Privacy Policy
Last updated: April 13, 2026
This policy explains every category of data we collect, that we may sell anonymised session data with your consent, and every right you have under US federal law, all 50 US state laws, GDPR, UK GDPR, and other international regulations.
PLAIN ENGLISH SUMMARY
DATA SALE NOTICE
With your explicit optional training data consent, anonymised session data including answer transcripts and scores may be sold or licensed to authorised research and technology partners. Your name, email address, voice recordings, and biometric data are never sold under any circumstances. California residents may opt out at any time. Full details and opt-out instructions are in Section 7 and Section 16 of this Policy.
1. Who We Are and How to Contact Us
NailTheInterview.ai ("we", "us", "our", "Company") is an AI-powered interview practice and coaching platform operated from Michigan, United States. We are the data controller for all personal data collected through our platform at nailtheinterview.ai.
Privacy contact and all data rights requests: [email protected] BIPA requests (Illinois): [email protected] — Subject: "BIPA Request" CCPA requests (California): [email protected] — Subject: "California Privacy Request" CCPA Opt-Out (Do Not Sell or Share): [email protected] — Subject: "CCPA Opt-Out" GDPR requests (EU): [email protected] — Subject: "GDPR Request" UK GDPR requests: [email protected] — Subject: "UK GDPR Request" All other state requests: [email protected] — Subject: "[Your State] Privacy Request"
We respond to all privacy requests within 30 days. We never charge fees for reasonable requests.
This Privacy Policy was last updated April 13, 2026 and supersedes all prior versions. We will notify registered users of material changes by email at least 14 days before they take effect.
2. Plain English Summary
WHAT WE DO NOT STORE: — Raw audio recordings: your voice is transmitted to OpenAI Whisper and immediately discarded — we have no copy — Session transcripts: exist only in server memory during your active session, automatically cleared when your session ends — not written to any database
WHAT WE DO COLLECT AND MAY SELL: — Session performance data: your scores, hire signals, framework classifications, improved answer rewrites, and related coaching metrics — Psychological data (with separate explicit consent): baseline anxiety rating, per-answer self-assessment, confidence delta, hiring outcome if voluntarily reported — Session metadata: job title, experience level, difficulty, company tier, urgency, language background — This data is anonymised before any commercial sale — your name and email are never included
WHAT WE NEVER SELL UNDER ANY CIRCUMSTANCES: — Your name or email address — Your voice recordings or biometric data — Session transcripts linked to your identity — Any data that can directly identify you as an individual
YOUR KEY RIGHTS: — Withdraw voice recording consent at any time by leaving the session — Opt out of any data sale at any time by withdrawing training consent in account settings or emailing us — Delete your account and all associated data at any time — Request a copy of the data we hold about you — California residents: exercise your CCPA "Do Not Sell or Share" right at any time — see Section 7.3
3. Complete Inventory of All Data We Collect
3.1 Account and Identity Data — NOT SOLD Email address, hashed authentication credentials, OAuth profile data from Google or LinkedIn (name, email, profile photo URL), account creation and login dates, account status and subscription tier.
3.2 Voice and Biometric Data — NEVER SOLD, NEVER RETAINED Raw audio recording: transmitted to OpenAI Whisper API for transcription only; not stored by us at any point; discarded within seconds of collection. Transcribed text: held in server-side session memory during your active session only; not written to any database or persistent storage; automatically cleared and not recoverable when your session ends. Legal classification: voice constitutes a biometric identifier under BIPA (Illinois), CUBI (Texas), Washington biometric law, Colorado Privacy Act biometric amendment; special category personal data under GDPR Article 9; sensitive personal information under CCPA/CPRA and all applicable state comprehensive privacy laws.
3.3 Session Metadata — SALEABLE IN ANONYMISED FORM with training consent Job title practised for, industry category selected, experience level, interview difficulty setting (1-5), language background if ESL mode used, company tier targeted (startup, mid-size, enterprise, FAANG, consulting or finance), interview urgency (1-3 days, this week, just practising), session completion timestamp, session number in account history, device ID (anonymous browser-generated identifier — stripped before any sale).
