Privacy Policy
The assessment records how you work — so this page is unusually specific about what is captured, what never leaves your browser unencrypted, and who can see what.
Last updated: June 10, 2026
1. Who we are
40X (“we”, “us”), operating from the United States (Delaware), runs the service at 40x.ai. For data you give us as an individual account holder, we are the data controller. For assessment data we collect about employees at the direction of their employer, the employer is the controller and we process it on their behalf — that relationship is set out in Part B of the Data Use Agreement.
Privacy contact: hello@40x.ai with “Privacy request” in the subject.
2. What we collect
Account data
Name, email address, sign-in identifiers, role (job seeker, employee, employer admin), organization affiliation and work email where an employer invited you. Sign-in options and the data they share with us: Google (your email), GitHub (basic profile and email — scopes read:user, user:email), email + password, or a one-time email code. If you optionally connect a GitHub portfolio, we additionally read public repository metadata (public_repo).
Assessment recordings
While an assessment is running — and only then — we record:
- Your screen — the entire screen, captured at a low frame rate (5 frames per second). No audio is recorded.
- Your webcam — video only, to confirm you are the person doing the work. No audio is recorded.
- In-page activity — tab and window switches, copy and paste events, fullscreen changes, whether multiple monitors are present, clicks on assessment controls, and per-task timings.
- What you type in the assessment fields — short snippets (up to 600 characters at a time) of your working text. Before any snippet leaves your browser, it is scrubbed locally: email addresses, phone numbers, API keys, and authentication tokens are replaced with [redacted]. A cryptographic hash (SHA-256) of the original text is kept so the record is tamper-evident.
Eye tracking — currently off
The product contains an optional attention-tracking capability (WebGazer). It is disabled. If we ever enable it, we will ask for explicit opt-in consent first, and we would store only a derived “attention on screen” ratio — never raw gaze coordinates and never facial-recognition data.
Scoring artifacts
Our scoring pipeline produces transcripts of your recorded session, derived features, rubric scores, percentiles, and identified skill gaps. Recordings are processed by Google's Gemini models to produce these artifacts (Section 6).
Site analytics
Standard server logs, a small set of product events (such as page views and course views, rate-limited per user), and Google Analytics 4 on the public website. We use no third-party advertising trackers.
3. How we use it
- to run your assessment, score it, and show results to the people entitled to see them (Section 5);
- to verify the work is yours — the recordings and activity log exist to keep results fair and defensible;
- to recommend training based on the gaps the assessment found;
- to calibrate benchmarks in aggregate, using de-identified statistics;
- to operate, debug, and secure the service.
We do not sell personal data, and we do not use it for third-party advertising.
4. Encryption on your device
During an assessment, everything captured — recordings, your typed work, attached files, and the activity log — is encrypted in your browser with AES-256-GCM before it is stored locally. The encryption key is generated on your device and never transmitted. Uploads happen over TLS through short-lived signed URLs; direct access to the storage bucket is denied. If your connection drops, the encrypted local copy lets you resume without losing work; it is purged after a successful submission.
5. Who sees what
- Job seekers: you see your own score, percentile, skill breakdown, and report. Nobody else does, unless you opt in to sharing (for example, a candidate profile for employers).
- Employees invited by an employer: your employer receives your result — your name, work email, score, percentile, and identified skill gaps. You do not see a numeric score yourself. This is enforced server-side and disclosed before you begin the assessment.
- Employers: see results only for people who completed an assessment through their invitation, plus organization and department aggregates. Employers never see raw screen or webcam recordings.
- 40X staff: access on a need-to-know basis to operate the service and review integrity flags.
6. Processors & sharing
We share personal data only with the processors that run the service:
| Provider | Purpose | Location |
|---|---|---|
| Google Firebase / Google Cloud | Authentication, database, file storage, application hosting | United States (us-central1 / nam5) |
| Google Gemini API | Transcribing and scoring assessment recordings | United States |
| Google Analytics 4 | Public-website analytics | United States |
| WebGazer (Brown University CDN) | Eye-tracking script — only loaded if the feature is ever enabled | United States |
We may also disclose data if required by law, to protect the rights and safety of users, or as part of a corporate transaction (with notice).
7. International transfers
The service is hosted in the United States. If you use it from the EU, UK, or Switzerland, your data is transferred to the US under standard contractual clauses with our processors.
8. Retention
- Raw screen and webcam recordings: automatically deleted 30 days after upload.
- Extended raw-telemetry retention: off by default. An employer organization can opt in to retain raw assessment telemetry for a configured window between 1 and 365 days (default 30) for audit purposes; outside that opt-in, only derived data is kept.
- Scores, percentiles, skill gaps, and audit records: kept for the life of the account.
- Account deletion: primary records are removed within 30 days of a verified deletion request; de-identified aggregates may be retained for benchmark integrity.
9. Your rights
You can request access to, correction of, deletion of, or export of your personal data, and you can object to or ask us to restrict certain processing. Email hello@40x.ai with “Privacy request” in the subject from the address on your account; we respond within 30 days.
If you are in the EU or UK, these are your GDPR rights, and you can also complain to your supervisory authority. If you are a California resident, the CCPA/CPRA gives you the rights to know, delete, and correct — and to opt out of sale or sharing, which is moot here: we do not sell or share personal data for cross-context advertising. If you took an assessment at an employer's direction, we may route your request to that employer as the data controller (see the Data Use Agreement).
10. Children
The service is not directed to children and may not be used by anyone under 16. Employer organizations agree to invite only adults.
11. Security
TLS in transit, encryption at rest in Google Cloud, client-side AES-256-GCM for assessment data (Section 4), short-lived signed URLs for uploads and report downloads, server-side enforcement of the visibility rules in Section 5, and audit logging of administrative actions. No system is perfectly secure; report suspected vulnerabilities to hello@40x.ai (subject “Security”).
12. Cookies
We use cookies and similar storage for sign-in sessions and security, and Google Analytics 4 on the public website. We do not use third-party advertising cookies. Note that the assessment also uses your browser's local storage to hold the encrypted recovery copy described in Section 4.
13. Changes
We will post changes here and update the date above; for material changes we will notify you by email or in the product before they take effect.