Skip to main content
CogniPrep logo

Privacy Policy

Last updated: 14 June 2026

Introduction

We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you use our practice games platform.

Information We Collect

1. Account Information

  • Name and email address
  • Password (encrypted and hashed — we never store it in plain text)
  • Subscription tier
  • Payment information (processed and stored by Stripe — we do not store card details)
  • Terms of Service and Privacy Policy acceptance timestamps and version
  • Current daily practice streak and personal best score

2. Game Session Data

Each time you complete a game, we store:

  • The full game state — including every trial, your responses, and timestamps — stored as structured data
  • Raw score, normalised score, and percentile ranking
  • Session start and end times, and total duration
  • Game-specific performance metrics (e.g., reaction time, accuracy, error patterns)
  • Performance category (e.g., average, above-average)

3. Feedback Reports

Feedback reports are generated on-demand from your session data and include:

  • Overall score and performance category
  • Identified strengths and areas for improvement
  • Personalised recommendations
  • Detailed insights based on your game metrics

Note: Feedback reports are not stored separately - they are generated dynamically from your session and score data.

4. Technical and Security Information

  • IP address (used for security and audit logging)
  • Browser user-agent string (used to identify your device type for display purposes)
  • Device fingerprint (a hash of your user-agent, used only for display in device management UI)
  • Device session tokens stored as secure cookies (used to enforce the 2-device limit)

Note: The 2-device limit is enforced using persistent device tokens (cookies), not fingerprinting. Each device gets a unique token that identifies it as one of your 2 allowed devices.

5. Preferences and Consent

  • Cookie consent choices (analytics and marketing), with timestamps

6. Interview Practice Data

When you use the Interview Practice feature, we collect and process:

  • Video recordings — your camera and microphone output for each of the five interview questions, uploaded to Cloudflare R2 secure cloud storage
  • Audio transcript — a text transcription of your spoken answers, generated by OpenAI Whisper
  • Content analysis scores — AI-generated scores (0–10) for relevance, clarity, and structure of your answers
  • Non-verbal presentation scores — AI-generated scores (0–10) for eye contact, posture, and confidence, derived from video frames
  • Filler word detection — a list of filler words identified in your speech (e.g. "um", "like")
  • Overall score and summary — a composite score and AI-generated written summary of your performance
  • Interview credit transactions — a ledger of credit grants, purchases, usage, and refunds

Raw video files are deleted from cloud storage automatically once AI processing is complete. Transcripts, scores, and feedback are retained in your account until you delete the session or close your account.

How We Use Your Information

We use your personal data for the following purposes:

Service Delivery

  • Provide access to practice games and features
  • Manage your account and tier
  • Process payments through Stripe
  • Authenticate and secure your account
  • Enforce the 2-device limit using persistent device tokens (stored as secure cookies)

Personalisation & Analytics

  • Display your game statistics, scores, and progress charts
  • Generate personalised feedback reports with strengths and recommendations (generated on-demand from your session data)
  • Calculate your percentile ranking against anonymised population benchmarks
  • Track your daily practice streak and personal best
  • Compute improvement trends across your session history

Anonymised Population Benchmarks

Your raw scores are included in aggregated, anonymised calculations to build population statistics (mean, median, standard deviation, percentile distributions) for each game. These statistics are used to calculate your percentile ranking. No individual scores are identifiable in this process.

Communication

  • Send transactional emails required to operate your account (e.g., account confirmations, security alerts, billing notifications)
  • Send service-related announcements about CogniPrep features and updates
  • We do not send third-party marketing emails or any emails unrelated to CogniPrep. Every email includes an unsubscribe link for non-essential communications.

Legal & Security

  • Maintain a GDPR audit trail of privacy-related actions on your account
  • Comply with legal obligations
  • Prevent fraud and abuse
  • Enforce our terms of service

Interview Practice

  • Process your video and audio recordings through AI systems to generate interview feedback (transcript, content scores, non-verbal scores, filler word detection)
  • Display your interview history, scores, and AI-generated feedback in your account dashboard
  • Manage your interview credit balance — recording purchases, grants, usage, and automatic refunds on processing failure
  • Send you an email notification when your interview feedback is ready

Legal Basis for Processing (GDPR)

We process your personal data based on:

  • Contract - To provide services you've subscribed to
  • Consent - For analytics, marketing, and optional features
  • Legitimate Interest - To improve our service and prevent fraud
  • Legal Obligation - To comply with laws and regulations

Data Sharing and Third Parties

We share your data only with the following trusted third-party services:

