This Privacy Policy explains how Sentient AI Inc. (doing business as "NexxaScreen") collects, uses, shares, and protects your personal data when you use our website, platform, and services. We have written this policy to be transparent and straightforward — not to bury important details in legal jargon.
By using NexxaScreen, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our services.
1. Who We Are
Sentient AI Inc. (dba "NexxaScreen," "we," "us," "our") is a Delaware corporation registered at:
Sentient AI Inc., 8 The Green, STE R, Dover, DE 19901, United States
We operate the NexxaScreen platform at https://nexxascreen.com, an AI-powered interview and hiring assessment platform.
Data Protection Officer (DPO): Vinay Jain
Email: [email protected]
EU Representative: To be appointed. We are in the process of designating an EU representative pursuant to Article 27 of the GDPR. This section will be updated once the appointment is finalized.
Roles under data protection law:
- When we provide services directly to candidates (such as mock interviews or the AI Interview Coach), we act as the data controller.
- When we process candidate data on behalf of a recruiting company or employer, we act as a data processor on their behalf. In that scenario, the employer is the data controller and determines the purposes and means of processing.
- For our own platform operations (analytics, security, service improvement), we act as the data controller.
2. Scope
This Privacy Policy applies to all individuals who interact with NexxaScreen, including:
- Candidates — individuals who participate in AI-powered interviews (whether invited by an employer or practicing independently), use mock interview features, or create candidate accounts.
- Recruiters and Employers — organizations and their authorized personnel who use NexxaScreen to create, manage, and evaluate interviews, and who access candidate assessment data.
- Campus Users — colleges, universities, placement officers, and students who use NexxaScreen through our Campus (College B2B) product for interview preparation and placement activities.
- Website Visitors — anyone who visits nexxascreen.com or our related web properties, regardless of whether they create an account.
This policy covers data collected through:
- The NexxaScreen web platform (nexxascreen.com)
- AI-powered video and phone interviews
- WhatsApp, SMS, and email communications sent through our platform
- Our APIs and integrations
- Our mobile-accessible web application
This policy does not cover third-party websites or services linked from our platform. We encourage you to review the privacy policies of any third-party service you interact with.
Relationship to other legal documents: This Privacy Policy should be read alongside our Terms of Service, Cookie Policy, and Data Processing Agreement. In the event of a conflict between this Privacy Policy and any other agreement, the terms that provide greater protection for your personal data will prevail.
3. Data We Collect
We collect different categories of personal data depending on how you interact with NexxaScreen. The following tables provide a comprehensive overview.
Account Data
| Data Element | Description | Who It Applies To |
|---|---|---|
| Full name | First and last name | All users |
| Email address | Primary contact email | All users |
| Password | Stored as a cryptographic hash (we never store plaintext passwords) | All users |
| Company name | Organization name | Recruiters, campus users |
| Job title / role | Professional role within the organization | Recruiters |
| Profile photo | Optional avatar or profile image | All users |
| Phone number | Used for account verification or communication | All users (when provided) |
Interview Data
| Data Element | Description | Who It Applies To |
|---|---|---|
| Video recordings | Full video recordings of interview sessions | Candidates |
| Audio recordings | Audio tracks from video interviews and phone interviews | Candidates |
| Transcripts | AI-generated text transcriptions of spoken responses | Candidates |
| AI-generated scores | Numerical and categorical assessments of interview performance | Candidates |
| AI-generated summaries | Written summaries and evaluations of candidate responses | Candidates |
| Interview timestamps | Date, time, and duration of interview sessions | Candidates |
| Interview configuration | Questions, scoring rubrics, and parameters set by recruiters | Recruiters |
Biometric-Adjacent Data
| Data Element | Description | Purpose |
|---|---|---|
| Speech pace metrics | Words per minute and variation in speaking speed | Communication assessment |
| Vocal clarity indicators | Analysis of pronunciation clarity and articulation | Communication assessment |
| Filler word frequency | Count and frequency of filler words (um, uh, like, etc.) | Communication assessment |
| Pause patterns | Duration and placement of pauses in speech | Communication assessment |
Important distinction: We analyze voice characteristics for communication assessment purposes. We do not create voiceprints, facial geometry maps, fingerprint scans, retina/iris scans, or any biometric identifier used to uniquely identify individuals. See Section 6 (Biometric Data Notice) for details.
Device and Usage Data
| Data Element | Description | Collection Method |
|---|---|---|
| IP address | Internet Protocol address | Automatic |
| Browser type and version | e.g., Chrome 125, Safari 19 | Automatic |
| Operating system | e.g., Windows 11, macOS, iOS, Android | Automatic |
| Device type | Desktop, tablet, or mobile | Automatic |
| Pages visited | Which pages you view on our platform | Umami (cookieless) |
| Session duration | How long you spend on the platform | Umami (cookieless) |
| Referral source | How you arrived at our website | Google Analytics (GA4) |
| Feature usage | Which platform features you interact with | Application logs |
Note on analytics: Our primary analytics tool (Umami) is self-hosted and cookieless — it does not use cookies or track you across websites. We also use Google Analytics (GA4) for website analytics, which may use cookies as described in our Cookie Policy.
