Privacy Policy

    Last updated 30 August 2025

    This Privacy Policy explains how preppito collects, uses, shares, and protects personal data when you visit our website and when you use our interview practice platform. preppito provides a practice environment only. We do not run hiring processes and we do not make selection decisions for employers.

    1. Scope

    This policy covers the preppito website and the interview practice platform, including accounts, sessions, transcripts, generated questions, and related features such as feedback and reports.

    2. What data we process

    We process only what we need to deliver the service, to keep it secure, and to meet our legal duties.

    Account data

    Name, email address, preferred language, authentication data, settings.

    Documents you provide

    Your CV or resume and the job post link you choose to share. We use these to generate practice questions. We wipe the CV file from our systems right after processing.

    Generated content

    The interview questions created from your CV and job post, the full transcript of your practice interview, the feedback and tips that the system generates for you, and session metadata such as date, time, duration, and features used.

    Audio handling

    Your voice is processed in real time during the session to run the conversation and to create the transcript. We do not store audio for playback in our systems.

    Device and usage data

    Log files, browser and device information, event data, and approximate location derived from the IP address. We use this for security, service reliability, and product improvement in an anonymous or de identified form.

    Support and communications

    Messages that you send to our support channels, including message content and metadata.

    Cookies and similar tracking technologies

    We do not use cookies, pixels, device fingerprinting, or similar tracking technologies on our website or in the web app. If this ever changes we will update this policy and, where required, request your consent first.

    We do not intentionally collect data about you from third parties, other than retrieving the job posting you point us to.

    3. Purposes and legal bases

    We process personal data only where a legal basis in Article 6 GDPR applies and, where relevant, Article 9 for special categories.

    Provide the service

    Register your account, run practice sessions, generate questions from your CV and the job post, create and display your transcript and feedback, and let you review previous sessions.

    Legal basis: Article 6 paragraph 1 letter b contract performance.

    Special category data that you may choose to share

    During a session you might mention information that reveals special categories of data, for example health or religious beliefs. Because the transcript and the generated questions must reflect what you actually said in order to produce meaningful feedback, we ask for your explicit consent before the session starts so that we may process such information if you choose to share it. You can withdraw this consent at any time.

    Legal basis: Article 9 paragraph 2 letter a explicit consent.

    4. Providers we use and where processing takes place

    We use two main providers to deliver the experience.

    ElevenLabs

    We use ElevenLabs to power the live interview experience, for example to generate the interviewer voice prompts and to support real time voice interaction. We do not store audio for playback in our systems. We instruct ElevenLabs to act on our documented instructions through our contracts and service settings. Where the provider offers European data residency we select it.

    Google Gemini on Google Cloud

    We use Gemini to process the relevant content of your session, which includes generating practice questions from your CV and job post and analysing the session transcript to produce feedback and tips. We configure these services to process and store customer data in European Union Google Cloud regions. Our design intent is that personal data for these processing activities remains in the European Union.

    We do not permit our providers to use your prompts or outputs to train their models for other customers. We do not grant such permission for preppito user content.

    5. International transfers

    Our design is to process and store personal data for the core service in the European Union. We do not routinely transfer this personal data outside the European Economic Area.

    If a transfer outside the EEA is necessary, for example for support or incident response, we will use the safeguards that the law requires. These include the European Commission Standard Contractual Clauses and, where applicable, adequacy decisions. We keep a record of any such transfers.

    6. Retention

    We keep personal data only for as long as needed for the stated purposes.

    • CV file and job description are used to generate questions and are wiped from our systems right after processing
    • Generated questions and transcripts are stored for up to 30 days by default so that you can review your session
    • You can delete your transcript and generated questions at any time from your account, which removes the content from our active systems
    • Consent logs that evidence your explicit consent are retained for up to 60 days after deletion of the related session for compliance
    • Security logs are retained for up to 90 days unless a longer period is needed to investigate incidents
    • Support tickets are retained for up to 12 months unless a longer period is required by law
    • Backups follow fixed rotation schedules and are overwritten. When you delete content we remove it from active systems and it will fall out of backups on the normal cycle

    If law requires a longer retention we may retain the minimum necessary information for that period.

    7. Your rights

    Subject to conditions and exceptions in the GDPR, you have the following rights:

    • Right of access and to obtain a copy of your data
    • Right to rectification
    • Right to deletion
    • Right to restriction
    • Right to object where we rely on legitimate interests
    • Right to data portability
    • Right to withdraw consent at any time, which does not affect processing that took place before withdrawal

    You can exercise these rights from within your account where features are available or by contacting info@preppito.com. We may need to verify your identity. We will respond without undue delay and within one month where possible.

    You also have the right to lodge a complaint with your local supervisory authority. In the Netherlands the authority is Autoriteit Persoonsgegevens at autoriteitpersoonsgegevens.nl.

    8. Children

    Our service is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If you believe that a child provided us with personal data please contact us and we will delete it.

    9. Security

    We use technical and organisational measures intended to protect personal data. These include encryption in transit and at rest, role based access control, least privilege, logging and audit trails, vulnerability management, and staff training. If we become aware of a personal data breach we will notify affected users and regulators where legally required.

    10. Automated decision making and fairness

    We do not make automated decisions that produce legal or similarly significant effects for you. Our feedback is advisory for practice purposes only. We monitor for bias and quality issues as part of our model governance.

    11. Transparency about AI

    You practice with an AI system that generates questions and feedback. We clearly label AI generated content in the product. If you have questions about how the system works, contact info@preppito.com.

    12. Who we share data with

    We share personal data only with:

    • Our processors who act on our instructions to deliver the service
    • Professional advisers and auditors under a duty of confidentiality
    • Authorities where required by law

    We do not sell personal data.

    13. How we make decisions about data

    We follow the principles of data minimisation, purpose limitation, and storage limitation. We review this policy and our records of processing at least once a year.

    14. Changes to this policy

    We may update this policy from time to time. Significant changes will be announced on the website or by email. You can see the date of the latest update at the top of this page. If changes materially affect how we process your data we will ask for consent again where required.

    Annex A consent text used in the product

    Explicit consent for transcript and generated questions

    I give preppito explicit consent to process the full transcript of my practice interview and the interview questions that are generated from my CV and the job post, including any special category information that I choose to reveal, only to generate practice questions and personalised feedback, and to store the transcript and the generated questions for up to 30 days so that I can review my session. I understand that processing uses Google services configured to run in European Union Google Cloud regions. I can withdraw this consent at any time and my transcript and generated questions will then be deleted. This consent is required in order to provide the service because feedback must be based on what I actually said and on the questions built from my CV.