3.4 Performance and Scoring Data — SALEABLE IN ANONYMISED FORM with training consent Story Structure score (0-20), Proof and Specifics score (0-20), Skill Match score (0-20), How You Think score (0-10), Clear Delivery score (0-20), Language and Polish score (0-10), all twelve modifier values and their signs, hire signal (Strong Hire / Lean Hire / Lean No-Hire / Strong No-Hire), structural framework detected (STAR, PPF, PAS, CAR, WWE, Value Proposition), readiness label, improved answer rewrite generated by AI, average session score, per-question score array.
3.5 Psychological and Behavioural Data — SALEABLE IN ANONYMISED FORM — collected ONLY with explicit training data consent Baseline anxiety rating: self-reported nervousness before session starts (1 = very nervous, 5 = very confident). Per-answer self-assessment: self-rated quality of answer before seeing AI score (1 = poor, 5 = excellent) — collected after each recording before score is revealed. Confidence delta: self-reported change in interview readiness after session (1 = much less confident, 5 = much more confident). Session number: which session number this is in account history. Attempt number: whether this answer is a first attempt or retry. Hiring outcome: whether you received a job offer — collected optionally via email 14 days after session if you choose to respond; never required.
3.6 Technical and Security Data — NOT SOLD IN IDENTIFIABLE FORM IP address (security and rate limiting only — anonymised after 90 days before any dataset inclusion), browser fingerprint hash (session abuse prevention only — not a persistent cross-site tracker — not used for advertising), server access logs and error logs (anonymised after 90 days, deleted after 90 days).
3.7 Payment Data — NEVER SOLD Subscription tier and status, Stripe customer ID and subscription ID (reference numbers only — we never see or store payment card numbers, CVV, or bank account details — all payment data processed exclusively by Stripe, Inc.).
3.8 Communications Data — NOT SOLD Transactional emails sent to you, support correspondence you send to us.
4. Legal Bases for Processing
4.1 EU and UK Users (GDPR Article 6 and Article 9) Explicit consent (Article 6(1)(a) and Article 9(2)(a)): voice and biometric data processing; training data collection and storage; psychological and behavioural data; commercial sale of anonymised data in datasets. Contractual necessity (Article 6(1)(b)): account data, session metadata, and performance data required to deliver the Service. Legitimate interests (Article 6(1)(f)): IP address and technical security data for fraud prevention and rate limiting. Legal obligation (Article 6(1)(c)): payment records for tax compliance; data breach notifications.
4.2 Illinois BIPA Explicit written electronic consent obtained via pre-session consent screen before each recording, satisfying BIPA Section 15(b) as clarified by Public Act 103-769 (effective August 2, 2024).
4.3 California CCPA/CPRA Sensitive personal information (voice) processed only with opt-in consent via pre-session consent screen. Training data collected and commercially exploited only with explicit opt-in training data consent. CCPA opt-out right provided and honoured within 15 days.
4.4 All US State Comprehensive Privacy Laws Sensitive biometric and psychological data processed only with explicit opt-in consent. Opt-out rights for any data sale provided and honoured as required by each applicable state law.
5. Voice and Biometric Data — Full Legal Compliance Disclosure
5.1 Illinois BIPA (740 ILCS 14 as amended by Public Act 103-769, effective August 2, 2024) — Mandatory Written Policy This Section constitutes the publicly available written policy required by BIPA Section 15(a).
