Privacy Policy

Readiness Engine | Readiness Engine, Inc.

Effective Date: April 24, 2026  |  Last Updated: April 2026  |  Version 3.0

1. Introduction

Readiness Engine, Inc. (the “Company,” “we,” “us,” or “our”) operates Readiness Engine — an AI-powered developmental assessment platform at readinessengine.io (the “Platform” or “Services”). This Privacy Policy (“Policy”) describes how we collect, use, disclose, retain, and protect personal information. Readiness Engine generates developmental leadership profiles from assessment inputs, including video interview responses. Because our outputs include inferences about psychological and developmental characteristics, we treat this information with the heightened care that applicable law requires.

This Policy applies to individuals located in the United States (all states), Canada (including Quebec), and Europe (EU, UK, EEA, and Switzerland). It does not apply to processing by third-party services you reach through links on the Platform or to information collected outside the Platform.

By using the Services you acknowledge this Policy. Where consent is a lawful basis for processing, we will request it separately and you may withdraw it as described in Section 12.

2. Who This Policy Covers

This Policy covers four categories of individuals:

  • Participants — individuals who complete a Readiness Engine assessment.
  • Clients — organizations (and their representatives) commissioning assessments: investors, employers, accelerators, educational institutions.
  • Website Visitors — individuals visiting readinessengine.io without completing an assessment.
  • Contacts — individuals corresponding with us or subscribing to communications.

Where a Client commissions an assessment, the Client is a separate controller (GDPR) / business (US) with respect to its own use of the results. Participant rights take precedence over conflicting Client requests to the extent applicable law so requires.

3. Key Definitions

“Personal Information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked with a particular individual.

“Special Category Data” (GDPR Article 9) and “Sensitive Personal Information” (CCPA/CPRA and comparable state laws) mean the subset of Personal Information afforded heightened protection. As explained in Section 4.4, Readiness Engine assessment inputs and outputs fall within this category.

“Biometric Information” means data generated from measurements or technical processing of an individual's physiological or behavioral characteristics, including facial geometry, voice prints, and similar identifiers derived from video or audio, as regulated by the Illinois Biometric Information Privacy Act (“BIPA”), Texas Capture or Use of Biometric Identifier Act (“CUBI”), Washington RCW 19.375 and HB 1493, and comparable laws.

“Applicable Privacy Laws” includes, as relevant to a specific individual: the EU General Data Protection Regulation 2016/679 (“GDPR”); the UK GDPR and Data Protection Act 2018 (“UK GDPR”); California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”); the Virginia Consumer Data Protection Act; the Colorado Privacy Act; the Connecticut Data Privacy Act; the Utah Consumer Privacy Act; the Texas Data Privacy and Security Act; the Tennessee Information Protection Act; the Minnesota Consumer Data Privacy Act; the Maryland Online Data Privacy Act (“MODPA”); the Delaware Personal Data Privacy Act; the New Jersey Data Privacy Act; the Indiana Consumer Data Protection Act; the Kentucky Consumer Data Protection Act; the Rhode Island Data Transparency and Privacy Protection Act; the Illinois BIPA; the Illinois Artificial Intelligence Video Interview Act (“AIVIA”); the Washington My Health My Data Act where applicable; the California Shine the Light Act; Canada's Personal Information Protection and Electronic Documents Act (“PIPEDA”); Quebec's Act respecting the protection of personal information in the private sector (“Quebec Law 25”); and the EU Artificial Intelligence Act (Regulation 2024/1689) (“EU AI Act”).

4. Information We Collect

4.1 Information You Provide

  • Identity Data — name, email, role, organization, account credentials.
  • Consent Records — specific consents given, withdrawn, or declined, with timestamps.
  • Assessment Inputs — responses, reflections, ratings submitted during an assessment.
  • Video Interview Responses — audio and video recordings submitted via our Willo integration (see Section 4.5 on Biometric Information).
  • Derived Assessment Outputs — scores, profiles, narrative interpretations, developmental-stage classifications.
  • Correspondence — support and communication records.
  • Billing Information — payment records. Cardholder data is processed by a PCI-certified processor and not retained by us.

