Privacy Policy
Last updated: July 1, 2026
We collect only what we need to run the platform. We never sell your data and never use candidate responses to train AI models. When an organization assesses you, that organization controls your data. When you sign up yourself, you do.
Questions?hello@secondframe.co
We never sell data
Personal data is never sold, rented, or traded to third parties for any purpose.
No ad targeting
Candidate data is never used for advertising or marketing purposes.
No AI training
Candidate responses are never used to train public or third party AI models or shared datasets.
You control your data
When an organization assesses you, that organization controls your data. When you sign up yourself, you do.
001
Introduction
Secondframe ("Secondframe," "we," "us," or "our") operates the Secondframe platform and related services (the "Service").
We handle personal data in line with applicable laws, including the EU and UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended (CCPA and CPRA), and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), where applicable.
This Policy explains what we collect, how we use it, who we share it with, how long we keep it, and the rights available to you.
002
Our Role: Processor and Controller
A. Processor (on behalf of Organizations). When an Organization invites a Candidate and processes that Candidate's data through the Service, the Organization is the data controller and Secondframe is the data processor. We process that data on the Organization's instructions under our Data Processing Addendum. Invited Candidates should direct data requests to the Organization, and we will assist as required.
B. Controller (for our own users). We are the data controller for Organization account users, Candidates who create their own accounts or take self initiated assessments, Contributors, website visitors, and prospects. For these individuals, this Policy governs directly.
003
Information We Collect
A. Account information. Name, work or personal email, organization name, role, credentials, and, for sign in through Google or LinkedIn, the basic profile information those providers share.
B. Candidate and assessment data. Assessment interactions and messages, actions and timing, the generated transcript, scores across evaluation dimensions, reports, and any documents or notes submitted. For invited assessments this is provided or generated on behalf of the Organization.
C. Profile data (candidate accounts). For Candidates with accounts, a profile that may include aggregated scores, confidence and variance signals, badges, and history. You control whether a public version of your profile is visible.
D. Payment data. When you purchase, Paddle, our payment provider and merchant of record, processes your payment. We receive limited transaction information and do not store full card numbers.
E. Usage and technical data. IP address, device and browser information, log data, and interaction metrics, collected for security, performance, and analytics.
F. Cookies and similar technologies. See Section 013.
004
How We Use Information
We use personal data to provide and operate the Service, deliver and score assessments, generate reports and profiles, process payments, authenticate users, provide support, maintain security and prevent abuse, comply with law, and improve the Service.
We do not sell personal data. We do not use Candidate data for advertising. We do not use Candidate assessment responses to train public or third party foundation models or shared datasets.
005
Automated Processing and AI Based Assessment
The Service uses AI and automated processing to run simulations and to produce scores and reports. These outputs are decision support information. Secondframe does not make employment decisions.
Where an Organization uses outputs to make decisions about individuals, the Organization is responsible for required human review, notices, bias auditing, and any rights to explanation, appeal, or accommodation under applicable automated decision making laws. For the EU AI Act, Secondframe is the provider of the AI system and the Organization is the deployer. We will provide information reasonably necessary to support the Organization's compliance.
If you are subject to a decision based significantly on automated processing, you may have rights under GDPR Article 22 and similar laws, including to obtain human review. Direct such requests to the Organization that ran the assessment, or to us at hello@secondframe.co where we are the controller.
006
Legal Bases for Processing (GDPR and similar)
Where the GDPR or similar law applies, we rely on performance of a contract (to provide the Service), legitimate interests (to secure, support, and improve the Service, balanced against your rights), consent (where required, for example for certain cookies or public profile visibility), and legal obligation. For invited Candidate data, the Organization determines the lawful basis.
007
How We Share Information and Our Sub Processors
We share data only as needed to operate the Service:
- Hosting and infrastructure: Google Cloud Platform.
- Payment processing and merchant of record: Paddle.
- AI model routing and inference: OpenRouter and the model providers it routes to, or, under BYOK, the Organization's configured provider.
- Email delivery: Postmark.
