Effective date: May 8, 2026
Last updated: May 8, 2026
1. Personas covered by this Notice
To make the rest of this Notice easier to read, we use the following terms:
- Customer — the organization that has subscribed to a Neuroscale product. Customers are the controllers (or “businesses” under US state law) of personal information they submit to or generate within the Services about their own personnel and about Candidates.
- User — an individual user authorized by a Customer to administer or use the Services on the Customer’s behalf (e.g., recruiters, hiring managers, administrators).
- Candidate — an individual whose personal information is sourced, imported, processed, ranked, contacted, or otherwise handled within the Services as part of a Customer’s recruiting, sourcing, screening, or workforce activities.
- Visitor — an individual who visits our marketing websites, attends our events, downloads our content, or otherwise interacts with Neuroscale outside of a Customer workspace.
When we process personal information as a controller — for example, information about Visitors, prospective customers, billing contacts, or our own personnel — this Notice governs in full. When we process personal information as a processor / service provider on behalf of a Customer (typically Candidate data and User-generated content within a Customer workspace), the Customer’s privacy notice and our agreement with the Customer govern, and individuals should contact the Customer first.
2. Who we are
NEUROSCALE LLC is a Virginia limited liability company headquartered at 46175 Westlake Dr Ste 300, Sterling, VA 20165. NEUROSCALE LLC operates Arbi and other Neuroscale-branded products.
| |
|---|
| Privacy contact | privacy@neuroscale.ai |
| Postal | NEUROSCALE LLC, 46175 Westlake Dr Ste 300, Sterling, VA 20165 |
- Account & User information — name, business email, business phone, employer, role, authentication identifiers (including SSO identifiers and hashed passwords).
- Customer-provided content — inputs, prompts, files, datasets, job descriptions, and other content that Customers or their Users submit to the Services.
- Candidate / recruiting data (Arbi) — through Customer submissions, resume uploads, profile imports, ATS integrations, and email/calendar connections you authorize: resumes and CVs, cover letters, contact information, employment and education history, skills, certifications, compensation expectations where provided, interview notes, assessment results, and correspondence related to recruiting activities.
- Usage information — actions taken in the Services (features used, requests made, pages viewed), preferences, configuration.
- Device and log information — IP address, browser type and version, operating system, device identifiers, referring/exit URLs, timestamps, diagnostic logs, and approximate (city / region) location derived from IP address — not precise GPS location.
- Communications — emails, support tickets, sales inquiries, survey responses, and recordings of meetings or webinars where you have been notified and any required consent obtained.
- Marketing information — preferences, event attendance, content downloads, and engagement with our marketing emails.
- Payment and billing information — for paying Customers, billing-contact details and limited transaction metadata. Payment-card data is processed by our payment processor and is not stored by Neuroscale.
- Information from third parties — limited information from business-contact data providers, identity providers (for SSO), social platforms (where you choose to engage), and our Customers (where you act on their behalf).
We do not knowingly collect personal information from children under 16. See Children’s privacy below.
4. Sources
We collect personal information from the following sources:
- Directly from you — when you create an account, contact us, attend an event, or use the Services.
- From our Customers — when a Customer grants you access to their workspace, imports your information into Arbi, or otherwise authorizes you to use the Services on their behalf.
- Automatically — through cookies, server logs, SDKs, and similar technologies as described in our Cookie Notice.
- From third parties — including identity providers, business-information vendors, ATS and CRM platforms (where you authorize an integration), publicly available sources, marketing partners, and (for Candidate sourcing) public profiles permitted to be processed under applicable law.
We process personal information for the purposes below. Where the GDPR or UK GDPR applies, the legal basis for each purpose is identified in brackets.
