Cookd AI Inc. (the "Company," "we," "our," or "us") is committed to protecting the privacy and security of the personal information we collect from individuals who use our professional interviewing training Services and other Services. This Privacy Policy explains how we may collect, use, share, and protect personal information in connection with our operations.
This Privacy Policy is designed to be transparent, comprehensive, and accessible while maintaining the legal precision necessary to ensure compliance with applicable privacy laws across our operating jurisdictions. This Privacy Policy does not address the privacy practices of any third parties that we do not own or control or with which we are not affiliated. Capitalized terms not defined in this Privacy Policy will have the meaning stated in our Terms of Service.
By accessing or using our Services, you acknowledge and agree to the practices described in this Privacy Policy. If you do not agree with the practices described in this Policy, please do not use our Services.
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify you of any material changes by posting the updated Policy on our website and updating the "Effective Date" at the beginning of this document. You are encouraged to review this Policy periodically for any updates, and to use the information it contains to help you make informed decisions.
PERSONAL INFORMATION WE COLLECT
We may collect the following categories of personal information from individuals who use our Services, including but not limited to:
- Identifiers. Full name, email address, physical address, telephone number, user account credentials, and other similar identifiers.
- Academic Information. Educational institution, program of study, year of study, academic achievements, and other details related to your academic background.
- Financial Information. Payment card details, billing address, transaction history, and other information needed to process payments for our Services. We do not store complete payment card information on our servers; this information is processed by our secure third-party payment processor Stripe.
- Employment and Career Information. Work history, job titles, employers, skills, qualifications, professional certifications, career goals and preferences, and information contained in resumes or CVs.
- Demographic Information. Age, gender, nationality, location, language preferences, and other demographic data that helps us tailor our Services to your needs.
- Behavioral Information. Information about your use of our Services, including participation in interview simulations, assessment results, progress metrics, and feedback or survey responses.
- Audio and Visual Information. Video and audio recordings of interview simulations, and other interactions. These are collected only with your explicit consent and destroyed after a transcript of each session is produced.
- Device/Network & Online Identifiers. IP address, device identifiers, browser type, operating system, approximate location derived from IP, unique IDs, and related online identifiers.
- Communications. Content of emails, chat messages, and other communications between you and our staff or service providers.
We may collect this information through various methods:
- Direct Collection: Information you provide when you register for our Services, complete forms, participate in assessments, communicate with us, or participate in our programs.
- Third-Party Sources: Information we may receive from various third parties with your consent.
HOW WE USE YOUR PERSONAL INFORMATION
We may use the personal information we collect for the following purposes:
- Service Provision and Management
  - Providing and delivering the professional interviewing training and related Services you request
  - Creating and managing your account
  - Processing payments and fulfilling transactions
  - Providing personalized feedback and recommendations
  - Responding to your inquiries and support requests
- Communication
  - Sending service-related communications, such as appointment confirmations, reminders, and updates
  - Providing information about your account, our Services, and other matters
  - Delivering newsletters, event invitations, and other content you have opted to receive
- Service Improvement and Development
  - Personalizing and improving your experience with our Services
  - Analyzing usage patterns and trends to enhance our website, applications, and Services
  - Developing new features, products, and services
  - Conducting research and analysis to better understand our users' needs and preferences
  - Testing and troubleshooting new products and features
- Marketing and Promotion
  - Sending you information about events, offers, and opportunities that may be of interest to you
  - Delivering targeted advertisements based on your preferences and interactions with our Services
  - Measuring the effectiveness of our marketing and promotional efforts
  - Administering contests, promotions, surveys, or other site features
- Legal and Operational Purposes
  - Complying with legal and regulatory obligations
  - Protecting our rights, property, and safety, and the rights, property, and safety of our users and others
  - Detecting, preventing, and addressing fraud, security breaches, and technical issues
  - Enforcing our Terms of Service and other agreements
  - Carrying out our obligations and enforcing our rights arising from any contracts entered into between you and us
- Other Lawful Purposes
  - For any other lawful purpose disclosed to you at the time we collect your information
  - With your consent for purposes not listed above
COOKIES AND TRACKING TECHNOLOGIES
We and our service providers use cookies, pixels, software development kits (SDKs), and similar tracking technologies to automatically collect certain information when you access or use our Services. These technologies help us operate our Services, understand usage patterns, improve performance, enhance user experience, conduct analytics, and support security and fraud prevention. The information collected through these technologies may include IP address, device and browser information, operating system, pages viewed, features used, timestamps, referring URLs, and other usage data.
