Privacy Policy

Introduction

Gradeless AI Pvt. Ltd. ("Gradeless AI", "we", "us", or "our") is the data controller and data fiduciary for personal data collected through the Rehearsal product. Rehearsal is an AI-powered interview preparation platform offered through three channels: the web application at tryrehearsal.ai, the Rehearsal iOS application, and the Rehearsal Android application.

This Privacy Policy describes the personal data we collect, how we use and share it, the third-party services we rely on (including third-party AI providers), and your rights under the laws that apply to you, including India's Digital Personal Data Protection Act 2023, the EU General Data Protection Regulation, the UK GDPR, the California Consumer Privacy Act as amended by the CPRA, the United States Children's Online Privacy Protection Act, and other applicable laws.

Important — AI is the core service.

Rehearsal's real-time AI voice interviewer, transcript analysis, AI scoring and feedback, report generation, personalised recommendations, and memory-based personalisation are not optional add-ons. They constitute the core functionality of the web platform and the mobile apps. Without sharing your data with the third-party AI providers named in Section 4, the Service cannot function and there is no meaningful non-AI mode to fall back to. For this reason, your consent to the AI processing described in Section 4 is a condition of using Rehearsal. We obtain that consent in two layers, in line with applicable mobile app store privacy and AI-disclosure requirements:

• At account creation, you accept this Privacy Policy, which names every third-party AI provider, the data we send to each, and the purpose of that sharing.
• Before your first AI-powered session in the iOS or Android app, a separate in-app consent screen lists the same providers in plain language and asks for your explicit, affirmative permission (a tap on "I agree") before any data is transmitted. This consent is specific to AI data sharing and is not bundled with other permissions. Closing the screen or navigating away is not consent.

If you decline either layer of consent, you will not be able to use Rehearsal, and we will not transmit any of your data to a third-party AI provider. You can withdraw consent at any later time by deleting your account from Settings → Account → Delete Account in the iOS or Android app, or by writing to contact@gradeless.ai; this stops all further data sharing and removes your data from our systems within 30 days, subject to limited legal retention described in Section 7.

1. Who We Are and How to Contact Us

2. Information We Collect

2.1 Information You Provide Directly

• Name and email address (during account creation via the available federated sign-in providers or Email OTP)
• Educational institution, course, graduation year, and academic details
• Professional profile (domain, function, industry, experience level, skill areas)
• Resume / CV file content (text extracted from PDFs you upload)
• Job descriptions you upload or paste
• Phone number, where you provide it
• Payment information collected and processed by our payment partners (we do not store full card numbers)
• Feedback, support messages, and any content you submit voluntarily

2.2 Information Generated Through Use of the Service

• Interview audio captured by your device microphone during practice sessions
• Real-time and stored interview transcripts (text)
• AI-generated questions, feedback, scores, and post-interview reports
• Q&A bookmarks ("Notebook" entries), reactions, and shared notes
• Aptitude test answers and guesstimate session content
• Memory insights derived from sessions (e.g., decision patterns, communication style) used to personalise future sessions
• Streak, learning-progress, and engagement metrics

2.3 Information Collected Automatically

• Device type, operating system, app version, and crash diagnostics
• IP address and approximate location derived from it
• Usage events (screens viewed, features used, session duration)
• On the web: cookies and similar storage (see Section 13)
• On iOS: we do not use the IDFA, do not track you across other apps and websites, and therefore do not present an App Tracking Transparency prompt
• On Android: we do not use the Android Advertising ID for advertising or cross-app profiling
• Push notification tokens (when notifications are enabled)

2.4 Sensitive Data

For the purposes of the CPRA (California) and similar laws, "sensitive personal information" we may process includes account credentials and the contents of your interview practice (audio, transcripts, resume). We use these only to deliver the AI interview service and never for purposes of inferring characteristics about you for advertising or profile-building. You have the right to limit our use of sensitive personal information; see Section 8.

