Privacy Policy
Last updated: April 12, 2026
This policy explains exactly what data we collect, why, and what rights you have under every applicable US state law and international regulation. We have written this to be honest and readable, not to obscure what we do.
THE PLAIN TRUTH ABOUT YOUR DATA
1. Who We Are
NailTheInterview.ai ("we", "us", "our") is an AI-powered interview practice platform operated from Michigan, United States. We are the data controller for personal data collected through our platform.
Privacy contact: [email protected] For BIPA requests: [email protected] — Subject: "BIPA Request" For GDPR requests: [email protected] — Subject: "GDPR Request" For CCPA requests: [email protected] — Subject: "California Privacy Request"
We are committed to full transparency. This policy tells you exactly what data we collect, why, how long we keep it, and what rights you have.
2. The Truth About What We Store
We believe in plain English. Here is exactly what data we do and do not hold:
WHAT WE DO NOT STORE: — Raw audio recordings: your voice is transmitted to OpenAI Whisper for transcription and never saved by us — Session transcripts: exist only in temporary session memory during your active session, cleared when the session ends — Conversation history: held in memory during your session only, not persisted to any database
WHAT WE DO STORE (if you create an account): — Your email address and hashed password — Your profile preferences: job category, language, difficulty settings — Basic usage metadata: number of sessions completed, dates of use
WHAT THIRD PARTIES RECEIVE ON YOUR BEHALF: — OpenAI receives your audio to transcribe it (under their API data policy, not used for training) — Anthropic receives your transcript and session context to generate feedback (API data, not used for training) — ElevenLabs receives the improved answer text to speak it back to you — Vercel receives all standard web traffic data as our hosting provider
No audio recording is retained by anyone in the chain beyond the duration of its processing. No session transcript is retained beyond your active session.
3. What Personal Data We Collect
3.1 Data You Provide Account data: email address, name, hashed password (if you create an account) Profile data: job title, experience level, industry, language preference, difficulty settings These are provided voluntarily. You can use the service without an account for free tier features.
3.2 Voice and Biometric Data When you use the microphone: your voice recording (processed and immediately discarded), transcribed text (session memory only, not persisted) Legal classification: your voice constitutes a biometric identifier under BIPA (740 ILCS 14), sensitive personal data under GDPR Article 9, and sensitive personal information under CCPA/CPRA and multiple state comprehensive privacy laws.
3.3 Technical Data IP address, browser type, device type, operating system — collected automatically for security and rate limiting. Not linked to your identity unless you have an account.
3.4 Usage Metadata (account users only) Number of sessions completed, dates of use, features accessed. Used to improve the service and provide account features. Not sold or shared for advertising.
3.5 Payment Data Processed directly by Stripe. We never see or store full card numbers or CVV codes.
4. Legal Bases for Processing
4.1 GDPR (EU and UK users) Explicit consent (Article 6(1)(a) and Article 9(2)(a)): voice and biometric data — obtained via the consent screen before each session Contractual necessity (Article 6(1)(b)): account data and session data to deliver the service you signed up for Legitimate interests (Article 6(1)(f)): IP address and technical data for security, fraud prevention, and rate limiting
4.2 US State Laws Illinois BIPA: explicit written electronic consent via consent screen California CCPA/CPRA: we process sensitive personal information only with consent and do not sell it Colorado, Virginia, Connecticut, Texas, and all other state comprehensive privacy laws: we process sensitive biometric data on the basis of your opt-in consent only
4.3 All Users By clicking "I agree — start interview" on the consent screen you provide the legally required consent for voice and biometric data processing in all applicable jurisdictions simultaneously.
5. Voice and Biometric Data — Full Legal Disclosure
5.1 Illinois BIPA (740 ILCS 14) — Full Compliance Disclosure In compliance with BIPA Section 15 and as amended by Public Act 103-769 (August 2, 2024):
What we collect: voiceprints as biometric identifiers, derived from your spoken answers during practice sessions Purpose: transcription of your answers for the sole purpose of generating interview feedback Retention: raw audio — not retained by us after transmission to OpenAI Whisper. Transcribed text — session memory only, cleared on session end. We do not retain biometric data beyond your active session. Destruction: no biometric data is retained beyond the session, so no scheduled destruction is required. If any residual data were retained it would be destroyed within 3 years of collection or within 1 year of the purpose being satisfied, whichever is earlier. Sale prohibition: we will never sell, lease, trade, or profit from your biometric identifiers or biometric information Disclosure prohibition: we will never disclose your biometric data to any third party except OpenAI Whisper for transcription (required to provide the service) and as required by law Consent: your explicit electronic consent is obtained via the consent screen before each recording session. Electronic consent satisfies the "written release" requirement as clarified by the 2024 BIPA amendment.
