Privacy Policy

Last updated: 17 May 2026

This policy explains what data MockLabs collects, why, and your rights over it. We've kept it short and concrete on purpose. If anything is unclear, email privacy@mocklabs.ai.

1. Who we are

MockLabs is operated by Sofia Gilardini, a sole trader based in the United Kingdom. For the purposes of UK GDPR, this individual is the data controller.

Contact: privacy@mocklabs.ai

2. What we collect

When you create an account, we collect:

  • Email address — to identify your account and send verification, password reset, and security notifications.
  • Password — stored as an Argon2id hash. We never see or store your plaintext password.
  • Display name and onboarding answers (track, seniority) — to tailor the practice experience.

When you use the service, we record:

  • Your practice sessions — the questions the AI asked, your answers, the AI's evaluation, scores, hints used, and timestamps.
  • Mastery scores derived from your performance, per topic.
  • Aggregate usage events — which features you used and when (e.g. “started training session”, “completed mock interview”). These are tied to your user account.
  • OpenAI usage metrics — the number of tokens each of your interactions consumed, so we can track our cost of serving you. We do not store these for marketing.

Automatically when you visit:

  • Essential cookies for authentication and security (see §7).
  • Anonymous page-view analytics via Vercel Web Analytics. This does not use cookies and does not identify you. It tells us aggregate pageviews and approximate country, derived from your IP at request time and discarded.
  • Your IP address is briefly visible to our servers for rate limiting and abuse prevention. We do not persist it in a log.

We do not collect: payment data (the service is free during this early-access period), location beyond country, browser fingerprints, or any special-category data (health, political opinions, etc.).

3. Why we collect it (lawful bases)

Under Art. 6 UK GDPR, we rely on:

  • Performance of a contract (Art. 6(1)(b)) — to provide the practice service you signed up for. This covers your account data, sessions, mastery scores, and the AI interactions needed to give you feedback.
  • Legitimate interests (Art. 6(1)(f)) — for security (rate limiting, abuse detection), service operation (OpenAI cost tracking), and aggregate, non-identifying analytics. We've assessed that these uses are necessary and proportionate, and don't override your rights.
  • Legal obligation (Art. 6(1)(c)) — to retain limited records where required by law (e.g. tax records once we begin charging).

We do not currently rely on consent as a lawful basis because we don't run marketing analytics or send marketing email. If that changes, we'll ask you first.

4. Who we share it with

MockLabs is a small operation. Your data is processed by a small number of named providers, each under a written contract that requires them to protect it:

  • OpenAI, L.L.C. (USA) — receives the content of your practice sessions (the questions, your answers, the AI's evaluation prompts) so it can generate responses. OpenAI states that API data is not used to train their models and is retained for up to 30 days for abuse monitoring. See OpenAI's Enterprise Privacy page.
  • Resend (USA) — sends our transactional email (verification, password reset, security notifications). Receives your email address and the message content.
  • Vercel (USA) — hosts our frontend. Receives standard HTTP request data and runs Vercel Web Analytics.
  • Railway (USA) — hosts our backend and database. Receives everything you submit to the API.

We do not sell your data, share it with advertisers, or use it to train AI models.

5. International transfers

All four processors above are in the USA. We rely on the UK International Data Transfer Agreement or the EU Standard Contractual Clauses (SCCs) with UK addendum, as published by each provider in their Data Processing Addendum. These contractual safeguards are the mechanism approved by the UK ICO for transfers to countries without an adequacy decision.

6. How long we keep it

  • Account data — for as long as your account is active, plus 30 days after deletion to allow recovery from accidental deletion. After that, all rows are permanently removed.
  • Session and mastery data — same lifecycle as your account.
  • Aggregated, anonymised usage statistics — may be retained indefinitely for product analytics. These cannot be linked back to you.
  • Email verification and password reset tokens — 24 hours and 1 hour respectively, single-use.
  • Server logs containing IP addresses — not persisted; held only in memory for rate-limiting.
  • Inactive accounts — if you don't log in for 24 months, we'll email you a warning and then delete the account 30 days later.

7. Cookies

We use only strictly necessary cookies. Under the Privacy and Electronic Communications Regulations (PECR), these don't require consent:

Cookie                Purpose                                                    Lifetime
mocklabs_site_access  Remembers you've passed the early-access password gate     30 days
mocklabs_access       Holds your authentication token                            15 minutes
mocklabs_refresh      Lets you stay logged in without re-entering your password  7 days
mocklabs_csrf         Protects against cross-site request forgery                15 minutes

We don't use marketing cookies, advertising cookies, or third-party trackers. Vercel Web Analytics is cookieless.

8. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you
  • Correct anything inaccurate (e.g. update your display name in settings)
  • Erase your account and all associated data
  • Restrict or object to specific processing
  • Portability — receive your data in a machine-readable format
  • Withdraw consent at any time, where consent is the lawful basis
  • Complain to the UK Information Commissioner's Office at ico.org.uk if you believe we've mishandled your data

To exercise any of these, email privacy@mocklabs.ai. We'll respond within one calendar month. We may need to verify your identity (typically by emailing a confirmation link to your account address) before acting.

9. Automated decision-making

The AI generates feedback and mastery scores from your answers. These are not decisions with legal or similarly significant effects on you — they're practice feedback. You can ignore them.

10. Changes

If we change this policy materially, we'll email you at least 14 days before the change takes effect. The “last updated” date at the top reflects the current version.