Third-Party Authentication Data
| Data Element | Source | Description |
|---|---|---|
| Name | Google OAuth, LinkedIn OAuth | Name from your social account |
| Email address | Google OAuth, LinkedIn OAuth | Email associated with your social account |
| Profile photo | Google OAuth, LinkedIn OAuth | Avatar from your social account |
We only receive the data you authorize during the OAuth consent flow. We do not access your contacts, posts, or other social media content.
Communication Data
| Data Element | Description | When Collected |
|---|---|---|
| WhatsApp messages | Messages sent to/from candidates via WhatsApp Business | When WhatsApp communication is used |
| SMS messages | Text messages sent to candidates | When SMS outreach is used |
| Email content | Transactional and notification emails | When email communication is triggered |
| Phone numbers | Mobile or landline numbers for communication | When phone interviews or messaging is used |
| Communication timestamps | When messages were sent, delivered, and read | Automatic with each communication |
Payment Data
| Data Element | Description | Storage |
|---|---|---|
| Billing name and address | Name and address for invoicing | Stored by us |
| Subscription plan | Which plan you are on | Stored by us |
| Payment method type | e.g., credit card, debit card | Stored by us (type only) |
| Card details | Full card number, CVV, expiration | Processed and stored by Stripe only — we never see or store your full card details |
| Transaction history | Record of charges and credits | Stored by us and Stripe |
Campus Data
| Data Element | Description | Who It Applies To |
|---|---|---|
| College/university name | Name of the educational institution | Campus administrators |
| Department | Academic department | Campus administrators |
| Student enrollment information | Student lists for interview scheduling | Campus administrators, students |
| Placement data | Placement activity and outcomes | Campus administrators |
4. How We Use Your Data
We process your personal data for specific, disclosed purposes. Below we map each purpose to its legal basis across the jurisdictions we operate in.
Service Delivery
What we do: Operate the platform, manage accounts, conduct interviews, deliver results to recruiters, process payments, and provide customer support.
| Jurisdiction | Legal Basis |
|---|---|
| EU/UK (GDPR) | Performance of a contract (Article 6(1)(b)) |
| United States | Contractual necessity; disclosed in this policy |
| India (DPDP Act) | Consent of the Data Principal |
| California (CCPA/CPRA) | Business purpose — performing services |
AI Analysis and Scoring
What we do: Use artificial intelligence to evaluate interview responses, score communication skills, generate summaries, and provide feedback.
| Jurisdiction | Legal Basis |
|---|---|
| EU/UK (GDPR) | Explicit consent obtained before each interview session (Article 6(1)(a)) |
| United States | Consent obtained via pre-interview disclosure and acceptance |
| India (DPDP Act) | Consent of the Data Principal |
| California (CCPA/CPRA) | Consent; ADMT pre-use notice provided |
AI Model Improvement
What we do: Use de-identified data to improve the fairness, accuracy, and quality of our AI models. See Section 5 for full details.
| Jurisdiction | Legal Basis |
|---|---|
| EU/UK (GDPR) | Legitimate interest (Article 6(1)(f)) — supported by Legitimate Interests Assessment |
| United States | Disclosed in this policy; consent where required by state law |
| India (DPDP Act) | Consent of the Data Principal |
| California (CCPA/CPRA) | Business purpose — improving services |
Communication
What we do: Send interview invitations, reminders, results notifications, account alerts, and support responses via email, WhatsApp, or SMS.
| Jurisdiction | Legal Basis |
|---|---|
| EU/UK (GDPR) | Performance of a contract (Article 6(1)(b)) for service communications; consent (Article 6(1)(a)) for marketing |
| United States | Contractual necessity for service communications; CAN-SPAM and TCPA compliance for marketing |
| India (DPDP Act) | Consent of the Data Principal |
| California (CCPA/CPRA) | Business purpose — communicating with consumers |
Analytics
What we do: Analyze platform usage patterns, feature adoption, and performance metrics to improve our services.
| Jurisdiction | Legal Basis |
|---|---|
| EU/UK (GDPR) | Legitimate interest (Article 6(1)(f)) for cookieless analytics; consent for cookie-based analytics |
| United States | Disclosed in this policy |
| India (DPDP Act) | Consent of the Data Principal |
| California (CCPA/CPRA) | Business purpose — analytics and research |
Security and Fraud Prevention
What we do: Monitor for unauthorized access, detect suspicious activity, prevent abuse, and protect the integrity of the platform and its users.