| Purpose | Legal basis (EU/UK) |
|---|
| Provide, operate, and maintain the Services (including AI-assisted sourcing, ranking, summarization, drafting, and screening features configured by the Customer) | Performance of a contract; legitimate interests |
| Authenticate users and secure accounts | Performance of a contract; legitimate interests; legal obligation |
| Communicate about the Services (support, transactional notices, security alerts, service changes) | Performance of a contract; legitimate interests |
| Bill Customers and process payments | Performance of a contract; legal obligation |
| Improve, develop, and troubleshoot the Services using aggregated, de-identified, or operational telemetry | Legitimate interests |
| Deidentify Customer Content under Neuroscale’s Deidentification Standard, and use the resulting Deidentified Data to train, fine-tune, evaluate, and improve Neuroscale’s own AI models | Performance of a contract; legitimate interests |
| Marketing and sales communications about Neuroscale products | Legitimate interests; consent where required |
| Personalize content and recommendations | Legitimate interests; consent where required |
| Comply with applicable law, respond to legal process, and enforce our Terms | Legal obligation; legitimate interests |
| Protect the rights, property, and safety of Neuroscale, Customers, and the public — including detecting and preventing fraud, abuse, security threats, and prohibited use | Legitimate interests; legal obligation; vital interests |
| Conduct due diligence and complete corporate transactions | Legitimate interests; legal obligation |
- With the Customer. Information submitted in connection with a Customer’s recruiting or workforce activities is available to that Customer’s authorized Users in accordance with the Customer’s internal policies.
- Service providers and sub-processors — third parties that perform services on our behalf, such as cloud hosting, monitoring, analytics, customer support, communications, and payment processing. The current list is published on our Subprocessor List. Sub-processors process personal information on our documented instructions and are bound by written agreements with confidentiality and data-protection obligations.
- Affiliates — entities under common control with Neuroscale, for the purposes described in this Notice.
- Integrations you enable. When a Customer enables an integration (ATS, CRM, calendar, email, identity provider), we exchange data with that third-party service as directed by the Customer.
- Legal, safety, and compliance — to comply with law, respond to lawful requests from public authorities, enforce our Terms, defend against legal claims, or protect against fraud, abuse, or security threats.
- Business transfers — in connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to customary confidentiality obligations and the protections of this Notice.
- With your direction or consent — where you ask us to share or where you have provided consent.
7. We do not sell or share personal information for cross-context behavioral advertising
Neuroscale does not sell personal information and does not share personal information for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act (as amended by the CPRA) and similar state laws. We have not done so in the preceding 12 months.
We do not solicit sensitive personal information (“sensitive PI”) in the ordinary course of providing the Services. Where Customers choose to upload content that contains sensitive PI, that processing is governed by our agreement with the Customer.
In limited cases we may process the following sensitive PI as a controller:
- Account credentials — for authentication purposes only.
- Government identifiers — only where required for billing, tax, sanctions screening, or know-your-customer obligations.
We do not use or disclose sensitive PI for purposes other than those permitted by the CCPA (Cal. Civ. Code §1798.121) and analogous state laws — including providing the Services, security, fraud prevention, and complying with law. You are not required to opt in to any further use of your sensitive PI.
9. AI features, automated decision-making, and AEDT disclosures
The Services include features that use machine learning and other automated techniques to parse documents, extract structured fields, compare profiles to role requirements, generate summaries or scores, suggest outreach, and recommend prioritization within recruiting workflows (“AI Outputs”). The specific models, prompts, and thresholds applied depend on the Customer’s product configuration.
Human oversight is required. Neuroscale designs the Services to support human oversight. AI Outputs are intended to assist — not replace — recruiter and hiring-manager judgment. AI Outputs are not, and must not be used as, the sole basis for hiring, employment, promotion, compensation, or similar decisions. Customers are responsible for ensuring that their use of AI Outputs complies with employment, anti-discrimination, and data-protection laws applicable to them.
Automated employment decision tools (AEDTs). Where applicable law regulates the use of automated tools in employment decisions — including, without limitation, NYC Local Law 144 of 2021, the Illinois AI Video Interview Act, Illinois HB 3773 (effective Jan 1, 2026; amends 775 ILCS 5/2-103.1), Maryland HB 1202, the Colorado AI Act (C.R.S. §§6-1-1701 et seq., effective Feb 1, 2026), the Texas Responsible AI Governance Act, the Utah AI Policy Act, and the California Automated Decision-Making Technology regulations under the CPRA — Customers are responsible for deployer-side obligations: (i) candidate notice and any required consent; (ii) candidate-side opt-out and alternative selection processes; and (iii) applicable record-keeping. Neuroscale, as the developer of the AI features, performs developer-side obligations, including the Employment-AI Bias-Audit and Disparate-Impact Testing Procedure (independent-auditor sign-off, 4/5ths-rule disparate-impact testing per the Uniform Guidelines on Employee Selection Procedures, subgroup performance parity), the public bias-audit summary required by NYC LL 144 §20-871(b)(2), the public statement required by C.R.S. §6-1-1703(1)(a), and the algorithmic-discrimination disclosure to the Colorado Attorney General required by C.R.S. §6-1-1703(7). Bias-audit summaries and per-model training-data documentation are published at the AI Training-Data Transparency Notice.
