Privacy Policy

ConnectGRC is the data controller for personal data collected through the Service. We make decisions about why and how it is processed.

If you have a data-protection question, write to us via the contact page and mark the message "Data protection." A dedicated DPO contact is published below before public launch.

We process the following categories of personal data:

• Account data — email, password hash, role (talent / employer), email-verification status. Sign-up data collected by Supabase Auth on our behalf.
• Profile data — full name, location, years of GRC experience, framework expertise, certifications, career goals, uploaded résumés, LinkedIn URL, and any free-text you add. You choose what to share.
• Voice-assessment data — audio captured during a voice session is processed in real-time by speech-to-text (Deepgram via LiveKit Inference). We do not retain the raw audio file once the session ends. We retain the transcript (assessor + candidate turns) and per-question text answers.
• Assessment outputs — tier, overall score, per-domain scores, AI-generated strengths/improvements/summary, timestamps.
• Usage and device data — IP address (for the consent log and rate-limiting), browser user-agent, pages visited, in-app events. PostHog processes a subset for product analytics.
• Consent records — every voice-data consent you give is logged with its version, timestamp, and IP — this is the audit trail GDPR / EU AI Act expect.

We do not deliberately collect special-category data (Article 9 GDPR). Your voice recording is processed for transcription but is not used for biometric identification.

Under GDPR Article 6 we rely on:

• Performance of a contract — to provide you with the account, profile, and core platform features you signed up for.
• Your explicit consent — for voice-assessment audio capture, recorded separately before each assessment starts. You can withdraw consent at any time by ending the session and requesting deletion.
• Legitimate interests — security monitoring, fraud prevention, debugging, anonymised analytics for service improvement. We balance these against your rights and freedoms.
• Legal obligation — when we must retain or disclose data to comply with applicable law.

The Service uses third-party AI processors for specific purposes:

• Speech-to-text (Deepgram via LiveKit Inference) — transcribes voice answers in real-time.
• Text-to-speech (Cartesia via LiveKit Inference) — voices the assessor.
• Conversational LLM (OpenAI via LiveKit Inference) — runs the live assessor turn-by-turn.
• Scoring judge + synthesis(Google Gemini 2.5 Pro via Vertex AI) — grades your answers against rubric "golden answers" and writes the strengths/improvements summary.
• Embeddings (OpenAI text-embedding-3-small) — indexes our internal golden-answer rubrics. Your data is not embedded.
• Career-pathway generation (Google Gemini via Vertex AI) — generates simulated career paths from your profile inputs.

We have written agreements with each processor requiring them to process data only on our instructions and not to train their models on your inputs. Where a processor is outside the European Economic Area, transfers are protected by Standard Contractual Clauses and supplementary measures.

AI outputs — tier, score, written feedback, career suggestions — are advisory. They are not used to make decisions that produce legal or similarly significant effects on you without a human in the loop. You can request human review of any AI output by contacting us.

We retain personal data for the following default periods:

• Profile and account data — until you delete your account, then up to 30 days in backups before secure erasure.
• Voice-assessment audio — not retained. The transcript is created in real-time and the raw audio is discarded at session close.
• Transcripts and per-question answers — retained for as long as your account is active. You can delete any assessment row from the profile privacy page (subject to a brief grace period for backups).
• Consent logs — retained for 6 years after the consent ends, as required for audit purposes under GDPR Article 7(1).
• Security and audit logs — retained for 1 year.
• Anonymised analytics — retained indefinitely. Once data is irreversibly anonymised it falls outside GDPR.

We share personal data only with the following categories of recipient:

• Sub-processors — Supabase (database + auth), Cloudflare (edge hosting), LiveKit (voice infrastructure), Deepgram, Cartesia, OpenAI, Google Cloud Vertex AI, PostHog (product analytics).
• Employers you connect with — only the data you choose to share, and at the moment you initiate the share. We never publish your full transcript or per-question answers without your specific action.
• Law-enforcement and regulators — when we are legally required to do so.

A current sub-processor list will be maintained at this page before public launch.

Some of our sub-processors operate in the United States or other jurisdictions outside the European Economic Area. Where we transfer personal data outside the EEA, we rely on the European Commission's Standard Contractual Clauses (2021) together with supplementary measures including encryption in transit and at rest, contractual prohibitions on government access, and minimised data scope. A copy of the SCCs is available on request.

We protect personal data using a combination of technical and organisational measures, including:

• TLS 1.3 in transit.
• Encryption at rest for all database and object storage (managed by our infrastructure providers).
• Row-Level Security policies on every database table; service-role access is gated by application-side admin checks.
• Principle of least privilege for staff access to systems.
• Logging and monitoring of administrative actions.

No security control is absolute. If we become aware of a personal- data breach that is likely to result in a risk to your rights or freedoms, we will notify you and the relevant supervisory authority in line with GDPR Articles 33 and 34.

Subject to local law, you have the right to:

• Access the personal data we hold about you.
• Rectify inaccurate data — most of this you can do yourself from the profile pages.
• Eraseyour data (the "right to be forgotten") — delete individual assessments from the profile privacy page, or delete your whole account, also from there.
• Restrict processing in certain circumstances.
• Port your data — export your profile and assessment history as JSON on request.
• Object to processing based on legitimate interests.
• Withdraw consent for voice-assessment audio at any time. Withdrawing consent does not affect processing that occurred before the withdrawal.
• Complain to your local data-protection supervisory authority. EU/UK residents may complain to the ICO, CNIL, or equivalent regulator in your country of residence.

We respond to verifiable requests within one month. To exercise a right, use the controls on your profile privacy page or contact us via the contact page.

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided data to us, contact us and we will delete it.

We may update this Privacy Policy from time to time. Material changes will be notified to signed-in users at least 14 days before they take effect. The version number and last-updated date at the top of this page are the canonical record.

Use the contact page for any data-protection enquiry and mark your message "Data protection." A dedicated DPO email address will be published here before public launch.