| Jurisdiction | Legal Basis |
|---|---|
| EU/UK (GDPR) | Legitimate interest (Article 6(1)(f)) and legal obligation (Article 6(1)(c)) |
| United States | Disclosed in this policy; applicable security laws |
| India (DPDP Act) | Reasonable purpose under Section 7 |
| California (CCPA/CPRA) | Business purpose — security and fraud prevention |
Legal Compliance
What we do: Comply with applicable laws, respond to lawful requests from authorities, enforce our terms of service, and establish or defend legal claims.
| Jurisdiction | Legal Basis |
|---|---|
| EU/UK (GDPR) | Legal obligation (Article 6(1)(c)) and legitimate interest (Article 6(1)(f)) |
| United States | Legal obligation; applicable laws and regulations |
| India (DPDP Act) | Compliance with law |
| California (CCPA/CPRA) | Legal obligation |
5. Artificial Intelligence Disclosures
NexxaScreen uses artificial intelligence as a core part of our platform. We believe in being transparent about what our AI does, what it does not do, and how we work to make it fair.
What Our AI Does
- Evaluates interview responses — AI analyzes candidate answers for relevance, depth, structure, and alignment with the role requirements defined by the recruiter.
- Scores communication skills — AI assesses spoken communication across dimensions including clarity, pace, vocabulary, fluency, coherence, and confidence.
- Generates summaries — AI produces written summaries of interview performance to help recruiters review candidates efficiently.
- Provides coaching feedback — For mock interviews and practice sessions, AI generates actionable feedback to help candidates improve.
- Transcribes speech — AI converts spoken responses into text transcripts for analysis and review.
- Conducts interactive video interviews via AI avatar — In some interview modes, candidates interact with an AI-generated video avatar that appears as a human-like character. This is an AI, not a real person. The avatar is designed to create a more natural and engaging interview experience. Candidates are informed of this before the interview begins through our consent screen.
What Our AI Does NOT Do
- Make hiring decisions — Our AI provides assessments and scores as decision-support tools. The recruiter or employer retains full authority over all hiring decisions. AI outputs are recommendations, not determinations.
- Perform facial recognition — We do not use AI to identify individuals by their facial features.
- Create voiceprints — We do not use AI to create unique biometric voiceprints for identification purposes.
- Infer protected characteristics — Our AI is not designed to infer or assess race, gender, age, disability, religion, sexual orientation, or any other protected characteristic.
AI Training and Fairness
We distinguish between employer-initiated interviews (conducted for hiring decisions or internal testing) and candidate-initiated sessions (mock interviews, demos, guest "try it" sessions, practice, and enrichment). Only de-identified data from candidate-initiated sessions is used for AI model training. Employer-initiated interview data is never used for training.
All interview data, regardless of type, may be used in de-identified form for bias audits, quality assurance, and compliance reporting.
Key principles of our AI training practices:
- De-identification first — Before any data enters our training pipeline or is used for bias audits, all personal identifiers (name, email, company, and other identifying information) are removed. De-identified data cannot be traced back to you.
- Employer data excluded from training — Data from employer-initiated interviews is used only for generating assessments, bias audits, quality assurance, and compliance. It is never used to train or fine-tune AI models.
- Fairness improvement — Training on diverse, de-identified data from candidate-initiated sessions helps our AI produce more consistent and equitable assessments across different accents, speaking styles, and communication patterns.
- Bias reduction — We use de-identified data from all interview types to identify and correct patterns where our AI may produce systematically different outcomes for different groups.
- No individual profiling — Training data is used to improve the general model, not to build profiles of individual candidates.
- Annual bias audit — We commit to conducting annual audits of our AI models to assess and address potential bias in scoring and assessment outcomes.
Right to Human Review
You have the right to request human review of any AI-generated assessment. If you believe an AI-generated score or summary does not accurately reflect your interview performance, you may:
- Contact the recruiting company that invited you (if applicable), as they are the decision-maker.
- Contact us at [email protected] to request a review of the AI assessment process.
Model Transparency
Our AI models are built using large language models (currently Anthropic Claude) and speech-to-text technology (currently Deepgram). These models:
- Are general-purpose AI models fine-tuned for interview assessment tasks
- Process each interview independently — they do not retain information from one candidate's interview to another
- Produce probabilistic outputs — scores and assessments represent the model's evaluation based on the criteria provided, not absolute truths
- May occasionally produce errors, inconsistencies, or outputs that do not accurately reflect a candidate's abilities
Nature of AI Scores
AI-generated scores are relative, not absolute. A candidate's score reflects how the AI evaluated their responses against the interview criteria set by the employer — it is not an objective measurement of the candidate's skills or abilities. Key points about AI scoring:
- Relative assessment: Scores are contextual to the specific interview, role requirements, and evaluation criteria configured by the employer. The same response may receive different scores under different criteria.
- Not perfectly reproducible: Because our AI uses large language models, the same interview response evaluated multiple times may yield slightly different scores. This is an inherent characteristic of probabilistic AI systems.
- Cannot be fully explained at the individual level: While we can describe the dimensions our AI evaluates (e.g., relevance, depth, communication clarity), we cannot provide a complete, granular explanation of why the AI assigned a specific score to a specific response. Large language models do not produce human-interpretable reasoning chains for each decision.
