aimockcase
Legal

Privacy Policy

How we collect, use, and protect your data when you practice with the AI interviewer. Written to comply with the EU GDPR, California CCPA/CPRA, Saudi PDPL, and China PIPL.

Effective 15 June 2026 Last updated 15 June 2026

The one line that matters most: your live session audio is processed in transit only to produce a transcript. We never record or store it, and it cannot be replayed. The text transcript and your five-dimension scorecard are stored, generated by automated systems, and tied to your account.

This Privacy Policy explains how AI Mock Case ("we", "us") collects, uses, discloses, and protects Personal Data when you use aimockcase.org and the related voice mock-interview service (the "Service"). We process Personal Data in accordance with the EU and UK General Data Protection Regulation (the "GDPR"), the California Consumer Privacy Act as amended by the CPRA ("CCPA"), the Saudi Personal Data Protection Law (Royal Decree M/19, the "PDPL"), and the People's Republic of China Personal Information Protection Law (the "PIPL"), to the extent each applies to you. Where a specific regime grants you rights beyond the rest, those rights are set out in Section 10.

1. Introduction

1.1 This Policy applies to all visitors and users of the Service. It forms part of, and is incorporated by reference into, our Terms of Service.

1.2 Capitalised terms used but not defined here have the meanings given in the Terms of Service.

2. Who we are (the controller)

2.1 The data controller for Personal Data processed in connection with the Service is AI Mock Case, operated by the founder personally during the beta period, contactable at [email protected].

2.2 We have not appointed a Data Protection Officer because the scale and nature of our processing does not require one under Article 37 of the GDPR. Privacy enquiries are handled directly by the founder.

3. Information we collect

3.1 Information you provide

  • Account information. When you create an account we collect your first name, last name, email address, and a password. We never store your password in plain text; it is salted and hashed using an industry-standard algorithm, and we cannot recover it (only reset it).
  • Booking information: your declared skill level, target firm, focus area, time zone, and selected interview time. Because we already hold your name and email from your account, booking no longer asks for them.
  • Interview content: the real-time transcript produced from your spoken answers during the session, and the structured feedback (scorecard, rewrite pairs, model walk-through) we generate from that transcript. Your session audio is processed live to produce the transcript but is not recorded or stored by us.
  • Payment information. When paid plans are live, your billing name, billing region, currency, the bundle or plan purchased, and your credit balance. Card details are entered directly into Stripe and are never seen or stored by us (see Section 6).
  • Optional correspondence: anything you write to us by email or include in support requests.

3.2 Information collected automatically

  • Connection metadata: IP address, browser type and version, operating system, and approximate geolocation derived from IP, collected through standard web-server logs and our content-delivery network for security and abuse prevention.
  • Service usage: pages visited on the Service, cases you have taken, and timestamps of bookings, sessions, purchases, and feedback emails.
  • Email engagement: whether the confirmation and feedback emails we send are delivered and opened, via our transactional-email provider's standard tracking pixel.

3.3 Sensitive data and your spoken answers

3.3.1 We do not ask for and do not want sensitive or special-category data (such as data revealing health, ethnicity, religion, or political views). Because the transcript is generated from what you say out loud during a case, it could incidentally capture sensitive information if you choose to volunteer it. Please do not volunteer sensitive personal information during a session. Any sensitive information that does appear in a transcript is processed only to deliver the Service to you and is never used to infer characteristics about you, build a profile, or for advertising.

3.3.2 We do not collect government identifiers, biometric data, or data about children, and we do not buy Personal Data from data brokers. We run no advertising and no third-party analytics on the Service.

4. How we use Personal Data and our legal basis

4.1 We use Personal Data for the purposes in the table below. Where the GDPR or UK GDPR applies, we rely on the legal basis identified. The PDPL and PIPL recognise comparable non-consent bases (contract performance, legitimate interest, legal obligation); where those regimes require consent (including the separate consent the PIPL requires for processing sensitive information and for transferring data outside China), we obtain it before processing (see Section 8 and Section 10).

