Privacy Policy

We built Prooftrace to assess how people work, not to surveil them. This policy explains what we collect, why, and how you can control it.

Last updated: 1 June 2026

1. Who we are

Prooftrace Labs, Inc. (“Prooftrace”, “we”, “us”) is the data controller for personal data collected through prooftrace.io and the Prooftrace interview platform. We are incorporated in Delaware and operate from San Francisco, CA.

Questions or requests about your data: privacy@prooftrace.io

2. Data we collect

2.1 Hiring team accounts

When an organisation signs up or is onboarded during our beta, we collect:

  • Name, work email address, and job title
  • Organisation name and size
  • Billing information (processed by Stripe — we do not store raw card data)
  • Communication history with our support team

2.2 Waitlist

If you submit your email address through our waitlist form, we store only your email address and the timestamp of submission. We use this solely to contact you when a spot opens.

2.3 Candidate session data

Prooftrace's core product captures signals about how a candidate works during an interview session. Candidates are shown a clear, plain-language consent screen before any session begins and must actively accept before the session starts.

With consent, we record within the browser sandbox:

  • Keystroke timing and cadence (not the content of keystrokes outside the code editor)
  • Code written and edited in the IDE, including edit history
  • Prompts sent to permitted AI models and the responses received
  • Paste events — content pasted and its source (clipboard vs model output)
  • Focus changes and time spent on different parts of the environment
  • Terminal commands run and their output

We do not capture webcam footage, audio, or screen content outside the Prooftrace sandbox unless a hiring team explicitly enables optional recording features (which require a separate candidate consent step).

2.4 Usage and technical data

We collect standard server logs including IP address, browser type, operating system, referring URL, and pages visited. We use this for security monitoring and product improvement. Logs are automatically deleted after 90 days.

3. How we use your data

  • Provide and improve the service. Process interviews, generate session reports, maintain accounts, and develop new features.
  • Communications. Send transactional emails (interview invitations, reports, billing receipts) and, where you have opted in, product updates.
  • Security. Detect and prevent fraud, abuse, and unauthorised access.
  • Legal obligations. Comply with applicable laws and respond to lawful requests from authorities.

We do not sell personal data. We do not use candidate session data to train third-party AI models or share it with model providers beyond what is necessary to fulfil a single interview request.

4. Legal basis for processing (GDPR)

For users in the European Economic Area and the United Kingdom, our legal basis for processing personal data is:

  • Contract. Processing your account data is necessary to perform our agreement with your organisation.
  • Legitimate interests. Security monitoring, product analytics, and improving the service.
  • Consent. Candidate session recordings and optional communications. You may withdraw consent at any time.
  • Legal obligation. Where required by applicable law.

5. Who we share data with

We share personal data only with the following categories of sub-processors:

  • Cloud infrastructure (e.g. Vercel, AWS) — to host the platform and store data.
  • Payment processor (Stripe) — for billing.
  • AI model providers (Anthropic, OpenAI, and others as permitted by a hiring team's task configuration) — solely to process prompts submitted by candidates during sessions. Providers are contractually bound not to use this data for training.
  • Error monitoring (e.g. Sentry) — to diagnose technical issues.
  • Customer support tooling — to manage support requests.

We publish a complete and up-to-date sub-processor list at prooftrace.io/sub-processors.

6. International transfers

Prooftrace is based in the United States. If you are located in the EEA or UK, your data is transferred to and processed in the US. We rely on the EU–US Data Privacy Framework and Standard Contractual Clauses (SCCs) as the legal mechanism for these transfers.

7. Data retention

  • Account data — retained for the duration of your contract plus 60 days after account closure, then deleted.
  • Candidate session data — retained for 12 months by default. Hiring teams can shorten or lengthen this in their organisation settings, subject to a maximum of 36 months.
  • Waitlist emails — retained until you are onboarded or you request deletion, whichever comes first.
  • Server logs — automatically deleted after 90 days.

8. Your rights

Depending on your location, you may have the right to:

  • Access a copy of the personal data we hold about you.
  • Rectify inaccurate data.
  • Erase your data (“right to be forgotten”), subject to legal obligations.
  • Restrict or object to certain processing.
  • Portability — receive your data in a structured, machine-readable format.
  • Withdraw consent at any time, without affecting the lawfulness of prior processing.

To exercise any of these rights, email privacy@prooftrace.io. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.

California residents (CCPA/CPRA): You have the right to know what personal information we collect, to delete it, and to opt out of its sale (we do not sell personal information). To submit a request, email us at the address above with the subject line “California Privacy Request”.

9. Children

Prooftrace is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.

10. Candidate consent and transparency

We hold ourselves to a high standard on candidate privacy because it directly affects trust in the platform. Before any interview session:

  • Candidates receive a plain-language summary of exactly what will be recorded.
  • Consent is active, not passive — a candidate must click “I agree” to proceed.
  • Candidates can request a copy of their own session data via the hiring organisation or by contacting us directly.

11. Security

We use industry-standard measures to protect personal data: encryption in transit (TLS 1.3) and at rest (AES-256), access controls, regular security reviews, and anomaly detection. Despite these measures, no system is completely secure. If we discover a breach that affects your data, we will notify you in accordance with applicable law.

12. Changes to this policy

We may update this Privacy Policy to reflect changes in our practices or applicable law. The “Last updated” date at the top of this page will always show when the policy was last revised. For material changes, we will notify hiring team admins by email at least 14 days before the change takes effect.

13. Contact

For privacy requests or questions, contact our privacy team:

privacy@prooftrace.io

Prooftrace Labs, Inc.
San Francisco, CA, USA