---
title: Privacy Policy · Greenroom
description: How Greenroom collects, uses, stores, and protects your personal data — including GitHub data, interview recordings, and analytics.
url: https://usegreenroom.app/privacy
last_updated: 2026-06-04
---

# Privacy Policy

Last updated: May 17, 2026  ·  Questions: support@usegreenroom.app

**Two products — read the one that applies to you**
**Candidate practice tool** (you signed up yourself): no audio stored, no transcripts stored, session cleared when you close the tab.

**B2B hiring screen** (a company sent you a link): audio and transcript stored 90 days then permanently deleted. An AI produces a score. A human at the hiring company makes the actual hire/no-hire decision — not the AI.

## 1. Who we are

Greenroom (operated by Greenroom Technologies) provides two services: a candidate interview-practice tool, and a B2B AI screening platform for hiring companies. In the B2B context the hiring company is the **data controller**; Greenroom is the **data processor**. This policy covers both products. Sections marked Practice or B2B screen apply only to that product.

## 2. What we collect and why

### Practice Candidate self-practice

- Name, email, profile picture (Google sign-in)
- GitHub username, top repos, programming languages (if connected)
- LinkedIn headline and skills (if connected)
- Target role, company, interview date
- Session metadata: date, role, question count, feedback summary

**What we do not store in the practice tool:** voice audio is processed in real time and never written to disk. Transcripts are held in memory only and discarded at session end. Webcam video never leaves your device.

### B2B screen Hiring company screens

- Name and email (provided by the hiring company or entered by you)
- Voice audio recording of the full session
- Full interview transcript
- AI-generated score (1–10), sub-scores (technical, communication, role fit), and hire/no-hire recommendation
- Integrity signals: tab-switch count, fullscreen exits, paste events, response latency
- Job description provided by the hiring company

## 3. Lawful basis for processing (GDPR Articles 6 and 9)

For users in the EU, UK, and EEA, we rely on the following lawful bases:

| Processing activity | Lawful basis | Notes |
| --- | --- | --- |
| Account creation and authentication | Contract necessity (Art. 6(1)(b)) | Required to deliver the service |
| Practice tool session personalisation | Contract necessity (Art. 6(1)(b)) | Tailoring questions to your background |
| B2B voice audio recording and storage | Explicit consent (Art. 6(1)(a) + Art. 9(2)(a)) | Collected via pre-session consent. Withdrawable at any time — email support@usegreenroom.app |
| AI scoring and hire recommendation | Explicit consent (Art. 6(1)(a)) | Collected via pre-session consent. See Section 4 for Art. 22 rights |
| Bias audit record retention (4 years) | Legal obligation (Art. 6(1)(c)) | Required by NYC LL144 and CCPA ADMT regulations |
| Security logging and fraud prevention | Legitimate interests (Art. 6(1)(f)) | Necessary to protect users and platform integrity |
| Communications and support | Legitimate interests (Art. 6(1)(f)) | Responding to requests you initiate |

Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal. Email support@usegreenroom.app with the subject "Withdraw Consent."

## 4. Automated decision-making and AI scoring (GDPR Article 22)

**EU / UK candidates — read this**
Greenroom uses automated processing to produce a hire/no-hire recommendation. GDPR Article 22 gives you specific rights. Read this section carefully.

When you complete a B2B screen, our AI analyses your responses and produces: an overall score (1–10), sub-scores for technical depth, communication, and role fit, a written performance summary, a hire recommendation, and any red flags.

**What the AI evaluates:** response content, technical accuracy, communication clarity and structure, alignment between your experience and the role, and response latency patterns. The AI does not evaluate accent, ethnicity, gender, age, or physical appearance.

**The AI does not make hiring decisions.** The AI output is advisory. Greenroom contractually requires all hiring companies (via our Data Processing Agreement) to ensure a human with genuine decision authority reviews AI outputs before any rejection decision is made. That human must have real authority to override the AI — not merely rubber-stamp it. Greenroom cannot guarantee the internal practices of individual companies but enforces this obligation contractually and may terminate access for companies that breach it.

**Your rights under Article 22 (EU/UK candidates):**

- **Right to human review** — request that your application be reviewed by a human without reference to the AI score. Email support@usegreenroom.app — "Human Review Request."
- **Right to contest** — if you believe the AI score is inaccurate or unfair, you may challenge it. We will provide the scoring rationale within 14 days.
- **Right to explanation** — request a plain-language explanation of what signals fed your score. Email support@usegreenroom.app — "Explanation Request."

**Data Protection Impact Assessment:** We have conducted a DPIA covering the nature, necessity, and risks of our AI scoring system. It is available to supervisory authorities on request.

## 5. Illinois Biometric Information Privacy Act (BIPA)

**Illinois residents — this section is legally required reading**
Illinois law (740 ILCS 14) treats voice recordings used for speaker identification as biometric data. Violations carry statutory damages of $1,000–$5,000 per person per incident.

