Privacy Policy

1. Introduction

ExecFit AI (“ExecFit,” “we,” “us,” or “our”) is an AI-powered executive talent and culture-fit matching platform operated by EXECFIT.AI LLC, a New York limited liability company. We take the privacy of our users — both executive candidates and company clients — seriously.

This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and what rights you have. By using the ExecFit AI platform, you agree to the practices described in this Policy.

Because our platform processes sensitive psychometric and career data about individuals, we hold ourselves to a higher standard than most platforms. Please read this Policy carefully.

2. Data We Collect

2.1 Executive Candidates

When you use ExecFit AI as an executive candidate, we collect:

• Identity information: full name, email address, professional title, location
• Career documents: resume, CV, and any supporting career materials you upload
• Psychometric assessment reports: DISC, Hogan, Gallup CliftonStrengths, PXT Select, MBTI, and any other assessment PDFs you upload
• Interview responses: your answers to questions asked by our AI interviewer, Aria
• AI-generated profile data: your ExecFit archetype, dimension scores, culture fit profile, and narrative report
• Consent records: your acceptance or rejection of contact requests, NDA signatures, and role disclosure acknowledgments
• Usage data: pages visited, features used, session timestamps
• Payment data: processed by Stripe. ExecFit does not store credit card numbers.

2.2 Company Clients

When you use ExecFit AI as a company client, we collect:

• Company identity: company name, website, industry, size
• Contact information: name and email of the account holder
• Culture profile data: responses to our culture survey, uploaded culture documents, and AI-generated culture intelligence profile
• Search criteria: role descriptions, requirements, and candidate shortlist interactions
• Contact request records: requests sent to candidates, outcomes, and NDA execution records for confidential searches
• Payment data: subscription and per-search payments processed by Stripe

2.3 Coach Applicants and Coaches

When you apply to or operate as an ExecFit AI coach, we collect:

• Professional profile: name, email, title, location, LinkedIn URL, bio, certifications, specialties, coaching focus areas, session rate, and booking URL
• Reference contacts: names and emails of professional references you provide
• Session and review data: coaching engagement records, session notes visible to clients, and ratings submitted by clients after sessions

3. How We Use Your Data

3.1 To provide the platform

• Generate your ExecFit executive intelligence report
• Match you to relevant executive roles or candidates
• Match candidates to coaches based on psychometric profile alignment
• Enable company clients to evaluate candidates for specific roles
• Manage contact requests, consent flows, and NDA processes between candidates and companies

3.2 Candidate anonymity and the contact request process

ExecFit AI is built on a candidate-first anonymity model. Your identity is protected by default. Here is exactly how information is shared and when:

What companies see before you consent: Companies browsing the ExecFit platform see only your anonymous profile — your ExecFit archetype, dimension scores, culture fit alignment, and a general career summary (function, seniority level, and industry). Your name, employer, resume, full report, and any identifying information are never visible to companies until you explicitly consent.

When a company requests contact: If a company is interested in your profile, they submit a contact request. You will receive a notification with information about the role and a general description of the company. You have the right to review this information and decline without any of your identifying details being shared.

When you accept a contact request: Only after you explicitly accept a contact request will the company gain access to your professional identity — your name, title, and the ability to communicate with you directly through the platform. Even then, your full psychometric report and uploaded assessment documents are shared only with your additional explicit consent on a document-by-document basis.

Confidential searches — additional NDA requirement: For searches designated as confidential by the company client, the disclosure sequence is modified. You will receive a contact request with a general role description, but the company name and specific details will not be disclosed until you sign a digital Non-Disclosure Agreement (NDA). The NDA is presented and executed within the ExecFit platform before any identifying company information is revealed. Once you sign the NDA, the company name, role brief, and relevant search details are disclosed. Only after you accept the contact request following NDA execution will the company gain access to your professional identity.

You may withdraw from a confidential search process at any time before accepting a contact request without penalty. Your obligations under any signed NDA regarding information already disclosed remain in effect per the terms of that NDA.

3.3 AI and model training: explicit statement

ExecFit AI does not use candidate data to train any AI model — our own or any third party's. The Anthropic API used to generate intelligence reports deletes all inputs and outputs within 7 days per Anthropic's commercial API terms. Candidate psychometric data is used solely to generate that candidate's report and is never incorporated into any AI training pipeline.

All AI processing on the platform uses the Anthropic API under commercial terms. Per those terms, API inputs and outputs are never used for model training and are automatically deleted after 7 days. This applies to all psychometric data, interview transcripts, and generated reports sent to the API.

ExecFit AI does not build or train proprietary AI models on candidate personal data. Our matching algorithms use aggregated, anonymized signals — not individual candidate data — for platform improvement.

