Privacy Policy

    Last updated 18 January 2026

    This Privacy Policy explains how preppito collects, uses, shares, and protects personal data when you visit our website and when you use our interview practice platform. preppito provides a practice environment only. We do not run hiring processes and we do not make selection decisions for employers.

    1. Scope

    This policy covers the preppito website and the interview practice platform, including accounts, sessions, transcripts, generated questions, and related features such as feedback and reports.

    2. What data we process

    We process only what we need to deliver the service, to keep it secure, and to meet our legal duties.

    Account data

    Name, email address, preferred language, authentication data, settings.

    Documents you provide

    Your CV or resume and the job post link you choose to share. We use these to generate practice questions. The CV file is processed to extract text content, which is stored with your job records. The original CV file is not stored, only the extracted text content.

    Generated content

    The interview questions created from your CV and job post, the full transcript of your practice interview, the feedback and tips that the system generates for you, and session metadata such as date, time, duration, and features used.

    Audio handling

    Your voice is processed in real time during the session to run the conversation and to create the transcript. We do not store audio for playback in our systems.

    Device and usage data

    Log files, browser and device information, event data, and approximate location derived from the IP address. We use this for security, service reliability, and product improvement in an anonymous or de-identified form.

    Support and communications

    Messages that you send to our support channels, including message content and metadata.

    Cookies and similar tracking technologies

    We do not use cookies, pixels, device fingerprinting, or similar tracking technologies on our website or in the web app. If this ever changes we will update this policy and, where required, request your consent first.

    We do not intentionally collect data about you from third parties, other than retrieving the job posting you point us to.

    3. Purposes and legal bases

    We process personal data in accordance with the GDPR.

    Provide the service

    Register your account, run practice sessions, generate questions from your CV and the job post, create and display your transcript and feedback, and let you review previous sessions.

    Legal basis: Contract performance under GDPR.

    Special category data that you may choose to share

    During a session you might mention information that reveals special categories of data, for example health or religious beliefs. Because the transcript and the generated questions must reflect what you actually said in order to produce meaningful feedback, we process such information if you choose to share it. By accepting this Privacy Policy when creating your account, you give your explicit consent for us to process special category data that you may reveal during interview sessions.

    Legal basis: Explicit consent under GDPR.

    4. Where processing takes place

    We work with trusted service providers to deliver the interview practice experience. We configure these services to process and store customer data in European Union regions where available. Our design intent is that personal data for core processing activities remains in the European Union.

    We instruct our providers to act on our documented instructions through our contracts and service settings. We do not permit our providers to use your prompts or outputs to train their models for other customers. We do not grant such permission for preppito user content.

    5. Retention

    We keep personal data only for as long as needed for the stated purposes.

    • CV files are processed to extract text content, which is stored with your job records. The original CV file is not stored, only the extracted text content. Job descriptions are stored with your job records.
    • Generated questions and transcripts are stored permanently. This permanent storage is beneficial for candidates, enterprises, and preppito, as it allows for long-term tracking of progress, historical analysis, and continuous improvement of the platform
    • You can delete your transcript and generated questions at any time from your account, which removes the content from our active systems
    • Consent logs that evidence your explicit consent are retained for compliance purposes
    • Security logs are retained for up to 90 days unless a longer period is needed to investigate incidents
    • Support tickets are retained for up to 12 months unless a longer period is required by law
    • Backups follow fixed rotation schedules and are overwritten. When you delete content we remove it from active systems and it will fall out of backups on the normal cycle

    If law requires a longer retention we may retain the minimum necessary information for that period.

    6. Your rights

    Subject to conditions and exceptions in the GDPR, you have the following rights:

    • Right of access and to obtain a copy of your data
    • Right to rectification
    • Right to deletion
    • Right to restriction
    • Right to object where we rely on legitimate interests
    • Right to data portability

    Note: For enterprise data sharing, you can withdraw your consent at any time in your account settings (see the Enterprise Workspaces section below). For other processing based on consent, withdrawal is exercised through account deletion.

    You can exercise these rights from within your account where features are available or by contacting info@preppito.com. We may need to verify your identity. We will respond without undue delay and within one month where possible.

    You also have the right to lodge a complaint with your local supervisory authority. In the Netherlands the authority is Autoriteit Persoonsgegevens at autoriteitpersoonsgegevens.nl.

    7. Children

    Our service is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If you believe that a child provided us with personal data, please contact us and we will delete it.

    8. Security

    We use technical and organisational measures intended to protect personal data. These include encryption in transit and at rest, role-based access control, least privilege, logging and audit trails, vulnerability management, and staff training. If we become aware of a personal data breach we will notify affected users and regulators where legally required.

    9. Automated decision making and fairness

    We do not make automated decisions that produce legal or similarly significant effects for you. Our feedback is advisory for practice purposes only. We monitor for bias and quality issues as part of our model governance.

    10. Transparency about AI

    You practice with an AI system that generates questions and feedback. We clearly label AI-generated content in the product. If you have questions about how the system works, contact info@preppito.com.

    11. Who we share data with

    We share personal data only with:

    • Our processors who act on our instructions to deliver the service
    • Professional advisers and auditors under a duty of confidentiality
    • Authorities where required by law
    • Enterprise customers, but only with your explicit consent and only for practice sessions linked to jobs created by that enterprise (see Enterprise Workspaces below)

    We do not sell personal data.

    11a. Enterprise Workspaces

    preppito offers enterprise workspaces that allow companies to create practice jobs and invite candidates to practice. If you are invited to practice jobs created by an enterprise, we will ask for your explicit consent before sharing any of your practice results with that enterprise.

    What is shared with enterprises

    If you consent, we share the following information with the enterprise for practice sessions linked to their jobs:

    • Your practice performance report generated by preppito for the session
    • Your transcript of the session
    • Session metadata, such as the job identifier, session date and time, session duration, and language

    No audio is shared. We do not share practice results from jobs not created by that enterprise.

    Consent and withdrawal

    Enterprise data sharing requires your explicit consent, which you can give or withdraw at any time in your account settings. If you withdraw consent, we will stop sharing new practice results with that enterprise, and you will no longer be able to practice jobs created by that enterprise. You can still use preppito to practice other jobs that are not created by that enterprise.

    Purpose and use restrictions

    Enterprises receive your practice performance and transcript only to review your practice performance and to help improve candidate performance. Enterprises may not use the shared information for unrelated profiling, marketing, or employment decisions.

    12. How we make decisions about data

    We follow the principles of data minimisation, purpose limitation, and storage limitation. We review this policy and our records of processing at least once a year.

    13. Changes to this policy

    We may update this policy from time to time. Significant changes will be announced on the website or by email. You can see the date of the latest update at the top of this page. If changes materially affect how we process your data we will ask for consent again where required.

    Annex A consent text used in the product

    Explicit consent for transcript and generated questions

    I give preppito explicit consent to process the full transcript of my practice interview and the interview questions that are generated from my CV and the job post, including any special category information that I choose to reveal, only to generate practice questions and personalised feedback. I understand that processing is configured to run in European Union regions where available. This consent is required in order to provide the service because feedback must be based on what I actually said and on the questions built from my CV. Withdrawing this consent requires account deletion.