- Advisory only: Scores are tools to assist human decision-makers, not replacements for human judgment. No hiring decision should be based solely on an AI score.
- Human review available: If you believe an AI assessment does not reflect your performance, you have the right to request human review (see "Right to Human Review" above).
We continuously evaluate our AI outputs for quality and consistency. If you encounter an assessment that seems incorrect or unfair, please contact us.
Shared Responsibility Model
NexxaScreen provides AI-powered assessment tools. Employers and recruiters who use our platform are responsible for:
- Making final hiring decisions using their own human judgment
- Ensuring their use of AI assessment data complies with their local employment and anti-discrimination laws
- Providing any additional notices or obtaining any additional consents required by their jurisdiction
- Determining how AI assessment data factors into their overall hiring process
We provide the tools; the employer makes the decisions and bears responsibility for how those decisions are made.
6. Biometric Data Notice
This section provides specific disclosures required by state biometric privacy laws, including the Illinois Biometric Information Privacy Act (BIPA), the California Consumer Privacy Act (CCPA/CPRA), the Washington My Health My Data Act, and similar state laws.
What We Collect
As part of our communication assessment feature, we analyze voice characteristics from interview audio recordings. Specifically, we process:
- Speech pace — words per minute and variation in speaking speed
- Vocal clarity — pronunciation clarity and articulation quality
- Filler word frequency — how often filler words (um, uh, like, you know) appear in speech
- Pause patterns — duration and placement of pauses during responses
- Fluency indicators — smoothness of speech delivery and sentence completion
What We Do NOT Collect
We do not collect, capture, or store:
- Facial geometry or facial recognition data
- Fingerprints
- Retina or iris scans
- Voiceprints (unique voice identifiers used for authentication)
- Palm prints, hand geometry, or gait analysis
- DNA or genetic markers
- Any biometric identifier used to uniquely identify a specific individual
Purpose
Voice characteristics are analyzed solely to evaluate spoken communication skills in the context of an interview assessment. This data is used to generate communication scores and feedback — not to identify, authenticate, or track individuals.
Retention and Destruction
- Maximum retention period: Voice characteristic data derived from interviews is retained for a maximum of 1 year from the date of collection, after which it is permanently and irreversibly deleted.
- Earlier deletion: If you request deletion of your data, or if the recruiting company requests deletion, voice characteristic data will be deleted within 30 days of the request.
- Deletion method: Data is permanently deleted from all active systems. Backup copies are purged on the next backup rotation cycle, not to exceed 90 days after active deletion.
Consent
- Consent for voice characteristic analysis is obtained before each interview session through a digital consent screen presented to the candidate.
- The consent screen clearly discloses that voice characteristics will be analyzed for communication assessment purposes.
- You may decline consent, in which case the communication assessment feature will not be applied to your interview.
Withdrawal of Consent
- You may withdraw your consent to voice characteristic analysis at any time by emailing [email protected].
- Upon withdrawal, we will delete your voice characteristic data within 30 days.
- Withdrawal of consent does not affect the lawfulness of processing performed before the withdrawal.
No Sale or Sharing
We do not sell, lease, trade, or otherwise disclose biometric-adjacent data (voice characteristics) to any third party for commercial purposes. Voice characteristic data is shared only with the recruiting company that initiated the interview, as part of the communication assessment results, and with our sub-processors as necessary to provide the service.
7. How We Share Your Data
We share your personal data only in the following circumstances and with appropriate safeguards in place.
Recruiting Companies and Employers
If you are a candidate participating in an employer-initiated interview, your interview data (recordings, transcripts, AI scores, summaries, and communication assessment results) is shared with the recruiting company that invited you. In this context, the recruiting company is the data controller for their use of your data in their hiring process. Their privacy policy governs their handling of your data after they receive it.
Sub-Processors
We use third-party service providers to operate our platform. These sub-processors process your data on our behalf, under our instructions, and subject to data processing agreements that require them to protect your data.
A current list of our sub-processors is available at /legal/sub-processors.
Our key sub-processors include:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, S3 storage, AI services (Bedrock), email (SES), text-to-speech (Polly) | United States |
| Anthropic | AI analysis and scoring (Claude) | United States |
| Deepgram | Speech-to-text transcription | United States |
| LiveKit | Real-time video and audio infrastructure | United States |
| Twilio | Telephony, WhatsApp messaging, SMS | United States |
| Stripe | Payment processing | United States |
| Hetzner | Server hosting | European Union (Germany) |
| Resend | Transactional email delivery | United States |
| Google | OAuth authentication, website analytics (GA4) | United States |
| LinkedIn | OAuth authentication | United States |
| Laravel Forge | Server provisioning and management | United States |
Professional Advisors
We may share your data with our legal counsel, accountants, auditors, and other professional advisors who are bound by professional confidentiality obligations.
