Privacy Policy

Effective date: March 20, 2026 · Draft — pending legal review

1. Overview

This Privacy Policy explains how Best Life Systems, Inc. ("Best Life Systems," "we," "us") collects, uses, stores, and shares information when you use the Best Life Systems executive recruiting platform ("Service"). We are committed to protecting your data and being transparent about our practices.

2. Information We Collect

2a. Account and Organization Data

  • Name, work email address, and password (hashed; we never store plaintext passwords)
  • Company or organization name
  • Billing information (processed and stored by our payment processor; we do not store raw card data)

2b. Candidate Data

You (the recruiter) are the controller of candidate data you enter into Best Life Systems. This may include names, contact information, resumes, interview notes, and communication history. We process this data solely on your behalf to operate the Service.

2c. Usage Data

  • Pages and features accessed, timestamps, session duration
  • Device type, browser, and operating system
  • IP address (used for security and fraud prevention; not sold or shared for advertising)
  • Error logs and crash reports

2d. Communications Data

If you use our SMS features, we log message content and metadata (sender, recipient, timestamp) for compliance and troubleshooting. You are responsible for ensuring you have appropriate consent from candidates to receive SMS messages.

2e. AI Interaction Data

Prompts and context you submit to AI features may be processed by third-party AI providers (currently Anthropic, Inc.) to generate responses. See Section 5 for details.

3. How We Use Your Data

  • To provide, operate, and maintain the Service
  • To process payments and send billing communications
  • To send transactional emails (account confirmations, password resets, billing notices)
  • To improve the Service through aggregated, anonymized analytics
  • To detect and prevent fraud, abuse, and security incidents
  • To comply with legal obligations

We do not use your data or candidate data to train AI models or for advertising purposes.

4. Data Security and Encryption

We take data security seriously and implement the following protections:

  • Encryption at rest: All data stored in our databases is encrypted at rest using AES-256.
  • Encryption in transit: All data transmitted between your browser and our servers uses TLS 1.2 or higher (HTTPS).
  • Password hashing: Passwords are hashed with bcrypt before storage; plaintext passwords are never retained.
  • Access controls: Data access is restricted to personnel on a need-to-know basis and is audited regularly.
  • Incident response: In the event of a data breach, we will notify affected users within 72 hours of discovery, consistent with applicable law.

Note: As an alpha product, we are continuing to harden our security posture. We will update this section as controls mature.

5. Third-Party Service Providers

We share data with the following categories of third parties to operate the Service:

  • AI providers (Anthropic): Prompts and context are sent to Anthropic's API to generate AI responses. Anthropic's data handling is governed by their privacy policy and our API agreement. We do not authorize Anthropic to use your data to train models under our current agreement.
  • SMS providers: Outbound candidate SMS is routed through a third-party messaging provider (e.g., Twilio). Message content and metadata are shared with the provider as necessary for delivery.
  • Payment processors: Billing is handled by a PCI-DSS compliant payment processor. We receive a payment token; raw card data is not stored on our systems.
  • Cloud infrastructure: Our Service runs on cloud infrastructure (currently AWS). Data is stored in US-East regions by default.

We do not sell your personal data or candidate data to any third party.

6. Data Retention

  • Account data: Retained for the duration of your account and 30 days after account termination, then deleted.
  • Candidate data: Retained for the duration of your account. Upon account termination, candidate data is deleted within 30 days unless you request earlier deletion.
  • Usage logs: Retained for 90 days for security and debugging purposes.
  • Billing records: Retained for 7 years to comply with financial record-keeping requirements.
  • SMS logs: Retained for 12 months for compliance and dispute resolution.

You may request deletion of your data at any time by contacting us at privacy@bestlifesystems.com. Deletion requests will be processed within 30 days, subject to legal retention requirements.

7. Your Rights — CCPA (California Residents)

Under the California Consumer Privacy Act (CCPA), California residents have the following rights:

  • Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to delete: Request deletion of your personal information, subject to certain exceptions.
  • Right to opt out of sale: We do not sell personal information. No opt-out needed.
  • Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise these rights, contact us at privacy@bestlifesystems.com. We will respond within 45 days.

8. Your Rights — GDPR (EEA/UK Residents)

If you are located in the European Economic Area or United Kingdom, you have the following rights under the GDPR or UK GDPR:

  • Access: Obtain a copy of your personal data.
  • Rectification: Correct inaccurate personal data.
  • Erasure: Request deletion ("right to be forgotten").
  • Restriction: Restrict processing in certain circumstances.
  • Portability: Receive your data in a machine-readable format.
  • Objection: Object to processing based on legitimate interests.

Our lawful basis for processing is typically (a) performance of a contract (to provide the Service), (b) legitimate interests (security, fraud prevention), or (c) legal obligation. We do not rely on consent as a primary basis for processing account data.

Data transfers: If you are located outside the US, your data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) for transfers from the EEA.

To exercise GDPR rights, contact privacy@bestlifesystems.com. You also have the right to lodge a complaint with your local supervisory authority.

Note: We do not currently have a designated EU representative. This will be addressed before any meaningful EU market presence.

9. Cookies

We use session cookies strictly necessary to keep you logged in. We do not use third-party analytics cookies, advertising cookies, or tracking pixels at this time.

10. Children's Privacy

The Service is not directed to individuals under 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected such data, contact us and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notice at least 14 days before they take effect. The current effective date is always shown at the top of this page.

12. Contact Us

Privacy questions or requests: privacy@bestlifesystems.com

Best Life Systems, Inc.
[Address — to be added before beta]

⚠ This is an alpha draft for internal review only. It has not been reviewed by legal counsel and should not be relied upon as legal advice. Do not publish without legal review.

© 2026 Best Life Systems. All rights reserved.