:
- Every character you type
- Every click you make
- Every scroll movement
- Mouse movements and hover patterns
- Form field interactions
Now think about what you type into a resume builder:
- Your full legal name
- Your home address
- Your phone number
- Your email address
- Your employer names and dates
- Your job titles and responsibilities
- Your education history
- Your skills and certifications
- Sometimes your salary expectations
Two separate companies are recording video replays of you typing this information. Someone at Microsoft and someone at Hotjar can literally watch a screen recording of you entering your Social Security number's worth of personal data, character by character.
This isn't analytics. This is surveillance.
"May Be Considered a Sale"
Zety's privacy policy includes this remarkable piece of legal gymnastics:
Their data sharing practices with third parties "may be considered a 'sale'" under the California Consumer Privacy Act (CCPA).
Translation: they sell your data. They just don't want to use the word "sell" without legal hedging.
Selling Resume Data to Recruiters
Zety shares resume data with recruiters and employers for monetary compensation. This means the resume you built to apply for jobs is being sold to companies you never applied to. Your professional history becomes a product that Zety monetizes by selling access to recruiters who want to cold-contact you.
You came to build a resume. You became the product.
The $337/Year Trap
Zety's pricing is a masterclass in dark patterns:
- $1.95 "trial" - seems cheap, gets your credit card on file
- Auto-renews at $25.95 every 4 weeks - not monthly, every 4 weeks (13 billing cycles per year)
- Annual cost: approximately $337 - for a resume builder
- Credit card auto-update - they use a service that automatically updates your card details if your bank issues a new card number, so even getting a new card doesn't stop the charges
- Cancellation is deliberately difficult - buried settings, confirmation loops, "are you sure?" flows
$337 per year. For a tool that Microsoft Word, Google Docs, or a LaTeX template does for free.
The Browser Extension That Watches Everything
Zety offers a browser extension. Sounds helpful - maybe it checks your resume for errors? But reading the permissions reveals it collects browsing data on other websites.
Install the Zety extension to help with your resume, and it watches where you go on the entire internet. Which job boards you visit. Which company career pages you browse. Which LinkedIn profiles you view. All of that data feeds back to BOLD LLC.
Geolocation Down to Latitude and Longitude
Most websites track your approximate location via IP geolocation - usually accurate to the city level. Zety goes further, requesting and storing latitude and longitude coordinates.
They don't just know you're in Denver. They know which neighborhood. Combined with your home address from your resume (which they're already recording via session replay), this is extraordinary precision for a document editor.
Forced Arbitration and Class Action Waiver
Buried in Zety's Terms of Service:
- Mandatory binding arbitration - you cannot sue them in court
- Class action waiver - you cannot join a class action lawsuit against them
If Zety experiences a data breach exposing thousands of resumes - full names, addresses, phone numbers, employment histories - you cannot participate in a class action. You must arbitrate individually, at significant personal expense, against a company with a legal department.
This is why these clauses exist. Not to protect you. To protect them when (not if) something goes wrong.
---
novoresume.com - The 63-Domain Data Pipeline
Trackers found: 15+
Session recording: DUAL (Microsoft Clarity AND Hotjar)
Data retention: 6 years
CSP authorized domains: 63+
Facial analysis: Yes, on profile photos
The Tracking Infrastructure
| Service | Type | What It Collects |
|---|---|---|
| Google Analytics 4 | Analytics | Behavioral profiling |
| Google Ads | Advertising | Conversion tracking |
| Facebook Pixel | Advertising | Cross-site tracking |
| Facebook Conversions API | Server-side advertising | Bypasses ad blockers |
| Microsoft Clarity | Session recording | Screen recording |
| Hotjar | Session recording | Form interaction recording |
| Mixpanel (proxied) | Analytics | Proxied through custom domain to evade blockers |
| LinkedIn Insight Tag | B2B advertising | Professional matching |
| Pinterest Tag | Advertising | Interest targeting |
| Bing UET | Advertising | Microsoft ad tracking |
| Google Tag Manager | Tag orchestration | Script management |
| Sentry | Error tracking | Technical data |
| Stripe | Payments | Financial data |
| Intercom | Support | Chat and user data |
| Segment | CDP | Cross-platform user profiles |
Another Proxied Mixpanel
Just like resume.io, Novoresume proxies Mixpanel analytics through a custom DigitalOcean domain. This is not a coincidence - it's a pattern. These companies specifically engineer their tracking to bypass your privacy tools.
When two out of three major resume builders independently implement the same ad blocker evasion technique, you're looking at an industry practice, not an accident.
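Because hostname blocklists miss a proxied endpoint, detection has to look at what is sent rather than where. The following added example (not code from the original audit) scans HAR-style request entries for Mixpanel-shaped payloads going to any host other than mixpanel.com, which covers both the resume.io and Novoresume cases described above. All hostnames, tokens and events are constructed, and the payload check is a heuristic that a site could defeat by renaming fields.

```javascript
// Added example: find Mixpanel-shaped payloads sent to hosts other than mixpanel.com.
// Every hostname, token and event name here is constructed for illustration.

function safeAtob(value) {
  try { return atob(value); } catch (_) { return null; }
}

// Mixpanel's `data` field is JSON, either raw or base64-encoded.
function decodePayload(value) {
  for (const candidate of [value, safeAtob(value)]) {
    if (candidate === null) continue;
    try {
      const parsed = JSON.parse(candidate);
      return Array.isArray(parsed) ? parsed : [parsed];
    } catch (_) { /* not JSON in this encoding, try the next one */ }
  }
  return [];
}

// Pull `data` from the query string or from a form-encoded POST body.
function extractData(request) {
  const fromQuery = new URL(request.url).searchParams.get("data");
  if (fromQuery) return fromQuery;
  const body = request.postData && request.postData.text;
  return body ? new URLSearchParams(body).get("data") : null;
}

// Heuristic: an event object carrying a project token and a per-user distinct_id.
function isMixpanelEvent(obj) {
  if (!obj || typeof obj !== "object") return false;
  const p = obj.properties;
  return typeof obj.event === "string" && !!p && typeof p === "object" &&
    typeof p.token === "string" && "distinct_id" in p;
}

function findProxiedMixpanel(harEntries, siteDomain) {
  const findings = [];
  for (const { request } of harEntries) {
    const host = new URL(request.url).hostname;
    // Requests straight to mixpanel.com are what hostname blocklists already catch.
    if (host === "mixpanel.com" || host.endsWith(".mixpanel.com")) continue;
    const data = extractData(request);
    if (!data) continue;
    const events = decodePayload(data).filter(isMixpanelEvent);
    if (events.length === 0) continue;
    findings.push({
      host,
      firstParty: host === siteDomain || host.endsWith("." + siteDomain),
      events: events.map((e) => e.event),
    });
  }
  return findings;
}

// Constructed HAR-style entries (the shape of log.entries in a DevTools HAR export).
const encode = (obj) => encodeURIComponent(btoa(JSON.stringify(obj)));
const sampleEvent = {
  event: "resume_field_edited",
  properties: { token: "CONSTRUCTED_TOKEN", distinct_id: "u-123", mp_lib: "web" },
};
const SAMPLE_ENTRIES = [
  { request: { method: "POST", url: "https://metrics.resume-builder.example/track/?verbose=1",
               postData: { text: "data=" + encode(sampleEvent) } } },
  { request: { method: "POST", url: "https://api.mixpanel.com/track/",
               postData: { text: "data=" + encode(sampleEvent) } } },
  { request: { method: "POST", url: "https://resume-builder.example/api/save",
               postData: { text: JSON.stringify({ name: "Test User" }) } } },
  { request: { method: "GET", url: "https://cdn.resume-builder.example/app.js" } },
];

console.log(findProxiedMixpanel(SAMPLE_ENTRIES, "resume-builder.example"));
```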
Another Server-Side Facebook Bypass
Novoresume also implements the Facebook Conversions API server-side. Your browser-based privacy tools are useless against this. The data goes from Novoresume's servers directly to Facebook's servers. You never see the request. You can't block what you can't see.
63 External Domains in the Content Security Policy
A Content Security Policy (CSP) header tells the browser which external domains a website is allowed to connect to. Most websites authorize a handful - maybe 5 to 15 domains for CDNs, analytics, and fonts.
Novoresume's CSP authorizes connections to 63+ external domains.
Sixty-three. That's 63 different companies or services that the website is configured to send data to. Even if not all are active at any given time, the infrastructure is in place. The pipes are built. The valves just need to be opened.
Here's a partial list of the domain categories:
- Ad networks: Google, Facebook, Bing, Pinterest, LinkedIn, TikTok
- Session recording: Hotjar, Microsoft Clarity
- Analytics: Mixpanel (proxied), Google Analytics, Segment
- Marketing: Braze, Intercom, Customer.io
- CDNs and infrastructure: Cloudflare, AWS, DigitalOcean, Fastly
- Payment: Stripe, PayPal
- Fonts and assets: Google Fonts, Adobe Fonts
- And dozens more
Every one of those domains is a potential data recipient. Every connection is a potential leak of your personal information.
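The domain count above can be reproduced for any site from its `Content-Security-Policy` response header. This added example (not the tooling used for the original audit) parses a policy, lists the distinct external hosts per directive, and separately reports open-ended sources such as `https:` or `*`, which permit any host and make a raw count an undercount. The header and the site name `resume-builder.example` are constructed.

```javascript
// Added example: count the external hosts a CSP header authorizes.
// The policy and all hostnames below are constructed for illustration.
const NON_SOURCE_DIRECTIVES = new Set([
  "report-uri", "report-to", "sandbox", "upgrade-insecure-requests",
  "block-all-mixed-content", "require-trusted-types-for", "trusted-types",
]);

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers honor only the first occurrence of a directive.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Return the host part of a host-source, or null for keywords and schemes.
function hostOf(source) {
  if (source.startsWith("'")) return null;                // 'self', nonces, hashes
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return null;  // data:, blob:, https:
  const m = /^(?:[a-z][a-z0-9+.-]*:\/\/)?([^/:]+)/i.exec(source);
  return m ? m[1].toLowerCase() : null;
}

function auditCsp(header, siteDomain) {
  const byDirective = {};
  const allHosts = new Set();
  const openEnded = [];
  for (const [name, sources] of parseCsp(header)) {
    if (NON_SOURCE_DIRECTIVES.has(name)) continue;
    for (const src of sources) {
      // A bare network scheme or "*" authorizes every host for this directive.
      if (src === "*" || /^(https?|wss?):$/i.test(src)) {
        openEnded.push(name + " " + src);
        continue;
      }
      const host = hostOf(src);
      if (!host) continue;
      const bare = host.replace(/^\*\./, "");
      // First-party hosts are skipped, so a proxied analytics subdomain will not
      // appear here; it has to be found in the traffic itself.
      if (bare === siteDomain || bare.endsWith("." + siteDomain)) continue;
      if (!byDirective[name]) byDirective[name] = [];
      byDirective[name].push(host);
      allHosts.add(host);
    }
  }
  return { externalHosts: [...allHosts].sort(), byDirective, openEnded };
}

const SAMPLE_CSP = [
  "default-src 'self'",
  "script-src 'self' 'unsafe-inline' https://tags.tagmanager.example https://static.recorder.example",
  "connect-src 'self' https://metrics.resume-builder.example https://*.recorder.example " +
    "https://api.analytics.example wss://chat.support.example",
  "img-src 'self' data: https:",
  "frame-src https://pay.processor.example",
  "report-uri https://csp.resume-builder.example/r",
].join("; ");

const report = auditCsp(SAMPLE_CSP, "resume-builder.example");
console.log(report.externalHosts.length + " external hosts", report);
```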
6-Year Data Retention
Novoresume retains your personal data for 6 years. Not 6 months. Not 1 year. Six years.
Think about where you were professionally 6 years ago. Different job? Different city? Different career entirely? Novoresume will still have that version of you on file. Your old address, your old phone number, your old employer - all sitting in their database for more than half a decade after you last used their service.
Profile Photo Facial Analysis
If you upload a profile photo to your resume (common in European CV formats), Novoresume performs facial analysis on it. The privacy policy references processing of biometric-adjacent data from uploaded photos.
You uploaded a headshot for your CV. They analyzed your face.
Cross-Channel Data Linking
Novoresume builds unified user profiles by linking data across channels - your resume data, your browsing behavior, your email interactions, your ad click history. All of it gets merged into a single profile that follows you across the internet.
You're not a user. You're a node in a data graph.
---
The Big Picture: Why This Matters
Let me zoom out for a moment.
A resume is arguably the most sensitive document most people will ever create digitally. It contains:
- Full legal name - identity theft vector
- Home address - physical security risk
- Phone number - spam calls, SMS phishing
- Email address - phishing, credential stuffing target
- Employment history - social engineering ammunition
- Education details - security question answers
- Skills and certifications - targeted scam bait
- Sometimes salary data - used against you in negotiations
Now imagine all of that data flowing to:
- Data brokers who resell it to anyone willing to pay
- Ad networks who use it to target you across the internet
- Session recording companies who have video of you typing it
- Recruiters who cold-contact you for jobs you never applied to
- Unknown third parties across 63+ authorized domains
This isn't hypothetical. This is what the privacy policies explicitly state. This is what the network traffic objectively shows. This is what's happening right now to millions of people who just wanted to update their resume.
The Consent Illusion
All three sites default tracking consent to "granted." The consent banners are cosmetic. By the time you see the cookie popup, dozens of tracking scripts have already fired, already fingerprinted your browser, already sent data to ad networks.
Under GDPR, consent must be:
- Freely given - not pre-checked
- Specific - not bundled
- Informed - not buried in legalese
- Unambiguous - not defaulted to "yes"
All three sites fail on every count. The consent mechanisms are legally questionable at best, deliberately deceptive at worst.
The Ad Blocker Arms Race
Two out of three sites actively circumvent ad blockers using proxied analytics and server-side conversion APIs. They know you've installed privacy tools. They've specifically engineered around them.
This is the privacy equivalent of a store putting up a "we respect your privacy" sign while installing hidden cameras in the changing rooms. They acknowledge the expectation of privacy. Then they deliberately violate it through technical means designed to be invisible.
The Session Recording Problem
Session recording tools like Hotjar and Microsoft Clarity are meant for UX optimization - watching how users interact with a checkout flow or navigation menu. They have legitimate uses on e-commerce sites or SaaS dashboards.
Using session recording on a resume builder is a different thing entirely. The "form interactions" being recorded aren't someone entering a shipping address for a one-time purchase. They're entering their complete professional identity. Every keystroke of their personal history, recorded on video, stored on third-party servers.
Two of the three sites run dual session recording - two different companies simultaneously recording the same sensitive data entry. Twice the copies. Twice the attack surface. Twice the risk.
---
What You Should Do Instead
If You've Already Used These Sites
- Delete your account - don't just stop using it. Find the account deletion option (it will be buried) and exercise it.
- Email a GDPR/CCPA deletion request - send a formal data deletion request. Under GDPR (EU) or CCPA (California), they are legally required to comply. Email their data protection officer or privacy contact.
- Check data broker sites - search for yourself on sites like Spokeo, BeenVerified, and WhitePages. Your resume data may have already been sold. Most of these sites have opt-out processes.
- Change your phone number if possible - if you've started receiving more spam calls after using these services, this is likely why.
- Monitor your email - watch for phishing attempts that reference your professional details. "Hi [Name], I saw you worked at [Company]..." is a common pattern using harvested resume data.
For Future Resume Building
Use offline tools. The simplest way to keep your resume private is to never put it on someone else's server:
- Microsoft Word or Google Docs - yes, Google has privacy issues too, but at least they're not selling your resume to data brokers
- LaTeX with a template - free, beautiful output, completely offline
- Canva (with caution) - better privacy practices than dedicated resume sites, though still not perfect
- Any local word processor - LibreOffice is free and entirely offline
If you must use a web tool, check for these red flags:
- Does it require an account to download? (monetization through data)
- Does the free tier restrict download formats? (dark pattern to force payment)
- Does the privacy policy mention "data brokers," "third parties," or "sale"?
- Does it load session recording scripts? (check for hotjar, clarity, fullstory in the page source)
- Are analytics proxied through custom domains? (active blocker evasion)
The Privacy-First Approach
This is exactly why I'm passionate about client-side tools. When processing happens in your browser, there's nothing to intercept, nothing to sell, nothing to breach. Your data literally never leaves your machine.
At ToolBox, every tool we build follows this principle. Our Meta Tag Generator, QR Code Generator, JSON Formatter, Markdown Editor, and 130+ other tools all run entirely in your browser. Zero tracking. Zero server-side data collection. No accounts required. Your data stays yours.
We don't have a resume builder (yet), but the principle applies universally: the safest data is data that never leaves your device. Whether you're generating QR codes, formatting JSON, or writing markdown, there's no reason a web tool needs to phone home with your content.
When you're evaluating any web tool - not just resume builders - ask yourself: does this actually need to send my data to a server? In 2026, with modern browsers and WebAssembly, the answer is almost always no.
---
Summary Comparison Table
| Feature | resume.io | zety.com | novoresume.com |
|---|---|---|---|
| Third-party trackers | 14+ | 17+ | 15+ |
| Session recording | Hotjar | Clarity + Hotjar | Clarity + Hotjar |
| Ad blocker bypass | Proxied Mixpanel + FB Server API | Standard loading | Proxied Mixpanel + FB Server API |
| Explicit data selling | Yes (stated in policy) | "May be considered a sale" | Cross-channel data linking |
| Data retention | Not clearly stated | Not clearly stated | 6 years |
| Consent default | Granted (opt-out) | Granted (opt-out) | Granted (opt-out) |
| Cookie max lifetime | 17 years | Standard (1-2 years) | Standard (1-2 years) |
| CSP domains | Moderate | Moderate | 63+ |
| Facial analysis | No | No | Yes |
| Geolocation precision | IP-based | Lat/Long coordinates | IP-based |
| Dark pattern pricing | Free = TXT only, no refunds | $1.95 trial to $25.95/4wks | Freemium with limits |
| Forced arbitration | Standard ToS | Yes + class action waiver | Standard ToS |
| Browser extension spying | No extension | Yes - tracks other sites | No extension |
| IP to company tracking | Leadfeeder (B2B) | No | No |
| Perpetual content license | Yes | Yes | Yes |
| Parent company brands | 8+ brands share data | BOLD LLC ecosystem | Novoresume only |
---
Final Thoughts
I didn't write this to shame individual developers at these companies. I wrote it because millions of people - many of them job seekers in vulnerable positions - are handing over the most sensitive data they have to companies that treat it as a product to be monetized.
Job seekers deserve better. They're already stressed about finding work. They shouldn't also have to worry about whether their resume builder is selling their home address to data brokers or recording them type their phone number.
The technology to build a privacy-respecting resume tool exists today. Client-side rendering, browser-based PDF generation, local storage - none of this requires a server to touch your data. The reason these companies don't use these approaches isn't technical. It's financial. Your data is worth more to them than your subscription fee.
Every tracker is a business decision. Every session recording is a business decision. Every proxied analytics endpoint designed to evade your ad blocker is a business decision. And every one of those decisions prioritizes their revenue over your privacy.
The next time you see a "free" tool asking for sensitive personal information, remember: if you're not paying for the product, you are the product. And if you are paying for the product - as Zety's $337/year subscribers can attest - you might still be the product.
Choose tools that respect you. Choose tools that process your data locally. Choose tools that don't need to see your data in the first place.
Your career is yours. Your resume is yours. Your data should be too.
---
*Have questions about web privacy or want to check a tool's tracking practices? Reach out - I'm always happy to help people understand what's happening with their data. And if you need privacy-first web tools for your daily workflow, check out ToolBox - 139+ tools, zero tracking, everything runs in your browser.*