Privacy Policy

1. Information We Collect

1.1 Personal Information You Provide

• Account Information: Every user starts with a guest (anonymous) account that exists only on the device the App is installed on. You can optionally attach an email address to that account by entering your email and confirming a 6-digit one-time code we send to that address. We collect only the email address — we do not store passwords. Additional sign-in providers (such as Sign in with Google or Sign in with Apple) may be offered in future releases; this policy will be updated before any are added.
• Interview Recordings: When you use the recording feature, we collect and store the audio recordings of your interview practice sessions.
• Transcripts: Audio recordings are transcribed using AI-powered transcription services, and the resulting text transcripts are stored in association with your account.
• Self-Assessment Data: When you complete a self-assessment, we collect your self-reported performance ratings, confidence levels, and subjective evaluations of your interview performance.
• Interview Metadata: We collect information you provide about each interview, including the company name, role title, interview date, and any job description text you import.

1.2 Information Collected Automatically

• Usage Data: We collect information about how you interact with the App, including features used, screens viewed, session duration, and interaction timestamps.
• Device Information: We may collect device type, operating system version, unique device identifiers, and general diagnostic data to improve App performance and stability.
• Crash and Performance Data: We collect crash reports and performance metrics to identify and fix technical issues.

1.3 Payment Information

We do not directly collect or store your payment card details. All in-app purchases and subscriptions are billed through Apple's App Store or Google Play according to those platforms' policies. Please refer to Apple and Google privacy policies for information on how they handle payment data.

2. How We Use Your Information and the Basis for Processing

We use the information we collect for the following purposes, and we rely on the consent you provide during onboarding as the lawful basis for each purpose:

• AI-Powered Analysis: Your interview recordings are transcribed and analyzed using artificial intelligence to generate calibration reports, including STAR rubric scoring, filler word analysis, talk-to-listen ratios, sentiment analysis, and perception gap assessments.
• Providing the Service: To create and maintain your account, store your interview data, generate reports, and deliver the core functionality of the App.
• Improving the Service: To understand usage patterns, diagnose technical issues, and improve App features and performance. We may use aggregated, de-identified data for this purpose.
• Communications: To send you account-related notifications, such as one-time sign-in codes, security alerts, and important service updates. We will not send marketing emails without your separate consent.
• Compliance and Safety: To comply with legal obligations, enforce our terms of service, and protect the rights, safety, and property of Journey Analytics, LLC, our users, and the public.

We do not sell your personal information. We do not sell, rent, or trade your personal data — including audio recordings, transcripts, or analysis results — to third parties for their marketing or advertising purposes.

3. Third-Party Services (Sub-Processors)

We use the following third-party services to operate the App. Each receives only the minimum data necessary to perform its function and is independently bound by its own published privacy commitments and, where applicable, by data processing agreements with us.

3.1 OpenAI (Whisper API)

• Purpose: Audio transcription only.
• Data Shared: Audio recordings are sent to OpenAI's Whisper API for transcription.
• Processing Location: United States.
• Retention: Per OpenAI's API data usage policy, data submitted through the API is not used to train OpenAI's models and is retained for up to 30 days for abuse and misuse monitoring before being deleted.
• Privacy Policy: openai.com/privacy

3.2 Anthropic (Claude)

• Purpose: Interview performance analysis (STAR scoring, delivery analysis, perception gap, coaching).
• Data Shared: Transcripts and interview metadata are sent to Anthropic's Claude models.
• Processing Location: United States.
• Retention: Per Anthropic's commercial terms, data submitted through the API is not used to train Anthropic's models. Data is retained only as needed for service delivery and abuse monitoring.
• Privacy Policy: anthropic.com/legal/privacy

3.3 Supabase

• Purpose: User authentication, database storage, and file storage (audio recordings).
• Data Shared: Account information, interview metadata, transcripts, analysis results, and audio files.
• Processing Location: United States.
• Security: Data is encrypted at rest and in transit. Row-Level Security (RLS) policies ensure users can only access their own data.
• Privacy Policy: supabase.com/privacy

3.4 Expo Push Notifications (FCM / APNs)

• Purpose: To notify you when your interview analysis is ready, even if you've closed the app.
• Data Shared: An opaque Expo push token bound to your device, plus the report identifier needed to deep-link you to the report. No recording or transcript content is included in the notification payload.
• Processing Location: United States (Expo) with onward delivery through Google FCM (United States / global edge) and Apple APNs (United States / global edge).
• Privacy: Expo | Firebase | Apple