Law Enforcement and Regulators
We may disclose your data when we believe in good faith that disclosure is required to:
- Comply with applicable law, regulation, legal process, or governmental request
- Enforce our Terms of Service or other agreements
- Protect the rights, property, or safety of NexxaScreen, our users, or the public
- Detect, prevent, or address fraud, security, or technical issues
We will notify you of such requests where legally permitted to do so.
Business Transfers
In the event of a merger, acquisition, bankruptcy, reorganization, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy. Where required by law, we will obtain your consent before such transfer.
We Never Sell Personal Data
We do not sell your personal data. We have never sold personal data. We will not sell your personal data. This applies across all jurisdictions and to all categories of data we collect, including under the broadened definitions of "sale" in the CCPA/CPRA.
We do not share your personal data with third parties for cross-context behavioral advertising.
8. International Data Transfers
NexxaScreen is a US-based company with hosting infrastructure in the European Union (Germany). Your personal data may be transferred to, stored, and processed in countries outside your country of residence. We take the following measures to ensure your data is protected during international transfers.
Where Your Data Is Processed
| Location | Purpose |
|---|---|
| United States | AI processing, telephony, payment processing, email delivery, authentication |
| European Union (Germany) | Primary server hosting (Hetzner) |
EU and UK to United States
For transfers of personal data from the European Economic Area (EEA) or United Kingdom to the United States, we rely on:
- EU-US Data Privacy Framework (DPF) — Where our US-based sub-processors are certified under the DPF, we rely on their certification as a valid transfer mechanism.
- Standard Contractual Clauses (SCCs) — As a fallback and supplementary measure, we enter into the European Commission's Standard Contractual Clauses (Module 2: Controller to Processor) with our US-based sub-processors.
- UK Extension to the Data Privacy Framework and the UK Addendum to the International Data Transfer Agreement — For transfers from the UK specifically.
India to United States
For transfers of personal data from India, we rely on:
- Consent-based transfer — Under the Digital Personal Data Protection Act, 2023 (DPDP Act), we transfer data with the consent of the Data Principal to countries not restricted by the Central Government of India.
Transfer Safeguards
- We conduct Transfer Impact Assessments where required to evaluate the data protection regime of the receiving country.
- All sub-processors are bound by Data Processing Agreements that include appropriate data protection obligations.
- We implement technical safeguards including encryption in transit and at rest for all transferred data.
- We monitor regulatory developments and update our transfer mechanisms as needed.
9. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this policy, comply with legal obligations, and resolve disputes. The table below sets out our standard retention periods.
| Data Type | Retention Period | Notes |
|---|---|---|
| Interview recordings (video and audio) | 2 years from date of recording, or employer-specified shorter period | Employers may configure shorter retention through their account settings |
| Interview transcripts and AI scores | 2 years from date of creation, or employer-specified shorter period | Aligned with recording retention |
| Biometric-adjacent data (voice characteristics) | 1 year from date of collection | Permanently deleted after this period |
| Account data (profile, settings) | Duration of active account + 30 days after deletion or deactivation | 30-day grace period allows account recovery |
| Communication logs (WhatsApp, SMS, email) | 1 year from date of communication | Includes message content and delivery metadata |
| Website analytics data | 26 months from date of collection | Consistent with standard analytics retention |
| Payment and billing records | As required by tax law (typically 7 years) | Retained to comply with financial regulations |
| Audit and security logs | 7 years from date of creation | Retained for compliance, investigation, and security purposes |
| De-identified training data (candidate-initiated sessions only) | Indefinite | De-identified data from candidate-initiated sessions is not personal data and may be retained indefinitely for AI model improvement |
Deletion Process
When personal data reaches the end of its retention period, or when you submit a valid deletion request:
- Data is deleted from all active databases and storage systems.
- Data in backup archives is purged on the next backup rotation cycle (within 90 days of active deletion).
- De-identified data from candidate-initiated sessions that has already been incorporated into AI training datasets is not considered personal data and is not subject to individual deletion requests. Employer-initiated interview data is not used for AI training and is subject to standard retention and deletion schedules.
Employer-Controlled Retention
For interviews conducted on behalf of employers, the employer may set a shorter retention period than our defaults. We honor the shorter of our standard period or the employer-specified period.
10. Your Privacy Rights
Regardless of where you live, we provide all NexxaScreen users with the ability to:
- Access your personal data
- Correct inaccurate or incomplete data
- Delete your personal data (subject to legal retention requirements)
- Export your data in a portable format
- Withdraw consent you have previously given
Below are additional rights specific to your jurisdiction.
EU/UK Residents (GDPR)
If you are located in the European Economic Area or the United Kingdom, you have the following rights under the General Data Protection Regulation:
- Right of access (Article 15) — Obtain a copy of your personal data and information about how it is processed.
- Right to rectification (Article 16) — Correct inaccurate personal data or complete incomplete data.