PurposeCategories of dataLegal basis (GDPR Art. 6)
Creating and securing your account First name, last name, email, hashed password Performance of a contract (6(1)(b))
Provisioning the live interview (room, AI interviewer, exhibits) Booking info, live audio stream (in transit, not stored), transcript Performance of a contract (6(1)(b))
Generating and delivering your feedback report Transcript, scorecard Performance of a contract (6(1)(b))
Carrying your progress and weakness profile across sessions Past scorecards, profile Performance of a contract (6(1)(b))
Processing payments and managing your credit balance Billing identity, currency, plan/credits, transaction metadata Performance of a contract (6(1)(b)); legal obligation (6(1)(c)) for tax/accounting; legitimate interests (6(1)(f)) for fraud prevention
Detecting abuse, fraud, and security incidents Connection metadata, server logs Legitimate interests (6(1)(f)): protecting the integrity of the Service
Improving the interviewer prompt, scoring rubric, and case library Anonymised excerpts of transcripts Legitimate interests (6(1)(f)); you may object at any time (Section 10)
Sending service-related communications (confirmation, feedback, outages) Email address, name Performance of a contract (6(1)(b))
Sending optional product updates and announcements Email address, name Consent (6(1)(a)): opt-in only; withdrawable at any time
Complying with legal obligations and lawful requests Whatever is required Legal obligation (6(1)(c))

5. Accounts and passwords

5.1 To use the Service you create an account with your first name, last name, and email address, secured by a password or a third-party sign-in (e.g. Google). Your account links your bookings, transcripts, scorecards, and credit balance to you so your progress carries across sessions.

5.2 We never store your password in readable form. Passwords are salted and hashed; we cannot see, recover, or tell you your password, only help you reset it. You are responsible for keeping your credentials confidential and for activity under your account.

5.3 You can update your name and email, change your password, or request deletion of your account at any time (Section 10).

6. Payments and credits

6.1 During the current beta, where the Service is offered free of charge, no payment data is collected. The clauses in this Section describe how payments work once paid plans (credits and subscriptions) are switched on.

6.2 Payments are processed by Stripe, Inc. Card details are entered into Stripe's hosted payment fields and are sent directly to Stripe. We never see, receive, or store your full card number, CVC, or expiry. That data stays within Stripe's PCI-DSS-compliant environment. We receive only non-sensitive transaction metadata from Stripe, such as your billing name, the last four digits and brand of your card, the amount, currency, and a result code.

6.3 Credits represent prepaid mock interviews: 1 credit = 1 AI mock interview (a full voice case with the AI interviewer plus a scorecard). We store your credit balance, purchase history, plan type, and currency on your account. New accounts start at zero credits, and credits expire approximately one month after purchase.

6.4 The legal basis for payment processing is performance of your purchase contract; a legal obligation applies to the tax and accounting records we must keep; and we rely on legitimate interests for fraud prevention.

7. Disclosure to sub-processors and other recipients

7.1 We share Personal Data with the following sub-processors, exclusively to operate the Service. Each is bound by a data-processing agreement requiring confidentiality and appropriate security.

Sub-processorPurposeData categoryLocation
Google LLC (Google Cloud Platform)Database (Firestore), object storage, AI reasoning (Gemini), text-to-speech, computeAccount data, transcript, scorecardme-central1 (Doha, Qatar)
Daily.coReal-time audio room infrastructureAudio stream during the call only; not stored under our settingsGlobal edge
Deepgram, Inc.Real-time speech-to-textAudio stream during the call only; not retained for trainingUnited States
Stripe, Inc.Payment processing & fraud prevention (once paid plans launch)Billing name, email, card data (handled by Stripe, not stored by us), transaction metadataUnited States / EU / global
Resend, Inc.Transactional email deliveryName, email address, email bodyUnited States / EU
Cloudflare, Inc.TLS, CDN, DDoS protection, tunnelled ingressHTTP request metadata, IP addressGlobal edge

7.2 We disclose Personal Data to law enforcement, regulators, or other third parties only where required by law, where we believe in good faith that disclosure is necessary to protect rights, property, or safety, or with your explicit consent.