We use third-party analytics providers, including Google Analytics (provided by Google LLC) and Mixpanel (provided by Mixpanel, Inc.), to help us analyze how users interact with our Services. These providers may use cookies or similar technologies to collect information about your use of our Services and may process such information in accordance with their own privacy policies. Where required by applicable law, we obtain your consent before placing non-essential cookies or using similar tracking technologies, and you may manage your cookie preferences through browser settings or other tools made available on the Platform.
Cookie Choices. You may control cookies through your browser settings and, where available, through any cookie banner or preference center on our Services. You can also opt out of certain analytics and advertising cookies by using industry opt-out tools (such as the Network Advertising Initiative or the Digital Advertising Alliance), where applicable. We recognize and honor Global Privacy Control (GPC) signals sent by your browser.
LEGAL BASES FOR PROCESSING (EUROPEAN USERS ONLY)
For users in the European Economic Area (EEA) and the United Kingdom, we process your personal information based on one or more of the following legal bases:
- Contractual Necessity. Processing is necessary for the performance of our contract with you to provide our Services or to take steps at your request before entering into such a contract.
- Legitimate Interests. Processing is necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your interests or fundamental rights and freedoms. Our legitimate interests include:
  - Operating and improving our business and Services
  - Marketing our Services
  - Protecting against fraud and unauthorized transactions
  - Ensuring network and information security
- Compliance with Legal Obligations. Processing is necessary for compliance with a legal obligation to which we are subject.
- Consent. You have given your consent to the processing of your personal information for one or more specific purposes. Where we rely on your consent, you have the right to withdraw your consent at any time.
HOW WE SHARE YOUR PERSONAL INFORMATION
We may share your personal information with the following categories of recipients:
- Service Providers. We may share personal information with third-party service providers who perform services on our behalf, including but not limited to:
  - Cloud storage and hosting providers
  - Artificial intelligence and machine learning service providers (including providers of speech synthesis, natural language processing, and large language model technologies)
  - Payment processors
  - Data analytics providers
  - Email and communication service providers
  - Customer relationship management systems
  - IT and security service providers
  - Professional advisors and consultants
These service providers are contractually obligated to use your personal information only to provide services to us and in accordance with our instructions and this Privacy Policy. You consent to the processing of data about you by these providers in the manner and for the purposes set out in this Privacy Policy. For more information on these third parties, including how to opt out from certain data collection, please contact us using the email in the “Contact Us” section of this Privacy Policy, or by visiting the respective third party’s privacy policy, including but not limited to the following:
- Amazon Web Services (AWS): https://aws.amazon.com/privacy/
- OpenAI (ChatGPT): https://openai.com/policies/privacy-policy/
- Stripe: https://stripe.com/privacy
- Mixpanel (Mixpanel, Inc.): https://mixpanel.com/legal/privacy-policy/
- ElevenLabs (ElevenLabs Inc.): https://elevenlabs.io/privacy
- Google Gemini (Google LLC): https://support.google.com/gemini/answer/13594961
- MiniMax (MiniMax AI): https://www.minimax.ai/privacy
- Business Partners. We may share personal information with business partners with whom we jointly offer products or services. We require our business partners to respect the privacy and security of your personal information.
- Legal Authorities and Compliance. We may disclose personal information to government authorities and other third parties when required by law, such as:
  - In response to lawful requests by public authorities, including to meet national security or law enforcement requirements
  - To comply with a subpoena, court order, or other legal process
  - To enforce our Terms of Service or other agreements
  - To protect our rights, property, or safety, and the rights, property, and safety of our users or others
- Corporate Transactions. We may share personal information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company. We will take reasonable steps to ensure that your personal information continues to be subject to the same protections set out in this Privacy Policy.
- With Your Consent. We may share your personal information with other third parties when we have your consent to do so.
We do not sell your personal information. We also do not share personal information for cross-context behavioral advertising as those terms are defined under applicable U.S. state privacy laws, unless otherwise disclosed to you and you are provided any required opt-out rights.
