Your360 AI Privacy Policy

Effective Date: September 30, 2025
Last Updated: April 1st, 2026

1. INTRODUCTION

Your360 AI, Inc. ("Your360 AI," "we," "us," or "our") provides AI-powered 360-degree feedback services for Professional Development. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our website (your360.ai), platform, and services (collectively, the "Services").

By using our Services, you acknowledge that you have read and understood this Privacy Policy and agree to our collection, use, and disclosure of your information as described herein.

Definition: Throughout this Privacy Policy, "Professional Development" or "Development" means improving your work-related skills and effectiveness through feedback and coaching provided by our Services.

2. INFORMATION WE COLLECT

2.1 Information You Provide Directly

Account Information

  • Name, email address, job title, role
  • Phone number (optional)
  • Company/organization affiliation
  • Password and account credentials

Development Information

  • Development goals and focus areas
  • Optional context documents (resume, performance reviews)
  • Selection of feedback providers
  • Coaching conversation content

Feedback Provider Information

  • Name and email address
  • Relationship to feedback recipient
  • Feedback content (via voice or text)
  • Voice recordings and transcripts

2.2 Information Collected Automatically

Usage Information

  • IP address and device information
  • Browser type and settings
  • Date, time, and duration of visits
  • Pages viewed and features used
  • Referring and exit pages

Cookies and Analytics

  • First-party cookies for session management
  • Analytics data (PostHog, Google Analytics)
  • Session recordings (with sensitive content obscured)

2.3 Information from Third Parties

We may receive information about you from:

  • Your employer (if they sponsor your account)
  • Feedback providers you select
  • Third-party authentication services
  • Business partners and service providers

3. HOW WE USE YOUR INFORMATION

3.1 Primary Uses

We use your information to:

  • Provide and operate the Services
  • Conduct AI-powered feedback interviews
  • Generate 360 feedback reports and Development insights
  • Facilitate communication between users and feedback providers
  • Process payments and maintain accounts

3.2 Service Improvement

We analyze aggregated, de-identified data to:

  • Improve our AI interview techniques
  • Enhance feedback synthesis quality
  • Develop new features and services
  • Conduct research on Professional Development

3.3 AI and Machine Learning

What We Do:

  • Use AI to conduct voice interviews
  • Analyze feedback patterns and themes
  • Generate personalized Development insights
  • Improve our interview questions and synthesis

What We Don't Do:

  • Train third-party AI models (OpenAI, Anthropic) with your data
  • Use your personal feedback for other users
  • Create identifiable profiles for non-service purposes

3.4 Communications

We may use your information to:

  • Send service-related notifications
  • Respond to inquiries and support requests
  • Provide updates about new features (with consent)
  • Send marketing communications (with opt-out options)

4. HOW WE SHARE INFORMATION

4.1 With Organizations

If your employer sponsors your account, they can see:

  • Who was invited to provide feedback
  • Who has completed feedback sessions
  • Participation and completion rates
  • Aggregated, anonymized insights (minimum 5 participants)

They cannot see:

  • Individual feedback content
  • Your Development report
  • Coaching conversations
  • Specific feedback from providers

4.2 With Service Providers

We share information with third-party service providers who help us operate our Services:

  • Cloud infrastructure providers
  • Communication services (email, SMS)
  • Payment processors
  • Analytics providers
  • AI/ML services

All service providers are contractually bound to protect your information and use it only as directed by us.

Accountability for Onward Transfers (DPF)

When we transfer personal data received under the DPF Frameworks to third-party service providers acting as agents on our behalf, we do so pursuant to written contracts that require the agent to provide at least the same level of privacy protection as required by the DPF Principles. We take reasonable and appropriate steps to ensure that our agents process such personal data in a manner consistent with our obligations under the DPF Principles, and we take reasonable and appropriate steps to stop and remediate unauthorized processing by an agent upon becoming aware of it. Your360 AI remains liable under the DPF Principles if an agent processes personal data received under the DPF Frameworks in a manner inconsistent with the DPF Principles, unless we prove we are not responsible for the event giving rise to the damage.