7.3 If we are involved in a merger, acquisition, or sale of assets, Personal Data may be transferred as part of that transaction. We will notify you by email before any such transfer.

7.4 We do not sell or rent Personal Data, and we do not share Personal Data for cross-context behavioural advertising. This statement is true under the CCPA's "sale" and "sharing" definitions and the PIPL's provision-to-third-parties rules alike.

8. International data transfers

8.1 Personal Data is primarily stored in Google Cloud's me-central1 region in Doha, Qatar. Audio is transcribed in real time by Deepgram in the United States; emails are sent through Resend's US/EU infrastructure; and, once live, payments are processed by Stripe in the US/EU.

8.2 EEA, UK, and Switzerland. Where Personal Data of data subjects in these regions is transferred outside them, the transfer is governed by the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), incorporated by reference into our sub-processors' data-processing addenda, together with supplementary technical measures (encryption in transit and at rest, access controls, audit logging).

8.3 Saudi Arabia (PDPL). The PDPL restricts transfers of Personal Data outside the Kingdom; our storage is in Doha, Qatar, which is outside Saudi Arabia. Where we transfer the Personal Data of users in Saudi Arabia, we rely on the transfer conditions permitted by the PDPL and its Implementing Regulations, including transfer necessary to perform a contract with you and the use of appropriate safeguards, subject to SDAIA's requirements.

8.4 China (PIPL). Using the Service involves transferring your Personal Data outside mainland China (it is stored in Doha and transcribed in the United States). The PIPL requires your separate, specific consent for such a cross-border transfer, in addition to a lawful transfer mechanism (such as the CAC Standard Contract). We will not transfer the Personal Data of users in mainland China abroad without first obtaining that separate consent and putting the required mechanism in place. Until then, the in-app Service may be unavailable to mainland-China users (see the locale switcher in the footer).

8.5 You may request a copy of the safeguards in place for a specific transfer by emailing [email protected].

9. Data retention

9.1 We retain Personal Data only for as long as necessary for the purposes set out in this Policy, after which it is deleted or anonymised. Session audio is not stored at all, so it does not appear as a retained category below.

CategoryRetention period
Session audioNot stored; processed live and discarded
Transcripts and scorecards12 months, or until you request account deletion, whichever is sooner
Account & profile data (name, email, hashed password, preferences, session history)For the life of your account, plus 30 days after a deletion request to allow back-up rollover
Server logs and connection metadata90 days, then automatically deleted
Email engagement metadata12 months
Payment and transaction records (once paid plans are live)Kept for the statutory tax/accounting retention period required in our jurisdiction, which is longer than the 12-month transcript period
Records we are legally required to retain (e.g., fraud investigation)The minimum period required by applicable law

10. Your rights

10.1 Subject to the laws that apply to you, you have the rights below. We honour these rights regardless of where you live; the groupings identify where each set is mandated.

10.1 EEA, UK, and Switzerland (GDPR / UK GDPR)

  • Right of access to your Personal Data (Article 15).
  • Right to rectification of inaccurate Personal Data (Article 16).
  • Right to erasure, the "right to be forgotten" (Article 17).
  • Right to restriction of processing (Article 18).
  • Right to data portability in a structured, commonly used, machine-readable format (Article 20).
  • Right to object to processing based on legitimate interests, including objecting to use of your data for service improvement (Article 21).
  • Right to withdraw consent at any time, where processing is based on consent (Article 7(3)).
  • Right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Article 22). We make no such decisions about you (see Section 14).
  • Right to lodge a complaint with a supervisory authority in your country.

10.2 California (CCPA / CPRA)

  • Right to know what Personal Information we collect, use, and disclose.
  • Right to delete Personal Information.
  • Right to correct inaccurate Personal Information.
  • Right to opt out of the "sale" or "sharing" of Personal Information (we do neither).
  • Right to limit the use of sensitive Personal Information. We do not solicit sensitive categories, and any incidental sensitive content in a transcript is used only to deliver the Service.
  • Right to use an authorized agent to make a request, and right to non-discrimination for exercising any of these rights.