3.4 To improve the platform

• Analyse anonymized, aggregated data to improve our matching algorithms and assessment methodology
• Track coaching outcomes (with candidate consent) to improve coach matching and demonstrate ROI
• Conduct internal research on leadership patterns across archetypes and industries — using only anonymized, aggregated data

3.5 To communicate with you

• Send transactional emails: report delivery, contact request notifications, NDA execution confirmations, booking confirmations, and application status updates
• Send platform updates and relevant coaching or career content (you can opt out at any time)

3.6 What we do NOT do

• We do not sell your personal data to third parties
• We do not share your psychometric data with companies without your explicit, role-specific consent
• We do not reveal your identity to any company without your explicit acceptance of a contact request
• We do not use your data to train any AI model — ours or any third party's
• We do not share your data with advertisers
• We do not make automated employment decisions — all ExecFit scores are inputs to human judgment, not standalone hiring decisions

4. Data Controller and Processor Roles

The distinction between data controller and data processor is important for understanding your rights and our obligations.

ExecFit AI acts as a data controller when we collect and process your personal data directly — for example, when a candidate registers and generates a report, or when a coach submits an application.

ExecFit AI acts as a data processorwhen a company client purchases a search and we evaluate candidates on their behalf. In that context, the company client is the data controller and ExecFit AI processes candidate data according to the company's instructions and our contractual terms. Company clients who are subject to GDPR should contact us at [email protected] to request a Data Processing Addendum (DPA).

Enterprise and institutional clients may request a formal DPA outlining the specific processing activities, data categories, security measures, and sub-processor arrangements applicable to their account.

5. How We Share Your Data

5.1 With company clients (candidates only): staged disclosure model

ExecFit AI operates a staged disclosure model. The amount of your data visible to a company client depends on where you are in the consent process:

Companies do not receive your raw uploaded assessment PDFs, your full interview transcript, or your resume unless you explicitly provide these as part of an application. ExecFit AI dimension scores and culture fit profiles are analytical inputs designed to support human judgment. They are not automated hiring decisions.

5.2 Company client obligations

By using ExecFit AI to access candidate profiles and contact information, company clients agree to the following:

• Candidate data obtained through ExecFit AI may be used only for the purpose of evaluating candidates for the specific role for which contact was requested
• Company clients may not share candidate data with third parties, including other companies, investors, or advisors, without the candidate's explicit consent
• Company clients must handle all candidate information in compliance with applicable employment discrimination law, including Title VII of the Civil Rights Act, the Americans with Disabilities Act, and EEOC guidelines on the use of AI in hiring
• Company clients designating a search as confidential are responsible for ensuring their internal handling of candidate information maintains the same confidentiality standards required of candidates under the NDA
• Violation of these obligations may result in immediate suspension of platform access and may give rise to legal liability

5.3 Non-Disclosure Agreements: platform process

ExecFit AI facilitates NDA execution entirely within the platform for confidential searches. The process is as follows:

For candidates: When you receive a contact request for a designated confidential search, you will be presented with a digital NDA before any company information is disclosed. The NDA is presented in plain English with a summary of key obligations before the full legal text. You may review, sign, or decline. Declining means you will not receive company details and the contact request will lapse. Signing is recorded with a timestamp and your consent record is stored securely.

For company clients: When designating a search as confidential, company clients acknowledge that ExecFit AI will present an NDA to candidates as a condition of disclosure. Company clients may not instruct ExecFit AI to disclose their identity to candidates who have not signed the applicable NDA. Company clients are responsible for maintaining confidentiality of candidate information consistent with the platform's NDA framework and their own contractual obligations.

NDA records, including signatures and timestamps, are retained for 7 years and may be produced in the event of a dispute.

5.4 With coaches: coaching confidentiality

If you book a coaching session or consult through ExecFit AI, your coach receives access to your ExecFit report (archetype, dimension scores, strengths, growth edges) and session notes from prior sessions within your engagement.

Coaching session content — including session notes, goal progress, and in-session disclosures — is strictly confidential between you and your coach. ExecFit AI will not disclose individual coaching session content to company clients under any circumstances. Company clients may receive only aggregate, anonymised outcome data at the cohort level, and only when the cohort is large enough to prevent individual identification (minimum N=5).

Coaches do not receive your raw uploaded assessment documents or your resume.

5.5 With service providers

We share data with trusted service providers who help us operate the platform:

• Supabase: database and file storage (data stored in US-East region)
• Vercel: hosting and serverless functions
• Stripe: payment processing
• Resend: transactional email delivery
• Anthropic (API): AI report generation. Data sent to Anthropic's API is deleted after 7 days and is never used for model training per Anthropic's commercial API terms.

All service providers are contractually required to protect your data and use it only to provide services to ExecFit AI. Enterprise clients may request our full sub-processor list by contacting [email protected].

5.6 Legal requirements

We may disclose your data if required to do so by law, court order, or to protect the rights, property, or safety of ExecFit AI, our users, or the public.

6. Psychometric Data — Special Category Notice

Psychometric assessment data (personality profiles, cognitive ability scores, behavioral assessments) may constitute sensitive personal information under applicable privacy laws, including the California Consumer Privacy Act (CCPA) and similar state laws. We process this data based on your explicit consent, given when you upload assessment documents and generate your report.