### Pre-session written consent

If you are an Illinois resident, before your B2B screening session begins you will be presented with a separate consent screen that explicitly discloses: (a) that voice audio will be recorded, (b) the purpose of collection (candidate evaluation), (c) the retention and destruction schedule below, and (d) your right to decline and request an alternative process. That consent screen — not this policy — is your written release under BIPA. Proceeding past it constitutes your written, informed consent.

If you do not consent, email support@usegreenroom.app or contact the hiring company before your session to request an alternative selection process.

### Biometric data retention and destruction schedule

Consistent with BIPA, we permanently delete voice audio at the sooner of:

- 90 days after the hiring company completes evaluation of your screen, or
- 3 years from the date of collection

Deletion is permanent — not archived, not anonymised. Transcripts follow the same schedule.

### No sale or profit from biometric data

We do not sell, lease, trade, or profit from your voice recordings or any voiceprint data. We do not disclose biometric data to any third party except sub-processors delivering the service (see Section 8), each bound by equivalent protective obligations.

## 6. NYC Local Law 144 (Automated Employment Decision Tools)

Greenroom is an Automated Employment Decision Tool (AEDT) under NYC Local Law 144. Hiring companies using Greenroom to screen candidates for NYC-based roles must comply with LL144 independently. Greenroom supports compliance as follows:

### Annual bias audit

We conduct an annual independent bias audit of Greenroom's scoring system, evaluating selection and scoring rates across sex and race/ethnicity categories. The most recent audit summary — including audit date, data source, selection rates, and impact ratios — is published at /compliance/nyc-local-law-144 and updated annually.

### Candidate notice obligation

Hiring companies are responsible for providing candidates at least 10 business days' notice before a Greenroom screen is used, identifying the AEDT and the job qualifications it evaluates. Greenroom provides template notice language to hiring companies in our onboarding materials.

### Right to alternative process

Candidates being evaluated for NYC-based roles may request an alternative selection process not involving the AI. Contact the hiring company directly. Hiring companies are contractually required to accommodate such requests.

### Data available on request

Within 30 days of a written request we will provide: types of data collected, data source, and retention policy. Email support@usegreenroom.app.

## 7. California residents (CCPA / CPRA)

We do not sell personal information. We do not share personal information for cross-context behavioural advertising. We do not respond differently to browser Do Not Track signals because we do not sell or share personal information in the first place; however we do honour Global Privacy Control (GPC) signals as an opt-out of any future sharing.

### Automated Decision-Making Technology (ADMT)

Greenroom uses ADMT to produce hire/no-hire recommendations. Before your session begins, you will receive a pre-use notice describing how the system works, what personal information it uses, the outputs it generates, and how those outputs influence hiring decisions. You may request an alternative selection process by contacting the hiring company or emailing support@usegreenroom.app. We will not retaliate against you for making this request.

### Categories of personal information collected (past 12 months)

- Identifiers: name, email address
- Audio recordings (B2B screens only)
- Internet or electronic network activity: session logs, integrity signals
- Professional or employment-related information: role, company, interview responses
- Inferences: AI scores and hire recommendations drawn from the above

California residents may exercise all rights in Section 9. Responses within 45 days of a verifiable request.

## 8. Data retention

The following periods are exact commitments, not approximations. The longer retention for AI scores is a legal obligation under NYC LL144 and CCPA ADMT regulations (Art. 6(1)(c) GDPR basis), which overrides GDPR's data minimisation principle for those specific records.

| Data type | Practice tool | B2B screen |
| --- | --- | --- |
| Voice audio | Not stored | 90 days → permanently deleted |
| Interview transcript | Not stored (session memory only) | 90 days → permanently deleted |
| AI score, sub-scores, recommendation | 90 days paid · 7 days free → deleted | 4 years (legal obligation — bias audit records) |
| Written AI summary | 90 days paid · 7 days free → deleted | 4 years (legal obligation) |
| Integrity signals | Not stored | 90 days → permanently deleted |
| Account profile | Until deletion request | Until deletion request |
| Bias audit aggregate data | — | 4 years minimum (LL144 requirement) |
| Security / access logs | 90 days | |

## 9. Your rights

| Right | Applies to | How to exercise |
| --- | --- | --- |
| Not to be subject to solely automated decisions | EU / UK (GDPR Art. 22) | Email support@usegreenroom.app — "Human Review Request" |
| Human review and right to contest | EU / UK | Email support@usegreenroom.app or contact hiring company |
| Explanation of AI logic | EU / UK / California | Email support@usegreenroom.app — "Explanation Request" |
| Withdraw consent | All users (where consent is lawful basis) | Email support@usegreenroom.app — "Withdraw Consent" |
| Access your data | All users (GDPR Art. 15, CCPA) | Email support@usegreenroom.app — response within 30 days |
| Erasure / right to be forgotten | EU / UK (Art. 17), California | Email support@usegreenroom.app — completed within 14 days |
| Data portability | EU / UK (Art. 20) | Email support@usegreenroom.app |
| Opt out of ADMT | California (CCPA ADMT) | Contact hiring company or email support@usegreenroom.app |
| Alternative selection process | NYC candidates (LL144) | Contact hiring company directly |
| Deletion of biometric data | Illinois (BIPA) | Email support@usegreenroom.app — completed within 14 days |
| No retaliation for exercising rights | All users (explicit CCPA requirement) | Retaliation is prohibited. Report concerns to support@usegreenroom.app |

