Selfinity AI Limited (Company No. 16974440), registered in England and Wales with its registered office at Lytchett House, 13 Freeland Park, Wareham Road, Poole, Dorset, BH16 6FA, is the data controller responsible for your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use the Selfinity platform ("Service").
We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are registered with the Information Commissioner's Office (ICO), registration number ZC111045.
1. Information We Collect
1.1 Account Information
When you sign in via Google OAuth, we receive your name, email address, and profile photo from Google. We use this information to create and manage your account.
1.2 Interview Session Data
During interview sessions, we collect and process the following data to provide the Service:
- Chat messages — text you send to and receive from the AI assistant.
- Audio transcriptions — if you enable microphone input, your speech is transcribed in real time using OpenAI's Realtime API. Audio data is streamed directly to OpenAI for transcription and is not stored by us or OpenAI beyond the processing duration. We retain only the resulting text transcripts.
- Screen share content — when you share a browser tab, periodic screenshots may be captured and sent to the AI for visual context. These screenshots are processed in real time and are not permanently stored.
- Uploaded files — files you upload (PDF, DOCX, TXT) for interview preparation are stored securely in AWS S3 cloud storage in the United States and associated with your account. File content is processed into vector embeddings (numerical representations of your document content) stored in our database to enable AI-powered search and retrieval during your sessions. During active interview sessions, relevant portions of your file content may be sent to OpenAI via API for contextual AI responses. You can delete your uploaded files at any time through the Service, which removes the file from cloud storage, its associated vector embeddings, and any stored metadata.
1.3 Payment Information
Payment processing is handled by Stripe. We do not store your full card number or payment credentials on our servers. Stripe may collect and process your payment details in accordance with their own privacy policy. We receive only a limited set of billing information from Stripe (such as the last four digits of your card and billing email) to display on your account.
1.4 Usage and Analytics Data
We collect anonymous usage data to understand how the Service is used and to improve it. This includes page views, feature usage, and conversion events. We use Meta (Facebook) Pixel for analytics and advertising attribution. You can manage your cookie preferences through the cookie consent banner displayed on the Service.
1.5 Technical Data
We automatically collect technical information such as your IP address, browser type, device type, operating system, and access times for security, troubleshooting, and analytics purposes.
2. How We Use Your Information
We use your personal data for the following purposes:
- To provide the Service — creating your account, running interview sessions, processing your uploaded files into vector embeddings for personalised AI interview assistance, delivering AI responses, and processing payments (lawful basis: contract performance).
- To improve the Service — analysing usage patterns, diagnosing technical issues, and developing new features (lawful basis: legitimate interest).
- To communicate with you — sending account-related notifications, responding to support requests, and providing service updates (lawful basis: contract performance and legitimate interest).
- To ensure security — detecting and preventing fraud, abuse, and unauthorised access (lawful basis: legitimate interest).
- Analytics and marketing — measuring advertising effectiveness via Meta Pixel (lawful basis: consent, managed through our cookie banner).
We will only send you marketing communications (product updates, promotions, or newsletters) if you have explicitly opted in. You can unsubscribe at any time using the link in any marketing email or by contacting us. Transactional emails (account notifications, payment receipts, session summaries) are sent as part of the Service and do not require separate consent.
3. AI Data Processing
Your chat messages, screen content, and relevant portions of your uploaded file content (retrieved via vector search) are sent to third-party AI model providers (currently OpenAI) via their API to generate responses. Importantly:
- Your data is not used by our AI providers for model training.
- Data is transmitted securely via encrypted API connections.
- We have a Data Processing Agreement (DPA) in place with our AI provider, as required by UK GDPR Article 28.
3.1 Automated Decision-Making
The Service uses AI to generate interview responses and feedback. These outputs are for practice and educational purposes only and do not constitute professional advice or produce legal effects concerning you. No decisions with legal or similarly significant effects are made solely by automated means. You always retain full control over how you use the AI-generated content.
4. Special Category Data in Uploaded Files
Files you upload (such as CVs, resumes, or cover letters) may contain special category personal data as defined by UK GDPR Article 9, including information relating to health, racial or ethnic origin, religious beliefs, or other protected characteristics.
We process uploaded files solely to provide the interview preparation features of the Service. We do not extract, classify, or make decisions based on any special category data that may be present in your files. However, because your file content is processed into vector embeddings and portions may be sent to our AI provider during sessions, we rely on your explicit consent (UK GDPR Article 9(2)(a)) as the lawful condition for processing any special category data contained in your uploaded files.
By uploading files to the Service, you explicitly consent to the processing of any special category data they may contain for the purpose of AI-powered interview preparation. You may withdraw this consent at any time by deleting your uploaded files, which will remove the files, their vector embeddings, and associated data. To minimise risk, we recommend reviewing your files before upload and redacting any sensitive information that is not relevant to your interview preparation.