3.5 Sentry (Crash Reporting)

• Purpose: Anonymized crash reports and stack traces so we can identify and fix bugs.
• Data Shared: Stack traces, device model, OS version, and an opaque user identifier. We do not send your interview content to Sentry.
• Processing Location: United States.
• Privacy Policy: sentry.io/privacy

3.6 Apple App Store / Google Play (in-app purchases)

• Purpose: When you subscribe or buy credits, billing and entitlements are enforced by Apple's App Store or Google Play for that purchase.
• Data Shared: Purchase and subscription state surfaced by the platform — not your payment card numbers, interview recordings, or transcripts as part of the payment flow itself.
• Processing Location: Global, per the platform.
• Privacy: Apple | Google

3.7 Firebase Analytics (Product Analytics — mobile app)

• Purpose: To understand which features users actually use, where they get stuck, and how new releases change behavior — so we can prioritize improvements that matter.
• Data Shared: Aggregate behavioral events (e.g. "report viewed," "PDF exported," "recording started"), the score band of the most recent report (e.g. "60–79"), and standard automatic Firebase metrics: app version, OS version, device model, country, and a Firebase-issued installation ID. Our analytics wrapper strips fields whose names begin with email, password, transcript, notes, text, body, summary, or content, and truncates all string values to 100 characters before they leave the device, so interview recordings, transcripts, and AI-generated narrative content are never sent.
• Processing Location: United States (Google).
• Privacy: Firebase Privacy | Google Privacy Policy

3.8 Website Analytics & Advertising Pixels (yourdebrief.com only)

The Debrief marketing website (yourdebrief.com) uses a small set of measurement pixels to understand which referral sources are effective and to attribute paid ad spend. These pixels are loaded only on the website — not inside the Debrief mobile app — and they do not receive any interview content, transcripts, audio, or report data.

• Google Analytics 4 (GA4) — page views and high-level engagement, IP anonymized, no remarketing. Google Privacy Policy
• Meta (Facebook) Pixel — fires a standard PageView on every page and a Lead event when the iOS waitlist form is submitted successfully (email + a hashed identifier handled by Meta). Used for conversion measurement and ad optimization in Meta Ads Manager. Meta Privacy Policy
• Google Ads conversion tag — fires when the iOS waitlist form is submitted successfully, so Google Ads can attribute the conversion back to a clicked ad. Google Privacy Policy

You can opt out of these website-only pixels with a tracking-protection browser or extension (e.g. Brave, Safari Intelligent Tracking Prevention, uBlock Origin), or by using the browser's Do Not Track / Global Privacy Control signal. None of these pixels are required to use the Debrief mobile app.

4. Data Retention and Deletion

• Active Accounts: We retain your data for as long as your account is active and as needed to provide the Service.
• User-Initiated Deletion: You can permanently delete your account and all associated data at any time from inside the App: Settings → Account → Delete my account (type "DELETE" to confirm). This works for both guest accounts and email-attached accounts.
• Online Deletion: If you can no longer access the App (lost or wiped device), you can also request deletion from yourdebrief.com/account-deletion or by emailing support@yourdebrief.com from the email address associated with your account.
• Scope: Upon account deletion we permanently remove your account, audio recordings, transcripts, self-assessments, reports, pipeline entries, and any other data associated with your user ID from our active systems within 30 days, except where retention is required by law.
• Backups: Residual copies in encrypted backups may persist for up to 90 days after deletion before being automatically purged.

5. Data Security

We implement industry-standard security measures to protect your information:

• Encryption at Rest: All data stored in our database and file storage systems is encrypted at rest using AES-256 encryption.
• Encryption in Transit: All data transmitted between your device, our servers, and third-party services is protected using TLS 1.2 or higher.
• Row-Level Security (RLS): Database-level access controls ensure that authenticated users can only read, modify, and delete their own data.
• Access Controls: Administrative access to production systems is limited to authorized personnel and protected by multi-factor authentication.
• Secure File Storage: Audio recordings are stored in isolated, encrypted storage buckets with access controlled by authenticated, time-limited URLs.

