Why we delete voice recordings after 90 days: Voice audio files are large and are primarily used for real-time coaching and short-term quality improvement. After 90 days, the transcripts (which we retain longer) serve the purpose of maintaining conversation history without the storage burden of audio files.

 

Inactive Account Data Retention

If you stop using Goldi, we begin a data retention countdown:

 

• After 12 months of inactivity: Your conversation transcripts and learning progress data are automatically deleted

• After 24 months of inactivity: Your account may be archived or deleted

• Exception: If you have an active subscription or ongoing institutional enrollment, your account remains active

 

What counts as activity: Logging in, having a conversation with Goldi, accessing course materials, or updating your profile.

 

Educational Institution User Data Retention

If you access Goldi through an educational institution or partner organization:

 

• Conversation transcripts: Retained for the duration of your enrollment/program participation plus 12 months

• Learning progress data: Retained for the duration of your enrollment/program participation plus 12 months

• Purpose: Allows instructors to access conversations for grading and assessment, supports program evaluation, enables you to return to your history if you re-enroll

 

Your educational institution may have additional data retention requirements under their own policies. Please consult with your institution regarding their practices.

 

Extended Retention for Legal and Business Purposes

Notwithstanding the foregoing retention periods, we will maintain your data only for as long as necessary for the purposes designated in this Privacy Policy. We will retain and use your Personal Data to the extent necessary to:

 

• Comply with legal obligations: If required to retain your data to comply with applicable laws, regulations, or legal processes

• Resolve disputes: Maintain records necessary to resolve disagreements or enforce our agreements

• Enforce our policies: Retain information needed to enforce our Terms of Service and other agreements

• Protect rights and safety: Keep data necessary to protect the rights, property, or safety of Climb Together, our users, or others

 

Anonymized Data Retention

Anonymized data may be retained indefinitely. We may retain anonymized or aggregated data that cannot reasonably be used to identify you for:

 

• Product improvement and development

• Statistical analysis and research

• Understanding learning outcomes and coaching effectiveness

• Industry benchmarking and reporting

 

What is anonymized data? This includes usage patterns, aggregate statistics, and insights that have been stripped of all personally identifiable information. For example: "Students who complete networking practice sessions have 40% better interview outcomes" - without any connection to specific individuals.

 

Our anonymization process:

 

1. Remove direct identifiers: Name, email, phone, IP address

2. Generalize quasi-identifiers: Zip code → County/Region, Birth date → Age range

3. K-anonymity testing: Ensure each data combination appears at least 5 times

4. Validation: Verify no individual can be singled out

 

Usage Data for Security and Functionality

We will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to:

 

• Strengthen the security of our Services

• Improve the functionality of our Services

• Comply with legal obligations for longer retention periods

 

Your Right to Request Deletion

Regardless of the retention periods above, you can request deletion of your data at any time by contacting privacy@climbtogether.co. We will respond to your request within 30 days, subject to identity verification.

 

Exceptions to deletion requests: We may decline to delete your data if retention is necessary for:

 

• Completing transactions or providing services you requested

• Detecting and preventing security incidents or fraud

• Complying with legal obligations

• Enabling internal uses that reasonably align with your expectations

• Otherwise permitted by applicable law

 

When you request deletion:

 

1. Immediate (within 24 hours):

 

• Account access disabled

• Authentication credentials invalidated

• Active sessions terminated

 

1. Data Removal (within 30 days):

 

• Conversation transcripts permanently deleted from Langfuse

• Account information removed from all systems

• Learning progress data deleted from TalentLMS

• Voice recordings deleted from HumeAI (if within 90-day window)

• Analytics data anonymized or deleted from PostHog

 

1. Backup Purging (within 90 days):

 

• Data removed from encrypted backups

• Cryptographic erasure techniques applied

• Confirmation of complete removal documented

 

Note: Anonymized data derived from your usage may be retained indefinitely for product improvement.

 

 

Secure Data Destruction Procedures

Automated Deletion Systems

• Voice recordings: Automated permanent deletion after 90 days

• Authentication logs: Automated deletion after 90 days via Clerk

• User analytics: Automated deletion after 12 months via PostHog

• Scheduled cleanup jobs run daily to enforce retention limits

 

Manual Deletion Requests

When you request account deletion (see process above), we follow strict destruction procedures:

 

Digital Data Destruction Methods:

 

• Primary Storage: Cryptographic erasure (encryption keys destroyed)

• Database Records: Secure deletion with overwrite

• Backups: Removed during next backup cycle, encrypted backups re-keyed

• Logs: Automated purging after retention period expires

• Cloud Storage: Deletion commands issued to all service providers

 

Verification:

 

• Deletion confirmation from each service provider

• Audit logs of deletion operations maintained for 1 year

• Annual verification that retention limits are being enforced

 

Third-Party Data Destruction

Vendor Contracts Require:

 

• Data deletion within 30 days of contract termination

• Certificate of Destruction or cryptographic erasure confirmation

• Verification that all backups and replicas are deleted

• Failure to comply may result in contract termination and legal action

 

Current Vendor Deletion Commitments:

 