Generative AI training-data transparency (California AB 2013). Where Neuroscale trains, fine-tunes, evaluates, or improves its own generative AI models, a public summary of the training-data sources, time period, data categories, deidentification method, and bias-audit result is published at the AI Training-Data Transparency Notice per Cal. Civ. Code §22610.
FCRA non-CRA disclaimer. Neuroscale does not act as a “consumer reporting agency” within the meaning of the Fair Credit Reporting Act (15 U.S.C. §§1681 et seq.) and does not furnish “consumer reports” to third parties. AI Outputs that score, rank, or qualify Candidates are provided to the Customer for human-review-supported decision-making and are not consumer reports. Customers using AI Outputs in adverse-action contexts are responsible for FCRA-compliant adverse-action notices where applicable to their separate background-check workflows.
Not a data broker. Neuroscale is not a data broker under California (Cal. Civ. Code §§1798.99.80 et seq.), Texas (Tex. Bus. & Com. Code Ch. 509), Vermont (Vt. Stat. Ann. Tit. 6 §4727), Oregon (Or. Rev. Stat. §646A.600 et seq.), or analogous state laws. Neither Customer Content nor Deidentified Data derived from it is sold, shared, or licensed to third parties for the third party’s commercial use; the Deidentified Data is retained solely for Neuroscale’s own model training and improvement per Section 7 of the Terms of Service.
EU and UK candidates — GDPR / UK GDPR posture. Where Customer Content includes the Personal Data of EU or UK candidates, the Customer is the controller and Neuroscale acts as processor under GDPR Art. 28 / UK GDPR Art. 28 on the Customer’s documented instructions. The Customer is responsible for the indirect-collection notice required by GDPR Art. 14, the sole-automated-decision rights and safeguards required by Art. 22, the data-protection impact assessment required by Art. 35 (which Neuroscale supports with developer-side technical inputs per the Employment-AI Bias-Audit and Disparate-Impact Testing Procedure and the Reidentification Audit Procedure), and the lawful-basis analysis under Arts. 6 and 9 (including special-category data, which is removed at Stage 4 of the Deidentification Standard before training). Neuroscale, as a Provider of high-risk AI under EU AI Act Annex III(4), performs the developer-side obligations of Arts. 9–17 of the EU AI Act before any feature is placed on the EU market.
Profile of AI features. We work to provide transparency into how AI features function at a high level. We do not guarantee that AI Outputs are complete, current, or error-free. Where applicable law grants individuals rights related solely to automated decision-making producing legal or similarly significant effects, we will support Customers in responding to such requests, and we will comply with our direct obligations to the extent required.
Candidate questions. Candidates with questions about a specific automated assessment, ranking, or hiring decision should contact the organization (the Customer) that is using the Services to recruit for the relevant role. Neuroscale will assist verified Customers in responding.
10. International data transfers
Neuroscale is headquartered in the United States, and personal information we process is generally transferred to and stored in the United States. Where we transfer personal information from the European Economic Area, the United Kingdom, or Switzerland to the United States or another third country, we rely on the following safeguards:
- The EU-U.S. Data Privacy Framework, the UK Extension to the DPF, and the Swiss-U.S. DPF where applicable to the Neuroscale entity or the relevant sub-processor;
- The European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum) incorporated into our Data Processing Addendum; and
- Supplementary measures including encryption in transit and at rest, access controls, and contractual confidentiality obligations.
Customers who deploy the Services across borders remain responsible for ensuring their use of the Services complies with applicable transfer and employment laws, including providing any required notices to or obtaining authorizations from Candidates.
You may request a copy of the safeguards we use for a specific transfer by contacting privacy@neuroscale.ai.
11. Your rights and choices
Depending on where you live, you may have some or all of the rights below. Subject to verification of your identity (and any agent’s authority), we will respond within the timelines required by law — typically 45 days under US state laws (extendable once for an additional 45 days) and one month under the GDPR / UK GDPR (extendable up to two further months for complex requests).
