Privacy Policy

1. Introduction

Welcome to Promptster, a product of VKRA Inc ("VKRA," "we," "us," or "our"). Promptster is a B2B technical recruitment platform that captures MCP-powered process telemetry while candidates complete technical assessments using AI-assisted development environments such as Claude Code and Cursor.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at promptster.ai, use our platform, or interact with our services in any capacity. It applies to all users of Promptster, including employer customers ("Customers"), candidates who complete assessments ("Candidates"), and casual visitors to our website ("Visitors").

By accessing or using Promptster, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our practices, please do not use our services.

2. Information We Collect

We collect several categories of information depending on how you interact with Promptster:

2.1 Personal Information

When you create an account, book a demo, or otherwise interact with our platform, we may collect personal information including your name, email address, job title, company name, phone number, and billing information. For Candidates, we collect the information provided by the Customer who invited you to an assessment, which may include your name, email address, and the role you are being evaluated for.

2.2 Usage Data

We automatically collect information about how you access and use our website and platform. This includes your IP address, browser type and version, operating system, referral URLs, pages visited, time spent on pages, click patterns, and device identifiers. We use this data to understand usage patterns and improve our services.

2.3 Telemetry Data from Coding Sessions

This is central to how Promptster works. During technical assessments, our MCP-powered telemetry layer captures process telemetry from the candidate's development environment. This data includes, but is not limited to:

• Prompt strategies — the sequence, structure, and refinement patterns of prompts issued to AI coding assistants during the session.
• Tool usage patterns — which development tools, terminal commands, file operations, and debugging workflows were invoked and in what order.
• Code attribution metrics — data that distinguishes human-authored code from AI-generated code, including edit sequences, acceptance/rejection patterns of AI suggestions, and manual modifications to generated output.
• Session timeline — timestamps, idle periods, context-switching behavior, and overall session duration.
• Orchestration signals — how the candidate decomposes problems, delegates to AI tools, validates outputs, and iterates on solutions.

Candidates are informed before beginning any assessment that telemetry will be captured. Telemetry collection only occurs during active assessment sessions and does not extend to any other use of the candidate's development environment.

2.4 Cookies & Similar Technologies

We use cookies, local storage, and similar tracking technologies to maintain session state, remember your preferences, and collect analytics data. See Section 6 for more detail on cookies and your choices.

3. How We Use Information

We use the information we collect for the following purposes:

• Service delivery — to provide, operate, and maintain the Promptster platform, including generating telemetry reports, attribution analyses, and session replays for Customers evaluating Candidates.
• Analytics & insights — to produce aggregated, anonymized benchmarks and analytics that help Customers understand assessment quality and to improve our signal-to-noise ratio in candidate evaluation.
• Platform improvements — to analyze usage patterns, diagnose technical issues, and develop new features that improve the accuracy and reliability of our telemetry and assessment tools.
• Communication — to send you account notifications, assessment invitations, product updates, and respond to your inquiries. We may also send marketing communications to Customers, which you can opt out of at any time.
• Security & fraud prevention — to detect, investigate, and prevent unauthorized access, abuse, or fraudulent activity on our platform.
• Legal compliance — to comply with applicable laws, regulations, and legal processes.

4. Legal Bases for Processing

If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction that requires a legal basis for processing personal data, we rely on the following bases under the General Data Protection Regulation (GDPR):

• Contract performance — processing is necessary to fulfill our contractual obligations to Customers and to provide the assessment platform to Candidates as invited by their prospective employer.
• Legitimate interest — we process data for analytics, security, fraud prevention, and product improvement where these interests are not overridden by your rights. For telemetry data specifically, our legitimate interest includes enabling Customers to make informed hiring decisions based on objective, process-oriented signals.
• Consent — where required by law, we obtain your consent before processing. Candidates provide informed consent before beginning any telemetry-captured assessment. You may withdraw consent at any time, though this may affect your ability to complete an assessment.
• Legal obligation — we may process your data where necessary to comply with a legal obligation to which VKRA Inc is subject.

5. How We Share Information

We do not sell your personal information. We share data only in the following circumstances:

5.1 With Employers / Customers

Telemetry data, attribution reports, session replays, and assessment results for Candidates are shared with the Customer who initiated the assessment. This is the core purpose of the Promptster platform. Customers receive these insights to evaluate engineering candidates based on process quality rather than output alone.

5.2 Stripe (Payment Processing)

We use Stripe, Inc. as our payment processor. When Customers subscribe to Promptster or make payments, billing information (including payment card details) is transmitted directly to Stripe and processed under Stripe's Privacy Policy. We do not store full credit card numbers on our servers.

