Last updated: 17 June 2026
aurate is a trading name of AURATE AI LTD, a company registered in England and Wales (Company No. 17131159), with registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom. Throughout this policy, "aurate", "we" and "us" refer to AURATE AI LTD.
We are the data controller for your personal data.
Contact for data protection queries: hello@aurateai.com
ICO Registration: ZC109790
aurate is designed to keep your personal data tight to what's actually needed to run the service. We don't record audio. We don't sell your data. We don't use your sessions to train AI models. What we do keep is described below — and you can delete almost all of it by deleting your account.
/autopsy page — your Vibe Score, feedback bullets, metric evidence, phase summaries, Biggest Gap, Silver Lining, and Next Step. This is text generated by our scoring engine that quotes and paraphrases what you said in the session.
At the end of each session we store your performance scores alongside a one-way hash of your account identifier. Because that hash is derived from your account, it stays linked to you — so this is pseudonymised data, and we treat it as personal data. It is not anonymised. We use it to give you progression insight across sessions and to maintain aggregate performance benchmarks. It never includes your name, email, or IP address. See Section 3.3 for the detail, and Section 6 for how long we keep it — including that, because these rows carry no name, email, or IP, they are not removed when you delete your account.
| Data | When Collected | Purpose |
|---|---|---|
| Email address | Account creation | Authentication, account management, transactional communications |
| CV text | Session configuration (uploaded, extracted in-browser, or pasted) | Personalising the interview and grading your performance. See Sections 3.2 and 6 for storage and retention. |
| Session configuration choices | Session setup | Calibrating the AI interviewer (role level, industry, persona) |
| Payment information | Checkout | Processing payments. We do not store card details — handled entirely by our payment processor. |

| Data | How Generated | Retention |
|---|---|---|
| Audio (voice) | Real-time conversation with the AI interviewer | Never stored. Streams directly from your browser to our AI provider via ephemeral token. Never passes through our servers. |
| Session transcript | Transcribed in real time during the session | Retained on our servers to generate and verify your performance feedback and to resolve disputes. Tied to your account; deleted when you delete it, or after 18 months, whichever comes first. |
| AI responses | Generated by our AI provider during the session | Stored as part of the session transcript (same row as above) — same retention and deletion behaviour. |
| Vibe Score, Vibe Card payload, and feedback bullets | Generated at session end by our autopsy pipeline | Retained as the report shown on your Vibe Card and /autopsy page — includes your Vibe Score, metric evidence, phase summaries, Biggest Gap, Silver Lining, Next Step, and feedback bullets. This is AI-generated text that quotes and paraphrases what you said. Tied to your account; deleted when you delete it. |
| Module summaries | Generated at phase transitions | Retained as the “strongest response” and “weakest response” the scoring engine extracts from each phase. These quote and paraphrase what you said. Tied to your account; deleted when you delete it. |
| Action plan | Extracted at the end of the session | Stored on your session record. Tied to your account; deleted when you delete it. |
| Heartbeat telemetry | Sent periodically during active sessions | Stored as a timestamp update used for crash detection and session recovery. No transcript content. |
At the end of each session we store performance metrics from your results: your Vibe Score and sub-scores (logic, delivery, resilience, synthesis), filler-word frequency, persona, tier, role/sector category, session length, and a per-session counter that lets us see your trend over time. We store these alongside a cohort_id — a one-way SHA-256 hash of your account identifier. Because that hash is derived from your account, these rows stay linked to you: this is pseudonymised data and we treat it as personal data. It is not anonymised, and we do not claim it cannot be traced back to you.
We do not include your name, email address, IP address, or any transcript content in this data. Our lawful basis is legitimate interest (Article 6(1)(f)) — giving you progression insight across sessions and maintaining aggregate performance benchmarks. You can object to this processing at any time (see Section 7).