- Authentication providers you choose, such as Google or LinkedIn.
- The relevant Organization, for invited assessments.
- Professional advisors, and authorities where legally required.
- A successor entity in a merger, acquisition, or asset sale, subject to this Policy.
A current sub processor list with locations is available on our Sub Processor List, and Organizations receive advance notice of changes under the DPA.
Bring your own key (BYOK). If an Organization configures its own AI provider key, assessment data for that Organization is processed by that provider under the Organization's arrangement with it, which is outside our control.
008
Public Candidate Profiles
If you enable a public profile, information such as your name, summary scores, and badges may appear on a public web page that search engines can index. We do not display assessment transcripts, the identity of Organizations that assessed you, or your detailed history on public profiles. You can change visibility or request removal at any time in your settings or by contacting us. Cached copies held by third parties such as search engines may persist for a period after removal.
009
Data Retention
We keep personal data only as long as needed, then delete or anonymize it, on the following schedule:
- Live assessment session state: held in temporary storage and automatically expired approximately two hours after the session ends.
- Completed assessment transcripts and scores: retained for the duration of the relevant account plus 12 months, or until deletion is requested by the controlling party, whichever is earlier.
- Candidate account and profile data: retained while the account is active, and deleted within 30 days after an account deletion request.
- Organization account data: retained while the account is active, and deleted within 30 days after account closure.
- Payment and transaction records: retained for 7 years to meet tax, accounting, and legal obligations.
- Usage, log, and technical data: retained for up to 12 months, then deleted or aggregated into anonymized statistics.
- Marketing and contact data: retained until you unsubscribe or request deletion.
- Backups: rolling backups are purged within 90 days.
Where a legal hold or obligation requires longer retention, we keep the affected data only for as long as required.
010
Candidate and Organization Data Access
For invited assessments, Organizations can access the full assessment, including the transcript and scores. Candidates who took an invited assessment without an account do not receive the transcript by default. Candidates with their own accounts see their own scores and profile, but not internal Organization notes or other candidates' data. Access controls separate Candidate facing data from Organization facing data.
011
International Data Transfers
We may process and store data in countries other than your own, including Canada and the United States. Where we transfer personal data internationally, we use appropriate safeguards such as the Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent mechanisms.
012
Data Security
We use technical and organizational measures including encryption in transit, access controls, role based permissions, and secure cloud infrastructure. If we become aware of a personal data breach affecting you, we will notify the relevant controller and, where we are the controller, affected individuals and regulators as required by law, without undue delay. No method of transmission or storage is fully secure, and we cannot guarantee absolute security.
013
Cookies
We use necessary cookies to operate the Service (for example, authentication and security) and, with consent where required, analytics cookies to understand usage. In the EU and UK we present a consent banner and do not set non essential cookies without consent. You can also control cookies through your browser. The categories we use are: strictly necessary, functional, and analytics.
014
Your Rights
Depending on your location, you may have rights to access, correct, delete, port, restrict, or object to processing of your personal data, to withdraw consent, and to opt out of certain processing.
- If you are a Candidate assessed by an Organization, contact that Organization (the controller). We will support them in responding.
- If we are the controller (account holders, self initiated Candidates, Contributors, visitors), contact us at hello@secondframe.co.
California residents have rights to know, delete, correct, and opt out of the sale or sharing of personal information. We do not sell or share personal information as those terms are defined under the CCPA and CPRA. To exercise California rights, email hello@secondframe.co with the subject "California Privacy Request."
We will not discriminate against you for exercising your rights, and we will verify requests before acting. We aim to respond within 30 days, or sooner where the law requires.
015
Children
The Service is intended for users 18 and older and is not directed to children. We do not knowingly collect data from children, and we will delete such data if we learn we have collected it.
016
Changes to This Policy
We may update this Policy. We will post the new version with an updated date and provide notice of material changes. Continued use after the effective date constitutes acceptance.
017
Contact
For privacy inquiries:
Secondframe
Email: hello@secondframe.co
Email: hello@secondframe.co
Privacy questions?
We respond to all privacy requests within one business day.