What we collect: voiceprints as biometric identifiers derived from spoken answers during practice sessions. Sole purpose: speech-to-text transcription to enable interview feedback generation — no other purpose. Retention: raw audio — not retained by us after OpenAI Whisper transcription, typically discarded within seconds. Transcribed text — session memory only, automatically cleared when session ends. No biometric data written to any database, file system, backup, or archive by us at any time. Destruction schedule: because no biometric data is retained beyond the active session no scheduled destruction is required. Any inadvertently retained data would be destroyed within the earlier of 3 years from collection or 1 year after the purpose is satisfied. Prohibition on sale: we will never sell, lease, trade, profit from, or otherwise commercially exchange your biometric identifiers or biometric information. This prohibition is absolute, unconditional, and permanent. It is categorically separate from and unaffected by our rights to sell anonymised session performance data. Disclosure: we will never disclose biometric data to any party other than OpenAI Whisper (required for transcription) and as required by a valid court order. Consent: explicit written electronic consent obtained via pre-session consent screen before each session. BIPA requests: [email protected] — Subject: "BIPA Request"
5.2 Texas (CUBI, Tex. Bus. & Com. Code Chapter 503) Consent obtained before each collection. Purpose limited to transcription for service delivery. Biometric identifiers destroyed within a reasonable time (immediately — no retention). Never sold. Enforcement by Texas Attorney General.
5.3 Washington (RCW 19.375) Notice provided and consent obtained before collecting biometric identifiers. Not sold or disclosed except to OpenAI for transcription.
5.4 Colorado (CPA Biometric Amendment, effective July 2025) Explicit written electronic consent obtained before collecting biometric data from Colorado residents.
5.5 All Other States We apply the Illinois BIPA standard to all users regardless of state. Every user globally receives written notice, explicit session-by-session consent, absolute prohibition on sale, and access to destruction requests.
6. How We Use Your Data
6.1 Providing the Service Account data, session metadata, and performance data are used to authenticate you, generate personalised interview questions, produce your coaching report, display your session history, and manage your subscription.
6.2 Product Improvement (all users) Aggregated and anonymised session metadata and performance data — from which no individual can be identified — are used to improve our question generation, calibrate our scoring methodology, and develop new features. This use does not require training data consent as it involves only genuinely anonymised aggregates.
6.3 AI Model Training (training consent required) With your explicit optional training consent we use your session data, including anonymised transcripts, to fine-tune and improve our AI coaching models. Direct identifiers are stripped before data enters any training pipeline.
6.4 Commercial Data Sale and Licensing (training consent required) With your explicit optional training consent we may sell, licence, and commercially exploit your anonymised session data as described in Section 7 below. This is a core commercial activity of the Company.
6.5 Security and Fraud Prevention IP addresses, device identifiers, and browser fingerprints are used to enforce rate limits, prevent anonymous session abuse, and detect fraudulent account creation. Not used for advertising.
6.6 Legal Compliance Payment records retained for tax compliance. Data breach notifications as required by law. Responses to valid legal process.
6.7 Communications Transactional emails: welcome, session follow-up (including optional hiring outcome request), subscription management, product notices, legal notices. Marketing emails only with your consent, opt-out available at any time.
7. Our Right to Sell Your Data and How We Do It
7.1 This Is a Core Commercial Right — Read This Section Carefully We are fully transparent that the commercial sale and licensing of anonymised session data is a fundamental commercial purpose of the Service and is a material part of the consideration for providing you access. We exercise this right responsibly and lawfully as described below.
7.2 The Data We Sell We may sell, licence, transfer, sublicence, or otherwise commercially exploit datasets containing anonymised records from sessions where users have provided explicit training data consent. The following data fields may be included in a sold or licensed record:
Interview question text Anonymised answer transcript (all direct identifiers irreversibly removed) Story Structure score (0-20) Proof and Specifics score (0-20) Skill Match score (0-20) How You Think score (0-10) Clear Delivery score (0-20) Language and Polish score (0-10) All twelve modifier names and values Hire signal (Strong Hire, Lean Hire, Lean No-Hire, Strong No-Hire) Structural framework classification Readiness label Improved answer rewrite Baseline anxiety rating (1-5) Per-answer self-assessment rating (1-5) Confidence delta (1-5) Session number in account history Attempt number (first attempt or retry) Hiring outcome if voluntarily reported Job category, experience level, difficulty setting, company tier, interview urgency, language background No name, no email address, no user ID, no device ID, no IP address, no payment data, no biometric data
7.3 California Residents — CCPA Do Not Sell or Share Right The commercial sale or licensing of your data, even in fully anonymised form, may constitute a "sale" or "sharing" of personal information under CCPA/CPRA. California residents have the right to opt out of any such sale or sharing at any time with no penalty and no reduction in service quality.
