Privacy Policy
1. Introduction — Who We Are
Jedah is an AI interview co-pilot for hiring teams. We help interviewers run better job interviews by transcribing meeting audio in real time, summarizing candidate background, suggesting follow-up probes, and scoring responses against a rubric the interviewer defines.
Jedah is operated by Twenty Holdings ("Jedah," "we," "our," or "us"), with Peter Allgood as principal. Our registered address is 3401 N Thanksgiving Way #500, Lehi, UT 84043. You can reach our privacy team at privacy@jedah.ai.
This Privacy Policy explains what personal information we process when you or your organization uses Jedah, why we process it, how long we keep it, who we share it with, and what choices and rights you have. It applies to:
- Our marketing site at https://interviewassistant1.netlify.app
- Our product web app at https://interviewassistant2.netlify.app
- Our Zoom App side panel at https://zoom-app-calm-meadowland-8497.fly.dev/zoom-app
- Any other surfaces where Jedah is offered, including future integrations [REVIEW: confirm scope language with counsel]
We have written this policy in plain English. Defined terms (in bold on first use) are collected in the Definitions section at the end.
There are two main groups of people whose information flows through Jedah, and this policy addresses both:
- Interviewers — the hiring team members who sign in, configure Jedah, and run interviews. Interviewers are our direct users.
- Candidates — the job applicants being interviewed. Candidates do not sign up for Jedah directly; their information enters the product because an interviewer chose to use Jedah during a meeting in which the candidate is participating.
If you are a candidate and you have questions about how your information is used in a specific interview, the interviewer or hiring organization is generally the appropriate first contact, because they decide what to capture, what to retain, and how to use the results. We explain why below in Section 8 (User Rights).
2. Information We Collect
We have tried to be specific. We collect only what we need to run the product.
2.1 Information about interviewers (our direct users)
When an interviewer signs in or uses Jedah, we collect:
- Account metadata from Zoom OAuth. When you connect Jedah to Zoom, we receive your name, email address, Zoom user ID, and OAuth tokens that let us deliver the Zoom App experience and (with your authorization) access meeting audio. We do not receive your Zoom password. [REVIEW: confirm exact Zoom OAuth scopes once Zoom App listing is finalized.]
- Configuration you provide. This includes the position you are hiring for, any custom rubric or rubric overrides, default settings, and notes you type into Jedah during or after an interview.
- Uploaded inputs about candidates. You may upload a candidate's resume text or paste a LinkedIn URL so Jedah can summarize background. We treat the contents of these uploads as candidate data (see 2.2) but record the fact that you, the interviewer, supplied them.
- Usage and product telemetry. We log which features you use, when sessions start and end, errors, and other diagnostics needed to operate the service.
- Billing and contact information. If your organization is on a paid plan, we collect contact and billing details from the person responsible for the account. [REVIEW: update once billing provider is selected — likely Stripe.]
2.2 Information about candidates (collected via the interviewer)
When an interviewer uses Jedah in a meeting with a candidate, the product processes information about the candidate even though the candidate is not our direct customer. Specifically:
- Real-time meeting audio. Audio from the interview meeting is delivered to Jedah through Zoom's Real-Time Media Streams (RTMS) API or, in some configurations, through browser tab-audio capture. This audio includes the candidate's voice (and the interviewer's voice).
- Transcribed text of the meeting. Zoom's RTMS feed includes a speaker-labeled real-time transcript (e.g., "speaker 0," "speaker 1") alongside the audio. Jedah uses this Zoom-provided transcript to analyze the conversation and surface suggested follow-up probes and scores. There is no separate speech-to-text vendor in the pipeline.
- Candidate background data supplied by the interviewer. This includes the candidate's resume text and/or LinkedIn URL when the interviewer chooses to provide them. Jedah analyzes the supplied background to generate a written summary surfaced to the interviewer.
- Derived analyses and scores. Jedah produces summaries, suggested probe questions, and rubric scores. These are derived from the inputs above. They are not separately reported by the candidate.
2.3 Technical and usage data
Like most web services, we collect technical data about your device and connection: IP address, browser type, operating system, referring URL, timestamps, page paths, and similar telemetry. We use this for security, abuse prevention, debugging, and basic product analytics. [REVIEW: confirm whether any analytics SDKs are in use; if so, list them.]
2.4 What we do not collect
We do not knowingly collect:
- Government-issued identifiers (Social Security numbers, passport numbers, etc.) from candidates or interviewers. If an interviewer pastes such an identifier into a notes field, we treat it as ordinary text and recommend they not do so. [REVIEW]
- Biometric identifiers in the legal sense. Audio is processed for transcription only; we do not perform voiceprint identification, facial recognition, or emotion classification. [REVIEW: confirm with engineering before publication. This claim must be accurate at launch.]
- Payment card numbers directly. Billing, when applicable, is handled by our payment processor. [REVIEW]
3. How We Use Information
We use the information described above to:
- Transcribe meeting audio so the interviewer has a written record they can review.
- Generate AI-assisted suggestions during the interview, including suggested follow-up probes and rubric-aligned scoring of candidate responses.
- Summarize candidate background from resume text or LinkedIn content the interviewer provides.
- Operate the service — authentication, session management, presenting your data back to you, syncing across the Zoom App side panel and the web product.
- Secure the service — detect abuse, prevent fraud, investigate incidents.
- Improve the product — fix bugs, prioritize features, measure reliability. We do not use candidate audio, candidate transcripts, or candidate background data to train third-party AI models. [REVIEW: confirm contract language with Anthropic and Zoom disables training on customer data; both providers offer this option, but the contract terms must back up the claim.]
- Comply with legal obligations — respond to lawful requests, enforce our terms, defend legal claims.
We do not sell personal information, and we do not share personal information with third parties for their own advertising or marketing purposes. See Section 12 for the CCPA-specific version of this statement.
4. How We Share Information — Subprocessors
To deliver the service we rely on a small number of vendors ("subprocessors"). Each one only receives the data it needs to perform its function, and each is bound by a written agreement requiring confidentiality and appropriate security.
Note: Jedah uses Zoom's native real-time transcription, delivered alongside the audio stream over RTMS. We do not use a separate third-party speech-to-text vendor.
| Subprocessor | Purpose | Data shared | Privacy page |
|---|---|---|---|
| Anthropic (Claude API) | AI scoring, summary, and probe suggestions | Transcript text, candidate background text, rubric configuration | https://www.anthropic.com/legal/privacy |
| Zoom | RTMS audio and real-time transcript delivery; OAuth authentication; Zoom App hosting surface | Meeting audio (in transit), speaker-labeled transcript (in transit), Zoom account metadata | https://www.zoom.com/en/trust/privacy/ |
| Fly.io | Application hosting (compute) | All data passing through the application layer in transit; encrypted environment variables at rest | https://fly.io/legal/privacy-policy/ |
| Netlify | Static site hosting and serverless functions for the marketing and product front ends | Web request data, function inputs/outputs | https://www.netlify.com/privacy/ |
| Netlify Blobs | Transcript storage when the interviewer opts in | Stored transcript text and associated session metadata | https://www.netlify.com/privacy/ |
[REVIEW: counsel should confirm this list is complete and exact at the time of publication. Add billing processor (Stripe or equivalent) when chosen. Add any analytics or error-tracking vendors (e.g., Sentry, PostHog) if introduced.]
We will update this list when we add or change subprocessors. Material changes will be communicated as described in Section 14.
We may also disclose information:
- In response to lawful requests (subpoena, court order, or other legal process) where we believe disclosure is required by law. We will, where lawful and practical, notify the affected user before complying. [REVIEW]
- To protect rights and safety — to investigate fraud, security incidents, violations of our terms, or threats to any person's safety.
- In a corporate transaction — if Jedah is acquired, merged, or its assets are sold, personal information may transfer to the successor entity, which will be bound by terms at least as protective as this policy.
5. Where Data Is Processed
Jedah is operated from the United States and our primary processing takes place in the United States. Our hosting providers (Fly.io, Netlify) and our primary AI provider (Anthropic) are US-based. Zoom, which delivers both the meeting audio and the native real-time transcript via RTMS, is US-based.
Some of our subprocessors operate globally and may process data in regions outside the United States, including the European Union, depending on their infrastructure. [REVIEW: confirm Fly.io region selection at launch — if the app is pinned to a US region, say so explicitly. Same for Anthropic and Zoom processing regions.]
If you are accessing Jedah from outside the United States — including from the European Economic Area, the United Kingdom, or Switzerland — your personal information will be transferred to and processed in the United States. See Section 11 for the safeguards we apply to international transfers.
6. How Long We Keep Information (Retention)
We have written specific retention periods for each type of data, rather than relying on a vague "as long as necessary" formula.
| Data type | Retention |
|---|---|
| Raw meeting audio | Processed in transit only. Never stored at rest. Audio is received from Zoom via RTMS alongside the speaker-labeled transcript and discarded as it is processed. |
| Transcripts | Not stored by default. Stored only if the interviewer explicitly opts in. When stored, default retention is 90 days from session end. Interviewers can delete a transcript at any time before the 90-day mark. After 90 days, stored transcripts are deleted automatically. |
| Candidate background analyses (summary of resume/LinkedIn content) | Stored only for the duration of the interview session. Deleted at session end unless the interviewer downloads the XLSX export, in which case the exported file lives on the interviewer's device under their control. |
| Rubric scores | Same as background analyses: session-lifetime only, unless exported. |
| Account metadata (interviewer name, email, OAuth tokens) | Retained for the life of the account. Deleted within 30 days of account closure, subject to legal and accounting hold requirements. [REVIEW] |
| Audit logs | Retained for 1 year for security and compliance purposes. |
| Billing records | Retained as required by applicable tax and accounting law (typically 7 years in the US). [REVIEW] |
| Backups | Backups of stored transcripts (where applicable) are encrypted and rotated on a 30-day cadence; deletions propagate to backups within [REVIEW: 30 days is a defensible default]. |
If a legal hold or active investigation requires us to preserve specific records longer, we will do so for the minimum period required, then return to the schedule above.
7. Your Choices and the Settings That Matter Most
Most of the decisions about candidate data are made by the interviewer at the time of the meeting. The most important ones are:
- Transcript storage is off by default. Interviewers must opt in to store transcripts. Real-time processing happens either way; storage is a separate choice.
- The in-meeting banner. When Jedah begins analyzing a meeting, candidates see an on-screen banner indicating that an AI assistant is active. We describe this further in Section 10.
- Exports. Interviewers can export rubric scores and background analyses as an XLSX file. Once exported, the file is under the interviewer's control and outside Jedah's systems.
- Deletion. Interviewers can delete stored transcripts at any time from the product UI. Account-level deletion can be requested at privacy@jedah.ai.
8. User Rights
We separate this section because candidates and interviewers come to Jedah in very different ways.
8.1 Rights of candidates
Candidates do not have a direct account with Jedah. The interviewer's organization decides what to record and what to keep. Under privacy laws including the GDPR (Europe), the UK GDPR, the CCPA/CPRA (California), and similar laws in other US states and countries, candidates may have the right to:
- Access the personal information held about them.
- Correct information that is inaccurate.
- Delete information ("right to erasure"), subject to lawful exceptions.
- Restrict or object to certain processing.
- Receive a copy of their information in a portable format.
- Withdraw consent where processing is based on consent (for example, the in-meeting banner consent for EU/UK candidates).
Where to send a candidate request. Because the interviewing organization (the controller in GDPR terms) usually decides what is captured and what is retained, candidates should generally direct requests to the company they interviewed with. If that is not possible, candidates can write to us at privacy@jedah.ai and we will (a) identify the relevant interviewing organization where we are able, (b) forward the request to that organization, and (c) act on the request directly with respect to any data we hold in our own right (for example, logs).
We will respond within the timeframes required by law (generally 30 days under GDPR; 45 days under CCPA, extendable as permitted). [REVIEW]
8.2 Rights of interviewers
Interviewers are our direct users and can exercise rights directly:
- Access — see your account data and configurations in the product, or request a copy via privacy@jedah.ai.
- Correct — update profile and configuration data in the product, or contact us.
- Delete — delete stored transcripts and other session data in the product; request full account deletion via privacy@jedah.ai.
- Portability — request a machine-readable export of your account data.
- Restrict / object — contact us at privacy@jedah.ai.
- Withdraw OAuth authorization — revoke Jedah's Zoom access at any time from your Zoom account's Apps page.
We do not discriminate against you for exercising any of these rights.
9. Children's Data
Jedah is a business tool for hiring teams. It is not intended for use by anyone under 18 years of age. We do not knowingly collect personal information from children, and we have no reason to believe candidates participating in job interviews on the platform are children.
If you believe we have inadvertently received information about a person under 18, contact us at privacy@jedah.ai and we will delete it promptly.
[REVIEW: counsel may want to align language with COPPA (under 13) and certain state laws that extend additional protections to minors under 16 or 18.]
10. Two-Party Consent Jurisdictions and the In-Meeting Banner
Several US states require that all parties to a conversation consent before it is recorded or analyzed. Jedah's transcription and AI analysis can be treated as a form of recording for legal purposes, so we take a conservative approach and design the product to support all-party consent.
The following US states are commonly considered two-party (or all-party) consent jurisdictions:
California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, Washington.
[REVIEW: case law in some of these states (e.g., Nevada, Michigan) is unsettled and the list of "two-party" states is debated. Counsel should confirm the final list before publication and may want to add neighboring jurisdictions for safety. Consider also Delaware, Oregon. International equivalents exist in many countries.]
Interviewer responsibility. The interviewer is responsible for ensuring that any consent required by applicable law has been obtained before initiating Jedah analysis. This includes — where applicable — informing the candidate that an AI assistant will transcribe and analyze the conversation, and obtaining the candidate's agreement to proceed.
What Jedah does to help. When Jedah is active in a meeting, the product surfaces an in-meeting banner to all participants stating that an AI assistant is transcribing and analyzing the conversation. The banner is intended to give candidates clear notice and the opportunity to object before analysis begins. The banner is not a substitute for legally required consent in jurisdictions that demand affirmative consent — interviewers must still obtain that consent as required.
If a candidate objects. The interviewer should disable Jedah for the remainder of the meeting and may need to delete any partial transcript created up to that point. The product UI provides a single control to do this. [REVIEW: confirm this control exists at launch.]
11. International Users — GDPR, UK GDPR, and Cross-Border Transfers
If you are in the European Economic Area (EEA), the United Kingdom, or Switzerland, the following applies in addition to the rest of this policy.
11.1 Controller / processor roles
When an interviewer's organization uses Jedah to assess a candidate, that organization generally acts as the data controller of candidate personal data, and Jedah acts as a processor on its behalf, under a data processing agreement (DPA). [REVIEW: counsel should produce or review the DPA template Jedah will offer to EU-exposed customers. The split-controller analysis under EDPB guidance is nuanced and may apply differently to derived AI outputs.]
For interviewer account data and product telemetry, Jedah acts as a controller.
11.2 Legal bases for processing
We rely on the following legal bases under Article 6 GDPR:
- Legitimate interest (Art. 6(1)(f)) — for processing interviewer account data and product telemetry that is needed to operate, secure, and improve the service. We have balanced this interest against interviewer rights and concluded that the processing is proportionate. [REVIEW: counsel may prefer "performance of a contract" for some of this.]
- Explicit consent (Art. 6(1)(a)) — for processing of candidate audio, transcripts, and derived analyses. The in-meeting banner is the consent mechanism. [REVIEW: counsel should confirm whether the banner UX meets GDPR's standard for "freely given, specific, informed, and unambiguous" consent for candidates whose continued participation in an interview may not feel "freely given." This is a known tension in candidate-facing AI tools and may push the legal basis toward legitimate interest with a robust LIA.]
- Legal obligation (Art. 6(1)(c)) — for retention of records we are required to keep.
11.3 International transfers
Because our processing primarily takes place in the United States, EU/UK/Swiss personal data is transferred outside the EEA/UK. For such transfers we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by the UK International Data Transfer Addendum where applicable.
- The EU–US Data Privacy Framework where one of our subprocessors is certified. [REVIEW: confirm which subprocessors are DPF-certified at the time of publication.]
- Additional technical and organizational safeguards (encryption in transit, access controls, contractual limits on government access requests).
11.4 Data subject rights
In addition to the rights listed in Section 8, EU/UK/Swiss data subjects have the right to lodge a complaint with their supervisory authority. A list is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en (EU) or https://ico.org.uk (UK).
12. California Consumer Privacy Act (CCPA / CPRA) Disclosures
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, gives you specific rights regarding your personal information.
12.1 Categories collected (in the last 12 months)
Using the CCPA's category names, we have collected:
- Identifiers (name, email, IP address, OAuth user ID)
- Internet or other network activity information (usage logs, telemetry)
- Audio, electronic, visual, or similar information (meeting audio in transit; transcripts where the interviewer opts in)
- Professional or employment-related information (resume text, LinkedIn-supplied content, interview rubric scores)
- Inferences drawn from the above (AI-generated summaries, suggested probes, scores)
[REVIEW: ensure no other CCPA categories apply at launch. Counsel should also confirm whether any of the above qualifies as "sensitive personal information" under the CPRA — voice recordings arguably do.]
12.2 Purposes
We use these categories for the purposes described in Section 3 (operating the service, transcription, scoring, security, compliance).
12.3 Sources
We collect this information from interviewers, from candidates indirectly (through audio captured during meetings the interviewer initiates), and from Zoom (OAuth metadata).
12.4 Sale and sharing
We do not sell personal information for money or other valuable consideration, and we do not "share" personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. [REVIEW]
12.5 California rights
California residents have the right to:
- Know what personal information we have collected.
- Delete personal information, subject to exceptions.
- Correct inaccurate personal information.
- Limit the use and disclosure of sensitive personal information.
- Opt out of sale or sharing (not applicable, as we do not sell or share).
- Be free from retaliation for exercising these rights.
To exercise a California right, contact us at privacy@jedah.ai. We will verify your identity using information we already hold about you. You may use an authorized agent to make a request on your behalf, with written authorization.
12.6 Other US state privacy laws
Comparable rights exist in Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws. Where you are a resident of one of those states, the same request process applies. [REVIEW: counsel may want a separate state-by-state appendix for higher-traffic states.]
13. How We Protect Information (Security)
We apply commercially reasonable technical and organizational measures to protect personal information. These include:
- TLS in transit — all connections between your browser, the Zoom App side panel, our application, and our subprocessors use TLS 1.2 or higher.
- No audio at rest — raw audio is processed in memory and discarded as it is transcribed. It is not written to disk and not retained.
- Encrypted environment variables on Fly.io for all secrets and credentials. Application secrets are never checked into source control.
- Principle of least privilege — application code and personnel only have access to the data they need to perform their function. Production access is restricted and logged.
- Subprocessor diligence — we choose subprocessors that publish security documentation (SOC 2 or equivalent) and contractually commit to protecting customer data. [REVIEW]
- Audit logging — security-relevant events are recorded and retained for 1 year (see Section 6).
No system is perfectly secure. If we become aware of a breach of personal information, we will notify affected users and regulators as required by applicable law and within the timeframes those laws prescribe (for example, 72 hours to the supervisory authority under GDPR, where feasible).
[REVIEW: counsel should align this section with whatever SOC 2 / ISO 27001 / pen-test posture Jedah will claim to customers. Do not overstate.]
14. Changes to This Policy
We may update this Privacy Policy from time to time — to reflect new product features, new subprocessors, new laws, or feedback from users.
When we make a material change, we will:
- Update the "Last updated" date at the top of this policy.
- Notify interviewer account holders by email at the address we have on file, at least 15 days before the change takes effect, unless an immediate change is required for legal or security reasons. [REVIEW: 15 days is a defensible default; counsel may prefer 30 days.]
- Update the in-meeting banner language when a change materially affects candidates (for example, a new subprocessor that receives transcript content), so that future interviews surface the change.
Your continued use of Jedah after the effective date of an update constitutes acceptance of the updated policy. If you do not agree, you should stop using the service and contact us to close your account.
15. Contact Us
If you have questions, complaints, or requests about this policy or about how Jedah handles personal information, please contact us:
- Email: privacy@jedah.ai
- Postal mail: Twenty Holdings — Privacy, 3401 N Thanksgiving Way #500, Lehi, UT 84043
- EU representative (if appointed): Not applicable — Jedah does not currently offer the service to EU data subjects
- UK representative (if appointed): Not applicable — Jedah does not currently offer the service to UK data subjects
- Data Protection Officer: No Data Protection Officer appointed at this stage
We respond to all good-faith inquiries within 10 business days and to formal data subject requests within the timelines set out in Section 8.
16. Definitions
- Candidate — a person being interviewed in a meeting where an interviewer has activated Jedah.
- Controller — under GDPR, the party that determines the purposes and means of processing personal data. For candidate data, this is typically the interviewer's organization; for interviewer account data, it is Jedah.
- Interviewer — a hiring team member with a Jedah account who initiates and runs interview sessions.
- Personal information / personal data — any information relating to an identified or identifiable individual. We use "personal information" and "personal data" interchangeably in this policy.
- Processor — under GDPR, a party that processes personal data on behalf of a controller. Jedah typically acts as a processor with respect to candidate data.
- RTMS — Zoom's Real-Time Media Streams API, which delivers meeting audio together with a speaker-labeled real-time transcript to authorized applications.
- Subprocessor — a third party we use to help deliver the service, who in turn processes personal information.
- Session — a single interview meeting in which Jedah is active, from start to end.
- Transcript — the speaker-labeled text of the meeting, delivered by Zoom's native real-time transcription service over RTMS alongside the audio stream.
- Two-party consent state — a US state whose wiretapping or eavesdropping statutes require the consent of all parties to a conversation before it may be recorded or analyzed.