4.3 With Feedback Recipients

Feedback providers should understand:

  • Their feedback contributes to synthesized insights
  • Select quotes may be included for authenticity
  • Manager feedback is attributed by default
  • Other feedback is presented anonymously (solely on a ‘best efforts’ basis; we cannot guarantee complete anonymity)

4.4 Legal Requirements

We may disclose information when required by law or to:

  • Comply with legal process
  • Protect rights, property, or safety
  • Enforce our Terms of Service
  • Respond to government requests

4.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.

4.6 With Your Consent

We may share information for any other purpose with your explicit consent.

5. DATA RETENTION

Voice Recordings: Retained while your account is active. Deleted within 60 days of account termination or closure, consistent with the Post-Termination Deletion timeline below.

Transcripts and Reports: Retained while your account is active. Deleted within 60 days of account termination or closure, consistent with the Post-Termination Deletion timeline below.

Account Information: Retained until you request deletion or account is inactive for 24 months. This retention period enables long-term Development tracking and year-over-year progress comparison.

Aggregated Data: May be retained indefinitely in de-identified form

Post-Termination Deletion: Upon account termination or closure, personal data (including transcripts, reports, and account information) will be deleted within 60 days, except where retention is required by applicable law, regulatory obligations, or legitimate business purposes. Aggregated, de-identified data is excluded from this commitment.

6. DATA SECURITY

We implement administrative, technical, and physical safeguards designed to protect your information, including:

  • Encryption in transit and at rest
  • Access controls and authentication
  • Regular security assessments
  • Employee training and confidentiality agreements

However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your information.

Breach Notification: In the event of a data breach affecting your personal information, we will notify affected users and applicable regulators within 72 hours of confirming the breach, to the extent required by applicable law.

7. YOUR RIGHTS AND CHOICES

7.1 Access and Portability

You may request:

  • Access to your personal information
  • A copy of your 360 reports and insights
  • Export of your Development data

7.2 Correction and Deletion

You may:

  • Update your account information
  • Request correction of inaccuracies
  • Request deletion of your account and data

Note: Some information may be retained for legal or legitimate business purposes.

7.3 Communication Preferences

You may:

  • Opt-out of marketing emails
  • Adjust notification settings
  • Unsubscribe from non-essential communications

7.4 Feedback Provider Rights

Feedback providers may:

  • Supplement feedback before report generation
  • Create an account to manage multiple feedback requests
  • Request recall or withdrawal of feedback only where (a) required by applicable law, or (b) a limited recall feature is made available by Your360 AI at its sole discretion (such features, if offered, may be subject to conditions such as recall before synthesis and may be modified or discontinued at any time)

7.5 Rights Under the EU-U.S. Data Privacy Framework

If your personal data is transferred to us from the European Economic Area, the United Kingdom, or Switzerland in reliance on the DPF Frameworks, you have the following additional rights:

Choice (Opt-Out): You have the right to opt out of: (a) disclosure of your personal data to third parties not acting as agents on our behalf; and (b) use of your personal data for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by you. To opt out, contact us at privacy@your360.ai.

Access: You have the right to access personal data about you that we hold, and to correct, amend, or delete that information where it is inaccurate or processed in violation of the DPF Principles, except where the burden or expense of providing access would be disproportionate to the risks to your privacy, or where the rights of persons other than you would be violated. To exercise this right, contact us at privacy@your360.ai.

Recourse and Complaints: You have the right to raise a complaint regarding our DPF compliance. We commit to resolving complaints about your privacy and our collection or use of your personal data transferred to the United States. EEA, UK, and Swiss individuals with inquiries or complaints should first contact us at privacy@your360.ai.

We have committed to refer unresolved privacy complaints under the DPF Frameworks to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information and to file a complaint free of charge.

Under certain conditions, you may be able to invoke binding arbitration for complaints regarding DPF compliance not resolved by any other means. For more information, see Annex I of the EU-U.S. DPF Principles: https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction.

8. CALIFORNIA PRIVACY RIGHTS

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know: You may request information about the personal information we collect, use, and disclose.

Right to Delete: You may request deletion of your personal information, subject to certain exceptions.

Right to Opt-Out: You may opt-out of the "sale" of personal information. Note: We do not sell personal information.

Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, contact privacy@your360.ai.

