Privacy Policy

Last Updated: March 4, 2026

What We Do

Hexcelerate is an AI interviewing platform that provides live conversational face-to-face avatars, operated by Haumana Exchange LLC, a limited liability company organized under the laws of the State of Hawai'i. By using our platform, you agree to this Privacy Policy. This policy describes how we collect, use, share, and protect your personal information in compliance with applicable federal and state laws, including the Family Educational Rights and Privacy Act (FERPA, 20 U.S.C. § 1232g; 34 CFR Part 99) and the Hawai'i Revised Statutes Chapter 487N (Personal Information Protection Act).

What Information Do We Collect?

Information You Provide to Us:

  • Account Information. To create an account, we collect your name and email address.
  • Audio/Video Interview Recordings. We collect and store recordings of your interviews, which may include your voice, image, and shared information. These are used to analyze your responses and provide feedback. See "AI Model Training" below for how recordings may be used for service improvement.

Information We Collect Automatically:

  • Usage Data. We may automatically collect information about how you use the Services, including content interactions, features used, actions taken, device and browser details, location, access times, IP address, and similar data.
  • Device Information. This includes the name of the device, operating system, and browser you are using. The information collected may depend on the type of device you use and its settings.

Information We Collect From Third Parties:

  • Third-Party Authentication. If you sign up for or log in to our Services using one of our sign-on providers (e.g., Google, Firebase), we collect authentication information provided to us by the provider to allow you to log in.

Data Classification:

We classify data we process in accordance with institutional data governance standards, including those set forth in the University of Hawai'i Executive Policy EP 2.214 (Institutional Data Classification Categories and Minimum Security Standards). The categories of data we may handle include:

  • Public Data: Information you choose to make publicly available.
  • Restricted Data: Internal usage and platform interaction data not intended for public disclosure.
  • Sensitive Data: Student education records (protected under FERPA), interview recordings, and performance evaluations.
  • Regulated Data: Any personal information as defined under HRS § 487N, including Social Security numbers, government-issued identification numbers, or financial account numbers if provided during use of the platform. We strongly discourage users from sharing regulated data during interviews.

How We Use Your Information

Core Services:

  • Provide live conversational face-to-face avatar interviews for interview practice and screening
  • Deliver performance feedback and improvement suggestions

AI Model Training:

For individual (non-institutional) users, we may use anonymized interview recordings and data to train and improve our AI models. Personal identifiers are removed before use in training.

Important: For users accessing the platform through an educational institution, interview recordings and education records will NOT be used for AI model training or any purpose beyond the stated educational purpose, unless the institution has provided explicit written authorization. This restriction applies in accordance with FERPA (34 CFR § 99.33(a)) and University of Hawai'i Executive Policy EP 2.215 (Institutional Data Governance), which requires that institutional data be used solely for the purpose for which access was granted.

Video/Audio Analysis:

Your interview recordings are analyzed for:

  • Speech patterns and communication skills
  • Performance feedback and improvement suggestions

Your interview recordings are never shared with other employers, partners, or any third parties. Recordings are used solely to provide you with performance feedback.

Purpose Limitation:

We process your data only for the purposes described in this policy. When we act on behalf of an educational institution, we use data solely for the educational purpose specified in our agreement with that institution, consistent with EP 2.215 and FERPA requirements.

How We Share Your Information

We do not share your personal information, interview recordings, or performance data with other employers, hiring companies, or any third-party partners. Hexcelerate is strictly an AI interviewing platform that provides live conversational face-to-face avatars, used by both workforce and employers for interview practice and screening. We do not share any candidate information with other employers or partners.

We may share limited data only in the following circumstances:

  • With Your Employer or Institution (Screening Only): If an employer or educational institution has invited you to complete an interview on Hexcelerate as part of their own screening process, your interview results for that specific session are shared with the organization that invited you. This is limited to the inviting organization only and does not extend to any other employers or parties.
  • With Educational Partners: If you're accessing through a university, we may share progress and performance data with authorized institutional representatives (e.g., academic advisors, program coordinators) as designated by your institution. Such sharing is governed by a Data Processing Agreement and FERPA.
  • Legal Requirements: We may disclose information when required by law, court order, or governmental regulation, or to protect the rights, property, or safety of our platform and users.