To opt out: Option 1: Email [email protected] — Subject: "CCPA Opt-Out — Do Not Sell or Share" Option 2: Withdraw training data consent in your account settings
We will honour your opt-out within 15 days as required by CCPA. We will not discriminate against you in any way for exercising this right.
7.4 EU and UK Users — GDPR Consent and Withdrawal For EU and UK users the legal basis for commercial data exploitation is your explicit consent (GDPR Article 6(1)(a) and Article 9(2)(a)). You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal. Genuinely anonymised data already delivered to buyers is not personal data under GDPR and is not subject to recall.
7.5 Anonymisation Standard Before inclusion in any commercially exploited dataset all records are processed to: — Remove or irreversibly transform all direct identifiers (name, email, user ID, device ID, IP address, OAuth identifiers) — Meet the GDPR Recital 26 anonymisation standard such that no individual is reasonably identifiable — Meet the CCPA de-identified data standard (Cal. Civ. Code § 1798.3(g)) — Meet applicable US state de-identified data definitions
All buyers and licensees execute written Data Licence Agreements that: prohibit re-identification of individuals; require compliance with applicable privacy law; restrict use to specified permitted purposes; and prohibit onward sale of the raw dataset without our written consent.
7.6 Who We Sell To Authorised buyers and licensees may include HR technology companies, assessment platform providers, AI research laboratories and foundations, academic and research institutions, enterprise talent platforms, career development organisations, and any other entity with a legitimate commercial or research use case for behavioural interview assessment data.
7.7 Withdrawal of Training Data Consent To withdraw at any time: Option 1: Uncheck the training data consent toggle in account settings Option 2: Email [email protected] — Subject: "Withdraw Training Data Consent"
We will stop collecting new training data immediately and confirm withdrawal within 7 days. Data already anonymised and included in datasets provided to buyers before your withdrawal cannot be recalled as it can no longer be linked to you.
7.8 What We Will Never Sell — Absolute Prohibitions Regardless of any consent given, regardless of any other provision of this Policy, and without exception under any circumstances: — We will never sell your name or email address — We will never sell your raw audio recordings — We will never sell your biometric data or voiceprints — We will never sell session transcripts linked to your identity — We will never sell your account credentials or payment data — We will never sell any data that can directly identify you as a specific individual — We will never sell data from sessions where you did not provide training data consent
8. Third-Party Sub-Processors
We share your data with the following sub-processors who process it on our behalf. Data processing agreements are in place with each where required by law:
ANTHROPIC, INC. (Claude AI) Data: transcribed answers, job title, level, session settings, conversation history during session Purpose: AI question generation, scoring, feedback, improved answers, session analysis Location: United States | API data not used for model training | anthropic.com/privacy | GDPR: Standard Contractual Clauses
OPENAI, LLC (Whisper) Data: raw audio recording Purpose: speech-to-text transcription only Location: United States | API data not used for model training | openai.com/policies/privacy-policy | GDPR: SCCs / EU-US Data Privacy Framework
ELEVENLABS, INC. Data: text of AI-generated questions and improved answers Purpose: synthesised interviewer voice audio Location: United States | elevenlabs.io/privacy-policy | GDPR: Standard Contractual Clauses
VERCEL, INC. Data: all HTTP request data including IP addresses, request paths, user agents Purpose: platform hosting and delivery Location: United States and global edge network | vercel.com/legal/privacy-policy | GDPR: Standard Contractual Clauses
SUPABASE, INC. Data: all data we store — account data, session metadata, training data where consent given Purpose: database hosting, authentication, API services Location: United States (AWS us-east-1) | supabase.com/privacy | GDPR: Standard Contractual Clauses
STRIPE, INC. Data: payment transactions (processed directly — we never receive or store card numbers or CVV) Purpose: subscription and payment processing Location: United States | stripe.com/privacy | GDPR: EU-US Data Privacy Framework
RESEND, INC. Data: email address and transactional email content Purpose: transactional email delivery Location: United States | resend.com/legal/privacy-policy | GDPR: Standard Contractual Clauses
CLOUDFLARE, INC. Data: DNS queries and web traffic metadata Purpose: DNS, DDoS protection, CDN Location: United States and global network | cloudflare.com/privacypolicy | GDPR: EU-US Data Privacy Framework
We do not share your data with any other third party except as required by valid legal process. We will notify you of any legally compelled disclosure where permitted by law. In the event of a merger or acquisition, user data may be transferred with advance notice and the opportunity to delete your account.