Under India's DPDP Act 2023, the category of "sensitive personal data" is not defined separately, but we treat biometric-adjacent data (voice recordings) and account credentials with elevated security controls.

3. How We Use Your Information and Our Legal Basis

We use the data described in Section 2 to:

• Operate the AI interview, voice, transcript, report, recommendation, and memory features
• Generate personalised feedback, scores, and learning recommendations
• Maintain your account, authenticate sign-ins, and process subscription payments
• Communicate with you about your account, billing, and material changes to the Service
• Send promotional communications only with your consent (you can opt out at any time)
• Improve our own product (aggregated, de-identified usage analytics, debugging, abuse prevention). We do not use your content to train any third-party AI provider's foundation models.
• Comply with legal obligations and respond to lawful requests
• Protect the rights, safety, and property of Gradeless AI, our users, and the public

Legal bases (GDPR / UK GDPR users)

• Contract — to provide the service you signed up for (Article 6(1)(b))
• Consent — for AI processing involving third-party providers, marketing emails, and certain cookies (Article 6(1)(a)). You can withdraw consent at any time as described in Sections 7 and 8.
• Legitimate interests — for product analytics, security, abuse prevention, and limited diagnostic logging, where these do not override your rights (Article 6(1)(f))
• Legal obligation — for tax, accounting, and lawful requests (Article 6(1)(c))

Legal basis (India DPDP Act users): primarily your consent under section 6 of the DPDP Act, supplemented where applicable by the narrow "legitimate uses" listed in section 7 (for example, to comply with law or to respond to a medical emergency).

4. Third-Party AI Providers

The AI features that power Rehearsal are delivered with the help of the named third-party providers in the table below. We disclose them by name as required by applicable mobile-app-store privacy guidelines, and the same disclosures are reflected in the data-safety information we provide on the Android app store. Before any of your personal data is shared with these providers in the iOS or Android app, we ask for your explicit, affirmative consent through an in-app screen that names each provider. Because AI is the core service of Rehearsal, the way to withdraw consent at a later date is to delete your account (Settings → Account → Delete Account), which stops all further data sharing and removes your data within 30 days.

4.1 Model Training Opt-Out

We use these providers under their commercial API terms with training disabled. Your content is not used to train the foundation models of OpenAI, Anthropic, Google, xAI, DeepSeek, Mistral, or ElevenLabs. Each provider may retain API request data for a short period for abuse and security monitoring (for example, OpenAI retains API data for up to 30 days under its standard API Data Processing Addendum and then deletes it).

4.2 AI-Generated Content Disclosure

You are interacting with an AI system. In line with Article 50(1) of the EU AI Act (Regulation EU 2024/1689), applicable mobile-app-store AI-generated content policies, and applicable AI transparency laws (such as California's "AI labeling" laws), we make this clear to you at the first interaction with any AI feature inside Rehearsal.

The questions, feedback, scores, reports, and voice responses generated inside Rehearsal are produced by AI systems. We make this clear during onboarding and at the start of AI-powered sessions, and the AI-powered nature of the Service is described in this Privacy Policy, in line with Article 50(2) and 50(4) of the EU AI Act, which require synthetic and AI-generated content to be identifiable as such. Where technically feasible, we additionally use signals that allow the AI-generated nature of the output to be detected.

Reporting AI output concerns. You may write to contact@gradeless.ai with any AI-generated content concern, and we will respond within 30 days.

4.3 Equal Protection of Your Data

We confirm, as required by applicable mobile-app-store privacy guidelines and applicable data-protection law, that every third party listed in this Section 4 and in Section 5 is bound by a written agreement (typically a Data Processing Addendum or equivalent) requiring them to provide the same or equivalent protection of your personal data as set out in this Privacy Policy. We review these agreements before integrating each provider.

