Privacy Policy
Last updated: June 9, 2026
Pythia ("we", "us", or "our") operates a personality assessment platform that analyzes interview recordings to produce Big Five personality profiles. This Privacy Policy explains what data we collect, how we use it, and the rights you have over it. By using Pythia you agree to the practices described here.
1. Who this policy applies to
This policy applies to two categories of users:
- Managers — individuals who create job postings, invite candidates, and review personality reports on behalf of an organisation.
- Candidates — individuals who are invited to participate in an interview assessment through Pythia.
2. Data we collect
Account data
When you register, we collect your name, email address, and (for managers) your organisation details. Passwords are stored as one-way cryptographic hashes and are never accessible in plaintext.
Interview recordings
When a manager initiates a recording during an interview session, the audio is captured in the manager's browser and uploaded to our servers. The recording captures audio from the device's microphone and system audio output (e.g. a video call). Candidates are informed when an interview has been recorded and can see the recording status in their dashboard.
Personality assessment data
We process interview recordings to produce a Big Five (NEO) personality profile. This includes trait scores (Openness, Conscientiousness, Extraversion, Agreeableness, Neuroticism) and sub-facet scores. These are considered sensitive personal data and are handled accordingly.
Usage data
We collect standard server logs (IP address, browser type, pages visited, timestamps) for security and operational purposes. We do not use third-party analytics trackers.
3. How we use your data
- To provide and operate the Pythia platform.
- To process interview recordings and generate personality profiles.
- To display personality results to the assessed candidate and to authorised managers.
- To send transactional emails (invite links, account notifications). We do not send marketing emails without explicit consent.
- To maintain platform security and investigate abuse.
- To improve our models, using only anonymised and aggregated data.
We do not sell your personal data. We do not use your data to train AI models without separate, explicit consent.
4. Legal basis for processing (GDPR)
Where applicable, we rely on the following legal bases:
- Contract — processing necessary to deliver the service you have signed up for.
- Legitimate interest — platform security, fraud prevention, and service improvement.
- Consent — for interview recordings. Candidates are notified before a recording begins. Consent can be withdrawn by contacting us; the relevant recording will be deleted.
5. Data sharing
We share your data only in the following limited circumstances:
- Within your assessment — a candidate's personality profile is visible to the manager(s) who invited them and to the candidate themselves.
- Service providers — we use third-party infrastructure providers (cloud hosting, email delivery, AI transcription) bound by data processing agreements that prohibit them from using your data for their own purposes.
- Legal obligations — we may disclose data if required by law or to protect the rights and safety of users.
6. Data retention
- Account data is retained for as long as your account is active, plus 90 days after deletion to allow for recovery.
- Interview recordings are retained for 12 months from the date of recording, then permanently deleted unless a longer retention period is legally required or explicitly requested by the candidate.
- Personality profile scores are retained for 24 months.
- You may request earlier deletion at any time (see Section 8).
7. Security
We use industry-standard measures to protect your data: encryption in transit (TLS), encrypted storage, access controls, and regular security reviews. No system is completely immune to breaches. In the event of a data breach that is likely to result in a high risk to your rights, we will notify affected users and relevant supervisory authorities as required by law.
8. Your rights
Depending on your jurisdiction, you may have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate data.
- Erasure — request deletion of your data ("right to be forgotten").
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — for any processing based on consent, including recordings.
To exercise any of these rights, email us at privacy@pythia.ai. We will respond within 30 days.
9. Cookies
Pythia uses only a single session cookie required for authentication. We do not use advertising, tracking, or analytics cookies. No cookie consent banner is required as the cookie is strictly necessary for the service to function.
10. Changes to this policy
We may update this policy from time to time. Material changes will be communicated by email or by a prominent notice on the platform at least 14 days before they take effect. Continued use of Pythia after the effective date constitutes acceptance of the revised policy.
11. Contact
For privacy-related questions or requests, contact our data protection team at privacy@pythia.ai or write to us at the address on our contact page.