9. International Data Transfers
Our servers are in the United States. If you access the Service from outside the United States your data will be transferred to and processed in the United States.
For EU and UK users: we transfer personal data to the United States on the basis of Standard Contractual Clauses (SCCs) adopted by the European Commission and the UK International Data Transfer Agreement (IDTA) as applicable, and rely on the EU-US Data Privacy Framework certifications of our US sub-processors where available.
For all international users: by creating an account and using the Service you acknowledge that your data will be processed in the United States and potentially in other countries where our sub-processors operate, which may have different data protection standards than your home country.
10. Data Retention
Raw audio recordings: not retained — discarded immediately after OpenAI Whisper transcription (within seconds of collection) Session transcripts and conversation history: session memory only — automatically cleared when session ends; not recoverable Biometric data: never retained beyond the active session
Account email and hashed credentials: retained for account lifetime plus 30 days after account closure or deletion request OAuth profile data: retained while account is active; deleted within 30 days of account closure Account preferences: retained while active; deleted within 30 days of closure
Session metadata and performance data: retained while account is active; deleted within 30 days of deletion request; anonymised versions already in commercially licensed datasets are not subject to recall as they cannot be linked to you Training data (session answers, psychological data): retained while account active and training consent active; deleted within 30 days of account deletion or training consent withdrawal; already-licensed anonymised records not subject to recall
IP addresses and security logs: anonymised and aggregated after 90 days; raw logs deleted after 90 days Payment records and billing history: retained for 7 years as required by US tax law and applicable financial regulations Email communications: retained for 3 years for legal and dispute resolution purposes
11. Your Rights
11.1 Universal Rights — All Users Regardless of Location — Withdraw voice recording consent at any time by leaving the session — Withdraw training data consent and opt out of any data sale at any time — Request confirmation of what personal data we hold — Request deletion of your account and all personal data — Receive data breach notification if your personal data is compromised — Receive a response within 30 days at no charge
11.2 Illinois (BIPA 740 ILCS 14) Right to receive written biometric data retention policy (Section 5 of this Policy) Right to prevent sale of biometric data (we never sell biometric data — absolute prohibition) Right to request destruction of retained biometric data (we hold none beyond your session) Contact: [email protected] — Subject: "BIPA Request"
11.3 California (CCPA / CPRA) Right to know what personal information we collect, use, disclose, and sell Right to delete personal information (subject to legal retention requirements) Right to correct inaccurate personal information Right to opt out of sale or sharing — email "CCPA Opt-Out" — honoured within 15 days Right to limit use of sensitive personal information Right to non-discrimination for exercising rights Right to data portability Enforced by: California Privacy Protection Agency (CPPA) Contact: [email protected] — Subject: "California Privacy Request"
11.4 Colorado (CPA) Rights to access, correct, delete, and port personal data Right to opt out of sale, targeted advertising, and profiling Global Privacy Control (GPC) signal honoured Contact: [email protected] — Subject: "Colorado Privacy Request"
11.5 Virginia (VCDPA) Rights to access, correct, delete, and port personal data Right to opt out of sale and profiling Right to appeal our decisions Contact: [email protected] — Subject: "Virginia Privacy Request"