4.4 Your Choice

The AI processing described above is the core service of Rehearsal and cannot be turned off while you continue to use the app. If you do not wish to share your data with the providers in this section, your choices are to not create an account, decline the in-app consent screen, or delete your existing account from Settings → Account → Delete Account. We do not sell your personal information to anyone, and we do not "share" personal information for cross-context behavioral advertising as those terms are defined under the CPRA.

5. Other Third Parties We Share Data With

5.1 Infrastructure and Hosting

• Supabase, Inc. — authentication, PostgreSQL database, file storage. Stores account credentials, profile data, sessions, transcripts, and uploaded files.
• Render Services, Inc. — backend application hosting. Processes requests in transit; does not retain payloads.
• Vercel, Inc. — frontend application hosting and CDN.

5.2 Authentication Providers

• iOS sign-in provider — when you choose this option at sign-in, we receive your name and (optionally relayed) email address.
• Web sign-in provider — when you choose this option at sign-in, we receive your name, email, and account ID.
• Enterprise sign-in provider — when you choose this option at sign-in, we receive your name, email, and account identifier.

5.3 Payment Processing

• Razorpay Software Pvt. Ltd. — receives name, email, phone, billing address, and payment instrument details. We do not store full card numbers.
• Cashfree Payments India Pvt. Ltd. — same scope as Razorpay; used for select payment flows.
• iOS in-app purchase system — when you purchase a subscription through the iOS app, billing is handled by the platform vendor under the platform's media services terms; we receive only an opaque transaction identifier.
• Android in-app billing system — when you purchase through the Android app, billing is handled by the platform vendor; we receive only the purchase token.

5.4 Analytics and Product Telemetry

• PostHog, Inc. (EU region, eu.i.posthog.com) — product analytics, session replay, and feature flags. Receives an internal user ID, screen / page events, and feature usage data. We do not send interview transcripts or resume content to PostHog. Session replay does not capture text input in sensitive fields.
• Google Analytics and Google Tag Manager (Google LLC) — traffic and conversion measurement on the marketing site only; not loaded inside the iOS or Android app.
• Vercel, Inc. (Vercel Analytics) — server-side and edge-level performance and traffic analytics for our website.
• hCaptcha (Intuition Machines, Inc.) — bot protection on web forms. Receives challenge data, IP address, and limited browser signals strictly for fraud prevention.

5.5 Institutional Partners

If your account was provisioned by an educational institution, authorised faculty or placement administrators of that institution may access your practice data and reports for academic and placement purposes.

5.6 Legal Requirements and Business Transfers

We may disclose information when required by law, valid legal process, or to protect the rights, safety, and property of Gradeless AI, our users, or the public. If we are involved in a merger, acquisition, or asset sale, we will notify users before personal data is transferred to a successor entity and provide an opportunity to delete the account.

6. International Data Transfers

Rehearsal is operated from India. The third parties named in Sections 4 and 5 are located primarily in the United States and the European Union. Where personal data is transferred outside the European Economic Area, the United Kingdom, or India, we rely on lawful transfer mechanisms — typically Standard Contractual Clauses approved by the European Commission, the UK International Data Transfer Addendum, and written data-processing agreements that require an equivalent level of protection. Under India's DPDP Act 2023, transfers are permitted unless the destination country has been specifically restricted by the Government of India; we monitor government notifications and adjust accordingly.

7. Data Retention

We retain different categories of data for different periods:

• Account profile (name, email, education): for the life of the account, plus 90 days after deletion to handle billing and abuse disputes.
• Interview transcripts and reports: 24 months from the date of the session, after which they are deleted unless you have explicitly chosen to keep them.
• Interview audio: not stored on our servers in raw form; live audio streams to OpenAI / ElevenLabs only for the duration of the session.
• Uploaded resumes / job descriptions: until you delete them or close your account, then deleted within 30 days.
• Memory insights (Mem0): until you delete them from Settings → Memories or close your account.
• Provider-side retention: OpenAI retains API request data for up to 30 days for abuse monitoring; other AI providers have similar short retention windows under their API DPAs.
• Payment records: 7 years, as required by Indian tax law.
• Analytics events (PostHog): 12 months at event level; aggregates retained longer.
• Encrypted backups: rotated out within 35 days.