• Clerk: Data deleted per contract termination terms

• HumeAI: Voice recordings deleted after 90 days automatically

• Langfuse: Conversation logs deleted per retention policy

• PostHog: Analytics data deleted after 12 months

• TalentLMS: Course data deleted per contract terms

• Stripe: Payment records retained per PCI-DSS requirements (7 years for tax/audit purposes)

 

 

Data Exports and Access Controls

To protect your information:

 

• Only authorized administrators can export data from our systems

• Goldi doesn't allow users to download personal conversation data directly

• Data extraction requests require admin approval and are logged

• You can request a data export by contacting privacy@climbtogether.co

 

 

Your Rights and Choices

Climb Together endeavors to take reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Data. Whenever made possible, you can update your Personal Data directly within your account settings section or by responding to the opt-out directions in communications sent to you. If you are unable to change your Personal Data, please contact us at privacy@climbtogether.co to make the required changes.

​

Your Privacy Rights

In certain circumstances, you have the right to:

 

1. Right to Access

 

• View all data we have collected about you

• Request detailed explanation of how data is used

• Receive copy of data in accessible format

• Contact: privacy@climbtogether.co

 

2. Right to Correction

 

• Correct inaccurate or incomplete information

• Update profile details on your behalf

• Request updates to learning records

 

3. Right to Deletion ("Right to be Forgotten")

 

• Request deletion of your account and all data

• Exceptions: legal obligations, ongoing transactions, fraud prevention

• Expedited process for minors (48 hours)

• Contact: privacy@climbtogether.co

 

4. Right to Object

 

• Object to certain data processing activities

• Opt out of marketing communications

• Limit how your data is used

 

5. Right to Data Portability

 

• Download copy of your data

• Structured, commonly used format (JSON/CSV)

• Transfer data to another service

 

6. Right to Withdraw Consent

 

• Withdraw consent for data processing at any time

• Delete account to fully withdraw consent

• Does not affect prior lawful processing

 

7. Right to Lodge a Complaint

 

• File complaint with supervisory authority

• EU users: Contact your local Data Protection Authority

• CA users: California Attorney General

 

How to Exercise Your Rights

Email: privacy@climbtogether.co
Response Time: 30 days (may extend for complex requests with notification)
Verification: We may request additional information to verify your identity before responding to requests

​

Identity Verification

To protect your data, we require identity verification before responding to access, correction, or deletion requests:

 

• Confirm email address on file

• Answer security questions

• Provide additional documentation for sensitive requests

 

This prevents unauthorized access or deletion of your account.

 

 

Children's Privacy

Under 13 (COPPA Compliance)

Our services are not designed for children under 13. We do not knowingly collect information from children under 13.

 

Age Verification:

 

• Users must provide birth date at account creation

• Users under 13 are blocked from creating accounts

• Age-appropriate message displayed with parent contact information

 

If We Learn a Child Under 13 Has Provided Data:

 

1. We will delete the account and all associated data immediately (within 48 hours)

2. We will notify the educational institution (if applicable)

3. We will not use the data for any purpose

4. We will document the incident and remediation

 

Parents/Guardians: If you believe your child under 13 has created an account or provided information to Goldi:

 

• Contact us immediately: privacy@climbtogether.co

• Subject line: "COPPA - Child Under 13"

• We will investigate within 24 hours and delete all data

• No penalty or negative consequences for the child

 

Ages 13-17 (Educational Context)

We may serve minors ages 13-17 through educational institutions with appropriate safeguards.

 

How Minors Access Goldi:

 

• Through institutional partnerships (schools, community colleges, educational programs)

• Institutions act as parent/guardian agent for consent

• Schools responsible for obtaining parental consent per state law

 

Additional Protections for Minors:

 

1. No Public Profiles: Minors cannot create publicly visible profiles

2. Limited Data Sharing: Data never sold or shared for marketing

3. Instructor Oversight: Educational staff have oversight of minor accounts

4. Content Appropriateness: AI responses filtered for age-appropriate content

5. Privacy Education: Resources provided to help minors understand their privacy rights

 

Parental Rights (Ages 13-17):

 

Parents and guardians of minor users have the right to:

 

• Access all data we have collected about their child

• Request correction of inaccurate information

• Request deletion of child's account and data (48-hour expedited process)

• Object to certain data processing activities

• Limit how child's data is used

 

Contact for Parental Requests:

 

• Email: privacy@climbtogether.co

• Subject line: "Parent Request - Minor Account"

• Include: Child's name, school/institution, your relationship

• Response time: 48 hours for parent requests (expedited)

 

State-Specific Compliance

California (SOPIPA - Student Online Personal Information Protection Act):

 

• No targeted advertising to students

• No sale of student data

• No profiling for non-educational purposes

 

New York (Education Law 2-d):

 

• Parents can inspect and review student data

• Unauthorized disclosure prohibited

• Data security safeguards required

 

Other States:

 

• We monitor and comply with student privacy laws as enacted

• Institutional partners responsible for compliance with state laws

• Contracts include state-specific requirements where applicable

 

Marketing to Minors

Climb Together Does NOT:

 

• Market directly to users under 18

• Serve targeted advertising to minors

• Share minor data with third-party advertisers

• Use minor data for behavioral profiling

 

Communication with Minors:

 

• Limited to essential service notifications

• Educational content and course reminders only

• Promotional content requires parent opt-in (if account allows)

 

 

International Data Transfers

Climb Together is located in the United States. Your Personal Data will be stored on our (or our suppliers') servers and data centers located in the United States and other jurisdictions where our service providers operate.

