Privacy Policy

1. Scope and data controller

The data controller responsible for your personal information is:

• Entity: CaseGrade LLC
• State of formation: Illinois, United States (File No. 17871196)
• Mailing address: 200 West Grand Avenue, Chicago, IL 60654, United States
• Privacy contact: privacy@casegrade.io
• General contact: hello@casegrade.io

This Privacy Policy applies to personal information we collect directly from you, automatically when you use the Services, from third-party service providers, and from organizations (universities, consulting clubs, employers) that provide you access to the Services. When we provide the Services under a signed agreement with a university, consulting club, or enterprise customer, we may act as a data processor on that customer's behalf. See Section 21 for how institutional-channel data is handled.

This Privacy Policy does not apply to third-party websites or services linked from the Services, or to information that has been aggregated, de-identified, or anonymized so that it cannot reasonably identify you.

2. Information we collect

A. Information you provide directly

• Full name and email address
• Account login credentials (passwords are stored only as a salted, industry-standard one-way hash and are never accessible to us in plaintext)
• Profile information: target consulting firms, recruiting timeline, experience level, confidence level
• Interview preferences: preferred AI voice, speaking pace
• Interview transcripts and drill responses you create during practice sessions
• Communications you send to us (support requests, contact form submissions, feedback)
• Payment information processed through our PCI-compliant third-party payment processor — we do not see, receive, or store full credit card numbers
• Survey responses, waitlist entries, and testimonial submissions

B. Information collected automatically

• IP address and approximate location derived from IP
• Device identifiers, browser type and version, operating system
• Pages viewed, links clicked, session duration, navigation paths
• Referral URLs and campaign parameters
• Crash data, diagnostic logs, and performance telemetry
• Cookie identifiers (see Section 5)
• Usage data: which features you access, interview sessions started and completed, drills attempted, learning modules completed, streak activity

C. AI interaction and performance data

Because our Services include AI-powered voice interviews, automated scoring, and personalized feedback, we collect and process:

• Audio streamed during live voice interviews (processed in real time by our AI provider; see Sections 6 and 10 for how voice data is handled)
• Text transcripts of interview sessions
• AI-generated outputs: readiness scores, dimension breakdowns, readiness bands, evidence-backed feedback, recommended next steps
• Stage-by-stage scoring data across interview stages
• Rubric scores, top strengths, top gaps, and transcript-anchored evidence spans
• Drill attempt scores, mental math session results, and question bank responses
• Progress and streak tracking data

D. Information from third parties

• Our payment processor: transaction status, subscription state, billing events
• Authentication providers: if you sign in via single sign-on, including institutional accounts
• Universities, consulting clubs, or employers who sponsor your access: your name, email, and enrollment or affiliation status
• Analytics providers: privacy-respecting, cookieless page-view data (only when you have accepted optional analytics cookies)

3. How we use your information

• To provide, operate, and maintain the Services, including AI interviews, scoring, drills, learning modules, and progress tracking
• To create and manage your account
• To generate your readiness score, dimension breakdowns, evidence-backed feedback, and personalized improvement recommendations after each interview
• To show your session history, progress trends, streak data, and monthly usage on your dashboard
• To personalize your experience, including voice preferences, firm-specific interview styles, and content recommendations
• To process transactions and manage billing, subscriptions, renewals, and refunds through our payment processor
• To send transactional emails (account verification, password reset, billing receipts)
• To send product updates and promotional materials, subject to your preferences and applicable law
• To improve the quality of our scoring rubric, drill content, and AI interviewer behavior using aggregated, de-identified performance signals only
• To monitor usage, analyze trends, and understand how users engage with the Services
• To detect, investigate, and prevent fraud, abuse, security incidents, and rate-limit violations
• To enforce our Terms of Service, including monthly interview session caps and acceptable use policies
• To comply with legal obligations, lawful requests, and regulatory requirements

We do not use your individual transcripts, audio, drill responses, or scores to train general-purpose AI models, and we do not authorize our AI providers to do so. See Section 10.