Because these rows carry only the hashed identifier and your performance numbers — no name, email, or IP — they are not removed when you delete your account. We keep them so our aggregate benchmarks and trend statistics stay intact. If you would like your existing benchmarking rows removed, contact us before deleting your account and we will delete them — after your account is gone we can no longer tell which rows are yours.
| Data | Purpose | Retention |
|---|---|---|
| IP address (session) | Dispute resolution, fraud prevention, session validation | Retained for 90 days, then automatically deleted. Lawful basis: legitimate interest. |
| IP address (account creation) | Sign-up fraud and abuse prevention | Logged for fraud and abuse prevention. Retained for 90 days, then automatically deleted (or earlier on request); not linked to your account. Lawful basis: legitimate interest. |
| Browser/device information | Session compatibility and debugging | Not stored persistently. Used transiently during session establishment. |
| Consent timestamps | Proving you consented to session terms | Stored on your account record; deleted when you delete your account. |
We use Vercel Web Analytics to understand how visitors use aurate (for example, which pages are viewed and how visitors arrive). It is privacy-first and cookieless — it does not use cookies or other persistent identifiers, does not track you across other websites, and does not collect personally identifiable information. It records only aggregated, non-identifying data such as page views, referring sites, approximate country-level location, and device or browser type. Vercel Inc. acts as a processor for this purpose.
| Purpose | Lawful Basis (UK GDPR) |
|---|---|
| Providing the interview simulation service | Performance of contract (Article 6(1)(b)) |
| Processing payments | Performance of contract (Article 6(1)(b)) |
| Generating your autopsy and performance analysis | Performance of contract (Article 6(1)(b)) |
| Storing consent timestamps | Legal obligation (Article 6(1)(c)) |
| Retaining IP addresses for dispute resolution and fraud prevention | Legitimate interest (Article 6(1)(f)) |
| Storing pseudonymised benchmarking and progression data | Legitimate interest (Article 6(1)(f)) — see Section 3.3 |
| Crash detection and session recovery | Legitimate interest (Article 6(1)(f)) |
| Website analytics — understanding how visitors use the site | Legitimate interest (Article 6(1)(f)) |
| Sending transactional emails | Performance of contract (Article 6(1)(b)) |
We do not use your data for marketing purposes unless you explicitly opt in. We do not sell your data to third parties. We do not use your session content (audio, transcripts) for AI model training.
Your voice is processed by our AI provider during your session for real-time transcription so the interviewer can respond. We've architected the audio path so that audio never transits our servers — it goes directly from your browser to the provider via an ephemeral token, and we never store any audio recording or voiceprint. We retain only the resulting text transcript and the scores derived from it.
We use your interview audio only to transcribe your answers and generate your feedback — never to recognise or identify you by your voice. For that reason we treat this as ordinary personal data under UK GDPR, not as special category 'biometric' data under Article 9.
We share personal data only with service providers acting as data processors on our behalf, in the following categories:
| Category | Data Shared | Purpose |
|---|---|---|
| Cloud database and authentication | Email, user profile, session metadata, telemetry, IP | Database, authentication, session state |
| AI interview provider | Audio (in-transit), CV context (in system prompt) | AI interview simulation |
| Payment processor | Email, payment information | Payment processing |
| Application hosting | Transient request data during function execution | Application hosting, autopsy processing |
| Website analytics | Cookieless, aggregated usage data — page views, referring site, approximate country, device/browser type (no cookies, no personal identifiers) | Understanding how visitors use the site |
| Rate limiting and abuse prevention | IP addresses, user identifiers | Protecting the service from abuse, fraud, and excessive requests |
| Transactional email | Email address | Transactional email delivery |
| Error monitoring | Error data (anonymised request metadata) | Error tracking and monitoring |
| Email and productivity | Email correspondence (support and data-protection requests) | Receiving and handling your support and privacy emails |
When a job description is uploaded, Gemini extracts the role and company name as part of the parsing process, to increase accuracy ahead of the interview.