11.6 Connecticut (CTDPA 2026) Rights to access, correct, delete, and port personal data Right to opt out of sale, targeted advertising, and profiling Right to human review of automated decisions Right to know if data is processed to train large language models (yes — with training consent; see Section 7) Contact: [email protected] — Subject: "Connecticut Privacy Request"
11.7 Texas (TDPSA) Rights to access, correct, delete, and port personal data Right to opt out of sale of personal data Contact: [email protected] — Subject: "Texas Privacy Request"
11.8 Minnesota Right to explanation of consequential automated profiling decisions Contact: [email protected] — Subject: "Minnesota Privacy Request"
11.9 All Other States with Comprehensive Privacy Laws (Maryland, Montana, Oregon, Delaware, New Hampshire, New Jersey, Kentucky, Nebraska, Rhode Island, Iowa, Indiana, Tennessee, Utah, and any other state enacting a comprehensive privacy law): Rights to access, correct, delete, and opt out of sale Contact: [email protected] — Subject: "[Your State] Privacy Request"
11.10 EU Users (GDPR) Right of access (Article 15), rectification (Article 16), erasure (Article 17), restriction (Article 18), portability (Article 20), objection (Article 21), not to be subject to solely automated decisions with legal effects (Article 22), withdraw consent at any time, lodge complaint with supervisory authority
11.11 UK Users (UK GDPR and Data Protection Act 2018) Same rights as EU users. Complaints to the ICO at ico.org.uk.
11.12 Canada (PIPEDA) Right to access and correct personal information. Complaints to the Privacy Commissioner of Canada.
11.13 Australia (Privacy Act 1988) Rights to access and correct under the Australian Privacy Principles. Complaints to the OAIC.
11.14 Brazil (LGPD) Rights to confirmation, access, correction, anonymisation, portability, deletion, information about sharing, and revocation of consent. Complaints to the ANPD.
HOW TO EXERCISE ANY RIGHT: email [email protected] with your state or country and the specific right. Response within 30 days at no charge. We will not retaliate against you for exercising any privacy right.
12. AI and Automated Processing
12.1 How AI Is Used Anthropic Claude Sonnet: generates interview questions, follow-up questions, scores, feedback, improved answer rewrites, and session analysis. OpenAI Whisper: converts your audio to text (speech-to-text only). ElevenLabs: converts text to synthesised voice audio.
12.2 Nature of AI Outputs All AI-generated content is probabilistic and for educational practice purposes only. It does not constitute employment assessments, professional evaluations, or decisions with legal or practical significance. No employer may use our scores in any hiring decision.
12.3 Automated Decision-Making Disclosure Connecticut (2026): we disclose that session data is processed by AI systems for your personal practice benefit only, producing no decisions with legal effects. With your training consent, anonymised session data may be used to train large language models. GDPR Article 22: we do not use solely automated decision-making to produce decisions with legal or similarly significant effects.
12.4 Texas Responsible AI Governance Act (effective January 1, 2026) We comply with this Act. Our Service generates only practice coaching feedback and does not engage in any prohibited AI application.
13. Cookies and Tracking
Strictly necessary cookies: session authentication cookies to maintain your login state — required for the Service to function. Local storage: a randomly generated anonymous device identifier stored in your browser for session abuse prevention — not shared with third parties. Analytics: we may use privacy-respecting analytics collecting only anonymised aggregate data — not individual user tracking. No advertising cookies, cross-site tracking cookies, social media pixels, or behavioural profiling cookies. Global Privacy Control (GPC): recognised and honoured as an opt-out for California, Colorado, and Connecticut residents as required by their respective laws.