- Right to erasure (Article 17) — Request deletion of your personal data where there is no compelling reason for continued processing.
- Right to restriction of processing (Article 18) — Request that we limit how we use your data in certain circumstances.
- Right to data portability (Article 20) — Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
- Right to object (Article 21) — Object to processing based on legitimate interests, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds.
- Rights related to automated decision-making (Article 22) — You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. You may request human intervention, express your point of view, and contest automated decisions.
- Right to lodge a complaint — You may file a complaint with your local Data Protection Authority. For UK residents, this is the Information Commissioner's Office (ICO) at https://ico.org.uk. For EU residents, contact the relevant supervisory authority in your member state.
To exercise your rights, email [email protected]. We will respond within 30 days (extendable by an additional 60 days for complex requests, with notice to you).
California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:
- Right to know — Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, our purposes, and the categories of third parties with whom we share it.
- Right to delete — Request deletion of your personal information, subject to certain exceptions.
- Right to correct — Request correction of inaccurate personal information.
- Right to opt out of sale or sharing — We do not sell your personal information or share it for cross-context behavioral advertising. If this changes, we will provide an opt-out mechanism.
- Right to limit use of sensitive personal information — You may direct us to limit the use of sensitive personal information to what is necessary to perform the services.
- Non-discrimination — We will not discriminate against you for exercising your privacy rights (no denied services, different pricing, or reduced quality).
- Automated Decision-Making Technology (ADMT) Notice — Effective January 2027, California law provides the right to opt out of automated decision-making technology used for consequential decisions. We provide pre-use notice before each interview and will implement an opt-out mechanism in compliance with applicable regulations.
- Authorized agents — You may designate an authorized agent to submit requests on your behalf. We may require the agent to provide proof of authorization and verify your identity.
Verification: We verify your identity through email confirmation to the email address associated with your account.
To exercise your rights, email [email protected]. We will respond within 45 days (extendable by an additional 45 days for complex requests, with notice to you). You may also submit requests through your account settings where available.
India Residents (DPDP Act)
If you are a resident of India, you have the following rights under the Digital Personal Data Protection Act, 2023:
- Right of access — Obtain a summary of your personal data being processed and the processing activities.
- Right to correction — Request correction of inaccurate or misleading personal data.
- Right to erasure — Request erasure of personal data that is no longer necessary for the purpose for which it was collected.
- Right to grievance redressal — You have the right to register a grievance with us regarding our handling of your personal data. We will acknowledge your grievance and provide a resolution within 30 days.
- Right to nominate — You may nominate another individual to exercise your rights in the event of your death or incapacity.
- Consent withdrawal — You may withdraw your consent at any time. Upon withdrawal, we will cease processing and delete your personal data within a reasonable timeframe, unless retention is required by law. Note that withdrawal of consent may affect your ability to use certain features of the platform.
To exercise your rights, email [email protected]. We will respond within 30 days.
Illinois Residents (BIPA)
If you are an Illinois resident, you have additional rights under the Illinois Biometric Information Privacy Act (BIPA):
- Written consent — We obtain your written consent (via digital consent screen) before collecting any biometric-adjacent data (voice characteristics for communication assessment).
- Right to request deletion — You may request deletion of your biometric data at any time by emailing [email protected].
- Destruction schedule — Biometric-adjacent data is destroyed within 1 year of your last interaction with the platform, or within 30 days of a deletion request, whichever comes first.
- No profit from biometric data — We do not sell, lease, trade, or otherwise profit from your biometric data.
Colorado and Connecticut Residents
If you are a resident of Colorado or Connecticut, you have the following additional rights under the Colorado Privacy Act and the Connecticut Data Privacy Act:
- Right to opt out of profiling — You may opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
- Right to opt out of targeted advertising — You may opt out of the processing of your personal data for the purposes of targeted advertising.
- Right to appeal — If we decline to take action on your rights request, you may appeal our decision by contacting us at [email protected]. We will respond to your appeal within 45 days.
How to Exercise Your Rights
Email: [email protected]
Please include:
- Your full name and email address associated with your account
- The specific right(s) you wish to exercise
- Your state or country of residence
Response time: Within 30 days for most requests (45 days for CCPA requests). No fee is charged for reasonable requests. If a request is manifestly unfounded or excessive, we may charge a reasonable fee or decline to act, with an explanation.
Identity verification: We may request additional information to verify your identity before processing your request. This is a security measure to prevent unauthorized access to your personal data.
11. Children's Privacy
NexxaScreen is designed for professional and educational use by adults.
- Minimum age: Our platform is not intended for use by anyone under the age of 16.
- Interview participation: Participation in video or phone interviews requires users to be at least 18 years of age.
- Campus users: Students accessing the platform through a college or university campus program must be at least 16 years of age and have appropriate authorization from their educational institution.
- COPPA compliance: We do not knowingly collect personal data from children under the age of 13. If we discover that we have inadvertently collected personal data from a child under 13, we will promptly delete it.
