Last updated: 17 June 2026 · Effective date: 17 June 2026
Primary framework: UAE Federal Decree-Law No. 45 of 2021 (PDPL) · Also compliant with: GDPR, UK GDPR, CCPA
Plain English summary: CentricQ is a UAE company. We collect only what we need to run the platform. We don't sell your data. Your answers go to Claude AI for feedback and are stored so you can review them. Your audio is transcribed and then immediately deleted — we don't keep recordings. You can delete your account and all your data at any time by emailing privacy@centricq.com.
Contents
CentricQ ("we", "us", "our") is a company incorporated and operating under the laws of the United Arab Emirates, providing the interview preparation platform accessible at centricq.com ("Platform"). We are the data controller for all personal data collected through the Platform.
Primary Legal Framework: This Privacy Policy is governed by and drafted in compliance with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data and its implementing regulations ("UAE PDPL"), which is the primary data protection law applicable to our operations as a UAE-based entity.
Extraterritorial Compliance: Because we offer the Service to users globally, we also comply with the additional data protection obligations described in Section 12 where required by the law of your jurisdiction, including the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR"), and the California Consumer Privacy Act (Cal. Civil Code § 1798.100 et seq.) ("CCPA").
EU/EEA Representative (GDPR Article 27): As a UAE-based entity offering services to individuals in the EU/EEA, we are required by GDPR Article 27 to maintain a representative in the EU/EEA. Our EU representative can be contacted at: eu-representative@centricq.com. This representative does not constitute establishment in the EU and does not affect the UAE governing law of our commercial terms.
Data Controller Contact: privacy@centricq.com
We collect personal data in the following categories:
(a) Account Registration Data: Full name, email address, and securely hashed password. Phone number is collected optionally.
(b) Profile and Learning Progress Data: Roles selected, chapters accessed, sub-chapters completed, question attempt records, individual question scores, performance ratings, practice streaks, and overall role completion status.
(c) Written Answer Content: The text you type in response to written-format interview questions. Stored in your account to enable review of your answer history and associated AI feedback.
(d) Audio Recordings: When you use the Spoken Answer practice mode, your device microphone captures an audio recording, which is transmitted over an encrypted connection to OpenAI's Whisper API for automated transcription. The audio recording itself is not retained by us or by OpenAI beyond the completion of the transcription API call.
(e) Transcripts and AI Feedback: The text transcript produced from your audio recording, and the AI-generated score, evaluation, and improvement suggestions produced by Anthropic's Claude API in response to your submitted answers. Both are stored in your account.
(f) JD Prep Submitted Content: The job description text you submit via the JD Prep feature. Used only to generate your practice questions and not retained after the generation session completes. Your subsequent answers and AI feedback within the JD Prep session are stored in your account.
(g) Payment Transaction Data: We do not collect, process, or store payment card details. PayPal processes all payments and provides us with a payment confirmation status and a PayPal transaction reference identifier only.
(h) Wallet and Referral Data: Your wallet credit balance, credit transaction history (earnings and redemptions), your unique referral code, the referral outcomes attributed to your code, and the details of any withdrawal requests.
(i) Company Account and Candidate Data: Where a Company Account is used to send an assessment to candidates, we collect and process the candidate's name, email address, their assessment responses, the AI-generated evaluations, and completion status. CentricQ processes this data as a data processor on behalf of the company (the data controller for this data).
(j) Technical and Device Data: IP address, browser type and version, operating system, screen resolution, referring URL, pages visited within the Platform, timestamps of sessions, and application error logs. Collected automatically by server infrastructure and third-party analytics and error monitoring tools.
(k) Support Communications: The content of any emails, messages, or other communications you send to our support or legal teams.
Under the UAE PDPL, we process personal data only where we have a valid legal basis. Our primary legal bases are:
Contractual Necessity: Processing your account registration data, answers, progress data, and subscription information is necessary to perform our contract with you (i.e., to provide the Platform services you have subscribed to).
