Privacy Policy

1. What we collect

We collect only what is needed to provide the service:

• Account data: your email address and a securely hashed password (we never store your password in readable form).
• Your submissions: the profile, documents and text you provide for preparation — case study, summary of experience, CV — and the AI analysis derived from them.
• Practice data: your learning progress, quiz scores, interview transcripts and debriefs.
• Voice (optional): if you answer by voice, the recorded audio is processed only to produce a transcript (see section 4).
• Usage analytics: a small, content-free record of which step of the journey you reached (e.g. “started a demo”, “viewed a debrief”). It never includes your submission text, transcripts or any free text. Non-essential analytics only runs if you opt in via the cookie banner (see section 8).
• Operational/technical data: minimal logs and error reports needed to keep the service running and secure. We never include the content of your submissions or transcripts in logs, analytics or error reports.

2. Why we use it (lawful basis)

Under UK GDPR we rely on the following lawful bases. (PanelReady is designed for candidates in the UK and the Gulf; equivalent local data-protection law may also apply to you.)

• Contract — to create and run your account and provide the preparation features you ask for (analysis, lessons, mock interview, debrief).
• Consent — for sending a submission to the AI provider (see section 3), for any optional voice processing, and for non-essential usage analytics. You can withdraw consent at any time; withdrawal does not affect processing already carried out.
• Legitimate interests — to keep the service secure, prevent abuse, and fix faults, balanced against your rights (we use the minimum data needed and never the content of your work for this).

3. AI processing & who receives your data

To analyse your submission, generate lesson content, run the mock interview and produce your debrief, the relevant text (and, if you use voice, your recorded audio) is sent to our AI provider, Google (Gemini), through our own server. Our API key is held only on the server and is never exposed in your browser. We ask for your explicit consent before a real submission is sent for analysis, and we recommend redacting confidential detail first (see section 5).

Free-tier training caveat: when PanelReady runs on the provider's free tier, the provider may use the content of requests to improve their products. This is a property of the tier, not of PanelReady — moving to a paid / no-training / enterprise tier removes it, and PanelReady is built on a provider abstraction so the operator can switch without changing the app. Until then, treat the service as suitable for redacted or non-confidential practice material, and do not paste anything you are not comfortable sharing under those terms.

Beyond the AI provider, PanelReady relies on a small set of processors that handle data strictly on our instructions:

• Supabase — application database and authentication (stores your account, submissions and practice data).
• Vercel — application hosting and delivery.
• Google (Gemini) — the AI processing described above.
• Email provider — sends transactional email (verification, password reset). It sees your email address, not your submissions.
• Analytics & error tracking — the content-free usage analytics described in section 1 (first-party by default) and error reporting used only to keep the service running. Neither receives your submission content.

We do not sell your personal data, and we do not use it for advertising.

4. Voice data

If you answer by voice, your audio is sent to the AI only to produce a transcript and is not retained by PanelReady beyond generating that transcript. The optional on-device transcription fallback processes audio in your browser and does not leave your device.

5. Redacting confidential detail

You rarely need real names or exact figures for effective practice — the panel cares about your reasoning and the technical substance. Before you paste a document, consider replacing identifying detail with placeholders:

• Client / employer / project names → [Client], [Employer], [Project].
• Exact figures → keep the magnitude, blur the precision (e.g. ~£14m).
• People's names, addresses and reference numbers → remove or replace.

We surface this same guidance at the point you submit a document, so it's easy to do before anything is sent for analysis.

6. How long we keep it (retention)

• Account & submissions: kept while your account is active. When you delete your account, the data is permanently removed (see section 9).
• Demo / trial sessions: anonymous demo sessions that are not converted to a permanent account are automatically deleted after roughly 24 hours.
• Voice audio: not retained beyond producing the transcript (section 4).
• Usage analytics: retained in aggregate for product improvement; it contains no submission content and is not tied to your documents.
• Operational logs: kept only as long as needed for security and troubleshooting, then rotated out.

7. Transport, storage & data residency

All traffic is encrypted in transit (TLS), and the datastore encrypts data at rest. API keys and other secrets are held only on the server and are never exposed in your browser. We never include the content of your submissions or interview transcripts in application logs or analytics.

The hosting region of the datastore (for example UK, EU or Gulf) is chosen at deployment time, and some processors (such as the AI provider) may process data outside your country under appropriate safeguards. If you have a data-residency requirement, contact us before you sign up so we can confirm the region.

8. Cookies & consent

We use a single, essential, HTTP-only session cookie to keep you logged in. It is strictly necessary for the service to work, so it is always on; you cannot opt out of it without being unable to use your account.

Non-essential analytics are off by default. The content-free usage analytics described above only run if you accept them in the cookie banner. You can decline (“essential only”) and still use everything. We use no advertising or third-party tracking cookies.

9. Your rights

You can, at any time and free of charge:

• Access & export all of your data as a file from Settings.
• Delete an individual document (for example, your case study) from Settings without deleting the rest of your account.
• Delete your account and all associated data permanently from Settings — this cannot be undone.
• Rectify inaccurate data (edit your profile and documents directly), withdraw consent (e.g. stop using AI features, decline analytics), and object or restrict processing.

You also have the right to lodge a complaint with a supervisory authority — in the UK, the Information Commissioner's Office (ICO).

10. Contact for data requests

For any privacy request or question, contact us at privacy@panelready.app. We aim to respond within one month, as UK GDPR requires.

11. Changes to this policy

We may update this policy; material changes will be reflected by the “last updated” date above. Continued use after a change means you accept the updated policy.