5. Data Sharing
We do not sell your personal data. We share data with the following categories of third-party service providers, solely to operate the Service:
- Google (Firebase) — authentication and hosting.
- OpenAI — processing your chat messages and screen content to generate AI responses, and real-time audio transcription via the OpenAI Realtime API, under a Data Processing Agreement.
- Stripe — payment processing.
- Amazon Web Services (AWS) — file storage (S3) for user-uploaded documents.
- Google Cloud Platform (GCP) — infrastructure hosting, database, and storage.
- Meta (Facebook) — analytics and advertising attribution (with your consent).
- Resend (United States) — transactional email delivery. We share your email address and first name with Resend to send account notifications, session reminders, session completion summaries, and payment confirmations. Email content may include session names, dates, and credit amounts. Resend processes this data under a Data Processing Agreement with Standard Contractual Clauses for international transfers.
6. International Data Transfers
Our infrastructure is hosted on Google Cloud Platform in the United States. This means your personal data is transferred to and stored in the US. Additionally, some of our third-party service providers (Amazon Web Services, OpenAI, Stripe, Meta) are based in the United States. Your uploaded files are stored in AWS S3 in the United States.
When we transfer personal data outside the United Kingdom, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) as approved by the UK Information Commissioner's Office (ICO), incorporated into our agreements with each US-based processor.
- Data Processing Agreements with all third-party processors, as required by UK GDPR Article 28.
- Technical measures including encryption of data in transit and at rest.
- Transfer Risk Assessments conducted for each international transfer, in accordance with ICO guidance.
7. Data Retention
We retain your data as follows:
- Account data — retained for as long as your account is active. Upon account deletion, we delete your personal data within 30 days, including all uploaded files from cloud storage, their vector embeddings, session histories, and associated metadata, except where we are required to retain it by law.
- Interview sessions — chat transcripts and session summaries are retained for up to 12 months after the session, unless you delete them earlier.
- Uploaded files — retained for as long as your account is active or until you delete them. When you delete a file, the original file is removed from cloud storage, its vector embeddings are deleted from our database, and associated metadata is erased. Deletion is processed immediately. File content sent to OpenAI during interview sessions is processed in real time and is not retained by OpenAI beyond their standard API data processing period (up to 30 days for abuse monitoring, as specified in their Data Processing Agreement).
- Screenshots — screen share screenshots are processed transiently in memory and sent to the AI provider in real time. They are not permanently stored.
- Audio transcriptions — raw audio is not stored. Transcribed text is retained temporarily (up to 24 hours) during the session and then stored permanently as part of your session history in our database.
- Payment records — retained for up to 7 years to comply with UK tax and accounting obligations (HMRC requirements).
8. Your Rights
Under the UK GDPR, you have the following rights regarding your personal data:
- Right of access — you can request a copy of the personal data we hold about you.
- Right to rectification — you can ask us to correct inaccurate or incomplete data.
- Right to erasure — you can ask us to delete your personal data in certain circumstances. For uploaded files, you can exercise this right directly through the Service by deleting individual files, which removes the original file, all vector embeddings derived from it, and associated metadata.
- Right to restrict processing — you can ask us to limit how we use your data.
- Right to data portability — you can request your data in a structured, machine-readable format.
- Right to object — you can object to processing based on legitimate interest.
- Rights related to automated decision-making — you can request human review of significant decisions made solely by automated means.
- Right to withdraw consent — where we process your data based on consent (such as analytics cookies), you can withdraw your consent at any time via the cookie settings or by contacting us. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, contact us at support@selfinity.ai. We will respond within one month of receiving your request, as required by law.
9. Cookies and Tracking
We use the following types of cookies and tracking technologies:
- Essential cookies — required for authentication and core Service functionality. These cannot be disabled.
- Analytics cookies — used to understand Service usage via Meta Pixel. These are only activated with your consent.
You can manage your cookie preferences at any time through the cookie consent banner or your browser settings.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS) and at rest.
- Access controls and authentication for all internal systems.
- Regular security reviews and monitoring.
- Use of managed cloud infrastructure with industry-standard security certifications.
While we take reasonable steps to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
11. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33.
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by UK GDPR Article 34.
- Take immediate steps to contain and remediate the breach.
12. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected data from a minor, we will take steps to delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service at least 14 days before the changes take effect. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
14. Complaints
If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
15. Contact
For any privacy-related questions or requests, contact our designated privacy contact at: support@selfinity.ai
Selfinity AI Limited (Company No. 16974440)
Lytchett House, 13 Freeland Park, Wareham Road
Poole, Dorset, BH16 6FA
United Kingdom