5.2 Texas (CUBI — Tex. Bus. & Com. Code Ch. 503) We comply with Texas biometric consent requirements. We collect voiceprints only with your consent and destroy them within a reasonable time. We never sell biometric data. Enforcement is by the Texas Attorney General.
5.3 Washington (RCW 19.375) We comply with Washington's biometric identifier law, providing notice and obtaining consent before enrolling biometric identifiers and not selling biometric data.
5.4 Colorado (CPA Biometric Amendment, effective July 2025) We obtain your explicit written electronic consent before collecting biometric data from Colorado residents consistent with Colorado requirements.
5.5 All Other States We apply the Illinois BIPA standard — the most protective biometric privacy standard in the United States — to all users regardless of their state. This means every user receives written notice, explicit consent, a prohibition on sale, and responsible handling regardless of whether their state has a specific biometric law.
6. How We Share Your Data
We do not sell your personal data. Period.
6.1 Service Providers (Sub-Processors) We share data only with providers who process it on our behalf to deliver the service:
Anthropic (Claude AI) What they receive: your transcribed answers, job title, experience level, session settings Purpose: generating interview questions and feedback Data location: United States Privacy policy: anthropic.com/privacy Data training: Anthropic does not train models on API inputs per their usage policy
OpenAI (Whisper) What they receive: your audio recording Purpose: speech-to-text transcription Data location: United States Privacy policy: openai.com/policies/privacy-policy Data training: OpenAI does not train on API data per their data processing addendum
ElevenLabs What they receive: text of the improved answer and interviewer questions Purpose: generating synthesised voice audio Data location: United States Privacy policy: elevenlabs.io/privacy-policy
Vercel What they receive: standard web request data (IP, headers, paths) Purpose: hosting and serving the platform Data location: United States and global edge network Privacy policy: vercel.com/legal/privacy-policy
Stripe (paid users only) What they receive: payment card data (processed directly — we never see card numbers) Purpose: subscription billing Privacy policy: stripe.com/privacy
6.2 Legal Requirements We may disclose data if required by a court order, subpoena, or applicable law. We will notify you of any such request where legally permitted to do so.
6.3 Business Transfers If we are acquired by or merged with another company, user data may be transferred. We will provide advance notice and you will have the opportunity to delete your account.
6.4 International Transfers Our servers are in the United States. For EU and UK users, data is transferred under Standard Contractual Clauses or our sub-processors' EU-US Data Privacy Framework certifications where applicable.
7. Your Rights by State
7.1 All Users (Baseline Rights) Regardless of where you live you have the right to: — Withdraw voice recording consent at any time by leaving the session — Request confirmation of what data we hold about you — Request deletion of your account and associated data — Receive data breach notification if your personal data is compromised
Contact: [email protected] for any of the above.
7.2 Illinois (BIPA) Right to prevent sale of biometric data (we never sell it) Right to request destruction of biometric data (we hold none beyond your session) Contact: [email protected] — Subject: "BIPA Request"
7.3 California (CCPA / CPRA) Right to know what personal information we collect, use, and share Right to delete personal information Right to correct inaccurate information Right to opt out of sale or sharing (we do not sell or share for advertising) Right to limit use of sensitive personal information Right to non-discrimination for exercising rights Right to data portability Enforced by the California Privacy Protection Agency (CPPA) Contact: [email protected] — Subject: "California Privacy Request"
7.4 Colorado (CPA) Right to access, correct, delete, and port your data Right to opt out of sale, targeted advertising, and profiling Opt-out via Global Privacy Control (GPC) signal is recognised Contact: [email protected] — Subject: "Colorado Privacy Request"
7.5 Virginia (VCDPA) Right to access, correct, delete, and port your data Right to opt out of sale and profiling for decisions with legal or similarly significant effects Right to appeal our decisions within a reasonable time Contact: [email protected] — Subject: "Virginia Privacy Request"
7.6 Connecticut (CTDPA as amended July 2026) Right to access, correct, delete, and port your data Right to opt out of sale, targeted advertising, and profiling Right to human review of solely automated decisions Right to know if AI is used to process your data for decisions (yes — our feedback is AI-generated, for practice purposes only) Contact: [email protected] — Subject: "Connecticut Privacy Request"
7.7 Texas (TDPSA) Right to access, correct, delete, and port your data Right to opt out of sale of personal data Contact: [email protected] — Subject: "Texas Privacy Request"
7.8 Minnesota Right to question and receive explanation for consequential automated profiling decisions Contact: [email protected] — Subject: "Minnesota Privacy Request"
7.9 All Other States with Comprehensive Privacy Laws (Maryland, Montana, Oregon, Delaware, New Hampshire, New Jersey, Kentucky, Nebraska, Rhode Island, Iowa, Indiana, Tennessee, Utah) Rights to access, correct, delete, and opt out of sale of personal data consistent with each state's applicable law. Contact: [email protected] — Subject: "[Your State] Privacy Request"
7.10 EU and UK Users (GDPR / UK GDPR) Right to access your personal data Right to rectification of inaccurate data Right to erasure ("right to be forgotten") Right to restrict processing Right to data portability Right to object to processing Right not to be subject to solely automated decision-making with legal effects Right to lodge a complaint with your local supervisory authority We will respond to all requests within 30 days. We will never charge for reasonable requests.