4. Legal bases for processing

If you are in a jurisdiction that requires a legal basis (EEA, Switzerland, UK, Brazil, and similar regimes), we process your personal information on one or more of these bases:

• Contract performance: processing necessary to provide the Services you signed up for (account creation, interviews, scoring, billing)
• Legitimate interests: improving the Services, securing the platform, preventing fraud, conducting analytics — provided those interests do not override your rights and freedoms
• Consent: for optional analytics cookies, marketing emails, processing of your voice during live interviews where consent is the appropriate basis, and any processing expressly identified to you as consent-based
• Legal obligation: where required by applicable law, including tax, accounting, anti-money-laundering, and child-protection laws

5. Cookies and tracking

We use the following categories of cookies and similar technologies:

• Strictly necessary: authentication session cookies, CSRF tokens, and cookie-consent preferences. These are always active and cannot be disabled.
• Analytics (optional): privacy-respecting, cookieless or minimally-identifying page-view analytics. Only activated after you accept optional cookies via our cookie consent banner.

We do notuse third-party advertising cookies, cross-site tracking pixels, behavioral retargeting, or participate in advertising networks. You can manage cookie preferences through our cookie consent banner on first visit. Choosing “Essential only” disables all optional analytics at the network level, not merely at the interface level.

Global Privacy Control (GPC):We recognize and honor the Global Privacy Control browser signal as a valid opt-out request under the California Consumer Privacy Act and similar state laws. If you visit our Services with GPC enabled, we will treat that signal as a request to opt out of any “sale” or “sharing” of personal information as those terms are defined under those laws.

6. Voice, audio, and biometric data

The Services include live voice interviews. Because voice data is particularly sensitive and is treated as “biometric” under some U.S. state laws (including the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/; the Texas Capture or Use of Biometric Identifier Act (“CUBI”); and Washington state biometric laws), we address voice and audio data separately in this section.

A. What we collect during live interviews

When you begin a live voice interview, your microphone audio is streamed in real time to our AI model provider via a real-time streaming API for transcription and AI-response generation. A text transcript is produced and stored in your account. Once the transcript has been produced, the raw audio stream is discarded and is not persistently stored by CaseGrade.

B. What we do not do with your voice

• We do not create or store voiceprints, voice embeddings, voice-based biometric templates, speaker-recognition models, or any other identifier derived from the unique characteristics of your voice.
• We do not use your voice to identify or authenticate you across sessions.
• We do not sell, license, lease, trade, or otherwise profit from voice data.
• We do not disclose voice data to advertisers or data brokers.
• We do not use your voice data to train general-purpose AI models, and our AI provider's API data policy likewise does not use API inputs or outputs to train their general-purpose models.

C. Your voice consent

Before your first live interview, we present a clear consent prompt that explains (i) that your microphone audio will be streamed to our AI provider for real-time transcription, (ii) that a text transcript will be stored in your account, (iii) that raw audio is not persistently stored, and (iv) that you may withdraw consent and stop the interview at any time by ending the session. You must affirmatively accept that prompt before audio streaming begins. To the extent applicable law (including BIPA) requires a written release for the processing of biometric identifiers, this Privacy Policy and your recorded in-product acceptance of the voice-consent prompt together constitute that written release.

D. Biometric retention and destruction schedule

To the extent any voice data or derived data is treated as a biometric identifier or biometric information under applicable law, we commit to the following written retention and destruction schedule: (i) raw audio is discarded in-stream immediately after transcript generation, and is not persistently stored by CaseGrade; (ii) no voiceprint or voice template is ever created; (iii) text transcripts, which are not themselves biometric identifiers, are retained as described in Section 12; (iv) if you delete your account, any remaining voice-derived data is purged within the windows described in Section 12; and (v) in all events, any voice-derived data is permanently destroyed within three (3) years of your last interaction with the Services or when the initial purpose for collection has been satisfied, whichever occurs first.

E. Illinois, Texas, and Washington residents

If you are a resident of Illinois, Texas, Washington, or another U.S. jurisdiction with a biometric-information law, the commitments in this Section 6 are made specifically for your benefit, and the retention and destruction schedule in Section 6(D) is the written schedule required under BIPA. Questions or requests related to biometric handling should be directed to privacy@casegrade.io.

