Privacy Policy

Last updated: 2026-05-27.

This policy describes what Crackd collects, why, and how to control it. The candidate-facing summary on the session-intro page is the authoritative version of "what you're consenting to"; this document is the long form for legal compliance.

What we collect

Data Purpose Retention
Email address (from the invite) Identifying your session, sending the report, paying any stipend 90 days after submit, then anonymised
Workspace name (for hirers) Authentication scope + billing While the workspace exists
Session inputs (comments, answers, code edits, notes) Grading your screen + fixture calibration 90 days after submit
AI chat transcripts + token counts Grading AI fluency + ops monitoring 90 days
Browser fingerprint hash Detecting session sharing 90 days
Webcam snapshots (opt-in, when enabled) Presence verification 30 days, then deleted
Server logs (IPs, request paths) Security + abuse detection 30 days
Analytics events (page views, click times) Product improvement + integrity 12 months in PostHog

Lawful basis

  • For candidates: explicit consent (Art. 6(1)(a) GDPR) recorded at session start.
  • For hirers: contract performance (Art. 6(1)(b)) — they signed up for Crackd to run screens.

Sub-processors

  • Neon (Postgres hosting) — EU + US regions, candidate data lives in the workspace's chosen region.
  • Anthropic (default LLM provider) — see their data policy. API calls are not used to train Anthropic's models per their commercial terms.
  • OpenAI / Google (optional LLM providers, only when the hirer's workspace has configured a key).
  • PostHog (session analytics) — EU region available; default deployment is EU.
  • Vercel (hosting).
  • Stripe (payments — only if a stipend is enabled on the screen).

Your rights (GDPR / CCPA)

  • Right to access — get a copy of your data.
  • Right to deletion — request erasure.
  • Right to rectification — correct inaccurate data.
  • Right to portability — export in a machine-readable format.
  • Right to object to processing — withdraw consent.

Email privacy@iscracked.com to exercise any of these. We respond within 14 days.

Children

Crackd is not directed at people under 18. We don't knowingly collect data from anyone under 18.

Security

  • TLS in transit; encryption at rest in Neon.
  • Sub-processor contracts include SCCs for EU transfers.
  • Authentication via passwordless email OTP.
  • Internal access logged + reviewed quarterly.

Changes

We'll update this page with a new "Last updated" date when we change practice. Material changes will be emailed to active hirer admins; candidates with active sessions will be re-prompted for consent.

Contact

  • privacy@iscracked.com — data rights, GDPR, CCPA
  • security@iscracked.com — vulnerabilities, incidents