Third-Party Service Providers (Subprocessors):

We use the following third-party service providers to deliver our Services. Each provider processes data only as necessary to perform their designated function:

  • Google Cloud / Firebase — Authentication, cloud database (Firestore), and file storage (Firebase Storage). Data is encrypted at rest and in transit.
  • Deepgram — Real-time audio transcription of interview sessions. Audio data is processed in real-time and is not retained by Deepgram after transcription.
  • HeyGen — AI avatar generation for interactive interview experiences. Video interaction data is processed to render avatar responses.
  • Stripe — Payment processing for subscription and premium features. Hexcelerate does not store complete payment card information; all payment data is handled by Stripe in accordance with PCI DSS standards.
  • SendGrid (Twilio) — Transactional email delivery for interview invitations and account notifications.
  • Google Dialogflow — Conversational AI engine powering interview bot interactions.
  • OpenAI / Google Gemini — AI language models used for interview scoring and feedback generation.

We require each subprocessor to maintain appropriate security measures and to process personal data only for the purposes we specify. For institutional accounts, subprocessor data handling is governed by our Data Processing Agreement with the institution.

Your Data Rights

You have the right to:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete personal information
  • Deletion: Request deletion of your account and associated personal data
  • Data Portability: Request your data in a structured, commonly used format
  • Withdraw Consent: Withdraw consent for specific data processing activities at any time

For students accessing through an educational institution: Under FERPA (34 CFR § 99.10), you have the right to inspect and review your education records. To exercise this right, contact your institution's designated records officer. You may also contact us directly and we will coordinate with your institution.

Contact us at lionel@hexcelerate.app to exercise any of these rights. We will respond within 30 days of receiving your request.

Data Security

Security Measures:

We implement security measures consistent with the minimum standards required by the University of Hawai'i Executive Policy EP 2.214 for the applicable data classification level, including:

  • Encryption: All data is encrypted in transit (TLS 1.2+) and at rest using AES-256 encryption via Google Cloud infrastructure
  • Authentication: Secure user authentication through Firebase Authentication with support for multi-factor authentication (MFA)
  • Access Controls: Role-based access controls (RBAC) limiting data access to authorized personnel based on the principle of least privilege
  • Audit Logging: Access to sensitive data is logged for security monitoring and compliance purposes
  • Secure Development: We follow secure development practices including code review, dependency scanning, and regular security assessments

Incident Response:

In the event of a data breach or suspected unauthorized access to personal information:

  • We will notify affected individuals without unreasonable delay, consistent with HRS § 487N-2
  • If the breach affects 1,000 or more individuals, we will notify the Hawai'i Office of Consumer Protection as required by HRS § 487N-2(f)
  • For institutional accounts, we will immediately notify the institution's designated security contact and cooperate with their incident response procedures
  • For University of Hawai'i data, incidents will be reported through the UH incident reporting channels as required by EP 2.214

Data Retention

  • Active accounts: Data is retained while your account is active and for the duration necessary to provide the Services
  • Deleted accounts: Personal data is deleted within 90 days of account deletion. Upon deletion, all personally identifiable data including interview recordings, profile information, and performance data is permanently removed from our systems
  • Institutional accounts: Data retention periods for users accessing through educational institutions are governed by the Data Processing Agreement with that institution and applicable FERPA requirements
  • AI training data: For non-institutional users only, anonymized and de-identified data may be retained for model improvement. Institutional user data is never retained for AI training without explicit written authorization
  • Legal obligations: We may retain certain data as required by law, including for tax, legal reporting, or audit purposes

Educational Users (FERPA Compliance)

When Hexcelerate is used by or on behalf of an educational institution, we recognize that interview recordings, performance data, and other student information may constitute "education records" under FERPA (20 U.S.C. § 1232g). We commit to the following:

School Official Designation:

  • Hexcelerate operates as a "school official" with "legitimate educational interest" as defined under 34 CFR § 99.31(a)(1)(i)(B) when providing services under a contract with an educational institution
  • We are under the direct control of the institution with respect to the use and maintenance of education records
  • Our access to education records is limited to the educational purpose(s) specified in our agreement with the institution

Data Processing Agreements:

  • We execute a Data Processing Agreement (DPA) with each educational institution before processing student education records
  • DPAs specify the permitted uses, security requirements, data retention periods, and breach notification procedures
  • The institution maintains control over what data is shared and how it may be used

No Re-Disclosure:

  • We will not disclose education records or personally identifiable information from education records to any third party without prior written consent from the institution, as required by 34 CFR § 99.33(a)
  • Student data from institutional accounts will not be shared with any third party, including employers, unless the institution has provided explicit written authorization