7. Sensitive personal information

Under the California Privacy Rights Act (“CPRA”) and similar state laws, certain categories of personal information are classified as “sensitive.” In the course of providing the Services, we may collect the following sensitive personal information:

• Account log-in credentials (email address in combination with password hash or authentication token)
• Voice recordings during live interviews (transient, not persistently stored; see Section 6)
• The contents of communications you choose to send to us through our support channels

We use sensitive personal information only for the purposes of providing the Services you requested, authenticating you, preventing fraud, ensuring safety and security, and complying with law — each of which is a purpose permitted under CPRA § 1798.121(a). We do not use or disclose sensitive personal information to infer characteristics about you, for cross-context behavioral advertising, or for any other purpose beyond those just listed. Because we already limit our use of sensitive personal information to these permitted purposes, California residents' “Right to Limit Use of Sensitive Personal Information” is honored by default. You may still submit a verified request to confirm or restrict such use by contacting privacy@casegrade.io.

8. Automated decision-making and human review

Our Services use automated systems to score your interview performance, assign a readiness band, and generate personalized feedback (collectively, “Automated Outputs”). Because Automated Outputs may influence how you and, in some cases, your sponsoring institution perceive your interview readiness, we provide the following protections in addition to any rights you may have under the GDPR (including Article 22), the California Consumer Privacy Act and its implementing ADMT regulations, the Colorado AI Act, or similar laws:

• How Automated Outputs are generated: your interview transcript is evaluated by a scoring model against a structured rubric with defined dimensions (for example, structure, hypothesis, quantification, synthesis). The model surfaces evidence spans from your transcript to support each dimension score. A readiness band is produced by applying thresholds to the overall rubric score.
• Significance and consequences: Automated Outputs are informational training feedback only. They do not themselves hire, admit, or reject you, and CaseGrade does not make hiring, admission, or employment decisions on behalf of any consulting firm, university, or employer.
• Right to human review: you may request human review of any Automated Output by emailing privacy@casegrade.io with a description of the session in question. A CaseGrade team member will re-examine the relevant transcript and rubric application, correct any factual or computational errors, and provide you a written response within 30 days.
• Right to contest: if after human review you disagree with the Automated Output, you may submit a written objection, which we will consider, document, and, where appropriate, apply a corrected score to your record.
• Right to an explanation: you may request a plain-language description of the rubric dimensions, thresholds, and evidence-anchoring approach used to produce your Automated Output.
• Right to opt out (institutional contexts): if your sponsoring institution consumes individual-level Automated Outputs about you under a separately agreed data-sharing arrangement, you may request that we share only aggregated, de-identified metrics about your cohort instead. We will honor that request unless prohibited by the institution's program rules.

9. Who we share information with

A. Service providers (subprocessors)

We use a small, carefully vetted set of subprocessors to run the Services. Each is bound by a data processing agreement that restricts their use of your information to the services they provide to us:

• Database hosting providers: store your account data, transcripts, scores, and progress in encrypted, US-based PostgreSQL infrastructure
• AI model providers: process your voice audio in real time during interviews and generate scoring outputs. Our AI model provider's API data policy does not use API inputs or outputs to train their general-purpose models, and may retain API content for up to 30 days for abuse-monitoring purposes before deletion, unless legal hold applies.
• Payment processors: handle credit card charges, subscriptions, and refunds. We use a PCI-DSS Level 1 certified processor; we never see or store your full card number.
• Transactional email providers: send verification emails, password resets, and billing receipts
• Application hosting and infrastructure providers: serve the website and run server-side functions from US-based regions
• Error monitoring and telemetry providers: receive crash reports and performance telemetry, with active filters configured to scrub personal identifiers before transmission
• Uptime monitoring providers: ping our health endpoint to detect outages and receive no user data

A current list of subprocessors is maintained at casegrade.io/subprocessors. Institutional customers may subscribe to receive advance notice of subprocessor changes as described in Section 24.

B. Coaches and program partners

If you use live coaching (CaseGrade Partner Track tier or equivalent), relevant session information may be shared with your assigned coach so that they can provide the coaching you requested. If your access is sponsored by a university or consulting club, the sponsoring organization may receive aggregated cohort analytics (for example, average readiness scores, session counts, dimension breakdowns) and, only where separately agreed in a signed data-sharing arrangement, individual progress data for students the organization has provisioned.