How to Exercise: Email [email protected] with your state/country and the specific right. We will verify your identity and respond within 30 days.
8. Data Retention
Raw audio recordings: not retained by us — discarded immediately after OpenAI Whisper transcription Session transcripts and conversation history: session memory only — cleared automatically when your session ends Account email and profile data: retained for the lifetime of your account, deleted within 30 days of account closure or deletion request Technical/IP data: aggregated and anonymised after 12 months Payment records: retained for 7 years as required by US tax law Biometric data: never retained by us beyond your active session per our architecture
Because we do not persistently store voice recordings or session transcripts, the biometric data retention risk that BIPA and similar laws are designed to address is structurally minimised. The data simply does not exist beyond your session.
9. Security
We implement the following technical and organisational security measures: — TLS encryption for all data in transit — Secure, access-controlled hosting infrastructure via Vercel — API key security and per-IP rate limiting on all endpoints — Minimal data architecture: we do not store what we do not need — No persistent biometric data storage — the most effective protection is not storing it
No internet transmission is fully secure. In the event of a data breach affecting personal data we hold (primarily account email addresses), we will notify affected users and relevant state authorities within the timeframes required by applicable state breach notification laws — typically 30 days for California, Colorado, and New York users and as promptly as practicable for all others.
10. Children's Privacy
This service is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child under 13 has used this service contact [email protected] immediately and we will promptly delete any associated data.
Users aged 13-18 may use the service only with parental or guardian consent. We comply with: — COPPA (15 U.S.C. §§ 6501-6506): no data collection from under-13s — California Age-Appropriate Design Code: we do not design features to encourage minors to provide more data than necessary — Colorado, Connecticut, Maryland, and other state children's data protections: we do not sell minors' data and apply heightened protections to users under 18
If you are under 18 please review these Terms with a parent or guardian before using the service.
11. AI and Automated Decision-Making
Our service uses AI systems (Anthropic Claude) to generate interview scores, feedback, and improved answer suggestions. These outputs are automated and probabilistic.
We disclose this use of AI consistent with Connecticut's 2026 requirement that controllers disclose whether personal data is processed to train large language models — we do not use your data to train models.
Our AI-generated scores and feedback are for practice purposes only. They do not constitute binding assessments, employment decisions, or professional evaluations. They do not have legal or similarly significant effects on you.
If you are a Minnesota or Connecticut resident you have the right to contest automated profiling decisions and request human review. For practice feedback this right is academic — our feedback has no real-world consequences — but contact [email protected] if you wish to exercise it.
We comply with the Texas Responsible AI Governance Act (effective January 1, 2026) which prohibits certain harmful AI use cases. Our service generates only practice feedback and does not engage in any prohibited AI applications.
12. Cookies and Tracking
We use strictly necessary session cookies to maintain your login state and authentication. We do not use advertising cookies, cross-site tracking cookies, or behavioural profiling cookies.
We may use privacy-respecting analytics to understand aggregate platform usage. These tools collect anonymised data only — page views, session duration, feature usage — and do not identify individual users.
California, Colorado, and Connecticut residents: we recognise and honour the Global Privacy Control (GPC) browser signal as an opt-out of any data sale or sharing for targeted advertising. Since we do not engage in these practices the signal has no practical effect but we acknowledge it as required.
13. Changes to This Policy
We will notify registered users of material changes by email at least 14 days before changes take effect. A prominent notice will also appear on the platform. Your continued use after changes take effect constitutes acceptance. If you disagree you may stop using the service and request data deletion.
14. Contact and Complaints
All privacy enquiries: [email protected] BIPA requests (Illinois): [email protected] — Subject: "BIPA Request" CCPA requests (California): [email protected] — Subject: "California Privacy Request" GDPR requests (EU/UK): [email protected] — Subject: "GDPR Request" All other state requests: [email protected] — Subject: "[Your State] Privacy Request"
We respond within 30 days. We do not charge fees for reasonable requests.
EU and UK residents have the right to lodge a complaint with their local data protection supervisory authority. US residents may lodge complaints with their state Attorney General's office.
NailTheInterview.ai — Michigan, United States