Student Rights Under FERPA:

  • Students have the right to inspect and review their education records (34 CFR § 99.10)
  • Students have the right to request amendment of education records they believe are inaccurate (34 CFR § 99.20)
  • Students have the right to consent to disclosure of personally identifiable information from their education records (34 CFR § 99.30)
  • Students have the right to file a complaint with the U.S. Department of Education concerning alleged FERPA violations (34 CFR § 99.63)

No AI Training on Education Records:

Interview recordings and data collected through institutional accounts are not used for AI model training, product improvement, or any purpose beyond the educational services specified in the Data Processing Agreement, unless the institution has provided explicit written authorization. This is consistent with FERPA's prohibition on using education records for purposes beyond those for which consent was obtained.

University of Hawai'i Data Governance Compliance

When providing services to the University of Hawai'i (UH) system, we adhere to the following UH policies:

EP 2.214 — Data Classification and Minimum Security Standards:

  • We classify and protect UH data according to the four-tier classification system: Public, Restricted, Sensitive, and Regulated
  • Student interview recordings and performance data are treated as Sensitive data at minimum, with Regulated classification applied when personally identifiable information under HRS § 487N is present
  • We implement the minimum security standards required for each data classification level, including encryption, access controls, and audit logging

EP 2.215 — Institutional Data Governance:

  • We acknowledge that all UH data remains the property of the University of Hawai'i, regardless of where it is processed or stored
  • UH data is used exclusively for the purposes specified in our agreement with UH and will not be repurposed, sold, or used for targeted advertising
  • We support UH's right to audit our data handling practices and will cooperate with Data Governance Process reviews as required
  • Data access is granted based on the principle of least privilege, with access limited to personnel who require it to perform their designated functions

AP 2.215 — Mandatory Training:

We support compliance with UH mandatory data privacy and security training requirements. Hexcelerate personnel who access UH data complete security awareness training consistent with AP 2.215 standards, including topics on data protection, password management, phishing awareness, and incident reporting.

Hawai'i Personal Information Protection (HRS Chapter 487N)

Under the Hawai'i Revised Statutes Chapter 487N, we recognize our obligations regarding "personal information," which includes an individual's first name or initial and last name combined with any of the following (when not encrypted):

  • Social Security number
  • Driver's license or Hawai'i state ID number
  • Financial account number, credit/debit card number with any required security code, access code, or password

We strongly discourage users from disclosing any of the above information during interviews or on the platform. If such information is inadvertently captured, we treat it as Regulated data with the highest level of protection.

In the event of a security breach involving personal information as defined by HRS § 487N, we will:

  • Notify affected individuals without unreasonable delay
  • Provide notification to the Hawai'i Office of Consumer Protection when required
  • Cooperate with law enforcement as appropriate

Important Notes

  • Biometric Data: Your video/audio recordings may contain biometric information (voice patterns, facial features), which we process for interview analysis. In jurisdictions with biometric privacy laws, additional protections may apply and you may have enhanced rights regarding biometric data retention and deletion.
  • Required Data: You must provide an email address to use our platform. Your email and personal information are never shared with other employers or third parties.
  • No Targeted Advertising: We do not use your personal data for targeted advertising. We do not sell your personal information to third parties.

Updates

We may update this policy and will notify you of material changes via email or platform notice. For institutional accounts, we will provide at least 30 days' notice of material changes to allow institutions to review and assess the impact on their data governance obligations.

Regulatory References

  • Family Educational Rights and Privacy Act (FERPA): 20 U.S.C. § 1232g; 34 CFR Part 99
  • Hawai'i Personal Information Protection Act: HRS Chapter 487N
  • UH EP 2.214: Institutional Data Classification Categories and Minimum Security Standards
  • UH EP 2.215: Institutional Data Governance
  • UH AP 2.215: Mandatory Training on Data Privacy and Security

Contact Us

For questions about this Privacy Policy, data rights requests, or to report a data security concern:

Haumana Exchange LLC (d/b/a Hexcelerate)
Email: lionel@hexcelerate.app

For institutional inquiries or Data Processing Agreement requests, please contact us at the email above with "Institutional Data Governance" in the subject line.

By using Hexcelerate, you acknowledge that your data will be used as described above. For users accessing through an educational institution, data use is further governed by the Data Processing Agreement between Hexcelerate and your institution, and is subject to FERPA and applicable institutional data governance policies.