Privacy Policy
Last updated: 2026-05-27.
This policy describes what Crackd collects, why, and how to control it. The candidate-facing summary on the session-intro page is the authoritative version of "what you're consenting to"; this document is the long form for legal compliance.
What we collect
| Data | Purpose | Retention |
|---|---|---|
| Email address (from the invite) | Identifying your session, sending the report, paying any stipend | 90 days after submit, then anonymised |
| Workspace name (for hirers) | Authentication scope + billing | While the workspace exists |
| Session inputs (comments, answers, code edits, notes) | Grading your screen + fixture calibration | 90 days after submit |
| AI chat transcripts + token counts | Grading AI fluency + ops monitoring | 90 days |
| Browser fingerprint hash | Detecting session sharing | 90 days |
| Webcam snapshots (opt-in, when enabled) | Presence verification | 30 days, then deleted |
| Server logs (IPs, request paths) | Security + abuse detection | 30 days |
| Analytics events (page views, click times) | Product improvement + integrity | 12 months in PostHog |
Lawful basis
- For candidates: explicit consent (Art. 6(1)(a) GDPR) recorded at session start.
- For hirers: contract performance (Art. 6(1)(b)) — they signed up for Crackd to run screens.
Sub-processors
- Neon (Postgres hosting) — EU + US regions, candidate data lives in the workspace's chosen region.
- Anthropic (default LLM provider) — see their data policy. API calls are not used to train Anthropic's models per their commercial terms.
- OpenAI / Google (optional LLM providers, only when the hirer's workspace has configured a key).
- PostHog (session analytics) — EU region available; default deployment is EU.
- Vercel (hosting).
- Stripe (payments — only if a stipend is enabled on the screen).
Your rights (GDPR / CCPA)
- Right to access — get a copy of your data.
- Right to deletion — request erasure.
- Right to rectification — correct inaccurate data.
- Right to portability — export in a machine-readable format.
- Right to object to processing — withdraw consent.
Email privacy@iscracked.com to exercise any of these. We respond within 14 days.
Children
Crackd is not directed at people under 18. We don't knowingly collect data from anyone under 18.
Security
- TLS in transit; encryption at rest in Neon.
- Sub-processor contracts include SCCs for EU transfers.
- Authentication via passwordless email OTP.
- Internal access logged + reviewed quarterly.
Changes
We'll update this page with a new "Last updated" date when we change practice. Material changes will be emailed to active hirer admins; candidates with active sessions will be re-prompted for consent.
Contact
privacy@iscracked.com— data rights, GDPR, CCPAsecurity@iscracked.com— vulnerabilities, incidents