C. Legal and safety disclosures

We may disclose information to comply with applicable law, valid legal process, or binding requests from regulators; to enforce our Terms; to detect or investigate fraud or abuse; or to protect the rights, property, or safety of CaseGrade, our users, or others.

D. Business transfers

We may transfer information in connection with a merger, acquisition, sale of assets, financing, or bankruptcy. We will require any successor to honor the commitments in this Privacy Policy or provide equivalent protections, and we will provide reasonable advance notice of any material change in ownership that affects your data.

E. We do not sell or share your data

We do not sell personal information for monetary consideration. We do not “share” personal information for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act and the California Privacy Rights Act. We do not use your data for advertising, and we do not share your data with ad networks.

10. AI-specific disclosures

• Audio processing: during live voice interviews, your audio is streamed to our AI model provider's real-time API for transcription and AI-response generation. Raw audio is not permanently stored by CaseGrade. Once the transcript is generated, the audio stream is discarded. See Section 6 for full voice-data handling.
• Transcript storage: text transcripts of your interviews are stored securely in your account for scoring, feedback generation, and your session history. You can request deletion at any time.
• Scoring pipeline: after each interview, your transcript is analyzed by a separate scoring pass against a case-specific rubric. The scoring output (readiness score, dimension scores, evidence spans, recommendations) is stored as part of your session record.
• Model training: we do not use your individual transcripts, audio, drill responses, or scores to train general-purpose AI models. Our contractual terms with our AI model provider prohibit their use of our API inputs and outputs to train their general-purpose models. We use only aggregated, de-identified performance signals to improve our own scoring rubric quality.
• No voice cloning: we do not use your voice to generate synthetic speech, clone your voice, or produce any output that imitates you.
• Inactivity timeout: if no activity is detected during a live interview for a defined period, the session is automatically ended to prevent unnecessary audio processing and cost accrual.
• AI limitations: Automated Outputs may be incomplete, inaccurate, biased, or inappropriate. They are provided for training and informational purposes only, are not a guarantee of any interview or employment outcome, and should not be relied on as a substitute for professional advice. See Sections 7 and 8 above, and the AI disclosure in our Terms of Service.

11. Please do not submit sensitive data

The Services are designed for consulting interview preparation. We do not request, and you should not submit, government-issued identification numbers, financial account numbers, payment card data (other than via our payment processor's hosted fields), health information, information about racial or ethnic origin, religious or philosophical beliefs, trade union membership, genetic or health data, sex life or sexual orientation, information about criminal convictions or offenses, or information about children under 16. If you nonetheless submit such information, we will treat it with care, but we ask that you refrain from submitting it in the first place.

12. Data retention

• Account data: retained for as long as your account is active, plus up to 30 days after deletion for account-closure processing
• Interview transcripts and scores: retained for as long as your account is active. You can request deletion at any time.
• Raw interview audio: not permanently stored. Discarded in-stream after transcript generation.
• Drill attempts and progress data: retained for as long as your account is active
• Payment records and tax-relevant billing metadata: retained as required for tax, accounting, and legal compliance (typically 7 years in the United States)
• Error logs and diagnostic telemetry: retained for 90 days
• Server access and security logs: retained for up to 14 days for operational and security purposes
• Marketing communications preferences: retained until you unsubscribe or request deletion, plus a minimal suppression list indefinitely to honor your opt-out
• Analytics data: aggregated, cookieless where possible, and not personally identifiable

If you delete your account, we remove your personal data and transcripts from our active systems within 30 days. Aggregated, de-identified performance statistics may be retained for product research. Backup copies in our point-in-time database recovery system are retained for up to 30 additional days after deletion and are then purged, for a maximum total deletion window of 60 days from your request.