Some of these providers process personal data outside the United Kingdom, including in the United States. Where they do, the transfer is protected by an approved safeguard — the UK Extension to the EU-US Data Privacy Framework ("UK-US Data Bridge") or the UK International Data Transfer Agreement. We make the names of our current processors available on request.
We do not share personal data with any other third parties.
| Data Category | Retention Period | Deletion Trigger |
|---|---|---|
| Audio | Not retained. Never stored. | N/A — streams directly from browser to AI provider |
| Session transcript and AI responses | Account lifetime, or 18 months, whichever is shorter | Account deletion (cascade) or scheduled 18-month purge |
| Vibe Card payload, module summaries, action plan | Account lifetime | Account deletion (cascade) |
| CV text and CV summary | Lifetime of your session record | Account deletion (cascade) plus session cleanup |
| Account data (email, tier, credits) | Lifetime of account | Account deletion |
| Session telemetry (scores, metadata) | Lifetime of account | Account deletion (cascade) |
| IP address (session) | 90 days | Automatic scheduled purge |
| IP address (account-creation logs) | 90 days, then automatically deleted (or earlier on request) | Automatic scheduled purge (not linked to your account) |
| Consent timestamps | Account lifetime | Account deletion (cascade) |
| Pseudonymised benchmarking & progression data | Indefinite | Not removed on account deletion — rows carry only a one-way hash plus performance scores (no name, email, or IP), retained to keep aggregate statistics intact. See Section 3.3 |
| Vibe Card shares | Lifetime of account | Account deletion (cascade) |
| Admin audit logs | Retained for compliance | Not deleted — required for compliance |
| Payment records (transaction IDs, amounts, tier — no card data) | Retained; your user identifier is removed on account deletion | Anonymised on account deletion (financial record retained) |
| Waitlist sign-up email (if you joined the waitlist) | Until removal on request | On request |
Under UK GDPR, you have the following rights:
Account deletion: Use the "Delete my account" button in your profile settings. Deletion is immediate and irreversible. Your directly identifying data — profile, session history, telemetry, transcripts, and CV — is permanently removed. Pseudonymised benchmarking and progression rows, which carry only a one-way hash of your account identifier plus performance scores (no name, email, or IP), are retained to keep our aggregate statistics intact (see Sections 3.3 and 6).
All other rights: Email hello@aurateai.com. We will respond within 30 days.
Complaints: You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
We implement appropriate technical and organisational measures to protect your personal data, including: encryption in transit (TLS/HTTPS on all connections), database-level Row Level Security policies, API key isolation via ephemeral tokens (keys never exposed to client browsers), and immutable audit logging of all administrative actions.
aurate uses cookies only where strictly necessary. We use authentication session cookies to keep you signed in — these are first-party, expire when your session ends or when you sign out, and cannot be disabled without breaking sign-in. We do not use advertising cookies, analytics cookies, or cross-site tracking cookies. Most of your client-side state (your tier and your session preferences) is held in your browser's localStorage rather than in cookies, and is cleared by signing out, clearing site data, or deleting your account.
aurate is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that a user is under 18, we will delete their account and associated data.
We may update this privacy policy from time to time. We will notify you of material changes by email or by a prominent notice in the application. The latest version will always be available at this page.
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights regarding your personal information. This section supplements the rest of our Privacy Policy for California residents.
In the preceding 12 months, we have collected the following categories of personal information as described in Section 3 above: identifiers (email address), commercial information (purchase history), internet activity information (session telemetry), and inferences drawn from session performance (Vibe Scores).
aurate does not sell, rent, or trade your personal information to third parties for monetary or other valuable consideration. We have not sold personal information in the preceding 12 months.
aurate does not share your personal information for cross-context behavioral advertising as defined under the CPRA. We do not use tracking or advertising cookies.
To exercise any of these rights, email hello@aurateai.com. We will verify your identity and respond within 45 days.