Legitimate Interests: We process technical and usage data to maintain Platform security, detect and prevent fraud and abuse, improve service quality, and analyse aggregated performance patterns. We have assessed that our legitimate interests in these activities are not overridden by your rights and interests.
Legal Obligation: We retain financial transaction records to comply with UAE VAT obligations (Federal Decree-Law No. 8 of 2017) and applicable financial record-keeping requirements.
Consent: We rely on consent for: (i) sending marketing and promotional communications (you may withdraw consent at any time by clicking "unsubscribe" in any such communication or by emailing privacy@centricq.com); and (ii) capturing audio recordings during Spoken Answer sessions. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
For users in the EU/EEA and UK, we additionally identify the following specific lawful bases under GDPR Article 6:
Article 6(1)(b) — Contract Performance: Processing necessary to deliver the Service under our contract with you, including storing answers, generating AI feedback, and managing subscriptions.
Article 6(1)(f) — Legitimate Interests: Processing of technical data and aggregated analytics for Platform security, fraud prevention, and service improvement. Our Legitimate Interests Assessment is available on request at privacy@centricq.com.
Article 6(1)(c) — Legal Obligation: Retention of financial records to comply with applicable tax and accounting law.
Article 6(1)(a) — Consent: Marketing communications and audio recording for spoken answer practice. You may withdraw consent at any time without affecting the lawfulness of prior processing.
We do not process special category personal data (Article 9 GDPR) as part of our Service. You should not submit sensitive personal data (health, biometric, political, religious, or similar data) through the Platform.
Service Delivery: Authenticate you, save and display your progress and scores, generate AI-powered feedback on your answers, issue Completion Certificates, and process subscription payments.
JD Prep Question Generation: Transmit your submitted job description to Anthropic's Claude API to generate bespoke practice questions. The job description is not retained after generation.
Wallet and Referral Programme: Record referral activity, apply credits to transactions, and process credit withdrawals.
Company Assessment Management: Enable authorised Company Account users to administer assessments and view candidate AI evaluation results.
Service Improvement: Analyse aggregated, anonymised usage patterns — such as commonly answered questions, common error types, and session duration — to improve question quality, AI evaluation accuracy, and Platform design. No identifiable User Content is used for AI model training without a separate, explicit consent.
Transactional Communications: Send payment receipts, subscription expiry reminders, Completion Certificate notifications, and password reset emails. These communications are necessary for Service delivery.
Marketing Communications: Send promotional content, product updates, and offers, only where you have given explicit consent. Every marketing communication includes an easy, one-click unsubscribe mechanism.
Security and Integrity: Monitor for, detect, and prevent unauthorised access, fraud, referral abuse, scraping, and violations of our Terms of Service.
Legal and Regulatory Compliance: Respond to lawful requests from courts, governmental authorities, and regulatory bodies. Exercise and defend legal claims. Comply with applicable UAE laws.
Claude (Anthropic, United States): Your written answers and audio transcripts are transmitted to Anthropic's Claude API for the sole purpose of generating evaluation feedback. Anthropic processes this data as our contracted sub-processor under a Data Processing Agreement. Under Anthropic's current API usage policies, content submitted via the API is not used to train Anthropic's general-purpose models. For full details, see Anthropic's Privacy Policy at anthropic.com/privacy.
Whisper (OpenAI, United States): Audio recordings captured during Spoken Answer sessions are transmitted to OpenAI's Whisper API exclusively for automated speech-to-text transcription. OpenAI does not retain audio data submitted via the API beyond the response to the API call, per OpenAI's API data usage policies. See openai.com/policies/privacy-policy for details.
No Legally Significant Automated Decisions: We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing of your personal data, without human involvement.
Data Minimisation for AI Processing: We transmit to AI Providers only the minimum data necessary for the evaluation function — the answer text or transcript, the relevant question context, and a scoring rubric. We do not transmit your name, email address, or other directly identifying information to AI Providers as part of evaluation requests.