Rights available under the GDPR / UK GDPR
- Right of access
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to restriction of processing
- Right to data portability
- Right to object to processing (including direct marketing)
- Right not to be subject to a decision based solely on automated processing — see Section 9 below for how this applies to AI Outputs and AEDTs
- Right to withdraw consent at any time, where processing is based on consent
- Right to lodge a complaint with your local supervisory authority
Rights available to US state residents
The following rights are available to residents of states with comprehensive privacy laws — currently including California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, Indiana, New Jersey, New Hampshire, Kentucky, Maryland, Minnesota, and Rhode Island. Specific rights and exceptions vary by state.
- Right to know / access — confirm whether we process your personal information and obtain a copy.
- Right to delete — request deletion of personal information we have collected from you.
- Right to correct — request correction of inaccurate personal information.
- Right to portability — receive a copy of your personal information in a portable format.
- Right to opt out of sale, sharing for cross-context behavioral advertising, and certain profiling — Neuroscale does not engage in these activities; this opt-out applies if our practices change.
- Right to limit use of sensitive personal information — see Section 8.
- Right to opt out of automated decision-making and profiling (CO, CA, CT, VA, and others) — where state law grants you the right to opt out of profiling or automated decision-making technology that produces legal or similarly significant effects, you may exercise that right by writing to privacy@neuroscale.ai with the subject line “ADM/Profiling Opt-out.” Note that AI Outputs generated by Neuroscale features for a Customer’s hiring workflow are governed by that Customer’s deployer-side obligations under California ADMT, the Colorado AI Act, NYC Local Law 144, and analogous laws; Candidates with concerns about a specific automated assessment should also contact the hiring Customer directly.
- Right to opt out of Neuroscale model training — independent of subscription tier, any Candidate may request that Neuroscale exclude their personal information from training-related Processing of Customer Content by writing to privacy@neuroscale.ai with the subject line “Training opt-out — Candidate.” Opt-outs apply prospectively from the date Neuroscale acknowledges the request and do not require Neuroscale to retract Deidentified Data already incorporated into training. See the AI Training-Data Transparency Notice for further detail.
- Right to non-discrimination — we will not discriminate against you for exercising your rights.
- Right to appeal (CO, VA, CT, and others) — if we decline a request in whole or in part, you may appeal by replying to our response or by emailing privacy@neuroscale.ai with the subject line “Privacy Rights Appeal.”
Universal opt-out signals. Neuroscale honors the Global Privacy Control (GPC) signal on its public-facing websites and treats a GPC signal from your browser as a request to opt out of “sale,” “sharing,” and (where state law so provides) targeted-advertising and certain profiling, to the extent feasible for Neuroscale’s processing as a business or controller. Because Neuroscale does not engage in sale or share of Personal Information for cross-context behavioral advertising, a GPC signal will primarily affect optional analytics on the Neuroscale marketing site and any state-law-mandated opt-outs.
Marketing emails
You may opt out of marketing emails at any time by clicking “unsubscribe” in any marketing message or by contacting privacy@neuroscale.ai. We will continue to send you transactional, security, and service-related communications.
If you are a Candidate whose data was uploaded to or processed by the Services as part of a Customer’s recruiting activities, the Customer is the controller of that data and is the appropriate first point of contact for access, correction, deletion, and similar requests. If you do not know which organization to contact, email privacy@neuroscale.ai with the role or company you applied to and we will route your request.
How to exercise your rights
- Email privacy@neuroscale.ai with a description of your request and the personal information you want us to act on; or
- Use the in-product privacy controls (where available) in your Neuroscale account.
You may use an authorized agent to submit a request on your behalf, subject to verification. We will not charge a fee for most requests; for repetitive or excessive requests, we may charge a reasonable fee or decline as permitted by law.
If we process your personal information on behalf of a Customer (as a processor / service provider), please direct your request to that Customer; we will assist them as required by our agreement.
Canada (PIPEDA)
If you are a resident of Canada, you have rights of access and correction under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws. You may also lodge a complaint with the Office of the Privacy Commissioner of Canada.