Anonymised and aggregated data that cannot identify you may be retained indefinitely for research and analytics.

8. Your Rights and How to Exercise Them

Subject to applicable law, you have the following rights over your personal data:

8.1 Rights Available to All Users

• Correct your information: edit your profile in Settings → Account, or write to contact@gradeless.ai with the correction.
• Delete your account and all associated data: in line with applicable mobile-app-store account-deletion requirements and Section 12 of the DPDP Act, the Rehearsal iOS and Android apps offer in-app account deletion at Settings → Account → Delete Account. We action deletion within 30 days, except where law requires longer retention (for example, tax records).
• Withdraw consent for AI processing: because AI is the core service of Rehearsal, withdrawal is performed by deleting your account (above). Account deletion stops all further data sharing with the providers in Section 4.
• Opt out of promotional emails: use the unsubscribe link in any marketing email or write to contact@gradeless.ai.
• Email request: if any of the above is unavailable to you, write to contact@gradeless.ai from the email associated with your account. We respond within 30 days.

8.2 Additional Rights for EU / EEA / UK Users (GDPR)

• Right to restriction of processing
• Right to object to processing based on legitimate interests, including direct marketing
• Right to data portability — receive your data in a structured, commonly used, machine-readable format and transmit it to another controller
• Right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (the AI scoring inside Rehearsal does not produce such effects; it is an educational practice tool)
• Right to lodge a complaint with your supervisory authority — for example, the Irish DPC, France's CNIL, or the UK ICO

8.3 Additional Rights for California Residents (CCPA / CPRA)

• Right to know what personal information we have collected, the sources, the purposes, and the categories of third parties with whom it is shared (this Privacy Policy itself satisfies that disclosure)
• Right to delete personal information we hold about you
• Right to correct inaccurate personal information
• Right to opt out of sale or sharing — we do not sell or "share" personal information for cross-context behavioural advertising, so there is nothing to opt out of; if this ever changes, we will provide a "Do Not Sell or Share My Personal Information" link
• Right to limit the use of sensitive personal information — we use sensitive personal information (interview audio, transcripts, resume contents, account credentials) only to deliver the AI interview service and never for inferring characteristics about you, advertising, or profile-building, which means a separate "Limit the Use of My Sensitive Personal Information" link is not currently required. To exercise this right at any time, write to contact@gradeless.ai with the subject line "Limit Sensitive PI". If we ever begin processing sensitive personal information for purposes that trigger the link requirement, we will add a clear and conspicuous link on this page and on the website footer.
• Right to non-discrimination — we will not deny you services, charge you a different price, or provide a different level of quality because you exercised any privacy right

8.4 Additional Rights for Indian Users (DPDP Act 2023)

• Right to access information about the personal data we process about you
• Right to correction, completion, updating, and erasure of your personal data
• Right to grievance redressal — contact our Grievance Officer at contact@gradeless.ai. We respond within the timelines prescribed by the DPDP Rules.
• Right to nominate another individual to exercise your rights in the event of your death or incapacity

You may use an authorised agent to submit a request on your behalf, in which case we may verify the agent's authority and your identity before fulfilling the request.

9. How We Protect Your Data

We use TLS 1.2+ in transit, encryption at rest for our database and file storage, role-based access controls, audit logging, regular security reviews, and a responsible-disclosure / bug-bounty channel. To responsibly disclose a security issue, please write to contact@gradeless.ai. No system is perfectly secure; we will notify affected users without undue delay if we become aware of a personal-data breach that is likely to result in a high risk to your rights, in line with applicable law (including GDPR Article 33–34 and section 8(6) of the DPDP Act).

