Privacy Policy
Last updated: 2026-04-30 · Effective: 2026-04-24
This Privacy Policy describes how Metrux AI (“we”) collects, uses, retains, and deletes personal data from Customers (companies using our platform for hiring) and Candidates (people completing assessments). It applies globally, including to EU/UK residents (GDPR) and California residents (CCPA).
1. Data we collect
From Candidates
- Email address (from the invite).
- Session events: prompts sent to AI, code edits, test runs, terminal output, timing.
- Candidate-authored code and documents produced during the assessment.
- IP address and user-agent of requests (for rate limiting and incident response).
- Scorecard: computed scores across metrics, summary of the session.
From Customers (companies)
- Account information: company name, domain, contact emails, member roles.
- Wrapped Anthropic API key (AES-256-GCM encrypted; plaintext never persisted). Only the last four characters are retained for display.
- Billing information (when paid plans launch; not applicable to closed beta).
Technical / operational
- Structured application logs (scrubbed for secret patterns at emission).
- Audit events (append-only) of every admin action and every customer-key unwrap.
2. Why we collect it (legal basis)
- Contract: operating the service the Customer signed up for.
- Legitimate interest: fraud prevention, rate limiting, security incident response, product improvement via de-identified analytics.
- Legal obligation: tax and regulatory retention (billing records, audit logs).
- Consent: only where we rely on it explicitly (cookie notice, optional analytics if/when deployed).
3. Retention
The canonical retention table is maintained internally and mirrors the policy configured in code. The full document is available on request to legal@metrux.ai. In summary:
- Session data (prompts, edits, events, code): 180 days after session completion, then soft-deleted. Hard-deleted 30 days later.
- Candidate profile: retained while the account is active. After 2 years of inactivity (no login, no invited assessment) we send a 30-day pre-deletion notice; if the candidate doesn't sign in within that window, the account is auto-deleted. Self-serve deletion is also available at any time; the data is anonymized within 30 days. Aggregated de-identified analytics may persist.
- Company data: for the duration of the contract + a 30-day grace window after closure. After grace: anonymized.
- Audit events: append-only (database trigger refuses UPDATE and DELETE). Retention target 2 years in the primary database with additional long-term archival deployed as part of our cloud infrastructure baseline. After a candidate or session is hard-deleted, audit rows referencing them retain the row id (as text) but the foreign-key link is set to NULL, so per-session forensic JOIN queries narrow to the 30-day pre-hard-delete window; older records stay individually queryable by id.
- Billing: 7 years where applicable (tax law). Paid billing is not active during closed beta.
- Backups: managed backup retention (point-in-time recovery + daily snapshots) is configured as part of our cloud infrastructure baseline. A deletion request completes in the primary database within 30 days; residual data in any backups ages out on its own rotation schedule. The Privacy Policy will be updated with the exact backup schedule when the production deployment is live.
4. Who sees the data
- The Candidate's session data is visible to the Customer that issued the invite, and only to members of that Customer with sufficient role.
- Metrux operators may access data for support purposes; every such access is logged to the append-only audit trail and is visible to the Customer on their audit page.
- We do not sell personal data, ever. We do not share with advertisers.
- Sub-processors (vendors that process data on our behalf) are listed at /legal/subprocessors.
5. International transfers
Processing occurs in AWS us-east-1 today. For EU/UK residents, transfer to the United States is covered under the EU-U.S. Data Privacy Framework (when applicable) or Standard Contractual Clauses, as negotiated in the Data Processing Addendum with enterprise Customers.
6. Your rights
Regardless of where you live, you can exercise these rights with respect to your data. Candidates can do so directly via the API (closed beta) or contact us.
- Access / export. Candidates can download a JSON dump of their data: GET /v1/auth/me/export (authenticated candidate; returns profile + sessions + audit events + key-decrypt audit).
- Delete / erase. Candidates can submit a deletion request: POST /v1/auth/me/delete-request. We process within 30 days; backups age out within 30 additional days. Some aggregated de-identified analytics may persist as permitted by law.
- Correct. Contact privacy@metrux.ai to correct data about you.
- Object / restrict. Contact privacy@metrux.ai.
- Withdraw consent. Where processing relies on your consent, you can withdraw it at any time.
- Complain to a supervisory authority. EU/UK residents have the right to lodge a complaint with their national data protection authority.
7. Security
Controls enforced today:
- Customer-supplied Anthropic API keys are AES-256-GCM wrapped at rest. The plaintext key is never persisted; every per-session decrypt writes an audit row.
- Append-only audit log (a database-level trigger refuses UPDATE and DELETE) of every admin-endpoint access, every key decrypt, and every cross-tenant read by platform operators.
- Per-tenant isolation at the application and API layers. Every cross-tenant access by a platform operator is automatically audited.
- Secret-pattern redaction in both audit rows and application logs: Anthropic, OpenAI, GitHub, AWS, Bearer, JWT, and password-assignment patterns are replaced before emission.
- Rate limits (per-IP + per-identity) and an incident-response IP blocklist with automated brute-force detection on invite-token lookups.
- Responsible-disclosure contact at /.well-known/security.txt; email security@metrux.ai.
Additional controls deployed with our cloud infrastructure baseline (TLS 1.2+ transport termination, managed-database encryption at rest, KMS-backed key wrapping, managed backup retention) are in active rollout and will be live before any Customer-facing production traffic. Until then, closed-beta participants run on isolated developer environments.
8. Cookies
We use only essential cookies (login session, UI preferences). We do not set analytics or advertising cookies during closed beta. If that changes, the change will be announced in advance and the cookie notice will gate non-essential cookies behind explicit consent.
9. Children
The service is not directed at children. We do not knowingly collect personal data from anyone under 16 (under 13 in the United States, consistent with COPPA). If you believe a child has submitted data, contact privacy@metrux.ai and we will delete it.
10. Changes
Material changes are announced to Customers at least 30 days in advance. We maintain version history.
11. Contact
Privacy questions: privacy@metrux.ai.
Security disclosures: security@metrux.ai.
Legal: legal@metrux.ai.