ExecFit AI does not use psychometric data to make or contribute to automated employment decisions. All scores are analytical inputs designed to support human judgment by hiring managers and HR professionals. Company clients are responsible for ensuring their use of ExecFit data complies with applicable employment discrimination law, including Title VII of the Civil Rights Act, the Americans with Disabilities Act (ADA), and EEOC guidelines on the use of AI in hiring.

We do not classify psychometric data as biometric data under applicable law. If you believe your data may qualify for additional protections under your jurisdiction's specific definitions, please contact [email protected].

7. Data Retention

We retain your data for as long as your account is active and for a reasonable period thereafter. Specifically:

• Executive candidate profiles and reports: retained for 3 years from last activity
• Uploaded assessment documents: retained for 3 years from last activity
• Contact request records and consent logs: retained for 7 years
• NDA signatures and execution records: retained for 7 years
• Coaching session notes: retained for 5 years to support longitudinal outcome tracking
• Payment records: retained for 7 years as required by financial regulations
• API processing logs (Anthropic): automatically deleted after 7 days per Anthropic's commercial terms

You may request deletion of your data at any time. See Section 9 for your rights.

8. Data Security

We implement industry-standard security measures to protect your data:

• All data is transmitted over encrypted HTTPS connections
• Database access is protected by row-level security (RLS) — you can only access your own data
• Uploaded files are stored in access-controlled cloud storage with unique, non-guessable URLs
• API keys and credentials are stored as environment variables, never in code
• NDA records are stored with tamper-evident audit logs
• We conduct regular reviews of access permissions and security configurations

No system is completely secure. If you believe your data has been compromised, contact us immediately at [email protected].

9. Your Rights

Depending on where you are located, you may have the following rights:

• Access: request a copy of all personal data we hold about you
• Correction: request correction of inaccurate or incomplete data
• Deletion: request deletion of your personal data (“right to be forgotten”)
• Portability: request your data in a machine-readable format
• Objection: object to certain uses of your data, including direct marketing
• Withdrawal of consent: withdraw consent for any processing based on consent
• Opt-out of automated profiling: request that your data not be used in any automated scoring or matching processes
• Consent record access: request a copy of all contact request decisions and NDA records associated with your account

To exercise any of these rights, email [email protected] with the subject line “Privacy Request.” We will respond within 30 days. For deletion requests, we will confirm deletion within 30 days and retain only what we are legally required to keep.

California residents (CCPA)

California residents have the right to know what personal information we collect, the right to delete personal information, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact [email protected].

EEA and UK residents (GDPR)

If you are located in the European Economic Area or United Kingdom, you have additional rights under GDPR, including the right to lodge a complaint with your local supervisory authority. Our legal bases for processing are: (i) performance of a contract when providing core services; (ii) explicit consent for psychometric data processing; and (iii) legitimate interests for platform improvement using anonymised data. We do not transfer EEA personal data to third countries without appropriate safeguards. Contact [email protected] to request information about applicable transfer mechanisms.

10. Data Processing Addendum (DPA)

Enterprise clients, PE-backed portfolio companies, and any client subject to GDPR, CCPA, or similar data protection regulations may request a formal Data Processing Addendum. The DPA sets out:

• The specific categories of personal data processed on your behalf
• The purposes and duration of processing
• Security measures and audit rights
• Sub-processor arrangements and notifications
• Data subject rights handling procedures

To request a DPA, email [email protected] with the subject line “DPA Request.”

11. Cookies and Tracking

ExecFit AI uses minimal cookies necessary to operate the platform, including session authentication cookies. We do not use advertising cookies or cross-site tracking.

12. Children's Privacy

ExecFit AI is designed for executive-level professionals and is not intended for anyone under 18 years of age. We do not knowingly collect data from minors. If you believe a minor has provided us personal information, contact [email protected] and we will delete it promptly.

13. International Users

ExecFit AI is operated from the United States. If you access the platform from outside the US, your data will be transferred to and processed in the United States.

If you are located in the European Economic Area (EEA) or United Kingdom, you have additional rights under GDPR. Our legal bases for processing are: (i) performance of a contract when providing core services; (ii) explicit consent for psychometric data processing; and (iii) legitimate interests for platform improvement using anonymised data. We do not transfer EEA personal data to third countries without appropriate safeguards. Contact [email protected] to request information about applicable transfer mechanisms.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our privacy practices or for other operational, legal, or regulatory reasons. If we make material changes, we will post the revised policy on this website and notify registered users by email at least 14 days before they take effect. By continuing to use the platform after the effective date, you agree to the revised Privacy Policy.

15. Contact Us

For privacy questions, data requests, or to report a concern:

EXECFIT.AI LLC
New Rochelle, New York, United States
Privacy Officer: [email protected]
Legal: [email protected]
Website: execfitai.com