Use of Personal Information With Artificial Intelligence
The collection and use of personal information are integral to training our artificial intelligence (“AI”) model and delivering high-quality interview Services and other Services to users. By analyzing real-world data, the AI model can simulate realistic interview scenarios, provide personalized feedback, and continuously improve its performance. However, these activities must be conducted in strict compliance with various privacy laws to ensure the lawful and ethical use of personal data.
Legal Framework. Many jurisdictions' privacy laws require that private communications be recorded or intercepted only with the consent of all parties involved. This "all-party consent" requirement ensures that individuals retain control over their personal information. Additionally, these laws emphasize the importance of protecting privacy rights and mandate that personal data be used responsibly and transparently. These legal principles guide the collection and use of personal information for AI training and service provision.
Application. Personal information collected from users is used to enhance the AI model's capabilities. For example, data may be analyzed to identify patterns in communication, assess interview performance, and provide tailored feedback. This data-driven approach ensures that the Services offered are customized to meet the unique needs of each user. By using de-identified data to the extent possible, the AI model can improve its functionality while minimizing privacy risks. In providing these Services, we may process personal information using third-party artificial intelligence service providers acting on our behalf and subject to contractual obligations to process such information only in accordance with our instructions and applicable law.
AI is not applied in any way or manner for the purposes of automated decision-making or processing as defined under GDPR Article 22.
Safeguards. To ensure compliance with privacy laws, several safeguards are implemented:
- Explicit Consent: Users are informed about how their personal information will be used, and we obtain explicit consent where required by applicable law, including for recording interview simulations and, in certain jurisdictions, for the use of non-essential cookies or similar tracking technologies.
- Anonymization: Personal data is anonymized or de-identified to the extent possible to prevent the identification of individuals, reducing privacy risks.
- Data Minimization: Only the information necessary for AI training and service provision is collected, in line with data minimization principles.
- Security Protocols: Robust security measures are in place to protect personal information from unauthorized access or disclosure.
By adhering to these safeguards, the use of personal information for AI training and service provision not only enhances the quality of the Services offered but also ensures compliance with privacy laws and the protection of users' rights.
JURISDICTION-SPECIFIC PRIVACY RIGHTS
Depending on your location, you may have specific rights regarding your personal information. Below, we outline the rights available to you based on your jurisdiction.
Rights for All Users. Regardless of your location, you have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate or incomplete personal information
- Opt out of receiving marketing communications from us
- Request information about how your personal information is used and shared
United States Privacy Rights. If you are a resident of California, Virginia, Colorado, Connecticut, Utah, or other states with comprehensive privacy laws, you may have the following additional rights:
- Right to Know/Access: You have the right to request information about the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected the information, our purposes for collecting the information, and the categories of third parties with whom we have shared the information.
- Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.
- Right to Correct: You have the right to request that we correct inaccurate personal information we maintain about you.
- Right to Opt-Out: You have the right to opt out of the "sale" or "sharing" of your personal information (as those terms are defined under applicable state laws) and the processing of your personal information for targeted advertising purposes.
- Right to Non-Discrimination: You have the right not to be discriminated against for exercising your privacy rights.
California residents may also have the right to request information about our disclosure of personal information to third parties for their direct marketing purposes under California's "Shine the Light" law.
For a current list of states with comprehensive privacy laws, please see: https://iapp.org/news/a/us-state-comprehensive-privacy-law-comparison/
European Privacy Rights (GDPR). If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and applicable national laws:
- Right of Access: You have the right to obtain confirmation as to whether personal information concerning you is being processed and, if so, access to that personal information.
- Right to Rectification: You have the right to have inaccurate personal information corrected and incomplete personal information completed.
- Right to Erasure (Right to be Forgotten): You have the right to have your personal information erased under certain circumstances.
- Right to Restriction of Processing: You have the right to restrict the processing of your personal information under certain circumstances.
- Right to Data Portability: You have the right to receive your personal information in a structured, commonly used, and machine-readable format and to transmit that information to another controller.
- Right to Object: You have the right to object to the processing of your personal information under certain circumstances, including processing for direct marketing purposes and profiling.
- Right Not to Be Subject to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you.
