Privacy Policy

Last updated: February 19, 2026 · Effective date: February 19, 2026

1. Introduction

ZeroPitch (“we,” “us,” or “our”) operates a conversational assessment platform that enables organizations to conduct AI-powered interviews, sales simulations, and communication practice sessions (the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect information when you use our website, applications, and related services.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

2. Definitions

  • Organization — A company, team, or individual that creates experiences and invites candidates to participate.
  • Candidate / Participant — An individual who participates in an assessment session via a shared link.
  • Dashboard User — An Organization member who accesses the management dashboard.
  • Session — A single assessment interaction between a Candidate and our AI agent.

3. Information We Collect

3.1 Information Candidates Provide

  • Identity information — Name and email address used for session authentication via one-time verification code.
  • Profile data — Responses to custom profile fields configured by the Organization (e.g., resume, work history, skills, and other information requested before the session begins).
  • Session content — Audio recordings of your voice during the session, real-time transcripts generated from your speech, and your self-reflection responses (if applicable).
  • Video and screen recordings — Camera and/or screen recordings when enabled by the Organization for a particular session section.
  • Canvas and diagram data — Content you create on the interactive whiteboard or canvas during the session.
  • Uploaded files — Resumes, documents, or other files you upload as part of the profile or session workflow.

3.2 Information Dashboard Users Provide

  • Account information — Name, email address, and authentication credentials provided during sign-up via OAuth.
  • Billing information — Subscription status and plan details associated with your Organization account.
  • Organization content — Scenarios, system prompts, evaluation rubrics, job descriptions, branding assets, and other content created to configure experiences.

3.3 Information Collected Automatically

  • Device and browser information — IP address, browser type and version, operating system, and device identifiers collected via standard HTTP headers.
  • Session integrity signals — Tab-switch events, connection status, and similar metadata collected during a session to help Organizations assess session integrity. These signals are informational only and do not trigger automated decisions.
  • Security and abuse prevention data — Bot detection scores from Google reCAPTCHA Enterprise (which may process your IP address, browser characteristics, and interaction patterns), rate-limiting counters, and authentication attempt records.
  • Cookies — We use strictly necessary cookies for session authentication. We do not use advertising or analytics cookies. See Section 8 for details.

4. How We Use Your Information

We use the information we collect for the following purposes:

Purpose | Legal Basis (GDPR)
Providing and operating the assessment session | Performance of contract; Consent
Converting your speech to text and generating AI responses | Performance of contract; Consent
Generating evaluation scores, analytics, and feedback for the Organization | Legitimate interest of the Organization
Processing payments and managing subscriptions | Performance of contract
Preventing fraud, abuse, and unauthorized access | Legitimate interest; Legal obligation
Maintaining audit logs for security and compliance | Legitimate interest; Legal obligation
Improving the accuracy and quality of our AI models and Service | Legitimate interest

5. Third-Party Service Providers (Sub-Processors)

We share data with the following categories of service providers, solely as necessary to operate the Service. Each provider processes data under contractual obligations to protect your information.

Provider | Purpose | Data Processed
Supabase | Database hosting and authentication | All structured application data (session records, profile data, transcripts, user accounts)
Google Cloud Platform | Media storage (GCS), AI model hosting (Vertex AI), bot protection (reCAPTCHA Enterprise) | Audio/video recordings, uploaded files, session text for AI processing, IP address and browser signals for reCAPTCHA
AssemblyAI | Real-time speech-to-text transcription | Audio stream during the session (processed in real time, not stored by provider)
Cartesia | Text-to-speech voice synthesis | AI-generated response text (converted to audio and returned, not stored by provider)
Upstash | Rate limiting and abuse prevention | IP address (hashed as rate-limit key); no personal data stored

We do not sell, rent, or trade your personal information to any third party for marketing or advertising purposes.

6. AI Processing and Automated Decision-Making

Our Service uses artificial intelligence to conduct conversational assessments. During a session:

  • Your speech is transcribed to text by our speech-to-text provider (AssemblyAI) in real time.
  • The transcript is processed by a large language model (Google Gemini) to generate contextual AI responses and evaluate your performance against criteria set by the Organization.
  • AI-generated response text is converted to spoken audio by our text-to-speech provider (Cartesia).

