Privacy and data handling training module
Last reviewed 2026-05-07
Purpose
This is the required privacy and data-handling training module for HiringCoachAI personnel. It translates the public privacy policy, data map, and data-classification policy into the day-to-day rules a person must follow before receiving sensitive access.
Complete this module before customer-data access, production access, vendor-dashboard access, source-code access, or ongoing operational responsibility is granted, and annually thereafter.
1. Use The Minimum Data Needed
Only access personal data when there is a clear business purpose. Use the smallest amount of data needed to complete the task. If a screenshot, export, log excerpt, or support note can be redacted, redact it before sharing internally.
Customer content includes resumes, cover letters, interview answers, job applications, contact records, account details, support context, and uploaded or pasted career material.
2. Know The Data Classes
HiringCoachAI classifies data by where it lives and how sensitive it is:
| Class | Plain meaning | Examples |
|---|---|---|
| Public | Intended for publication | Marketing pages, public trust-center documents |
| Internal | Non-public business information | Roadmaps, internal process notes |
| Confidential | Customer or business data that could harm someone if exposed | Resumes, job-search records, emails, support context, audit logs |
| Restricted | Secrets or highly sensitive operational data | API keys, OAuth tokens, service-account keys, backup keys |
If unsure, treat the data as Confidential and ask the Security Officer before moving or sharing it.
3. Keep Customer Data In Approved Systems
Do not copy customer data into personal accounts, public documents, unapproved spreadsheets, public issue trackers, consumer AI tools, or local files unless the task requires it and the destination is approved.
If local handling is unavoidable for a short operational task, remove the local copy when the task is complete.
4. Handle Data Subject Requests Carefully
Users may request access, export, correction, deletion, objection, restriction, or portability. Do not promise a legal outcome on your own. Route privacy requests to [email protected] or the Privacy Officer.
HiringCoachAI targets a 30-day response window, with an extension for complex requests where the law allows.
5. Report Privacy Issues Immediately
Report any possible privacy issue immediately, including:
- Sending customer data to the wrong person.
- Sharing a document with broader access than intended.
- Finding customer data in an unapproved system.
- Losing a device that may contain customer data.
- Seeing logs, screenshots, or AI prompts that contain unnecessary personal data.
Do not delete evidence. Preserve what happened and escalate.
6. Respect Prohibited Data Boundaries
HiringCoachAI is not designed to process health data, payment card numbers, government ID numbers, SSNs, driver's license numbers, or biometric data. If a user includes unexpected regulated data in uploaded or pasted content, treat it as a privacy issue and escalate.
Stripe handles payment card capture. HiringCoachAI stores Stripe identifiers and subscription status, not card numbers.
7. Use Vendors And AI Tools Only As Approved
Only approved sub-processors may receive customer data. Standard vendor dashboards, support tools, AI providers, and analytics tools have different data-handling rules, so do not add a new processor or paste customer data into a new tool without approval.
AI-specific handling rules are in the responsible AI training module.
Acknowledgment
By acknowledging this module in /admin/onboarding, I confirm that I understand HiringCoachAI privacy and data-handling expectations, will use only the minimum data needed, will keep customer data in approved systems, and will report privacy concerns promptly.