## 10. Sub-processors and data sharing

We do not sell your data. We share data only with the sub-processors below, each bound by a data processing agreement. We will notify affected customers at least 30 days before adding or replacing a sub-processor.

| Sub-processor | Purpose | Data shared | Location |
| --- | --- | --- | --- |
| **Mistral AI** | Primary LLM — question generation, AI scoring, summaries | Interview transcript, job description | France (EU) — GDPR applies directly |
| **OpenAI** | Whisper — voice transcription | Audio recording | USA — EU SCCs in place |
| **Groq** | Fallback transcription only | Audio recording (fallback path only) | USA — EU SCCs in place |
| **Supabase** | Database (PostgreSQL) — all persistent data | All application data | USA — EU SCCs in place |
| **Render** | Backend application hosting | All application data in transit | USA — EU SCCs in place |
| **Cloudflare** | CDN, edge routing, DDoS protection | Request metadata only (no personal data at rest) | Global |
| **Stripe / Razorpay** | Payment processing | Billing data only — we never see or store card numbers | USA / India |
| **Google** | OAuth authentication | Name, email, profile picture | USA — EU SCCs in place |

Copies of applicable Standard Contractual Clauses for US-based transfers are available on request: support@usegreenroom.app.

## 11. B2B hiring companies — your obligations as data controller

**For hiring companies only**
This section describes your legal obligations when using Greenroom to screen candidates.

When your company uses Greenroom, you are the data controller. Greenroom is your data processor. A **Data Processing Agreement (DPA)** governing this relationship is available at /dpa and is incorporated into our Terms of Service by reference. EU customers requiring a countersigned DPA should email support@usegreenroom.app.

As data controller you are responsible for:

- Providing candidates at least **10 business days' notice** before a Greenroom screen is used (NYC LL144)
- Publishing Greenroom's bias audit summary on your careers website (NYC LL144)
- Providing a functional path for candidates to request an alternative selection process
- Ensuring a human with genuine decision authority reviews AI recommendations before rejection (GDPR Art. 22)
- Obtaining BIPA written consent from Illinois-resident candidates before their session begins — Greenroom's pre-session modal satisfies this if you use our hosted screen link; if you embed Greenroom via API, consent collection is your responsibility
- Including Greenroom in your own privacy policy sub-processor list
- Appointing a Data Protection Officer if required by GDPR Article 37

## 12. Security

- Data in transit: TLS 1.3
- Data at rest: AES-256
- Audio files: encrypted object storage, access-controlled signed URLs, time-limited
- Internal access: role-based, MFA enforced
- Payment data: handled by Stripe / Razorpay — we never store card details
- Security incidents: we will notify affected users within 72 hours of confirmed breach (GDPR Art. 33 standard)

## 13. Cookies and tracking

We use the following cookies:

| Cookie | Purpose | Duration | Can you opt out? |
| --- | --- | --- | --- |
| `gr.b2b.token` | B2B portal authentication (JWT) | Session / until logout | No — required to use the service |
| `gr.token` | Candidate app authentication | Session / until logout | No — required to use the service |

We do not use advertising cookies, tracking pixels, or third-party analytics that identify individual users. We do not use Google Analytics or any behavioural tracking service. We honour **Global Privacy Control (GPC)** signals.

## 14. EU representative (GDPR Article 27)

Greenroom Technologies does not have an establishment in the EU or UK. As required by GDPR Article 27, we are in the process of appointing a designated EU representative. Until that appointment is complete, EU and UK data subjects may direct queries and complaints to support@usegreenroom.app. We will update this section with the representative's name and contact details upon appointment.

## 15. Changes to this policy

Material changes will be communicated by email to registered users and by updating the date above. Continued use of Greenroom after the effective date constitutes acceptance. For changes to BIPA-specific processing, we will obtain fresh written consent before the change takes effect.

## 16. Contact and complaints

Privacy questions: support@usegreenroom.app — we aim to respond within 3 business days.

**EU / UK residents:** if unsatisfied with our response, you may lodge a complaint with your local supervisory authority (ICO in the UK: ico.org.uk; or your EU member state's DPA).

**Illinois residents:** complaints regarding BIPA compliance may be submitted to the Illinois Attorney General or via private right of action under 740 ILCS 14/20.

**California residents:** complaints may be submitted to the California Privacy Protection Agency (CPPA).