Privacy Policy

Last Updated: April 28, 2026
Effective Date: April 28, 2026

1. Introduction

Quarlo Software LLC ("Quarlo," "we," "us," or "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered interview preparation platform (the "Service").

By using Quarlo, you consent to the data practices described in this policy. If you do not agree with these practices, please do not use our Service.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Full name, email address, password (hashed), and institution affiliation (if applicable).
  • Payment Information (individual consumers): When you purchase credits, Stripe processes your payment card information. We receive only a transaction confirmation and a Stripe customer ID. We do not store full card numbers or CVVs.
  • Resume Data: When you upload a resume for interview preparation, we process and store the text content to generate personalized prep materials.
  • Job Information: Job descriptions, company names, and role details you provide for interview preparation.
  • Recruiter/Hiring Manager Contacts: Names, email addresses, phone numbers, and LinkedIn URLs of recruiters and hiring managers you manually add to your tracked jobs.
  • Community Contributions: Interview questions, salary information, and interview experiences you voluntarily share with the community.
  • Feedback: Ratings, comments, and suggestions you provide about the platform or generated content.

2.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, and time spent on the platform.
  • Device Information: Browser type, operating system, and device identifiers.
  • IP Address: Used for security, rate limiting, and approximate location (country/region level only).
  • Cookies: Session cookies for authentication and keeping you logged in. We do not use analytics, advertising, or cross-site tracking cookies. See Section 15 for the full list.

2.3 Voice Recordings

When you use the interview practice feature, we temporarily record your voice via your device's microphone. Recordings are used to generate a text transcript and delivery analysis, and are temporarily available for your own playback review within the session. Audio files are automatically and permanently deleted within 24 hours of transcription. We retain only the text transcript and analytical scores.

You must explicitly grant microphone consent before any recording begins. Your microphone activates only when you press the record button.

2.4 Information from Third Parties

  • Your Institution: For institutional users, we may receive your institutional affiliation from partner colleges and universities via LTI integration.
  • Stripe (payment processor): For individual consumer users, Stripe provides us with transaction confirmation, a Stripe customer ID, and payment status after a credit purchase. No card data is transmitted to Quarlo.
  • Public Data Sources: We aggregate publicly available information about companies, job markets, and career outcomes from sources like O*NET, BLS, and public job postings.

3. How We Use Your Information

We use your information for the following purposes:

  • Provide the Service: Generate personalized interview preparation materials using AI based on your resume and target job.
  • Improve AI Quality: Analyze anonymized usage patterns and feedback to improve our AI models and recommendations.
  • Community Features: Display anonymized or attributed contributions to help other users prepare for interviews.
  • Institution Analytics: Provide aggregate, anonymized statistics to partner institutions about career outcomes and platform usage.
  • Process payments: For individual consumer users, maintain credit ledger records, verify purchases, and process refunds or chargebacks via Stripe.
  • Security: Detect and prevent fraud, abuse, and unauthorized access.
  • Communication: Send service-related notifications, updates, and (with your consent) promotional materials.
  • Legal Compliance: Meet legal obligations and respond to lawful requests.

4. Third-Party Services and Data Sharing

We use the following third-party services to provide our platform. Your data may be processed by these providers in accordance with their privacy policies:

4.1 AI and Machine Learning

  • Language Model Providers: We use third-party AI services to generate interview prep content. Your resume text and job descriptions are sent to these providers' APIs. Our providers do not use API data for training their models and maintain zero-retention or short-retention policies (typically ~10 minutes for prep generation; not retained after).
  • Embedding Service: We use a vector embedding service to enable semantic search functionality. Anonymized text snippets are processed to create searchable representations of content; no directly identifying personal data is sent to this service.
  • Speech-to-Text Service: When you use the interview practice feature, your voice recording is transmitted to a third-party transcription service to generate a text transcript. The provider does not retain audio data beyond the transcription request.

4.2 Research and Data Enrichment

  • Company Research API: We use a third-party search and aggregation service to gather publicly available company and interview information. Queries use only non-personal terms (company name, role title); no personal data is shared.
  • Public Government Data Sources: We aggregate publicly available wage and occupation data from sources such as O*NET, the Bureau of Labor Statistics, and the College Scorecard. No personal data is sent to these sources.