We engage the following third-party processors, each under a data processing agreement providing appropriate contractual data protection safeguards:
Anthropic (United States) — AI answer evaluation via Claude API. DPA in place restricting data use to evaluation. See: anthropic.com/privacy
OpenAI (United States) — Audio transcription via Whisper API. API data not retained for training. See: openai.com/policies/privacy-policy
PayPal (United States / Luxembourg for EU-facing operations) — Payment processing. CentricQ does not transmit personal data to PayPal beyond what is required to complete a transaction. See: paypal.com/privacy
Cloud Infrastructure Provider — Encrypted hosting of the Platform application and database. Subject to a data processing agreement including security, sub-processor, and data location obligations.
Sentry (United States) — Application error monitoring. Error reports and stack traces transmitted to Sentry are sanitised to exclude User Content, answer text, audio, and directly identifying personal data. See: sentry.io/privacy
Microsoft Clarity (United States) — Session analytics for UX improvement, including click maps and scroll heatmaps. Clarity does not capture answer text, audio recordings, or financial information. Session data is aggregated and not used to identify individuals. See: privacy.microsoft.com
We do not sell, rent, or otherwise make personal data available to any third party for their own marketing, advertising, or commercial purposes.
CentricQ is a UAE-based company serving users globally. Accordingly, personal data may be transferred from your country of residence to the UAE and to the United States (where our AI Providers and some infrastructure providers are located).
UAE Data Localisation: The UAE PDPL imposes conditions on transfers of personal data outside the UAE. We transfer data internationally only where the receiving country provides an adequate level of protection, or where appropriate safeguards are in place, including contractual protections.
Transfers from EU/EEA: For transfers of personal data from EU/EEA member states to the UAE and the United States (neither of which has a current EU adequacy decision), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46(2)(c) GDPR (Commission Implementing Decision (EU) 2021/914), incorporated into our data processing agreements with sub-processors.
Transfers from the UK: For transfers of personal data from the United Kingdom, we rely on the UK International Data Transfer Agreement (IDTA) issued by the ICO, or the UK Addendum to the EU SCCs, as appropriate.
Copies of the transfer mechanisms applicable to your data are available on request at privacy@centricq.com.
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law. Our retention periods are:
Account, Profile, and Learning Progress Data: Retained for the duration your account is active. Deleted within 30 days of account closure or verified deletion request.
Written Answer Transcripts and AI Feedback: Retained for the lifetime of your account. Deleted within 30 days of account closure.
Audio Recordings: Not retained. Deleted by CentricQ systems immediately upon receipt of the Whisper API transcription response (typically within seconds).
JD Prep Job Description Content: Not retained. Deleted at the conclusion of the generation session.
JD Prep Session Answers and AI Feedback: Retained for the lifetime of your account. Deleted within 30 days of account closure.
Payment Transaction Records: Retained for 7 years from the date of the transaction, as required by UAE VAT law (Federal Decree-Law No. 8 of 2017) and applicable accounting obligations.
Server Access and Security Logs (IP addresses, session timestamps): Retained for 90 days for fraud detection and security purposes, then automatically deleted.
Marketing Consent Records: Retained for 3 years from the date of consent or the date of last marketing interaction, to demonstrate compliance with applicable law.
Company Account and Candidate Assessment Data: Retained for the duration of the Company Account, plus 30 days after account closure, unless a longer period is required by applicable employment or legal proceedings obligations.
Support Communications: Retained for 2 years from the date of resolution of the relevant matter.
Authentication Token (localStorage): We store a JSON Web Token (JWT) in your browser's localStorage to maintain your authenticated session. This token expires after 30 days and is accessible only by our application. It is not a cookie and is not accessible to third-party scripts.
User Preferences (localStorage): We use localStorage to store non-identifying user interface preferences, such as your selected theme, dismissed notices, and sidebar state. No personal data beyond session authentication is stored in localStorage.
Microsoft Clarity Cookies: Clarity uses first-party cookies and browser APIs to collect session interaction data (clicks, scrolls, mouse movements). This data is used solely to improve the Platform's usability and user interface. Clarity does not capture answer text, audio, payment information, or other sensitive content. You may opt out of Clarity data collection by enabling the "Do Not Track" signal in your browser settings. We honour this signal.