5.3 Langfuse (LLM Observability)

We use Langfuse for LLM observability and telemetry pipeline monitoring. Langfuse helps us trace, monitor, and debug the AI interactions captured during assessments to ensure data quality and platform reliability. Data shared with Langfuse includes prompt and response metadata, latency metrics, and trace identifiers. Langfuse processes this data as a sub-processor under our data processing agreements.

5.4 Other Sub-Processors & Service Providers

We may engage additional third-party service providers who assist with hosting, infrastructure, analytics, email delivery, and customer support. These providers are contractually bound to use your data only as necessary to perform services on our behalf and are subject to confidentiality obligations. A current list of sub-processors is available upon request by contacting privacy@promptster.ai.

5.5 Legal & Safety Disclosures

We may disclose your information if required to do so by law, in response to valid legal process (such as a subpoena, court order, or government request), or where we believe disclosure is necessary to protect the rights, property, or safety of VKRA Inc, our users, or the public.

5.6 Business Transfers

If VKRA Inc is involved in a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your personal information becomes subject to a different privacy policy.

6. Cookies & Tracking Technologies

Promptster uses the following categories of cookies and similar technologies:

• Essential cookies — required for the platform to function, including authentication tokens, session identifiers, and CSRF protection. These cannot be disabled.
• Analytics cookies — help us understand how Visitors and Customers use our website. We use these to measure traffic, identify popular features, and improve user experience.
• Preference cookies — remember your settings, such as language or display preferences, across sessions.

You can manage cookie preferences through your browser settings. Most browsers allow you to block or delete cookies, though doing so may impair certain functionality of the platform. We do not currently use third-party advertising cookies.

7. Data Retention

We retain personal information and telemetry data for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law. Specific retention periods include:

• Account data — retained for the duration of the Customer's active subscription, plus up to 90 days after account closure for administrative purposes.
• Assessment telemetry data — retained for 24 months from the date of the assessment, unless the Customer requests earlier deletion or applicable law requires a shorter period.
• Aggregated & anonymized data — may be retained indefinitely, as it cannot be used to identify individuals.
• Billing records — retained as required by applicable tax and financial regulations, typically for a minimum of 7 years.

When data is no longer needed, we securely delete or anonymize it in accordance with our internal data management policies.

8. International Data Transfers

VKRA Inc is headquartered in the United States. If you access Promptster from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. These countries may have data protection laws that differ from the laws of your country of residence.

For transfers of personal data from the EEA, UK, or Switzerland to countries not deemed adequate by the European Commission, we rely on appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission, and we conduct transfer impact assessments where required. You may request a copy of the relevant safeguards by contacting us at privacy@promptster.ai.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

9.1 Rights Under GDPR (EEA & UK Residents)

• Right of access — you may request a copy of the personal data we hold about you.
• Right to rectification — you may request that we correct inaccurate or incomplete personal data.
• Right to erasure ("right to be forgotten") — you may request deletion of your personal data, subject to certain legal exceptions (for example, where we are required to retain data for compliance purposes).
• Right to restriction of processing — you may request that we limit how we process your data in certain circumstances.
• Right to data portability — you may request a machine-readable copy of the personal data you provided to us.
• Right to object — you may object to processing based on legitimate interests, including direct marketing.
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

9.2 Rights Under CCPA (California Residents)

• Right to know — you may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources from which it was collected, the business purposes for collection, and the categories of third parties with whom it has been shared.
• Right to delete — you may request deletion of your personal information, subject to certain exceptions.
• Right to opt-out of sale — VKRA Inc does not sell personal information. However, if this practice changes, we will provide a "Do Not Sell My Personal Information" mechanism.
• Right to non-discrimination — we will not discriminate against you for exercising any of your CCPA rights.

To exercise any of these rights, please contact us at privacy@promptster.ai. We will respond to verified requests within the timeframes required by applicable law (typically 30 days for GDPR, 45 days for CCPA). We may need to verify your identity before processing your request.

10. Children's Privacy

Promptster is a B2B platform designed for professional use in technical recruitment. Our services are not directed at individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that information promptly. If you believe that a child under 16 has provided us with personal data, please contact us at privacy@promptster.ai.

11. Security

We implement and maintain reasonable administrative, technical, and physical security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS) and at rest, access controls and authentication requirements, regular security assessments, and incident response procedures.

Telemetry data captured during assessments is encrypted end-to-end and access is restricted to authorized personnel at VKRA Inc and the Customer who initiated the assessment. However, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately at privacy@promptster.ai.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page and, where required by law, provide you with additional notice (such as a banner on our website or an email notification).

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of Promptster after any changes to this policy constitutes your acceptance of the updated terms.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

If you are located in the EEA or UK and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local Data Protection Authority.