13. Data security

We implement administrative, technical, and physical safeguards designed to protect your data, including:

• Encryption in transit using modern TLS, with strict transport security policies
• Encryption at rest for our primary database
• Industry-standard one-way password hashing
• Content Security Policy headers restricting script, connect, and frame sources
• Authentication middleware protecting authenticated routes at the edge
• API rate limiting on interview and realtime endpoints
• Signed-webhook verification for payment events to prevent spoofing
• Separation of authentication secrets between development and production environments
• Role-based access controls (admin versus student)
• Error monitoring with PII-scrubbing filters for real-time incident detection

Despite these measures, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to maintaining industry-standard protections and to continuously improving them.

14. Data breach notification

If we experience a security incident that results in unauthorized access to, or acquisition of, your personal information in a manner that triggers notification obligations under applicable law, we will notify you and the relevant regulatory authorities without undue delay and in accordance with the timelines required by that law (for example, 72 hours under the GDPR to the relevant supervisory authority). Notifications will describe, to the extent known at the time, the nature of the incident, the categories of information affected, the steps we have taken, and the steps you can take to protect yourself.

15. Your rights

Depending on your location and applicable law, you may have the right to:

• Access personal information we hold about you and know what we have collected, used, disclosed, and (where applicable) shared in the 12 months before your request
• Request correction of inaccurate or incomplete information
• Request deletion of your personal information, subject to limited retention exceptions
• Export your data in a portable, machine-readable format
• Object to or restrict certain processing, including profiling and automated decision-making
• Opt out of the “sale” or “sharing” of personal information (we do not sell or share, but we will still honor the request)
• Limit the use and disclosure of sensitive personal information (we already limit this by default; see Section 7)
• Withdraw consent where processing is based on consent
• Request human review of, and contest, Automated Outputs (see Section 8)
• Not receive discriminatory treatment for exercising privacy rights
• Lodge a complaint with a data protection authority (see Section 19)

To request access, correction, export, or deletion of your data, email privacy@casegrade.io. To protect your information, we will verify your identity before acting on a request, typically by confirming control of the email address associated with your account and by requesting additional information where the request is of high sensitivity or value. We will respond to verified requests within 30 days (or sooner if required by your jurisdiction), and may extend once by up to 45 additional days where the request is particularly complex, with notice to you. You may also designate an authorized agent to make a request on your behalf; we will require reasonable proof of that authorization.

16. Children's privacy

CaseGrade is designed for university students and early-career professionals. The Services are not directed to, and we do not knowingly collect personal information from, anyone under the age of 18. If we learn that we have collected personal information from a person under 18 without appropriate consent, we will delete it promptly. If you believe a minor has created an account, please contact privacy@casegrade.io. Parents or guardians with questions about their child's data may use the same contact address.

17. California privacy notice

If you are a California resident, the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”) provide you with specific rights regarding your personal information, including:

• The right to know the categories and specific pieces of personal information we have collected, used, disclosed, and shared
• The right to delete personal information we have collected, subject to exceptions
• The right to correct inaccurate personal information
• The right to opt out of the sale or sharing of personal information for cross-context behavioral advertising — we do not engage in either
• The right to limit the use and disclosure of sensitive personal information (see Section 7)
• The right to non-discrimination for exercising your privacy rights

The categories of personal information we have collected in the preceding 12 months are described in Section 2. The business purposes for which we collect each category are described in Section 3. The categories of recipients with whom we share personal information are described in Section 9. We do not sell or share personal information.

To exercise your California privacy rights, submit a request to privacy@casegrade.io or use the mechanisms on your profile page. We will verify requests as described in Section 15. You may also designate an authorized agent. We recognize and honor the Global Privacy Control signal as described in Section 5.

Your California Privacy Choices: casegrade.io/privacy-choices

18. Other U.S. state privacy rights

If you are a resident of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, or Maryland, you may have additional rights under your state's consumer privacy law, including the right to access, correct, delete, and export your personal information, and in some cases to opt out of targeted advertising, sale, and certain profiling. We do not engage in targeted advertising or sale. To exercise these rights, contact privacy@casegrade.io. You may also have a right to appeal a denial of your request by replying to our response; we will provide an appeal mechanism in our response where required.

19. EEA, Swiss, and UK disclosures

If you are in the European Economic Area, Switzerland, or the United Kingdom, you have the rights described in Section 15, plus the right to lodge a complaint with a supervisory authority (for example, your national data protection authority, the Swiss Federal Data Protection and Information Commissioner, or the UK Information Commissioner's Office).