10. Automated Decision-Making and Profiling

Rehearsal uses AI to simulate interviews, score answers, and generate reports. This processing is automated, but it does not produce legal effects or similarly significant effects on you within the meaning of GDPR Article 22 — it is an educational practice tool, not a hiring or selection decision system. We do not use AI to make admissions, employment, or credit decisions. You can request a human review of any AI output by writing to contact@gradeless.ai.

11. Children's Privacy

The Rehearsal iOS app is rated 17+ and the Android app uses the equivalent platform age rating. The web platform is intended for users aged 18 and above. We do not knowingly collect personal data from children below the applicable age in any of these channels.

India (DPDP Act 2023): India's DPDP Act 2023 defines a child as an individual below 18 years of age. Processing of a child's personal data requires verifiable parental consent under Section 9, and we do not perform tracking, behavioural monitoring, profiling, targeted advertising, or automated decision-making in respect of children.

United States (COPPA): Under the Children's Online Privacy Protection Act, our services are not directed to children under 13, and we do not knowingly collect personal information from children under 13. We comply with the FTC's COPPA Rule including its 2025 amendments restricting third-party sharing, advertising, and retention of children's data.

EU / EEA / UK (GDPR): We do not knowingly process personal data of children under 16 (or the lower age of digital consent set by an EU member state, where applicable) without verifiable parental consent.

If you believe a child has provided us with personal data, please write to contact@gradeless.ai and we will delete it promptly.

12. Device Permissions

Our mobile apps request the following device permissions:

• Microphone — required for spoken interview practice. We ask each platform's runtime permission prompt and stop using the microphone when the session ends.
• Notifications — optional; used to remind you about scheduled practice or new feedback.
• Photos / Files — optional; used only when you upload a resume.
• Network — required to use any feature.

We do not request location, contacts, calendar, SMS, call logs, or background location.

13. Cookies, Web Storage, and Mobile Identifiers

On the web we use first-party cookies and browser storage to keep you signed in, remember preferences, and measure aggregate product usage. Where required by law (for example in the EEA / UK), we ask for your cookie preferences via a consent banner before non-essential cookies are set. You can change your choices at any time through the banner or your browser settings; disabling essential cookies may break sign-in.

On iOS we do not use the IDFA, do not perform cross-app or cross-website tracking, and therefore do not present an App Tracking Transparency prompt. On Android we do not use the Android Advertising ID for advertising or cross-app profiling. Both apps store a randomly generated internal user ID in the device keychain / keystore to keep you signed in; you can clear it by signing out or uninstalling the app.

14. Third-Party Links

Our platform may contain links to third-party websites or services that are not operated by us. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before sharing personal data with them.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make a material change (for example, adding a new third-party AI provider), we will update the "Last updated" date above, post a notice in the apps and on this page, and where required by law ask for fresh consent. Your continued use of Rehearsal after the effective date of an update constitutes acceptance of the updated Privacy Policy.

16. Jurisdiction-Specific Disclosures

16.1 California Notice at Collection (CCPA / CPRA)

At or before the point of collection, we collect the categories of personal information described in Section 2 for the purposes described in Section 3. We do not sell personal information and do not share it for cross-context behavioural advertising. We retain personal information for the periods described in Section 7. To exercise your CCPA / CPRA rights, see Section 8.3.

16.2 EEA / UK GDPR Representative

Where required by GDPR Article 27, we will appoint an EU / UK representative and update this section with their contact details. Until then, EEA and UK users may contact our privacy team directly at contact@gradeless.ai.

16.3 India — Grievance Officer (DPDP Act 2023 / IT Rules 2021)

17. Contact Us

For privacy questions, data requests, or any concern about this Privacy Policy, please contact us:

By using Rehearsal you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. For the AI-powered features described in Section 4, we will also ask for your explicit in-app consent before sharing any of your data with the named third-party AI providers.