4.2 Information Collected Automatically

  • Device and Connection Data — IP address, device identifiers, browser type, OS, language, time zone.
  • Usage Data — pages and features accessed, time spent, navigation paths, interaction events.
  • Cookie and Analytics Data — see Section 14.
  • Audit Trail — internal record of consent events, data exports, deletions, and corrections. Available to you on request.

4.3 Information From Third Parties

  • From a Client, we may receive contact information and context about the purpose of the assessment.
  • From identity providers you use to sign in, basic account identifiers.

4.4 Special Category Data / Sensitive Personal Information

A Readiness Engine assessment reveals information about psychological and developmental characteristics. Under the GDPR and UK GDPR, certain assessment inputs and outputs may constitute Special Category Data depending on the exact content, jurisdiction, and context of use (Article 9). Under Quebec Law 25, the assessment outputs may also be considered sensitive personal information.

We process this data only where:

  • You have given explicit, informed, and unbundled consent at the start of the assessment (GDPR Article 9(2)(a)); or
  • Another specific lawful basis under applicable law applies and is disclosed at collection.

You are informed about AI processing, the assessment's purpose, and how your information will be used before you begin. You may decline consent, in which case the assessment cannot proceed.

4.5 Biometric Information

Video interview responses processed through our Willo integration may include biometric identifiers and biometric information as defined under Illinois BIPA (740 ILCS 14/), Texas CUBI (Tex. Bus. & Com. Code § 503.001), Washington RCW 19.375, Washington HB 1493, and comparable state laws. Where applicable:

  • We provide a written notice at or before collection informing you that biometric data is being collected, the specific purpose, and the length of time for which it will be stored and used.
  • We obtain your written consent (including electronic signature, as permitted by the 2024 BIPA amendments) before collection or use.
  • We will not sell, lease, trade, or otherwise profit from your biometric information.
  • We use reasonable care to protect biometric information with the same or greater standard of care as other confidential information we hold.
  • We will permanently destroy biometric information when the initial purpose for collection has been satisfied or within three years of the individual's last interaction with the Company, whichever occurs first.

If you are an Illinois resident participating in a video interview, you are also subject to protections under the Illinois Artificial Intelligence Video Interview Act (820 ILCS 42/). Before any AI analysis of your video interview, we will (through the Client who commissioned the assessment or directly) notify you that AI may be used to analyze the interview, provide information about how the AI works and what general characteristics it uses in the evaluation, and obtain your consent.

5. How We Use Personal Information and Lawful Bases

The table below summarizes principal processing purposes and lawful bases under GDPR and UK GDPR. For individuals in Canada and the US, we process on a comparable basis consistent with PIPEDA, Quebec Law 25, and applicable US state laws.

Purpose | Lawful Basis
Delivering the assessment and generating your developmental profile | Performance of a contract (Art. 6(1)(b)); explicit consent for Special Category Data (Art. 9(2)(a)); informed consent under PIPEDA and Quebec Law 25.
Creating and maintaining your account and audit trail | Performance of a contract; legitimate interests in accountability (Art. 6(1)(f)).
Processing video interview recordings via Willo (including biometric processing where applicable) | Performance of a contract; explicit consent (GDPR Art. 9(2)(a)); written consent under BIPA, CUBI, WA HB 1493; Illinois AIVIA consent where applicable.
AI scoring across the Standard, Triangulated, and Human-Reviewed tiers | Performance of a contract; explicit consent for Special Category Data.
Improving the Platform and model evaluation on anonymized data | Legitimate interests (Art. 6(1)(f)), where not overridden by your rights. We do not use identifiable data to train or fine-tune AI/ML models without separate consent.
Returning assessment results to the commissioning Client | Performance of a contract with the Client; your informed consent, presented at the start of the assessment.
Customer support and correspondence | Performance of a contract; legitimate interests.
Billing, collections, financial recordkeeping | Performance of a contract; compliance with legal obligations.
Security, fraud prevention, enforcement | Legitimate interests; compliance with legal obligations.
Marketing communications | Consent; or legitimate interests for existing customers. You may opt out at any time.
Compliance with legal obligations and response to lawful requests | Compliance with legal obligations; legitimate interests.

