Privacy Policy.

Last Updated: March 2026

001

Introduction

SecondFrame (“we,” “us,” or “our”) operates the SecondFrame platform and related services (the “Service”). We are committed to protecting personal data and handling it responsibly, transparently, and in accordance with applicable privacy laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), where applicable. This Privacy Policy explains how we collect, use, store, and protect personal information when customers and candidates interact with our services.

002

Our Role

Our platform is used by organizations (“Customers”) to evaluate technical judgment logic. In relation to candidate data submitted by Customers: • The Customer is the Data Controller • SecondFrame acts as a Data Processor We process candidate personal data solely on behalf of our Customers and in accordance with their instructions.

003

Information We Collect

A. Customer Account Information: When organizations create an account, we may collect name, company name, work email address, billing information, credentials, and communication history. B. Candidate Information: Customers may submit candidate name, email address, assessment responses, uploaded documents, evaluation scores, and interview notes. We do not independently source candidate data. C. Usage & Technical Data: We automatically collect IP addresses, device/browser types, log data, and interaction metrics to ensure security and performance.

004

How We Use Information

We use collected information to provide and operate the Service, process assessments, generate reports, maintain security, and provide support. We do not sell personal data. We do not use candidate data for advertising. We do not use candidate responses to train public AI models.

005

Legal Basis for Processing (GDPR)

Where GDPR applies, we process data based on contractual necessity, legitimate interests (security and improvement), and Customer instructions. For candidate data, the Customer determines the lawful basis.

006

Data Retention

Customer and candidate data is retained as long as the Customer maintains an active account or until deletion is requested. Upon account termination, data is deleted within a reasonable period unless retention is required by law.

007

Data Sharing

We do not sell or rent personal data. We may share data only with trusted service providers (hosting, payments), professional advisors, or authorities when legally required.

008

International Data Transfers

If data is transferred outside the original jurisdiction, we implement appropriate safeguards in accordance with applicable law.

009

Data Security

We implement technical measures including HTTPS encryption, secure cloud infrastructure, and role-based access controls to protect personal data.

010

Data Subject Rights

Depending on jurisdiction, individuals may have rights to access, correct, delete, or object to processing. Candidates should contact the hiring organization (Data Controller) directly to exercise these rights.

011

Children’s Data

The Service is not intended for use by individuals under 16 years of age. We do not knowingly collect data from minors.

012

Changes to This Policy

We may update this Privacy Policy periodically. Continued use of the Service after changes constitutes acceptance of the updated policy.

013

Contact Information

For privacy-related inquiries: SecondFrame Email: hello@secondframe.co

Data Sovereignty

For specific data requests or deletion inquiries, reach out to our privacy team. Individual reasoning patterns are anonymized at ingestion before being aggregated into institutional benchmarks.

Contact Privacy Office