4.3 Infrastructure

  • Database, Auth, and Storage Provider: Account data, resumes, preps, contributions, and uploaded files are stored with our primary cloud database provider, encrypted at rest and in transit. Data is hosted in US regions.
  • Hosting Provider: Web hosting and serverless function execution that serves the Quarlo application.
  • Payment Processor (Stripe — individual consumers only): Credit purchases are processed by Stripe on Stripe's hosted checkout domain. Your email address and a unique customer identifier are shared with Stripe to link your payment to your account. Stripe is PCI-DSS Level 1 certified and does not share card data with Quarlo. See Stripe's Privacy Policy. Stripe is named here because the Stripe Checkout flow is rendered on Stripe's own domain and is therefore directly visible to you.
  • Email Delivery Service: A third-party email delivery service sends transactional emails (account verification, password reset, notifications). Your email address is shared with this service solely for delivery purposes.
  • Error Monitoring Service: A third-party error monitoring service captures application errors to maintain reliability. Error reports may incidentally include email addresses or other identifiers when present in error context.

Named sub-processor list available on request. The current legal names, processing roles, and locations of each sub-processor referenced above are available on request to privacy@quarlo.co and are enumerated in the Data Processing Agreement executed with institutional partners. This satisfies our obligation under GDPR Article 13(1)(e) and CCPA service-provider disclosure rules.

4.4 We Do NOT Sell Your Data

Quarlo does not sell, rent, or trade your personal information to third parties for their marketing purposes. We only share data with service providers who assist in operating our platform, and only to the extent necessary to provide the Service.

5. FERPA Compliance (For Educational Institutions)

Applies to institutional users only. This section applies only when you access Quarlo through a partner educational institution. If you signed up directly at quarlo.co, your data is governed by Sections 1–4 and 6–13 of this Policy; FERPA does not apply to your account.

When Quarlo provides services to colleges and universities, we act as a "school official" with a "legitimate educational interest" under the Family Educational Rights and Privacy Act (FERPA).

  • Direct Control: Your institution maintains control over student education records. We process data only as directed by the institution.
  • Limited Use: We use student data solely for the educational purposes specified in our agreement with your institution (interview preparation and career services).
  • No Re-disclosure: We do not disclose personally identifiable information from education records to other parties without consent, except as required by law.
  • Data Security: We implement appropriate technical and organizational measures to protect student records.
  • Data Retention: Student data is retained while the account is active. Upon account deletion or institutional offboarding, personal data is deleted or anonymized within 30 days.

For questions about FERPA compliance, contact your institution's registrar or email us at privacy@quarlo.co.

6. Your Privacy Rights (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Do Not Sell or Share My Personal Information. Quarlo does not sell Personal Information and does not share Personal Information for cross-context behavioral advertising as those terms are defined under CPRA §1798.140. Because we do not engage in either practice, we are not required to provide a "Do Not Sell or Share My Personal Information" link, and this notice satisfies our CPRA disclosure obligation. If our practices change, we will update this Policy and provide the required opt-out mechanism before any sale or sharing occurs.

Your Rights Include:

  • Right to Know: Request what personal information we collect, use, disclose, and sell about you.
  • Right to Delete: Request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: Request correction of inaccurate personal information we maintain about you.
  • Right to Opt-Out: We do not sell personal information, but you may opt out of any future sales.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
  • Right to Limit Use of Sensitive Information: Limit how we use sensitive personal information (we collect minimal sensitive data).

How to Exercise Your Rights

To exercise any of these rights, you may:

We will verify your identity before processing requests and respond within 45 days as required by law.

Do Not Track: We do not currently respond to Do Not Track browser signals.