Where we rely on legitimate interests, we have conducted or will conduct a Legitimate Interests Assessment (LIA) balancing our interests against your rights and freedoms. A summary of any LIA is available upon request.

6. Artificial Intelligence

Readiness Engine uses artificial intelligence to analyze assessment inputs and generate developmental leadership profiles. This section discloses AI practices in detail given their sensitivity and the specific regulatory requirements that apply.

6.1 Role of AI

We use AI for (i) Inference — generating your developmental profile at the time of your assessment; and (ii) Evaluation — ongoing assessment of model performance using anonymized or aggregated data.

6.2 AI sub-processors

AI Inference is performed in part using Google Cloud Platform services. Our contract with Google prevents Google from using Platform data to train its own models.

6.3 AI training

We do not use identifiable Assessment Inputs, Video Interview Responses, or Derived Assessment Outputs to train or fine-tune AI or machine learning models without separately obtained, explicit consent from the Participant. Where we seek that consent, it is presented as a distinct, unbundled choice and may be withdrawn at any time. Anonymized and aggregated data that cannot reasonably be used to identify you may be used for research and improvement without additional consent.

6.4 Effect of deletion on models

Where AI training has occurred with your consent and you later request deletion, we will remove your identifiable data from our active systems and exclude it from future training cycles. We will also take reasonable steps to remove your contribution from trained models, which may require retraining the affected model.

6.5 Meaningful information about AI logic

In accordance with GDPR Recital 63 and Article 15(1)(h), and comparable requirements under Canadian and US state law, you have the right to receive meaningful information about the logic involved in our automated processing. We make available high-level documentation describing our AI system's intended purpose, categories of inputs and outputs, and applicable human oversight measures. Such documentation reflects our practices as of the date published and may be updated from time to time.

6.6 Data Protection Impact Assessment

Readiness Engine's processing involves special category data, large-scale profiling, and automated decision-supporting outputs. Where required by applicable law, we conduct and maintain Data Protection Impact Assessments addressing our processing activities. DPIAs are reviewed and updated periodically based on material changes in risk, processing scope, or regulatory guidance.

The DPIA is available to regulators on request and a summary is available to Participants on reasonable request.

7. Automated Decision-Making and the Three-Tier Service Model

Under GDPR Article 22, UK GDPR, several US state laws, Quebec Law 25, and the EU AI Act, you have rights and we have obligations when automated processing is used to make or inform decisions that significantly affect you. Readiness Engine is structured to address these obligations through a three-tier service model.

7.1 The three tiers

  • Standard Tier — Outputs generated by a single AI model. Advisory only. Not a basis for Consequential Decisions.
  • Triangulated Tier — Outputs generated by three AI models cross-referenced for robustness. Advisory only. Not a basis for Consequential Decisions.
  • Human-Reviewed Tier — AI-generated Outputs reviewed by a qualified human reviewer exercising meaningful oversight. Required for any use of Output as a basis for Consequential Decisions, including hiring, promotion, admissions, investment selection, or program eligibility.

7.2 Your rights in connection with AI-informed decisions

  • Be informed about AI use before you consent to the assessment.
  • Receive meaningful information about the logic of the assessment (Section 6.5).
  • Request human review where applicable law grants that right.
  • Contest an output and provide additional context.
  • Object to further processing for profiling that produces significant effects.

To exercise these rights, email support@readinessengine.io.