 

Transfer and Processing:

 

• Information that we collect will be stored and processed in the United States in accordance with this Privacy Policy

• This Privacy Policy shall apply even if we transfer Personal Information to other countries

• By accessing our websites and the Services, you consent to this transfer, processing, and storage of your Personal Data in the United States or other jurisdictions

 

Important Notes:

 

• Privacy laws in the United States and other jurisdictions may not be as comprehensive as those in the country where you reside

• Your Personal Data may be available to government agencies under legal process in the United States

• Climb Together will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy

• No transfer of your Personal Data will take place to an organization or country unless there are adequate controls in place, including the security of your data and other personal information

 

Data Protection Measures for International Transfers:

 

• Standard Contractual Clauses (SCCs) with EU-based users

• Adequate security controls with all service providers

• Data Processing Addendum (DPA) available upon request

• Compliance with GDPR requirements for international transfers

 

 

Security of Data

The security of your data is important to us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure.

 

Our Security Measures:

 

Climb Together has implemented a security program that includes appropriate administrative, technical, and physical safeguards intended to keep the Personal Data stored in our systems protected from unauthorized access and misuse:

 

• Encryption: Data encryption at rest (AES-256) and in transit (TLS 1.2+)

• Firewalls: Industry-standard firewalls configured to protect our systems

• Authentication: Multi-factor authentication (MFA) for staff system access

• Access Controls: Role-based access control (RBAC) with least privilege principles

• Monitoring: Continuous security monitoring and alerting

• Testing: Regular security testing and vulnerability assessments

• Vendor Security: All vendors must meet SOC 2, ISO 27001, or equivalent standards

• Incident Response: Documented procedures for security incident handling

• Business Continuity: Daily encrypted backups, disaster recovery tested quarterly

 

Security Limitations:

 

Please be aware that no information system is totally secure. While we use reasonable security and monitoring controls in accordance with general industry standards to secure information you provide to us consistent with our legal requirements, we cannot guarantee that such information will not be unlawfully or illegitimately obtained by unauthorized parties.

 

If you have questions about the security of your personal information, you can contact us at security@climbtogether.co.

 

 

"Do Not Track" Signals

We do not support Do Not Track ("DNT"). Do Not Track is a preference you can set in your web browser to inform websites that you do not want to be tracked.

 

You can enable or disable Do Not Track by visiting the Preferences or Settings page of your web browser.

 

 

Changes to This Policy

We may update this policy from time to time. If we make significant changes, we'll notify you by email or by posting a notice on this page. The latest version will always be available at climbtogether.co/privacy.

 

Notification of Changes:

 

• Significant Changes: Email notification to all users + in-app notice

• Minor Updates: Notice on website + updated "Last Updated" date

• Effective Date: Changes become effective 30 days after posting (allows time for review)

• Change Log: Available upon request showing what was updated

 

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

 

Previous Versions:

 

• We maintain archived versions of our Privacy Policy

• Previous versions available upon request

• Helps demonstrate our commitment to transparency over time

 

 

Policy Review Schedule

Annual Reviews (Minimum):

 

• Privacy Policy reviewed annually and updated as needed

• Security Policies reviewed annually by security team

• AI Governance reviewed annually with bias audit results

• Vendor agreements reviewed during annual security audits

 

Triggered Reviews:

 

• Regulatory changes (GDPR, CCPA, FERPA, state laws)

• Significant product changes or new features

• Security incidents or data breaches

• Changes in AI providers or processing methods

• User feedback indicating policy gaps

 

Review Process:

 

• Led by Chief Product & Technology Officer

• Involves legal counsel for compliance verification

• Security team participation for technical accuracy

• User testing for readability and comprehension

• Institutional partner feedback incorporated

 

 

Contact Us

If you have questions about this policy or want to exercise your rights:

 

Privacy Inquiries:

 

• Email: privacy@climbtogether.co

• Response time: 30 days for formal requests, 48 hours for parent/minor requests

 

Security Concerns:

 

• Email: security@climbtogether.co

• Response time: 1 hour for critical issues, 24 hours for standard

 

General Questions:

 

• Email: contact@climbtogether.co

• Support: Available via in-app chat or email

 

AI Governance Questions:

 

• Email: ai@climbtogether.co (starting Q1 2026)

• See: climbtogether.co/ai-governance (coming Q1 2026)

 

Transparency Reports:

 

• Available: climbtogether.co/transparency-report (starting Q2 2026)

• Quarterly publication schedule

 

Mail: Climb Together
[Physical Address]
Attention: Privacy Team

 

By using Climb Together, you acknowledge you have read and understand this Privacy Policy.