14. Security
Technical measures: TLS 1.2+ encryption for all data in transit; encrypted database storage at rest; API key security with environment variable isolation; per-IP rate limiting; browser fingerprint-based session abuse detection; row-level security on all database tables; industry-standard password hashing; no persistent biometric data storage.
Organisational measures: access controls limiting data access to authorised personnel; third-party data processing agreements with all sub-processors; regular review of data minimisation practices.
No internet transmission is 100% secure. In the event of a security breach affecting personal data we hold we will notify affected users and relevant regulatory authorities: within 72 hours under GDPR; within 30 days for California, Colorado, and New York; as expeditiously as practicable under all other applicable state breach notification laws.
Our minimal data architecture — we do not store audio recordings or session transcripts — substantially limits personal data at risk in any breach. The personal data most at risk is account email addresses.
15. Children's Privacy
The Service requires a registered account. Account creation requires you to be at least 13. We do not knowingly collect personal data from children under 13.
COPPA (15 U.S.C. §§ 6501-6506): if we become aware a child under 13 has created an account we will immediately suspend it and delete all associated data. Parents who believe a child under 13 has used the Service should contact [email protected] immediately.
Users aged 13-17: may use the Service only with parental or guardian consent. We do not sell personal data of users under 18 and do not use their data for targeted advertising. We comply with the California Age-Appropriate Design Code (AB 2273), Maryland Age-Appropriate Design Code, Colorado children's data protections, Connecticut 2026 children's privacy amendments, and all other applicable state children's privacy laws.
Parents of users under 18 may request access to, correction of, or deletion of their child's data by contacting [email protected] with proof of parental relationship.
16. Do Not Sell or Share My Personal Information
CCPA/CPRA REQUIRED NOTICE — CALIFORNIA RESIDENTS
As described in Section 7, we may sell or commercially license anonymised session performance data from users who have given explicit training data consent.
CALIFORNIA RESIDENTS — YOUR RIGHT TO OPT OUT:
You have the right to direct us not to sell or share your personal information at any time. To exercise this right:
Email: [email protected] — Subject: "CCPA Opt-Out — Do Not Sell or Share" OR withdraw training data consent in account settings
We will honour your opt-out within 15 days. We will not: — Deny you goods or services — Charge you a different price — Provide a different quality of service — Suggest you will receive a penalty for exercising this right
ALL USERS: Withdrawing training data consent has the same practical effect — your data will not be included in any future commercial dataset.
WE NEVER SELL: — Your name or email address — Your voice recordings or biometric data — Any data with a direct identifier attached — Data from users who have not given training data consent — Data from users who have exercised their opt-out
17. Changes to This Policy
We will update this Policy when our data practices change or when required by law. For material changes we will notify registered users by email at least 14 days before changes take effect and post a prominent notice on the Service including a summary of what changed.
Your continued use after the effective date constitutes acceptance. If you disagree you may stop using the Service and request account and data deletion. Previous versions are available on request.
18. Complaints and Supervisory Authorities
We take all privacy complaints seriously and respond within 30 days. Contact: [email protected]
If you are not satisfied with our response:
California: California Privacy Protection Agency (CPPA) — cppa.ca.gov Colorado: Colorado Attorney General — coag.gov Virginia: Virginia Attorney General — ag.virginia.gov Connecticut: Connecticut Attorney General — ct.gov/ag Texas: Texas Attorney General — texasattorneygeneral.gov Illinois (BIPA): Illinois Attorney General — illinoisattorneygeneral.gov All other US states: your state Attorney General's office
EU residents: your national data protection supervisory authority — edpb.europa.eu for the full list UK residents: Information Commissioner's Office (ICO) — ico.org.uk — 0303 123 1113 Canadian residents: Office of the Privacy Commissioner of Canada — priv.gc.ca Australian residents: Office of the Australian Information Commissioner — oaic.gov.au Brazilian residents: Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd
NailTheInterview.ai — Michigan, United States