7.3 EU AI Act

Where applicable use cases fall within the scope of the EU AI Act and are classified as high-risk under Annex III, the Company acts as a provider of a high-risk AI system and complies with applicable requirements. We maintain technical documentation, a risk management system, data governance practices, automatic logging, human oversight procedures (through the Human-Reviewed Tier), post-market monitoring, and where applicable we will affix the CE marking and register the system in the EU AI Act database. We cooperate with our Clients on their deployer obligations under Article 26, including worker notification requirements, and provide appropriate documentation under a data processing agreement.

8. How We Share Personal Information

8.1 Clients

Where your assessment was commissioned by a Client, we share the agreed-upon outputs with that Client. The Client is a separate controller/business. Review the Client's privacy practices for their handling.

8.2 Sub-Processors

We use the following third-party sub-processors. Each is bound by a written agreement requiring appropriate security, confidentiality, and use restrictions. An up-to-date list is maintained at readinessengine.io/sub-processors.

Sub-Processor | Role
Google Cloud Platform | Infrastructure, data storage, and AI processing. European identity data stored in Belgium (eu-west1).
Willo | Video interview collection, transcription, and related processing.
Vercel | Dashboard hosting.
n8n | Workflow automation.

We provide Clients with advance notice of material changes to our sub-processor list through the Platform or by email, together with the right to object as described in our Terms of Service.

8.3 Legal and Safety

We may disclose Personal Information to comply with a subpoena, court order, or legal process; respond to lawful regulatory requests; enforce our Terms of Service; protect rights, property, or safety of the Company, users, or the public; or in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, subject to the commitments in this Policy.

8.4 Sale or Sharing

The Company does not sell Personal Information. The Company does not share Personal Information for cross-context behavioral advertising as defined by CCPA/CPRA. We do not use third-party advertising or retargeting pixels.

9. Where Your Data Is Stored and International Transfers

Identity Data for European Participants is stored in the European Union (Belgium, Google Cloud eu-west1). Certain processing activities, including scoring, may occur in the United States. All data is encrypted in transit and at rest.

For cross-border transfers:

  • For EU/UK/Swiss transfers to the US: Google Cloud Platform Standard Contractual Clauses (2021 SCCs), UK IDTA or UK Addendum as applicable, supplementary technical and organizational measures following Schrems II.
  • For Canadian Participants: PIPEDA-compliant contractual safeguards; disclosure of cross-border processing per Office of the Privacy Commissioner of Canada guidance. Quebec Participants receive specific notice under Quebec Law 25 section 17.

A copy of specific safeguards is available on request at support@readinessengine.io.

10. How Long We Keep Your Data

The retention periods described below represent our standard retention practices and may be extended where reasonably necessary for legal, regulatory, security, or contractual purposes.

Assessment data — including Assessment Inputs, video interview responses, and Derived Assessment Outputs — is retained for 12 months from the date of assessment completion unless a longer retention is required by a specific Client contract or by law. Records are automatically flagged for deletion at the end of the retention period and deleted in normal course.

Biometric information is destroyed when the initial purpose has been satisfied or within three years of your last interaction with the Company, whichever is earlier, consistent with BIPA.

Anonymized research data, which cannot reasonably be used to identify you, may be retained indefinitely for research and improvement.

Category | Retention
Assessment data (Inputs, video, Derived Outputs) | 12 months from completion; longer if Client contract specifies.
Biometric information | Earlier of initial purpose satisfied or 3 years from last interaction (BIPA-aligned).
Anonymized research data | Indefinite.
Account information | Life of account plus 12 months.
Consent records and audit trail | 7 years after related processing ends.
Billing and financial records | 7 years.
Correspondence and support records | 3 years.
Marketing contact information | Until unsubscribe or deletion request.
Technical logs | 12 months; longer for security investigations.
Backups | Overwritten in normal course within 90 days of active-system deletion.

Where a Maryland resident's data is subject to MODPA data minimization requirements, we retain only data reasonably necessary and proportionate to provide the Services. You may request earlier deletion at any time (Section 12).