Sentry Session Identifier: Sentry assigns a session identifier to correlate related error events for debugging purposes. This identifier is scoped to your device session and does not track your behaviour across third-party websites.
No Advertising Cookies: We do not use, place, or permit advertising cookies, cross-site tracking pixels, or social media tracking technologies on the Platform. We have no advertising network relationships.
Future Cookies: If we introduce any cookies requiring consent under applicable law (such as the EU ePrivacy Directive), we will implement a cookie consent mechanism before setting any such cookies and provide clear options to accept or decline.
We implement the following technical and organisational security measures in accordance with the requirements of the UAE PDPL and recognised international standards:
— TLS 1.2 or higher encryption for all data transmitted between your browser and our servers.
— bcrypt password hashing with a current-standard cost factor. Passwords are never stored in plaintext.
— Role-based access controls ensuring that access to personal data is restricted to authorised personnel who require it for their job function.
— Database encryption at rest for all stored personal data.
— Segregated error monitoring logs — answer content, transcripts, and direct personal identifiers are explicitly excluded from error reports.
— Periodic security reviews including dependency audits and code review.
Data Breach Notification: In the event of a personal data breach that is reasonably likely to result in material risk to your rights or interests, we will: (i) notify the UAE Data Office in accordance with the UAE PDPL breach notification requirements; and (ii) notify affected users without undue delay where required by applicable law, including within 72 hours where required under the GDPR.
Responsible Disclosure: If you identify a security vulnerability in the Platform, please report it to security@centricq.com. We operate a responsible disclosure programme and commit not to take legal action against researchers who report vulnerabilities in good faith.
To exercise any of the rights below, contact privacy@centricq.com with the subject line "Privacy Rights Request". We will verify your identity before processing your request and respond within 30 days (or 45 days for complex requests, with notification of the extension).
— UAE PDPL Rights (All Users): Under UAE Federal Decree-Law No. 45/2021, you have the right to: (i) be informed of how your personal data is processed; (ii) access a copy of your personal data; (iii) correct inaccurate personal data; (iv) request erasure of personal data where no longer necessary; (v) object to processing for specific purposes; (vi) withdraw consent where processing is consent-based.
— GDPR Rights (EU / EEA Users): In addition to UAE PDPL rights, you have the following GDPR rights: (i) Right of Access (Article 15); (ii) Right to Rectification (Article 16); (iii) Right to Erasure (Article 17); (iv) Right to Restriction of Processing (Article 18); (v) Right to Data Portability (Article 20) — receive your data in a structured, machine-readable format; (vi) Right to Object to processing based on legitimate interests (Article 21); (vii) Rights related to automated decision-making (Article 22) — we do not carry out solely automated decisions with legal effects on you.
— UK GDPR Rights (UK Users): The same GDPR rights listed above apply under the UK GDPR and Data Protection Act 2018.
— CCPA Rights (California Residents): You have the right to: (i) know what personal information we collect, use, disclose, and sell (we do not sell personal information); (ii) request deletion of your personal information, subject to legal exceptions; (iii) opt out of the "sale" or "sharing" of personal information for cross-context behavioural advertising (we do not engage in such activities); (iv) correct inaccurate personal information; (v) limit use of sensitive personal information (we do not process CCPA-defined sensitive personal information beyond what is necessary for the Service); (vi) not be discriminated against for exercising your CCPA rights.
— Withdrawal of Consent: Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
You may request deletion of your account and all associated personal data at any time by: (i) using the account deletion option in your account settings; or (ii) emailing privacy@centricq.com with the subject line "Account Deletion Request" from your registered email address.
Upon a verified deletion request, we will: (a) permanently delete your account profile, learning progress, written answers, transcripts, AI feedback, wallet balance, referral history, and Completion Certificates within 30 days; (b) retain payment transaction records for 7 years as required by UAE VAT and financial record-keeping law; (c) retain anonymised, aggregated analytics data from which you cannot be re-identified — this data has no personal data character and is not subject to deletion obligations.