Categories of Information We Collect

For CCPA disclosure purposes, we collect the following categories:

  • Identifiers (email, IP address)
  • Professional information (resume, work history)
  • Education information (institution, graduation status)
  • Internet activity (usage data, device information)
  • Inferences drawn from the above (career recommendations)
  • Sensitive personal information: audio recordings captured during the interview practice feature (deleted within 24 hours — see Section 12)

7. Data Retention

We retain your information as follows:

  • Account Data: Retained while your account is active. Deleted within 30 days of account deletion request.
  • Interview Preps: Retained for the life of your account, and deleted within 30 days of account closure. You may delete individual preps at any time.
  • Practice Recordings: Voice recordings are automatically deleted within 24 hours of creation. Text transcripts and practice analytics are retained as long as your account is active.
  • Community Contributions: Retained indefinitely unless you request removal. Anonymized contributions may be retained after account deletion.
  • Usage Logs: Retained for 90 days for security purposes, then anonymized or deleted.
  • Legal Acceptance Records: Timestamps showing when you accepted our Terms of Service and Privacy Policy are retained in anonymized form (with your user identifier removed) after account deletion, for regulatory and audit purposes.
  • Legal Hold: Data may be retained longer if required for legal proceedings or regulatory compliance.

8. Security Measures

We implement industry-standard security measures to protect your information:

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
  • Access Controls: Role-based access with least-privilege principles. Row-level security enforced at the database level.
  • Authentication: Secure password hashing, email verification, and session management.
  • Monitoring: Automated threat detection and audit logging for suspicious activity.
  • Vendor Security: Our primary infrastructure providers maintain SOC 2 Type II certification or equivalent. All providers are contractually bound to industry-standard security practices.

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. Report security concerns to legal@quarlo.co.

9. Data Breach Notification

In the event of a data breach affecting your personal information:

  • We will notify affected users within 72 hours of discovery
  • We will notify your institution (if applicable) per our FERPA agreement
  • We will notify relevant regulatory authorities as required by law
  • We will provide details on the nature of the breach and recommended actions

10. Children's Privacy

Quarlo is designed for college students and is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us immediately at privacy@quarlo.co.

Users between 13 and 18 should review this policy with a parent or guardian.

11. International Data Transfers and GDPR

Quarlo is based in the United States and the Service is primarily intended for users in the United States. If you access the Service from outside the US, your information will be transferred to, stored, and processed in the United States where our servers are located. By using the Service from outside the US, you consent to that transfer.

11.1 Lawful Basis for Processing (GDPR / UK GDPR)

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on the following lawful bases under Article 6 of the GDPR (and the equivalent UK GDPR provisions):

  • Performance of a contract (Art. 6(1)(b)): Creating and maintaining your account, processing credit purchases, generating interview-prep content, storing your resumes and tracked jobs, and otherwise delivering the Service you requested.
  • Legitimate interests (Art. 6(1)(f)): Securing the Service, detecting fraud and abuse, monitoring application errors via our error-monitoring service, rate-limiting and basic usage analytics, and improving Service quality. We balance these interests against your privacy rights and use the minimum data necessary.
  • Consent (Art. 6(1)(a)): Microphone access for the interview-practice feature, optional marketing communications, and any other processing where we expressly request your consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Legal obligation (Art. 6(1)(c)): Tax recordkeeping for credit purchases, FERPA-related records for institutional users, and responses to lawful government requests.

11.2 Data Transfers

For transfers of personal data from the EEA, UK, or Switzerland to the United States and to our sub-processors, we rely on:

  • The European Commission's Standard Contractual Clauses (SCCs), as updated in 2021, with the UK International Data Transfer Addendum where applicable; and
  • Each sub-processor's own transfer mechanism (SCCs, the EU-US Data Privacy Framework where the sub-processor is certified, or equivalent).

11.3 Your GDPR Rights

EEA, UK, and Swiss residents have the rights of access, rectification, erasure, restriction, portability, and objection under the GDPR / UK GDPR, plus the right to lodge a complaint with your local supervisory authority. To exercise these rights, email privacy@quarlo.co with "GDPR Request" in the subject line. We will respond within one month of receiving a verifiable request.

11.4 No Solely Automated Decisions (Art. 22)

Quarlo does not engage in solely automated decision-making with legal or similarly significant effects on you. Our AI generates suggestions (interview-prep content, cover letters, practice feedback); a human — you — decides whether and how to use those outputs in your job search. No automated decision made by Quarlo determines your employment, your standing with an institution, or any similar outcome.

12. Biometric Data (Illinois BIPA, Texas CUBI, Washington H.B. 1493)

This section serves as Quarlo's written policy for the collection, retention, destruction, and use of biometric data, as required by the Illinois Biometric Information Privacy Act (740 ILCS 14/1 et seq., "BIPA"). It also describes our handling of biometric data under the Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code §503.001, "CUBI") and Washington H.B. 1493 (RCW 19.375). This policy applies to all users, including individual consumers and institutional users, who are residents of or who access the Service from Illinois, Texas, or Washington — regardless of institutional affiliation.