When we transfer personal data from the EEA, Switzerland, or the UK to the United States or to any other country not recognized as providing an adequate level of data protection, we rely on legally recognized transfer mechanisms, including the European Commission's Standard Contractual Clauses (as supplemented for the UK and Switzerland) and, where applicable, the EU–U.S. Data Privacy Framework and its UK and Swiss extensions. We conduct transfer impact assessments on material subprocessors and implement supplementary measures where appropriate.

EU / UK Representative:where required under Article 27 of the GDPR or Article 27 of the UK GDPR, we will appoint a representative before commencing offering of the Services to residents of the relevant jurisdiction and list the representative's contact details here. [EU/UK REPRESENTATIVE DETAILS TO BE INSERTED BEFORE EU/UK LAUNCH.]

20. International data transfers

We process and store personal information primarily in the United States. If you are outside the United States, your data will be transferred to and processed in the United States and in other jurisdictions where our subprocessors operate. We take appropriate steps to ensure transferred data receives protection consistent with this Privacy Policy and applicable law, including through the mechanisms described in Section 19.

21. Institutional and enterprise accounts; FERPA

Where the Services are provided under a university partnership, consulting club license, employer sponsorship, or other institutional agreement:

• The sponsoring organization may receive aggregated cohort analytics, and, only where separately agreed in a data-sharing agreement or data processing addendum, individual student progress data for students it has provisioned.
• Where we process personal information on behalf of the institution under such an agreement, we act as a data processor (or “service provider” under the CCPA) and the institution controls the data. The institution's own privacy notice and internal policies may also apply.
• Where student education records protected by the Family Educational Rights and Privacy Act (“FERPA”), 20 U.S.C. § 1232g, are disclosed to CaseGrade by an educational institution, CaseGrade will accept designation as a “school official” with a legitimate educational interest under 34 C.F.R. § 99.31(a)(1), use such records only for the purposes authorized by the institution, remain under the institution's direct control with respect to those records, and not redisclose personally identifiable information from education records without authorization.
• If you originally accessed the Services through an institutional sponsorship and later choose to use the Services directly (for example, after graduation), we will clearly present you with the option to “claim your account”; from that point forward, your relationship with CaseGrade is governed by this Privacy Policy and our Terms of Service rather than by the institution's arrangement.
• Institutional customers may request a data processing addendum and, where applicable, FERPA-compliant terms by contacting partnerships@casegrade.io.

22. Marketing communications

We may send you product updates and promotional materials where permitted by law and your preferences. You can opt out of marketing emails at any time using the unsubscribe link in the email or by updating your account preferences. We will still send service-related communications (account verification, password reset, billing receipts, security alerts, material changes to our legal terms) regardless of your marketing preferences, as these are necessary to deliver the Services.

23. Third-party services

The Services integrate with third-party products in the following categories: AI model providers, payment processors, transactional email providers, database hosting providers, application hosting and infrastructure providers, error monitoring services, and uptime monitoring services. Your use of those services is subject to their own terms and privacy policies. We are not responsible for the privacy practices of third parties we do not control. Institutional customers under a data processing addendum may request the named list of subprocessors.

24. Changes to subprocessors

We maintain an up-to-date list of subprocessors at casegrade.io/subprocessors. Institutional customers under a data processing addendum may subscribe to receive email notice of any addition or replacement of a subprocessor that materially processes their data, typically at least 30 days before the change takes effect. If a customer objects to a proposed change on reasonable data protection grounds, we will work in good faith to address the objection or to provide a path to terminate the relevant portion of their subscription.

25. Changes to this policy

We will post material changes to this page and update the “Last updated” date above. For significant changes, we will also email you at the address on your account and, where required by law, obtain fresh consent before relying on any new processing that requires it. Your continued use after changes take effect means you acknowledge the revised policy.

26. Contact

Questions about privacy? Email privacy@casegrade.io or hello@casegrade.io. Postal mail may be sent to: CaseGrade LLC, 200 West Grand Avenue, Chicago, IL 60654, United States.

CaseGrade LLC · casegrade.io