11. Data Minimization (Maryland MODPA and general practice)

Consistent with Maryland MODPA and as a general practice across all jurisdictions, we collect and retain only the Personal Information reasonably necessary and proportionate to provide the Services requested by you or a Client, and for the specific, explicit purposes disclosed in this Policy. We do not use Sensitive Personal Information unless strictly necessary to provide the product or service you request.

12. Your Rights

12.1 Right of Access (DSAR)

You have the right to request a complete export of the Personal Information we hold about you, including identity data, consent records, assessment metadata, Derived Assessment Outputs, and your audit trail. We fulfill access requests within 30 days of receipt and verification, at no cost. Email support@readinessengine.io.

12.2 Right to Withdraw Consent

You may withdraw your consent at any time by emailing support@readinessengine.io. Upon withdrawal:

  • We will cease future processing of your Personal Information that relies on consent as its lawful basis, subject to processing that is required or permitted by law, necessary to fulfill contractual obligations, or required for the establishment, exercise, or defense of legal claims.
  • If you withdraw all consents, your Personal Information is placed on a deletion schedule per Section 10.
  • Withdrawal does not affect the lawfulness of prior processing, or reports and results already delivered to a Client.

12.3 Rights Under GDPR and UK GDPR

  • Access — obtain confirmation and a copy of your Personal Information.
  • Rectification — correct inaccurate or incomplete Personal Information.
  • Erasure — have your Personal Information deleted.
  • Restriction — ask us to pause processing in certain circumstances.
  • Portability — receive your Personal Information in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests, including profiling; object at any time to direct marketing.
  • Withdraw consent — under Section 12.2.
  • Lodge a complaint with the supervisory authority in your member state or the location of an alleged infringement.

12.4 Rights Under CCPA/CPRA (California)

  • Know the categories and specific pieces of Personal Information collected, sources, purposes, and categories of third parties with whom we share.
  • Delete your Personal Information, subject to exceptions.
  • Correct inaccurate Personal Information.
  • Opt out of the sale or sharing of Personal Information. The Company does not sell or share (Section 8.4).
  • Limit the use of Sensitive Personal Information to uses necessary to provide the Services.
  • Non-discrimination for exercising rights.

California residents may designate an authorized agent. We verify agent authorization and your identity before fulfilling the request.

12.5 California Shine the Light Act

California Civil Code § 1798.83 permits California residents to request, once per calendar year, information about the categories of Personal Information we have disclosed to third parties for their direct marketing purposes in the prior calendar year and the identity of those third parties. The Company does not currently disclose Personal Information to third parties for direct marketing. To make a Shine the Light request, email support@readinessengine.io.

12.6 Rights Under Other US State Privacy Laws

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Tennessee, Minnesota, Maryland, Delaware, New Jersey, Indiana, Kentucky, and Rhode Island have rights that are largely consistent with those listed above, including access, deletion, correction, portability, and the right to opt out of targeted advertising, sale, and profiling in furtherance of decisions that produce legal or similarly significant effects. We honor these rights as required by each applicable state law.

12.7 Appeal of a Denied Request (US state laws)

If we deny a rights request received under Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Tennessee TIPA, Minnesota MCDPA, Maryland MODPA, Delaware DPDPA, New Jersey DPA, Indiana CDPA, Kentucky CDPA, Rhode Island DTPPA, or Texas TDPSA, you may appeal the denial by emailing support@readinessengine.io with the subject line “Privacy Appeal.” We will respond to the appeal within 60 days (45 days in some states) and, if the appeal is denied, provide you with a written explanation and information on how to submit a complaint to your state attorney general.

12.8 Rights Under PIPEDA (Canada)

  • Access to your Personal Information and the right to challenge its accuracy.
  • Withdrawal of consent, subject to legal or contractual restrictions.
  • Correction of inaccurate information.
  • Complaint to the Office of the Privacy Commissioner of Canada.