  • Data collected: Audio recordings of your voice captured during the interview-practice feature. To the extent these recordings contain a unique biometric identifier (voiceprint), they are treated as biometric data under the statutes above.
  • Purpose: Generating a speech-to-text transcript and a delivery analysis (pace, filler-word frequency, clarity), and providing temporary self-playback for your own review within the practice session. We do not use voiceprints for identification, security, or any purpose unrelated to your practice session.
  • Consent: Quarlo records audio only after you explicitly grant microphone consent and press the record button. The consent prompt informs you that audio will be recorded, transmitted to our designated speech-to-text provider, and deleted on the schedule below. By granting consent and recording, you provide written consent under BIPA §15(b), Texas CUBI, and Washington H.B. 1493.
  • Retention: Audio recordings are automatically and permanently deleted within 24 hours of transcription. Only the resulting text transcript and delivery scores are retained for the account lifetime. The maximum retention period for biometric data is therefore 24 hours from collection — well within the BIPA §15(a) requirement to destroy biometric data within three years of the individual's last interaction or when the initial purpose has been satisfied, whichever occurs first.
  • Destruction on request: You may request immediate destruction of any biometric data at any time by contacting privacy@quarlo.co. We will confirm destruction in writing within three (3) business days.
  • No sale, lease, or profit: Quarlo will not sell, lease, trade, or otherwise profit from any biometric data. Audio is transmitted only to our designated speech-to-text sub-processor, which is contractually bound to a compatible no-retention-beyond-request policy.
  • Disclosure to third parties: Biometric data is not disclosed to any third party except (a) the speech-to-text sub-processor solely for transcription, (b) where you provide separate written consent, or (c) where required by law, warrant, or subpoena.

Texas CUBI specifics: Quarlo collects voice biometric identifiers only with your prior informed consent (granted by clicking through the microphone consent prompt), uses those identifiers only for the practice feature, and destroys them within 24 hours.

Washington H.B. 1493 specifics: Quarlo enrolls voice biometric identifiers in a database only insofar as the audio file exists during transcription; the audio is destroyed within 24 hours and is not used for a commercial purpose beyond the practice feature you initiated.

Questions about biometric data, or to request immediate destruction, contact privacy@quarlo.co.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on this page with a new effective date
  • Sending an email notification for significant changes
  • Displaying a prominent notice in the application

Your continued use of Quarlo after changes become effective constitutes acceptance of the updated policy.

14. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Quarlo Software LLC

Email: privacy@quarlo.co

For specific inquiries:

15. Cookies

15.1 What Are Cookies

Cookies are small text files placed on your device by a website. They allow the site to remember your session, preferences, and actions across pages. Similar technologies include local storage and session storage.

15.2 Strictly Necessary Cookies

These cookies are required for the platform to function. You cannot opt out of them.

  • Authentication session cookies — set by our authentication provider to keep you logged in. Stored as HTTP-only cookies. Expire when you sign out or after the session timeout.
  • CSRF protection tokens — prevent cross-site request forgery. Session-scoped.
  • Stripe checkout state — temporary cookies set by Stripe during the payment flow to maintain checkout session state. These are set and controlled by Stripe on their hosted checkout domain, not by Quarlo.

15.3 What We Do NOT Use

  • We do not use analytics cookies (no Google Analytics, Mixpanel, PostHog, or similar).
  • We do not use advertising or retargeting cookies.
  • We do not share cookie data with ad networks or data brokers.
  • We do not use cross-site tracking or fingerprinting.

15.4 Third-Party Cookies

The following third-party services may set cookies on pages where they are active:

  • Stripe — sets cookies during the hosted checkout flow on their domain. See Stripe's Privacy Policy.
  • Error Monitoring Service — our error-monitoring service may set a session identifier to group error reports. No marketing data is collected.

15.5 Managing Cookies

You can control cookies through your browser settings. Note that disabling strictly necessary cookies will prevent you from logging in and using Quarlo. Clearing cookies will sign you out of Quarlo.

Related Documents