9. WASHINGTON PRIVACY RIGHTS

Washington residents have rights under the My Health My Data Act. While Your360 AI is not a health service, we acknowledge that feedback may touch on well-being topics. We:

  • Do not sell health-related data
  • Will delete such information upon request
  • Obtain consent for processing any health-related information

10. INTERNATIONAL DATA TRANSFERS

EU-U.S. Data Privacy Framework

Your360 AI, Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF (collectively, the "DPF Frameworks") as set forth by the U.S. Department of Commerce. Your360 AI is in the process of certifying with the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles with regard to the processing of personal data received from the European Union, the United Kingdom (and Gibraltar), and Switzerland in reliance on the respective DPF Framework. If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles, the Principles shall govern.

To learn more about the Data Privacy Framework program and to view our certification, visit https://www.dataprivacyframework.gov.

Other International Transfers

For transfers not covered by the DPF Frameworks, we rely on appropriate safeguards including Standard Contractual Clauses where required by applicable law.

11. CHILDREN'S PRIVACY

Our Services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn we have collected information from a child under 18, we will delete it promptly.

12. SPECIAL INFORMATION REGARDING SENSITIVE DATA

Our AI coach focuses on workplace behaviors and performance. While personal characteristics may naturally arise in conversation, our system is designed to synthesize feedback around professional capabilities and growth areas. We do not intentionally collect special categories of personal information (race or ethnic origin, sex life or sexual orientation, criminal records, religion, political opinions, trade union membership, genetic/biometric data used for identification purposes, health conditions, etc.), and instruct users to focus on professional contexts.

13. DATA OWNERSHIP AND PORTABILITY

Individual Development Data: You retain access to your reports and insights regardless of employment status. Your Development journey belongs to you.

Organization Rights: Organizations may request deletion of data related to their employees but cannot access confidential feedback content.

Data Portability: You may export your Development reports and insights at any time.

14. AUTOMATED DECISION-MAKING

We use AI to analyze feedback and generate insights. These are recommendations for Professional Development, not automated decisions about you. All AI-generated content should be reviewed with human judgment and is not intended as the sole basis for employment decisions.

15. SESSION RECORDING DISCLOSURE

We use session recording tools (currently PostHog) to improve our Services and debug technical issues. Session recordings may capture interactions with the platform interface, including navigation and clicks. All form input fields are masked and audio is not captured. Recordings are retained while the account is active and are accessible only to our technical team for internal purposes.

16. PRIVACY PROTECTION THRESHOLDS

To protect individual privacy:

  • Minimum 3 feedback providers required to generate a report
  • Minimum 3 responses per category for category-specific insights
  • Minimum 5 participants for organizational aggregated insights

17. HOW TO CONTACT US

For privacy-related questions or to exercise your rights:

Email: privacy@your360.ai
Support: support@your360.ai

Response time: We will acknowledge requests within 30 days and respond substantively within 45 days, with possible extension if needed.

18. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on our website
  • Sending notice to your registered email
  • Displaying a notice in the platform

Your continued use after changes constitutes acceptance of the updated policy.

19. LEGAL BASIS FOR PROCESSING AND INTERNATIONAL TRANSFER MECHANISMS

Legal Basis (EEA Users)

We process personal data based on:

  • Consent: For marketing and optional features
  • Contract: To provide Services you have requested
  • Legitimate Interests: For service improvement and security
  • Legal Obligations: When required by law

Data Privacy Framework

For personal data transferred from the EEA, UK, or Switzerland, Your360 AI relies on the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF as the legal mechanism for such transfers, as described in Section 10.

FTC Jurisdiction and Enforcement

Your360 AI is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC). The FTC has jurisdiction over our compliance with the DPF Frameworks, and our DPF commitments are enforceable under U.S. law.

20. DATA PRIVACY FRAMEWORK — REGULATORY DISCLOSURES

Government Authority Disclosure

Notwithstanding anything to the contrary in this Privacy Policy, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Annual Recertification

Your360 AI's DPF certification will be renewed annually. You may verify our current certification status at any time at https://www.dataprivacyframework.gov.

This Privacy Policy is effective as of April 1st, 2026 and supersedes all previous versions.