12. Retention
We retain personal information only as long as necessary to fulfill the purposes for which it was collected, including to provide the Services, comply with legal and accounting obligations, resolve disputes, and enforce our agreements. Specific retention periods are documented in our internal Records Retention Schedule and reflect:
- The nature and sensitivity of the information;
- Contractual commitments to Customers;
- Legal, tax, and regulatory retention requirements; and
- The purposes for which we process the information and whether those purposes can be achieved through other means.
Customer-controlled data. Customer Content and Candidate data are generally retained according to the Customer’s subscription term, account settings, and instructions, including deletion or export requests submitted through the Services or to support. Where a Customer instructs deletion, residual copies may persist for a limited period in encrypted backups before being rotated out in accordance with our backup-retention schedule.
De-identified data. Where we anonymize or aggregate data such that it can no longer reasonably be linked to an individual, we may retain it without limitation.
13. Security
We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These measures include encryption of data in transit and at rest, role-based access controls, multi-factor authentication, logging and monitoring, vulnerability management, vendor due diligence, and personnel training. The current status of our independent third-party assessments (including the SOC 2 Type I observation and the SOC 2 Type II audit window) and our ISO/IEC 27001:2022 alignment is published in our Trust Center.
Customers are responsible for configuring access permissions for their Users, safeguarding credentials, and using integrations in line with their own security policies.
No method of transmission or storage is 100% secure. If we become aware of a personal data breach affecting your information, we will notify affected individuals and authorities as required by law and our agreements with Customers.
14. Cookies and similar technologies
We and our service providers use cookies, pixels, SDKs, and similar technologies on our websites and in the Services. See our Cookie Notice for details and your choices, including how we honor browser-based opt-out signals such as Global Privacy Control (GPC) where required.
15. Children’s privacy
The Services are not directed to children under the age of 16, and we do not knowingly collect personal information from children under 16. The Services are intended for business-to-business use in professional recruiting and workforce contexts. If you believe a child has provided us with personal information, contact privacy@neuroscale.ai and we will take appropriate steps to delete it. Customers should not use the Services to process children’s personal information except where permitted by law and with appropriate safeguards.
16. California-specific notices
This section provides additional disclosures required by the California Consumer Privacy Act, as amended by the CPRA, the California Online Privacy Protection Act (CalOPPA), and other California laws.
Notice at Collection
We collect the following CCPA categories of personal information for the business and commercial purposes described in Section 5:
| CCPA category | Collected |
|---|
| Identifiers (e.g., name, email, IP) | Yes |
| Customer records (Cal. Civ. §1798.80(e)) | Yes |
| Characteristics of protected classifications | No |
| Commercial information (transactions, services purchased) | Yes |
| Biometric information | No |
| Internet/network activity (browsing, interactions) | Yes |
| Geolocation data (general; not precise) | Yes |
| Audio, electronic, visual information (e.g., support recordings) | Limited |
| Professional or employment information | Yes |
| Education information | Yes (for Candidate data, where provided) |
| Inferences drawn from the above | Limited |
| Sensitive personal information | Limited (see Section 8) |
Categories disclosed for a business purpose (last 12 months)
We disclosed each of the categories above to the sub-processors and recipients listed in Section 6 and on our Subprocessor List, for the business purposes set out in Section 5.
Categories sold or shared (last 12 months)
None. Neuroscale has not sold personal information and has not shared personal information for cross-context behavioral advertising in the preceding 12 months.
Financial incentives
Neuroscale does not offer financial incentives or price/service differences in exchange for personal information.
Shine the Light (Cal. Civ. §1798.83)
California residents may request information about our disclosures (if any) of personal information to third parties for those parties’ direct marketing purposes. To make a Shine the Light request, email privacy@neuroscale.ai with the subject line “Shine the Light.”
CalOPPA — Do Not Track
Our websites do not respond to “Do Not Track” signals at this time, but we honor Global Privacy Control (GPC) for purposes of opt-out preference signals where required. See our Cookie Notice.
California job applicants & personnel
If you are a California applicant for employment with Neuroscale, an employee, director, officer, contractor, or consultant of Neuroscale, please refer to our separate California Applicant & Personnel Privacy Notice, which describes our processing of applicant, personnel, and contractor information.
17. Changes to this Notice
We may update this Notice from time to time. The “Last updated” date at the top of this page reflects the most recent revision. If we make material changes, we will notify Customers and, where appropriate, individuals — by email (where we have your address) or by prominent notice in the Services — before the change becomes effective.
