Privacy Policy.

IT Custom Solution LLC (“OpsTicket,” “we,” “us”) is the data controller for personal data collected through tryopsticket.com, our candidate assessment product, our recruiter pipeline product, and our hiring APIs.

Our registered mailing address is 420 Lexington Avenue, Suite 1402, POB 1005, New York, NY 10170, USA. For European Economic Area and United Kingdom users, the contact channels in §12 reach our data-protection mailbox; we have not yet appointed an Article 27 representative and will publish that designation here when made.

This policy applies to data we collect from candidates (people practicing scenarios or applying through OpsTicket), recruiters (people on a paid seat reviewing candidates), educators (verified school users), and visitors to our marketing pages. Where the roles diverge, we say so plainly.

From candidates: name, email, optional handle, profile photo if you upload one, track and scenario history, scenario submissions (responses, terminal output, written reasoning, timing), and self-reported preferences (e.g., visa status, time zone).

From recruiters: name, work email, employer, role, billing details processed by Stripe, and your search and shortlist activity inside the pipeline product.

From visitors: IP address, user agent, referrer, and minimal first-party analytics events (page views, button clicks). We do not use third-party advertising trackers.

We do not knowingly collect data from anyone under 13. Education accounts may include students 13+ with institutional consent under FERPA. If you believe a minor has created an account, write to [email protected] and we will delete it.

We process personal data to (a) operate the product: provisioning sessions, scoring submissions against the rubric, generating profiles; (b) communicate with you about account, billing, and security matters; (c) keep the service safe: fraud detection, abuse triage, incident response; and (d) improve the product in aggregate, anonymously.

We do not use candidate data to train third-party AI models. We do not sell personal data. We do not run behavioral advertising. Where we use first-party analytics to understand product usage, we strip direct identifiers before analysis.

When you solve a scenario, we record the input and output of your session: typed responses, commands, written messages, scoring metadata, and timing. This is the core of the product, both for scoring and for the playback experience recruiters use.

Sessions are private by default. A recruiter cannot view a session unless you have either (i) published it to your public profile, or (ii) been matched to a posting and explicitly accepted that recruiter’s access request. You can revoke access at any time from Settings.

Public leaderboards and competitions are opt-in. You do not appear on any public board unless you explicitly opt in and choose a public handle. When you opt in, we publish your chosen handle, your best graded score, and, for timed competitions (the Gauntlet), your finish time. We never publish your legal name, email, or session contents on a public board. You can remove yourself at any time from Settings or your results page, which deletes your leaderboard entries.

Session artifacts you delete from your account are removed from primary storage within 30 days and from encrypted backups within 90 days.

• Contract. Operating your account, running scenarios, billing recruiters.
• Legitimate interests. Product analytics, fraud detection, incident response, defending legal claims.
• Consent. Optional marketing emails; opt-in to use anonymized session data for rubric calibration.
• Legal obligation. Tax records, lawful disclosure requests with valid legal process.

You can withdraw consent at any time. Withdrawal does not affect processing that has already happened.

We share personal data with: (a) subprocessors providing infrastructure, payments, and email, listed at /subprocessors and bound by a DPA; (b) recruiters and recruiter organizations to whom you have explicitly granted access; (c) professional advisors under confidentiality; and (d) acquirers in the event of a corporate transaction (we will give you notice).

We disclose data in response to lawful legal process. We require valid legal authority, we challenge requests that are overbroad or out of jurisdiction, and we publish a transparency note on this page if we receive any compelled-disclosure requests in a given year.

Our current critical subprocessors are: Cloudflare (edge, CDN, WAF), Railway (backend hosting, US-East), Supabase (managed Postgres, auth, storage, US-East), Stripe (recruiter billing), Anthropic (AI scoring, no PII training), SendGrid (transactional email), PostHog (product analytics), Sentry (error monitoring), Crisp (in-app chat), and Google / GitHub (OAuth sign-in only).

We give 30 days’ notice before adding a subprocessor that handles personal data. If you object on reasonable grounds, contact us during the notice period.

The current, complete list is published at tryopsticket.com/subprocessors and is part of this policy by reference.

• Account. Retained while active. Deleted within 30 days of your deletion request.
• Scenario sessions. Retained while account is active or until you delete them, whichever comes first.
• Billing records. Seven years, US tax requirement.
• Security logs. 13 months, then deleted.
• Backups. Encrypted, 90-day rolling. Deletions propagate.

Depending on where you live (GDPR, UK GDPR, CCPA/CPRA, LGPD, and similar regimes), you have rights to access, correct, delete, port, restrict, or object to processing of your personal data, and to lodge a complaint with your supervisory authority.

To exercise a right, email [email protected] from the address on your account. We may verify identity by asking you to confirm specific account details: never a copy of government ID unless legally required. We honor requests within 30 days; complex requests may take up to 45.

We will not retaliate against you for exercising a right. Specifically, candidates exercising deletion rights will not be removed from any recruiter pipeline they were previously matched to before the deletion: the pipeline match becomes inactive, but no records you have already published to a recruiter are clawed back.

We encrypt data in transit (TLS 1.2+) and at rest (AES-256, via Supabase managed Postgres). Row-level security is enforced on every table that holds customer data; role-based access governs both the backend and the database.

Access to production systems is restricted to named engineers, audited, and protected by MFA. Critical patches are applied within 72 hours; high-severity within 7 days. Incidents are escalated within 2 hours of detection. We do not currently hold an SSAE-18 attestation and we do not represent that one is in progress: if procurement requires that level of attestation, we will tell you on the first call.

If you find a vulnerability, please report it to [email protected]. We will respond within two business days and we will not threaten good-faith researchers.

IT Custom Solution LLC is incorporated in the United States. Production infrastructure is hosted on Cloudflare (global edge), Railway (US-East), and Supabase (US-East). Some operational metadata may transit US infrastructure.

Where data moves out of the EEA or UK, we rely on (i) the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914), (ii) the UK International Data Transfer Agreement and Swiss extensions where applicable, and (iii) supplementary measures including encryption in transit and at rest.

We update this policy from time to time. The “effective” date at the top reflects the version currently in force; the “last updated” date reflects any change since. For material changes: meaning a change that expands the categories of data we collect, adds a new processing purpose, or affects your rights: we will send notice to the email on your account at least 30 days before the change takes effect.

Contact. IT Custom Solution LLC, Attn: Legal, 420 Lexington Avenue, Suite 1402, POB 1005, New York, NY 10170, USA. Phone: (646) 671-3399. Email: [email protected]. Data protection inquiries: [email protected].