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority.
China Privacy Rights (PIPL). If you are located in the People's Republic of China, you have the following rights under the Personal Information Protection Law (PIPL):
- Right to Know and Decide: You have the right to know, decide, and limit or refuse the processing of your personal information by others.
- Right to Access and Copy: You have the right to access and obtain a copy of your personal information.
- Right to Correction: You have the right to request correction of inaccurate or incomplete personal information.
- Right to Deletion: You have the right to request deletion of your personal information under certain circumstances.
- Right to Explanation: You have the right to request an explanation of our personal information processing rules.
- Right to Withdraw Consent: You have the right to withdraw your consent to the processing of your personal information.
- Right to Lodge a Complaint: You have the right to lodge a complaint with the relevant authorities if you believe your rights have been violated.
Hong Kong Privacy Rights (PDPO). If you are located in Hong Kong, you have the following rights under the Personal Data (Privacy) Ordinance:
- Right to be Informed: You have the right to be informed whether providing personal data is obligatory or voluntary, the purpose of data collection, and the potential consequences of not providing the data.
- Right to Access: You have the right to request access to your personal data held by data users.
- Right to Correct: You have the right to request corrections to your personal data if it is inaccurate or incomplete.
- Right to Erasure: While there is no explicit right to erase data, you can request deletion of data that is no longer necessary for processing.
- Right to Object: You can object to the use of your personal data for direct marketing purposes.
To exercise your data privacy rights, please contact the Company using the information in the "Contact Us" section of this Policy.
DATA SECURITY AND INCIDENT RESPONSE
Security Measures. We implement comprehensive administrative, technical, and physical security measures to protect your personal information from unauthorized access, disclosure, alteration, and destruction. These measures include:
Administrative Safeguards:
- Regular privacy and security training for all staff
- Background checks for employees with access to sensitive data
- Formal access control policies and procedures
- Regular security risk assessments and audits
- Vendor management program to ensure service providers maintain appropriate security controls
Technical Safeguards:
- Encryption of personal information in transit and at rest using industry-standard encryption protocols
- Multi-factor authentication for access to systems containing personal information
- Firewalls, intrusion detection systems, and anti-malware solutions
- Regular security patches and updates to all systems
- Network segmentation and access controls
- Logging and monitoring of system activities to detect unauthorized access attempts
Physical Safeguards:
- Secured facilities with controlled access
- Video surveillance and alarm systems
- Visitor management procedures
- Secure disposal of physical documents containing personal information
- Redundant power and environmental controls for data centers
Data Breach Response. In the event of a data breach that compromises the security, confidentiality, or integrity of your personal information, we will:
- Investigate and Contain: Promptly investigate the breach and take steps to contain and mitigate the harm.
- Assess the Risk: Evaluate the nature and scope of the breach, the types of information involved, and the risk of harm to affected individuals.
- Notification: Notify affected individuals, regulatory authorities, and other required parties in accordance with applicable laws and within the timeframes specified by those laws:
  - For European users: Within 72 hours of becoming aware of the breach (for notifications to supervisory authorities)
  - For U.S. users: In accordance with applicable state breach notification laws
  - For Chinese users: In accordance with the requirements of the PIPL and related regulations
- Remediation: Implement measures to address the cause of the breach and prevent similar incidents in the future.
Our notification will include, to the extent known:
- A description of the breach;
- The types of information involved;
- Steps we are taking to protect your information;
- Measures you can take to protect yourself; and
- Contact information for further questions.
DATA RETENTION AND DELETION
Retention Periods. We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected and to comply with applicable legal, regulatory, tax, accounting, or reporting requirements. The specific retention periods depend on the nature of the information and the purposes for which it is used.
General Retention Guidelines:
- Account Information: We retain your account information for the duration of your relationship with us and after account closure to comply with legal obligations, resolve disputes, and enforce our agreements.
- Transaction Information: We retain information related to transactions to comply with tax, accounting, and other legal requirements.
- Communications: We retain communications with you to provide customer support, maintain records of our interactions, and comply with legal obligations.
- Training Records: We retain records of your participation in our training Services to provide ongoing support, track your progress, and improve our Services.