Important: AI-generated scores and evaluations are provided to the Organization as decision-support tools only. They are not used to make fully automated decisions about candidates without human review. Organizations are responsible for ensuring that their use of AI-assisted evaluations complies with applicable employment and anti-discrimination laws.

Session integrity signals (such as detected prompt injection attempts or tab-switch events) are recorded as informational signals and are never used to automatically block, disqualify, or penalize a candidate.

7. Consent and Audio/Video Recording

Before an assessment session begins, you will be presented with a consent dialog that clearly describes:

  • That the session will be audio recorded for evaluation purposes.
  • That AI-powered analysis will be used to evaluate your responses.
  • That your data will be processed by our service providers.
  • That session data will be stored in accordance with this Privacy Policy.

You must provide explicit consent before the session can start. If you do not consent, you may close your browser to exit. Your consent is recorded with a timestamp in our systems.

Withdrawal of consent: You may withdraw consent at any time by closing your browser during a session. However, data already processed prior to withdrawal cannot be retroactively deleted from real-time AI processing streams. You may request deletion of stored data by contacting us (see Section 11).

8. Cookies and Tracking Technologies

We use only strictly necessary cookies:

Cookie | Purpose | Duration | Type
session_token | Authenticates the candidate session (HMAC-signed) | 6 hours | Strictly necessary (httpOnly)
session_id | Client-side session routing | 6 hours | Strictly necessary
sb-*-auth-token | Dashboard user authentication (managed by Supabase) | Session / refresh | Strictly necessary (httpOnly)

We do not use advertising cookies, analytics cookies, or third-party tracking pixels. Google reCAPTCHA Enterprise may set its own cookies for bot detection; please refer to Google's Privacy Policy for details.

9. Data Retention

  • Session data (transcripts, recordings, profile responses, evaluation results) — Retained for as long as the Organization maintains an active account, or as required for legal compliance. Organizations may request deletion of session data at any time.
  • Dashboard user accounts — Retained for the duration of the account. Data is deleted upon account closure, subject to legal retention requirements.
  • Audit logs — Retained for a minimum of 2 years for security and compliance purposes.
  • Payment records — Retained as required by applicable tax and financial regulations (typically 7 years).
  • Cookies — Session cookies expire after 6 hours. Authentication cookies expire on logout or session refresh.

10. Data Security

We implement the following security measures to protect your data:

  • All data in transit is encrypted via TLS/HTTPS.
  • Session tokens use HMAC-SHA256 signing with timing-safe comparison.
  • WebSocket relay connections require short-lived JWT tokens (5-minute expiry).
  • Database access uses row-level security (RLS) policies to enforce data isolation.
  • Media uploads use pre-signed URLs with size limits and expiration.
  • Rate limiting and brute-force protection are enforced on all public endpoints.
  • All state-changing operations are recorded in an immutable audit log.
  • Candidate-facing API responses are sanitized to prevent exposure of internal system prompts, evaluation criteria, and future session content.

While we employ industry-standard practices, no system is completely secure. If you discover a security vulnerability, please contact us at hello@buildzeroist.com.

11. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

For All Users

  • Access — Request a copy of the personal data we hold about you.
  • Correction — Request correction of inaccurate data.
  • Deletion — Request deletion of your personal data, subject to legal retention requirements.
  • Withdraw consent — Withdraw your consent at any time for data processing based on consent.

Additional Rights Under GDPR (EEA/UK)

  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing based on legitimate interest
  • Right not to be subject to solely automated decision-making
  • Right to lodge a complaint with a supervisory authority

Additional Rights Under CCPA (California)

  • Right to know what personal information is collected and how it is used
  • Right to request deletion of personal information
  • Right to opt out of the sale of personal information (we do not sell personal information)
  • Right to non-discrimination for exercising your rights

To exercise any of these rights, contact us at hello@buildzeroist.com. We will respond within 30 days (or as required by applicable law).

12. International Data Transfers

Your data may be processed in countries other than your own, including the United States, where our service providers operate. When transferring data internationally, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements (DPAs) with our sub-processors listed in Section 5
  • Service providers certified under recognized frameworks where applicable

13. Children's Privacy

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us and we will promptly delete it.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the “Last updated” date at the top of this page and, where appropriate, providing additional notice (such as an email or in-app notification). Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

15. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us: