Privacy Policy

Last updated: 2025-10-01

This Privacy Policy describes how Bearing collects, uses, and protects your information. We build for privacy: minimal collection, strong security, and controls for owners and participants. We do not sell personal information.

Scope

This Policy applies to our web apps (careerfit.app, bearing.careerfit.app, fli.careerfit.app) and related services (emails, API). If a customer signs a Data Processing Addendum (DPA), the DPA governs where it differs from this notice.

Information we collect

  • Account & org data: name, email, language, organization membership/roles.
  • Survey content: chosen question template, invitations, participation status, responses (scores & free text).
  • Device & logs: IP (truncated where possible), browser/OS, timestamps, error logs.
  • Commercial: support interactions, email delivery/open/click events.

How we use information

  • Provide and secure authentication, access control, and multi‑tenant isolation.
  • Run surveys: invitations, reminders (opt‑in), aggregation, analytics, reports.
  • Improve product quality and reliability; troubleshoot deliverability.
  • Comply with legal obligations and enforce terms.

Legal bases (EEA/UK)

  • Contract — to provide the product you requested.
  • Legitimate interests — product analytics, security, anti‑abuse.
  • Consent — optional analytics, marketing categories, where applicable.
  • Legal obligation — accounting, fraud prevention, court orders.

Sharing and disclosure

We share data with service providers under contract who process it on our behalf:

  • Google Firebase — Auth & Firestore (EU/US data centers as configured).
  • Vercel — hosting, edge caching, logs.
  • SendGrid — transactional email.
  • Analytics vendors — Google Analytics (if enabled, aggregate use).

We do not sell personal data. We do not share it for cross‑context behavioral advertising. We may disclose data if required by law, to protect users, or in a business transfer with notice.

International transfers

Data may be processed in the country of the service provider. Where laws require, we use appropriate safeguards (e.g., SCCs) and minimize transfers.

Retention

  • Account & org membership — while the account is active or as required by law.
  • Survey content — until the owner deletes it or until a configured retention window elapses.
  • Logs & diagnostics — typically 30–180 days.
  • Email deliverability records — 18–24 months (aggregate/metadata).

Security

We use encryption in transit, role‑based access, audit logging, rate limiting, and defense‑in‑depth. No system is 100% secure; please report incidents to security@careerfit.app.

Your rights

Depending on your region, you may request access, correction, deletion, export, or restriction of your data, and object to certain processing.

  • Self‑service: owners can export or delete surveys; admins can manage org membership.
  • Contact: email privacy@careerfit.app with your request.
  • Appeals: if we decline, we’ll tell you why and how to appeal.

Children

The service is not intended for children under 16 (or as defined by local law). We do not knowingly collect children’s data.

Changes

We will update this Policy as our product evolves. We will notify you of material changes in‑app or via email.

Contact

Data Controller: CareerFit / Bearing. Email privacy@careerfit.app or support@careerfit.app.

This notice is for transparency and does not create contractual obligations. For enterprise customers, the Master Services Agreement and DPA prevail where different.