- Audio/Video Recordings: We retain audio/video recordings of your training sessions only as needed to create transcripts and provide our Services. Once a transcript has been created, the audio/video recording is destroyed.
- AI Machine Learning: We may retain and use personal information for the purposes of developing and improving our artificial intelligence (AI) models through machine learning. This information will be processed in a manner consistent with this Privacy Policy and applicable legal requirements, including deidentification (to the extent possible) and security measures to protect your data. Any personal information used for machine learning will be stored securely and will not be disclosed in a manner that identifies you as an individual, except as permitted by law.
- Marketing Preferences: We retain records of your marketing preferences until you opt out or request deletion.
Deletion Procedures. When personal information is no longer needed, we securely delete or anonymize it using industry-standard methods, including but not limited to the following:
Electronic Data:
- Secure deletion using specialized software that overwrites data multiple times
- Decommissioning and physical destruction of storage media when appropriate
- Anonymization techniques that irreversibly transform personal information so that it can no longer be used to identify an individual
Physical Documents:
- Secure shredding using cross-cut shredders
- Contracted secure destruction services with certification of destruction
Data Minimization. We implement data minimization principles to limit the collection and retention of personal information to what is directly relevant and necessary for the purposes for which it is processed. This includes:
- Regular data inventory and classification exercises
- Periodic review of retained data to identify and securely dispose of unnecessary information
- Implementation of automated retention schedules and deletion processes
INTERNATIONAL DATA TRANSFERS
Cross-Border Transfer Mechanisms. As a global company operating in several jurisdictions, we may transfer your personal information across international borders. When we transfer personal information from one jurisdiction to another, we implement appropriate safeguards to ensure that your information remains protected in accordance with this Privacy Policy and applicable data protection laws.
Depending on the countries involved, these safeguards may include:
For Transfers from the United States:
- Contractual provisions requiring adequate protection
- Technical and organizational measures to ensure security and confidentiality
For Transfers from Europe:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Binding Corporate Rules (BCRs) for intra-group transfers
- Adequacy decisions issued by the European Commission
- Post-Schrems II administrative measures, as appropriate
- Derogations under Article 49 of the GDPR in limited circumstances
For Transfers from China:
- Security assessments by the Cyberspace Administration of China (CAC)
- Standard contracts approved by Chinese authorities
- Certification by specialized agencies
- Other mechanisms as required by the PIPL and its implementing regulations
For Transfers from Hong Kong:
- Standard Contractual Clauses (SCCs)
- Binding Corporate Rules (BCRs)
- Certification mechanisms
- Receiving country reciprocity with PDPO protections
- Exemptions for data subject consent or contractual performance necessity
Data Localization Requirements. In certain jurisdictions, we may be required to store specific categories of personal information locally. We comply with these data localization requirements by:
- Maintaining servers and data storage facilities in relevant jurisdictions
- Implementing technical measures to ensure data remains within required geographic boundaries
- Conducting regular audits to verify compliance with localization requirements
Additional Safeguards. Beyond the formal transfer mechanisms, we implement additional technical, organizational, and contractual measures to protect your information during international transfers, including:
- End-to-end encryption for data in transit
- Access controls and authentication requirements
- Regular security assessments of our data transfer practices
- Contractual commitments from recipients to maintain appropriate security measures
CHILDREN'S PRIVACY
Our Services are directed towards college students and are not intended for children under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected personal information from a child under 18, we will take steps to delete such information as soon as possible.
If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us using the information provided in the "Contact Us" section below, and we will take steps to remove such information from our systems.
THIRD-PARTY LINKS AND SERVICES
Our Services may contain links to third-party websites, applications, or services that are not owned or controlled by us. This Privacy Policy applies only to our Services. We have no control over and assume no responsibility for the privacy practices of any third-party sites or services.
We encourage you to review the privacy policies of any third-party sites or services you visit or use to understand how they collect, use, and share your personal information.
Examples of third-party services that may be linked from our platform include:
- Educational resources and academic institutions
- Professional networking platforms
- Job posting and recruitment websites
- Payment processors
- Social media platforms
CONTACT US
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact Cookd AI Inc. using the subject “Privacy” and the information below:
- Via Mail:
  - New York: 40 Wall St, 28th Floor, New York, NY 10005
- Via Email: privacy@cookd.ai