10.3 Saudi Arabia (PDPL)

  • Right to be informed about how your Personal Data is processed.
  • Right of access to your Personal Data and to obtain a copy of it.
  • Right to request correction of inaccurate Personal Data.
  • Right to request destruction / erasure of your Personal Data.
  • Right to withdraw consent where processing is based on consent.
  • Right to lodge a complaint with the Saudi Data & Artificial Intelligence Authority (SDAIA).

10.4 Mainland China (PIPL)

  • Right to know about, and to decide on, the processing of your Personal Information, and to restrict or refuse processing.
  • Right of access to, and to obtain a copy of, your Personal Information.
  • Right to correct inaccurate Personal Information.
  • Right to delete your Personal Information.
  • Right to data portability, to have your Personal Information transferred to another handler you designate.
  • Right to withdraw any consent you have given, including your separate consent to cross-border transfer (Section 8.4) and to the processing of sensitive Personal Information.
  • Right to an explanation of automated decision-making and to request human review (Section 14).
  • Right to lodge a complaint with the Cyberspace Administration of China (CAC) or another competent authority.

10.5 How to exercise your rights

Email us at [email protected]. We will respond within 30 days (extendable by a further period for complex requests, with notice). We may need to verify your identity, or an authorized agent's authority, before acting. Exercising any right is free; we may charge a reasonable fee only for manifestly unfounded or excessive requests, as permitted by Article 12(5) GDPR and the equivalent provisions of the other regimes.

11. Security

11.1 We apply technical and organisational measures appropriate to the risk, including TLS 1.3 in transit, encryption at rest, salted password hashing, principle-of-least-privilege access controls, audit logging, and segregation of production credentials from version control. Card data is handled entirely within Stripe's PCI-DSS-compliant environment (Section 6).

11.2 No method of transmission or storage is fully secure. In the event of a Personal Data breach likely to result in a high risk to your rights and freedoms, we will notify you and the relevant authority: within 72 hours of becoming aware where the GDPR applies (Articles 33 and 34), and within the timeframes set by SDAIA (PDPL) and the CAC (PIPL) for affected users in those regions.

12. Cookies and similar technologies

12.1 We use only strictly-necessary cookies required to operate sign-in, the booking flow, and the in-call page. We do not use advertising, analytics, or social-media cookies, so no cookie banner is required for our use of strictly-necessary cookies. When payments go live, Stripe sets fraud-prevention scripts that are generally strictly necessary for processing your payment.

12.2 You can disable all cookies in your browser; sign-in and the booking flow may not function if you do so.

13. Children's privacy

13.1 The Service is directed to adults preparing for graduate-level recruitment and is restricted to users aged 18 and over. It is not directed to children, and we do not knowingly collect Personal Data from minors. Under the PIPL, the Personal Information of minors under 14 is treated as sensitive and requires guardian consent; our 18+ restriction means we do not knowingly process it. If you believe a minor has provided Personal Data, contact us at [email protected] and we will delete it.

14. Automated decision-making and profiling

14.1 The Service uses automated systems (the AI interviewer and the scoring engine) to generate your feedback and scorecard. This feedback is informational and does not produce legal or similarly significant effects on you. It is one signal among many in your interview preparation.

14.2 You have the right to an explanation of how your scorecard was generated and to request a human review if you wish to contest it. To exercise either, email [email protected]. This satisfies both Article 22 GDPR and the PIPL's automated-decision explanation right.

15. Changes to this Policy

15.1 We may update this Policy from time to time. The "Last updated" date at the top reflects the most recent change. Material changes will be notified by email to your account address at least 14 days before they take effect, except where a shorter period is required by law.

16. How to contact us

16.1 Email [email protected] for any question, request, or complaint about this Policy. See also our Terms of Service.