Trust & Safety
We built InterviewCaddy because interview prep is broken — not because anyone needed another shortcut. This page is the long-form version of how we think about ethics, security, and your data. Read it, share it, hold us to it.
How we think about ethics
Interviews are a high-stakes, often unfair process. They test things that don't always match the actual job — composure under fluorescent light, how quickly you can recall an example from four years ago, whether you can think on your feet at 9am when your nervous system is in fight-or-flight mode.
AI tools that help candidates navigate this process are not categorically good or bad. They're tools. How you use them is what matters.
Our position
- Practice with InterviewCaddy is always appropriate. Mock sessions, recorded practice with friends, drilling weak areas at 11pm — that's preparation, and preparation is what interviewing is supposed to be about.
- Use of Live Assist during actual interviews is your call. Many candidates use it as a real-time coach. Some employers permit AI assistance. Some prohibit it. Some have no stated policy. We don't pretend to know the rules of every company you might interview with — and we don't think it's our place to decide for you.
- We recommend transparency where required. If the interviewing company has a published policy on AI assistance, follow it. If you've signed an NDA or honor code, follow that. If you're uncertain, ask the recruiter before the interview. Most reputable companies will tell you straight.
- We will not build features designed to deceive a counterparty in conversation. We provide a private workspace for your own notes and prompts. We don't build features for impersonation, fabricating credentials, or misrepresenting your identity. The line is between coaching and deception. We sit firmly on the coaching side.
What this means in practice
- The FAQ on our marketing site addresses "is it appropriate to use during real interviews" directly. We don't dodge the question.
- We will not market InterviewCaddy as "undetectable" or "invisible." Our workspace is private by technical design — separate from your shared screen, separate from any recording. We describe what it does. We don't lean into anti-detection theater.
- We will pull or refund accounts that we determine are using the Service for documented fraud, including misrepresenting identity, qualifications, or experience in a way that violates a counterparty's terms.
How we protect your data
The AI interview tooling industry has had a rough year. In August 2025, a major competitor exposed 83,000 users' interview transcripts and screenshots through a basic security mistake — an admin password committed to a public GitHub repository. Multiple other tools have been documented displaying "stealth" overlays that were, in fact, visible during screen sharing.
We watched that happen. We built differently.
Encryption
- All data in transit is encrypted with TLS 1.2 or higher
- All data at rest is encrypted at the infrastructure layer with AES-256
- We do not currently implement application-level encryption; data is decrypted on read for anyone with authorized database access
- Authentication uses signed JWTs with short refresh windows
- No production credentials are ever committed to source control; we use environment isolation and key rotation
Access controls
- Internal access to user data is limited to authorized personnel for support, debugging, or operations
- All internal data access is logged and reviewed
- Admin operations require additional authentication and produce audit records
- We do not grant access to customer data by default; access is granted per incident and revoked afterward
What we DON'T collect
- We do not access your webcam. The Service does not require camera access.
- We do not capture the interviewer's video, screen content, or shared materials
- We do not access other applications running on your device
- We do not track your browsing outside the Service
- We do not collect data about your other open windows, files, or processes beyond what's necessary to run our own application
What we DO collect (and why)
- Your resume and target role (so AI prompts are tailored to you)
- Audio from your mock and Live Assist sessions (to transcribe questions and generate prompts in real time)
- Usage data (which features you used, how often) so we can improve the Service
- Error reports and performance data so we can fix bugs
- Payment information (handled by Stripe, never stored on our servers)
We do NOT train AI on your data
This is unambiguous and worth stating plainly: your resume, your job descriptions, your audio, and your transcripts are not used to train any AI model — ours or our providers'. We have data processing agreements with our AI partners (Anthropic, OpenAI, Google, Deepgram) that contractually prohibit training on customer data.
If we ever change this policy, you will be notified by email at least 30 days in advance and given the option to delete your data and cancel your subscription with a full refund of the unused term.
Audio handling
- Audio is processed in real time for transcription
- Raw audio is not retained after the session ends
- Transcripts of practice sessions are stored for your reference
- You can delete any transcript at any time from within the application
- Live Assist session content is not retained beyond the session unless you explicitly save it
Data deletion
You can delete your account at any time from within the application. Upon deletion, your profile, resume, transcripts, and session data are permanently removed within 30 days.
Some data may be retained longer where required by law (for example, financial transaction records for tax purposes). Anonymized usage statistics may remain in aggregate analytics.
Where your data lives
InterviewCaddy is operated from Canada. Our infrastructure runs on:
- Supabase (data hosting, authentication) — SOC 2 Type 2 certified
- AI providers (Anthropic, OpenAI, Google) — enterprise data processing agreements in place
- Deepgram (speech transcription) — enterprise data processing agreement in place
- Stripe (payments) — PCI DSS Level 1 certified
Your data may be transferred to and processed in the United States and other countries where our service providers operate. We comply with applicable cross-border data transfer requirements under GDPR, PIPEDA, and CCPA.
Security incident response
In the event of a security breach affecting your data, we commit to:
- Notify affected users within 72 hours of discovery
- Provide clear information about what was accessed and what you should do
- Cooperate with regulators as required by applicable law
- Publish a post-incident report describing what happened and what we changed
We have not had a security breach. If we ever do, this is how we'll handle it.
Our security commitments
We take the following commitments seriously and consider them part of our product, not adjacent to it.
What we will always do
- Encrypt data in transit and at rest
- Use industry-standard authentication and session management
- Limit internal access to user data
- Maintain data processing agreements with our AI providers prohibiting training on customer data
- Disclose security incidents within 72 hours of discovery
- Honor data deletion requests within 30 days
- Publish material changes to this policy with 30 days' notice
What we will never do
- Sell your personal information
- Use your resume, transcripts, or audio to train AI models
- Access your data without a documented reason (support request, debugging, legal compliance)
- Commit credentials to source control
- Operate without disaster recovery and backup processes
- Pretend a security incident didn't happen if one occurs
Working with employers and recruiters
We recognize that the rise of AI interview tools has created legitimate concerns for hiring teams. We support employers in setting their own policies.
If you are a recruiter, hiring manager, or talent leader:
- We do not facilitate fabricating credentials, identity, or work history
- We do not provide tools designed to bypass authentication checks or proctoring systems
- We will respond to legitimate inquiries about our practices at trust@interviewcaddy.com
- We will pull accounts found to be used in documented fraud
Our Service is designed for candidate preparation and self-coaching. We trust adults to make their own decisions about how they use it during real conversations, and we trust employers to set and enforce their own interviewing policies.
How to contact us
For general questions: support@interviewcaddy.com
For privacy or data requests: privacy@interviewcaddy.com
For trust & safety, including reports of misuse, security concerns, or employer inquiries: trust@interviewcaddy.com
We respond to all inquiries within one business day.
Document changes
This page is versioned and material changes are logged below.
[DATE] — Initial publication.