While we strive to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

6. Children and Age Requirements

Debrief is intended for adults aged 18 and over. Our Terms of Use require that you be at least 18 years of age to use the App, and we do not knowingly process the personal data of anyone under 18. Under India's DPDP Act, a "child" is anyone under 18, and we do not knowingly target, profile, or behaviorally track children.

For users located in the United States, we additionally affirm that Debrief is not directed to children under 13 and we do not knowingly collect personal information from children under 13 (Children's Online Privacy Protection Act).

If you believe a person under 18 has provided us with personal information, please contact us at support@yourdebrief.com and we will take steps to delete that information promptly.

7. Your Rights

Depending on your jurisdiction (including the United States, India, and elsewhere), you may have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request that we correct inaccurate or incomplete personal information.
• Erasure / Deletion: Request that we delete your personal information, subject to certain legal exceptions. See Section 4 for the in-app and online deletion paths.
• Data Portability: Request an export of your data in a commonly used, machine-readable format.
• Withdraw Consent: Withdraw the consent you provided during onboarding at any time. The simplest way to fully withdraw consent is to delete your account in Settings → Account → Delete my account, which removes all data associated with you. You can also email us with subject line "Withdraw consent" and we will process the withdrawal within 30 days.
• Object / Restrict Processing: Object to specific types of processing or request that we restrict how we process your data.
• Nominate (DPDP Right): Indian residents may nominate another individual who shall, in the event of your death or incapacity, exercise these rights on your behalf. To register a nomination, email support@yourdebrief.com with subject line "DPDP nomination" and provide the nominee's name and a contact email.
• Grievance Redressal (DPDP Right): Indian residents have the right to readily-available grievance redressal. See Section 11 for our Grievance Officer contact.
• Complaint to a Regulator: You have the right to lodge a complaint with the data protection authority in your jurisdiction. In India, that is the Data Protection Board of India.

To exercise any of these rights, please contact us at support@yourdebrief.com. We will respond within 30 days, as required by applicable law.

California Residents

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect and the right to request deletion. We do not sell personal information as defined under the CCPA.

8. International Data Transfers

Journey Analytics, LLC is based in the United States. The sub-processors listed in Section 3 process data primarily in the United States. If you use the App from outside the United States — including from India — your personal data will be transferred to, stored in, and processed in the United States and, where the sub-processor uses global edge infrastructure (such as push-notification delivery), other locations.

For users located in India: Such transfers are permitted under Section 16 of the DPDP Act, which allows transfer of personal data outside India to any country not specifically restricted by an order of the Central Government. The United States is not currently on a restricted list. We rely on industry-standard contractual safeguards with each sub-processor to maintain protections comparable to those required under the DPDP Act. By providing the consent described above, you acknowledge and consent to this transfer.

If India's Central Government later restricts transfers to the United States or to a specific sub-processor's jurisdiction, we will adjust our processing arrangements accordingly and update this policy.

9. Personal Data Breach Notification

In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will:

• Notify affected users without undue delay through in-app messaging, push notification, or email to the address associated with the account;
• Notify the Data Protection Board of India (for affected Indian users) and any other competent supervisory authority in your jurisdiction, in the form and within the timeframe required by applicable law;
• Take immediate steps to contain the breach, assess its scope, and mitigate further risk.

If you believe you have identified a security incident affecting Debrief, please email support@yourdebrief.com with subject line "Security incident report."

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the "Last Updated" date at the top of this policy and, where appropriate, by providing notice through the App or via email. We encourage you to review this Privacy Policy periodically for any changes. Your continued use of the App after material changes are posted constitutes your acceptance of the updated Privacy Policy. We may also re-prompt you for affirmative consent inside the App when changes are material.

11. Contact Us and Grievance Officer

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Journey Analytics, LLC
Email: support@yourdebrief.com

Grievance Officer (India — DPDP Act, 2023)

Under Section 8(9) of the DPDP Act, 2023, Indian residents may contact our designated Grievance Officer to raise concerns about the processing of their personal data or to exercise the rights listed in Section 7.

• Name / Role: Journey Analytics, LLC — Grievance Officer
• Email: support@yourdebrief.com
• Subject line (preferred): "Grievance — DPDP"
• Response timeline: We aim to acknowledge grievances within 7 days and to resolve them within 30 days, in accordance with the DPDP Act and its Rules.

If you are not satisfied with our response, you may escalate your grievance to the Data Protection Board of India.