- Parental notice: If you are a parent or guardian and believe your child has provided personal data to NexxaScreen, please contact us at [email protected]. We will take steps to delete the data and close any associated account.
12. California Privacy Notice (CCPA/CPRA Supplement)
This section provides additional disclosures required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act.
Categories of Personal Information Collected
The following table maps our data collection practices to the CCPA's statutory categories of personal information.
| CCPA Category | Examples from NexxaScreen | Collected | Sold | Shared for Cross-Context Behavioral Advertising |
|---|---|---|---|---|
| A. Identifiers | Name, email address, IP address, phone number | Yes | No | No |
| B. Personal information under Cal. Civ. Code 1798.80(e) | Name, address, phone number | Yes | No | No |
| C. Protected classification characteristics | Not intentionally collected | No | No | No |
| D. Commercial information | Subscription plan, transaction history, credit balance | Yes | No | No |
| E. Biometric information | Voice characteristics (pace, clarity, filler words) | Yes | No | No |
| F. Internet or similar network activity | Pages visited, feature usage, session data | Yes | No | No |
| G. Geolocation data | Approximate location derived from IP address | Yes | No | No |
| H. Sensory data (audio, visual) | Interview video and audio recordings | Yes | No | No |
| I. Professional or employment information | Resume/CV, company name, job title | Yes | No | No |
| J. Education information | College name, department (campus users) | Yes | No | No |
| K. Inferences | AI assessment scores, communication ratings, performance summaries | Yes | No | No |
| L. Sensitive personal information | Account login credentials (email + password hash) | Yes | No | No |
Sources of Personal Information
- Directly from you (account registration, interview participation, communications)
- From recruiting companies or employers (interview configuration, candidate lists)
- From educational institutions (campus program enrollment)
- Automatically from your device (IP address, browser type, usage data)
- From third-party authentication providers (Google OAuth, LinkedIn OAuth)
Business Purposes for Collection
We collect personal information for the business purposes described in Section 4 of this policy, including: providing our services, AI analysis and scoring, communication, analytics, security, and legal compliance.
Retention
We retain personal information as described in Section 9 of this policy.
Shine the Light (California Civil Code Section 1798.83)
California residents may request information about our disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.
Automated Decision-Making Technology (ADMT)
- Pre-use notice: Before each interview, candidates receive a disclosure that AI will be used to analyze their responses and generate assessment scores.
- Purpose: ADMT is used to evaluate interview responses and communication skills to assist recruiters in their hiring process.
- Opt-out: Candidates may decline AI assessment. This may limit the availability of certain platform features.
- Impact assessment: We conduct annual assessments of our automated decision-making technology to evaluate its impact on consumers, including potential for bias and disparate outcomes.
Financial Incentive Programs
We do not offer financial incentives related to the collection, retention, or sale of personal information.
13. India Privacy Notice (DPDP Act Supplement)
This section provides additional disclosures for residents of India under the Digital Personal Data Protection Act, 2023 (DPDP Act).
Legal Basis for Processing
Under the DPDP Act, we process your personal data based on your consent. The DPDP Act does not recognize "legitimate interest" as a standalone legal basis. Accordingly, we obtain your consent for all processing activities related to your personal data when you are located in India.
Consent is obtained through:
- Account registration (for account and profile data)
- Pre-interview consent screen (for interview, AI analysis, and voice characteristic data)
- Communication opt-in (for WhatsApp, SMS, and marketing communications)
Consent Manager
We are preparing for compliance with the Consent Manager framework as specified in the DPDP Rules. We intend to have our consent management infrastructure operational by November 2026, in accordance with the expected regulatory timeline.
Grievance Officer
In accordance with the DPDP Act, our Grievance Officer is:
Name: Vinay Jain
Email: [email protected]
Response time: Within 30 days of receiving your grievance
You may contact the Grievance Officer to:
- Register a complaint about how your personal data is being processed
- Request access to, correction of, or erasure of your personal data
- Withdraw your consent
- Exercise your right to nominate
Data Principal Rights
Your rights as a Data Principal are described in Section 10 of this policy. All rights requests may be submitted to [email protected].
Cross-Border Transfers
Your personal data may be transferred to and processed in the United States and the European Union. Such transfers are made with your consent and only to countries that have not been restricted by the Central Government of India under the DPDP Act. If the Central Government restricts transfers to any country where our sub-processors are located, we will take appropriate steps to ensure continued compliance, which may include data localization or migration to compliant infrastructure.
Data Fiduciary Obligations
As a Data Fiduciary under the DPDP Act, we are committed to:
- Processing your personal data only for the purposes for which consent was obtained
- Maintaining accuracy of your personal data
- Implementing reasonable security safeguards to protect your personal data
- Deleting your personal data when it is no longer needed for its stated purpose or upon withdrawal of consent
- Publishing the contact details of our Grievance Officer (provided above)
14. Data Security
We implement industry-standard technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. No system is perfectly secure, and we cannot guarantee absolute security, but we take reasonable steps to protect your data.