12.9 Rights Under Quebec Law 25

  • Right to be informed of technology that identifies, locates, or profiles you.
  • Right to request de-indexation or cessation of dissemination where applicable.
  • Right to data portability in a structured, commonly used technological format (in force since September 2024).
  • Right not to be subject to a decision based exclusively on automated processing, and to request human review of significant decisions.
  • Right to complain to the Commission d'accès à l'information du Québec.

12.10 Washington My Health My Data Act

To the extent Readiness Engine processes data that could be considered “consumer health data” under the Washington My Health My Data Act (RCW 19.373), Washington residents may have additional rights and we will honor them as required by that Act. Please contact support@readinessengine.io for requests.

12.11 How to Exercise Your Rights

Submit a request by emailing support@readinessengine.io. Response timeframes:

  • GDPR / UK GDPR: 30 days, extendable by up to 60 additional days for complex requests.
  • CCPA/CPRA and US state laws: 45 days, extendable by 45 additional days.
  • PIPEDA: 30 days.
  • Quebec Law 25: 30 days.

We verify your identity before fulfillment; for sensitive actions we may require additional verification. We do not discriminate against you for exercising rights.

13. Children's Privacy

Readiness Engine is not directed to children and is not intended for use by anyone under 18 years of age. We do not knowingly collect Personal Information from anyone under 18. If we learn that we have collected information from a minor, we will delete it promptly. Contact support@readinessengine.io if you believe a minor has provided us with information.

14. Cookies and Tracking Technologies

The Readiness Engine dashboard uses cookies and similar technologies for two purposes:

  • Essential cookies — required for the Platform to function. Always active.
  • Analytics cookies — Google Analytics, loaded only after you consent via our cookie banner.

We do not currently use advertising, marketing, or cross-site tracking cookies. We honor the Global Privacy Control (GPC) signal as an opt-out for jurisdictions requiring recognition. Cookie preferences may be changed at any time through the footer preference center.

15. Security

We implement technical and organizational measures to protect Personal Information: encryption in transit (TLS 1.2+) and at rest, least-privilege access, SSO for personnel with data access, employee training, vendor due diligence, and periodic security reviews. No method of transmission or storage is perfectly secure.

If we become aware of a breach affecting your Personal Information, we will notify you and applicable regulators without undue delay and in accordance with applicable law — including within 72 hours of awareness where required by GDPR. For US state laws with specific breach-notice deadlines, we comply with those timeframes.

16. Accessibility

We aim for this Policy and the Platform to meet Web Content Accessibility Guidelines (WCAG) 2.1 Level AA. If you have difficulty accessing any content, email support@readinessengine.io and we will provide the information in an alternate accessible format.

17. Third-Party Links and Services

The Platform may contain links to third-party services. This Policy does not apply to third parties.

18. Changes to This Policy

We may update this Policy from time to time. We will give notice of material changes by email, through the Platform, or by other means required by applicable law, at least 30 days before the changes take effect. Prior versions are archived and available on request. The “Last Updated” date at the top reflects the most recent revision.

19. Data Controller, DPO, and Representatives

Data controller: Readiness Engine, Inc., 2140 S. Dupont Highway, Camden, DE 19934, USA.

EU Representative (GDPR Article 27): To be designated — Readiness Engine is not currently established in or actively offering Services to data subjects in the European Union. An EU Representative will be designated before the Services are made available to EU data subjects.

UK Representative (UK GDPR): To be designated — Readiness Engine is not currently established in or actively offering Services to data subjects in the United Kingdom. A UK Representative will be designated before the Services are made available to UK data subjects.

Data Protection Officer / Privacy Lead: Benjamin Whitehurst — dpo@readinessengine.io.

20. Contact Us

For questions about this Policy or to exercise your rights:

If you are located in the EU/UK/Switzerland, you may also lodge a complaint with your national supervisory authority. If you are located in Canada, you may complain to the Office of the Privacy Commissioner of Canada or, for Quebec residents, the Commission d'accès à l'information du Québec.

— End of Privacy Policy —