We will send a confirmation email to your registered address upon completion of the deletion process.
Effect on Certificates: Completion Certificates associated with a deleted account are also deleted. If you wish to retain a record of your completion, we recommend downloading your certificate before requesting account deletion.
The Platform is intended for users aged 16 and above. We do not knowingly collect personal data from individuals under the age of 16.
United States (COPPA): We do not knowingly collect personal data from children under 13 years of age in the United States. If we become aware that a user under 13 has registered, we will immediately delete the account and all associated data.
EU / EEA: Under GDPR Article 8, the minimum age for a child to provide consent to data processing in the context of information society services varies by member state between 13 and 16 years. Where applicable, users below the relevant national minimum age require verifiable parental or guardian consent.
If you are a parent or guardian and believe your child has created an account without appropriate consent, please contact us immediately at privacy@centricq.com and we will delete the account.
We respect browser-level "Do Not Track" (DNT) signals and Global Privacy Control (GPC) signals where we are technically able to do so.
Microsoft Clarity respects DNT signals at the browser level. Enabling DNT will disable Clarity session recording for your browser.
These signals do not affect authentication or core Platform functionality.
CCPA users: The GPC signal, where transmitted, is treated as a valid opt-out of the "sale" or "sharing" of personal information for cross-context behavioural advertising. We do not engage in such activities in any case.
We may update this Privacy Policy from time to time to reflect: changes in applicable law (including UAE PDPL implementing regulations); changes in our data processing activities; changes to the Platform's features; or changes to our AI Provider relationships.
For material changes, we will: (i) notify you by email to your registered address not less than 30 days before the change takes effect; and (ii) post a prominent notice on the Platform.
Your continued use of the Service after the effective date of an updated Policy constitutes your acceptance of the updated terms. If you do not agree with a material change, you may close your account before it takes effect.
If you are not satisfied with our response to a privacy concern, or if you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the relevant supervisory authority for your jurisdiction.
UAE — UAE Data Office: The primary regulatory body for data protection complaints concerning CentricQ as a UAE-based controller. Contact: dataoffice.gov.ae
European Union / EEA: Lodge a complaint with the data protection authority ("DPA") of your country of habitual residence, workplace, or the place of the alleged infringement. A list of EU/EEA DPAs is available at: https://edpb.europa.eu/about-edpb/board/members_en
United Kingdom: Information Commissioner's Office (ICO). Website: ico.org.uk. Helpline: 0303 123 1113.
Australia: Office of the Australian Information Commissioner (OAIC). Website: oaic.gov.au
Canada: Office of the Privacy Commissioner of Canada (OPC). Website: priv.gc.ca
Singapore: Personal Data Protection Commission (PDPC). Website: pdpc.gov.sg
India: Under the Digital Personal Data Protection Act 2023 (DPDPA), data principal rights may be exercised by contacting us at privacy@centricq.com. We will respond in accordance with DPDPA requirements as implementing regulations are published.
All jurisdictions: We encourage you to contact us first at privacy@centricq.com. We commit to responding within 30 days and to resolving concerns in good faith.
Data Controller: CentricQ — centricq.com
Registered jurisdiction: United Arab Emirates
Privacy and data protection enquiries: privacy@centricq.com
Account deletion and data erasure requests: privacy@centricq.com (subject: "Account Deletion Request" or "Erasure Request")
Subject access requests: privacy@centricq.com (subject: "Subject Access Request")
EU/EEA GDPR representative: eu-representative@centricq.com
Security vulnerabilities: security@centricq.com
Company DPA requests: privacy@centricq.com
Response time: We aim to respond to all privacy enquiries within 30 days.
Legal disclaimer
This Privacy Policy has been drafted to reflect UAE PDPL requirements and applicable international data protection obligations. For specific legal advice, contact privacy@centricq.com or visit our Contact page.