Service Providers

  • Stripe — Payment processing (PCI-DSS compliant). Stripe stores your billing details; we only receive a customer reference ID.
  • Supabase — Authentication and database hosting. Your account and game data is stored on Supabase-managed infrastructure.
  • Vercel — Application hosting and CDN. Vercel processes requests to serve the application.
  • Cloudflare R2 — Cloud object storage used to temporarily hold your interview video recordings during AI processing. Raw video files are automatically deleted once processing is complete.
  • OpenAI — AI models (Whisper for transcription, GPT-4o for content analysis, GPT-4o Vision for non-verbal analysis) used to generate interview feedback. Your video frames and audio are transmitted to OpenAI's API for processing and are subject to OpenAI's Privacy Policy. OpenAI does not use API inputs to train its models by default.
  • Trigger.dev — Background job processing used to run interview analysis asynchronously. Job payloads include your interview ID and are processed on Trigger.dev-managed infrastructure.

We do not sell your personal data to third parties. We do not use your data for cross-context behavioural advertising. Data shared with OpenAI for interview processing is governed by OpenAI's API data usage policy — by default, OpenAI does not use API inputs to train its models.

Data Security

We implement industry-standard security measures:

  • SSL/TLS encryption for data in transit
  • Encrypted database storage
  • Secure password hashing (bcrypt)
  • Regular security audits
  • Access controls and authentication
  • Device session management (max 2 active devices)
  • Interview video files stored in private Cloudflare R2 buckets — not publicly accessible — and accessible only via short-lived signed URLs during processing

Data Retention

We retain your data for the following periods:

  • Account data — until you delete your account
  • Game sessions and scores — automatically deleted after 2 years, or immediately when you delete your account or request removal
  • Interview video recordings — deleted from Cloudflare R2 automatically once AI processing is complete (typically within minutes to a few hours of submission). They are never retained longer than 24 hours regardless of processing outcome.
  • Interview feedback, transcripts, and scores — retained in your account until you delete the session, or automatically removed 2 years after creation, or immediately when you delete your account
  • Interview credit transactions — 7 years (financial record requirement)
  • Payment records — 7 years (legal requirement)
  • GDPR audit logs — deleted when you delete your account
  • Device session tokens — automatically removed after 30 days of inactivity (safety net to prevent permanent lockouts from lost devices)

The 2-year automatic deletion of game data and 30-day device session cleanup are enforced by a daily automated job. You can also delete your data at any time from your account settings.

Your Rights

Under GDPR and other privacy laws, you have the right to:

  • Access - Request a copy of your personal data
  • Rectification - Correct inaccurate data
  • Erasure - Request deletion of your data ("right to be forgotten")
  • Restriction - Limit how we process your data
  • Portability - Export your data in a machine-readable format
  • Object - Object to certain types of processing
  • Withdraw Consent - Revoke consent at any time

To exercise these rights, visit your account settings or contact us at support@cogniprep.app.

Children's Privacy

Our service is not intended for children under 13 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately.

International Data Transfers

Your data is processed by Supabase and Vercel, which may store and process data in the United States and other countries. We rely on the following safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission where applicable

Automated Decision-Making

We use automated processing to personalise your experience:

  • Game difficulty is adjusted automatically based on your performance scores
  • Personalised recommendations are generated from your game history
  • Performance percentiles are calculated by comparing your scores against aggregated population data
  • Interview feedback is generated entirely by automated AI systems (OpenAI) — no human reviews your video or transcript. The AI produces scores, a transcript, and written feedback. These outputs are for personal self-improvement only and do not constitute a professional evaluation.

These automated processes do not produce legal or similarly significant effects. You can request human review of any automated assessment by contacting us at support@cogniprep.app.

Cookies

We use cookies to enhance your experience. For detailed information, please read our Cookie Policy.

Changes to This Policy

We may update this privacy policy from time to time. We will notify you of significant changes by:

  • Posting a notice on our website
  • Sending an email notification
  • Updating the "Last updated" date

Contact Us

If you have questions or concerns about this privacy policy:

  • Email: support@cogniprep.app
  • Data Protection Officer: support@cogniprep.app

California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know — Request disclosure of the categories and specific pieces of personal information we have collected about you
  • Right to Delete — Request deletion of your personal information, subject to certain exceptions
  • Right to Correct — Request correction of inaccurate personal information
  • Right to Opt-Out of Sale or Sharing — We do not sell or share your personal information with third parties for cross-context behavioural advertising. No opt-out is required, but you may contact us to confirm this.
  • Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA rights

To exercise your California privacy rights, visit your account settings or contact us at support@cogniprep.app. We will respond to verifiable requests within 45 days.

Supervisory Authority

If you're in the EU/EEA, you have the right to lodge a complaint with your local data protection authority. For UK residents, this is the Information Commissioner's Office (ICO) at ico.org.uk. For EU residents, contact your national supervisory authority listed at edpb.europa.eu.