Technical Measures
- Encryption in transit — All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
- Encryption at rest — Personal data stored in our databases and cloud storage is encrypted at rest using AES-256 encryption.
- Access controls — We enforce role-based access controls and the principle of least privilege. Only authorized personnel with a business need can access personal data.
- Authentication security — Passwords are stored using industry-standard cryptographic hashing (bcrypt). We support multi-factor authentication for recruiter accounts.
- Infrastructure security — Our hosting infrastructure (Hetzner, AWS) provides physical security, network firewalls, and intrusion detection systems.
- Dependency management — We regularly update our software dependencies and monitor for known security vulnerabilities.
Organizational Measures
- Data minimization — We collect only the data necessary for the purposes described in this policy.
- Employee access — Access to personal data is limited to employees and contractors who need it to perform their job functions, and who are bound by confidentiality obligations.
- Vendor assessment — We evaluate the security practices of our sub-processors before engaging them and require data processing agreements with appropriate security commitments.
- Incident response — We maintain an incident response plan to detect, investigate, and respond to data security incidents. Where required by law, we will notify you and relevant authorities of a breach within the applicable timeframes (72 hours under GDPR, without unreasonable delay under CCPA).
Your Role in Security
You can help protect your data by:
- Using a strong, unique password for your NexxaScreen account
- Enabling multi-factor authentication where available
- Not sharing your account credentials with others
- Logging out of your account when using shared devices
- Reporting any suspected unauthorized access to [email protected]
Responsible Disclosure
If you discover a security vulnerability in our platform, please report it to [email protected]. We appreciate responsible disclosure and will work to address confirmed vulnerabilities promptly.
15. Cookies and Tracking Technologies
We use cookies and similar technologies to operate our platform and analyze usage. Our approach prioritizes privacy:
- Primary analytics (Umami): Our main analytics tool is self-hosted and cookieless. It does not use cookies, does not track users across websites, and does not collect personal data. It provides aggregate usage statistics only.
- Website analytics (Google Analytics GA4): We use GA4 on our marketing website, which may set cookies. Consent is obtained where required by law.
- Essential cookies: We use cookies that are strictly necessary for the platform to function, such as session management and authentication tokens.
- No advertising cookies: We do not use tracking cookies for advertising or cross-site behavioral targeting.
For detailed information about the specific cookies we use, their purposes, durations, and how to manage your preferences, please see our Cookie Policy.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, applicable laws, or regulatory guidance.
How We Notify You
- Material changes: If we make a material change to this policy (such as a new category of data collection, a new purpose for processing, or a change in data sharing practices), we will provide at least 30 days' advance notice via email to the address associated with your account and/or through a prominent notice on our website before the change takes effect.
- Non-material changes: For minor updates (such as formatting, clarifications, or updated contact information), we will update the "Effective Date" at the top of this policy.
Your Options
After receiving notice of a material change:
- If you continue to use NexxaScreen after the notice period, your continued use constitutes acceptance of the updated policy.
- If you do not agree with the changes, you may close your account and request deletion of your data before the changes take effect.
Previous Versions
Previous versions of this Privacy Policy are available upon request. Contact [email protected] to obtain a copy of any prior version.
17. Contact Us
We welcome your questions, concerns, and feedback about this Privacy Policy and our data practices.
Privacy Inquiries
Email: [email protected]
Subject line: Privacy Inquiry — [Your Topic]
This is the fastest way to reach us for any privacy-related matter, including:
- Exercising your privacy rights (access, deletion, correction, portability)
- Questions about how your data is used
- Reporting a privacy concern
- Requesting information about our sub-processors or data transfers
General Inquiries
Email: [email protected]
For questions about our services, account support, or other non-privacy matters.
Postal Address
Sentient AI Inc.
Attn: Privacy Team
8 The Green STE R
Dover, DE 19901
United States
Data Protection Officer
Name: Vinay Jain
Email: [email protected]
Postal: Sentient AI Inc., Attn: Data Protection Officer, 8 The Green STE R, Dover, DE 19901, United States
EU Representative
To be appointed. We are in the process of designating an EU representative in accordance with Article 27 of the GDPR. Once appointed, their contact details will be published here and at /legal/eu-representative.
Supervisory Authorities
If you are not satisfied with our response to your privacy concern, you have the right to lodge a complaint with the relevant supervisory authority:
- United Kingdom: Information Commissioner's Office (ICO) — https://ico.org.uk
- European Union: Contact the Data Protection Authority in your member state — https://edpb.europa.eu/about-edpb/about-edpb/members_en
- India: Data Protection Board of India (once established under the DPDP Act)
- California: Office of the Attorney General — https://oag.ca.gov/privacy
This Privacy Policy was last updated on April 11, 2026.
Sentient AI Inc. (dba NexxaScreen) — 8 The Green STE R, Dover, DE 19901, United States