8x · Sales

Rep & Applicant Privacy Notice

⚠️ DRAFT — NOT LEGAL ADVICE. This document was generated to scope compliance work and MUST be reviewed and adapted by qualified counsel licensed in each operating jurisdiction (US, Brazil, Mexico, India) before any reliance or publication. Bracketed [PLACEHOLDERS] require confirmation.

Document version: [DRAFT v0.1 — YYYY-MM-DD to be set on counsel sign-off]


0. Who this notice is for

This notice explains how 8x handles the personal data of applicants and sales representatives ("reps") — the people who apply to and work in the 8x program. It is provided directly to you at the point we collect your data (Brazil LGPD Art. 9; EU/UK GDPR Art. 13), because we collect most of it from you.

This is a separate notice from the one that covers the business prospects our reps contact. If you make cold calls or send outreach as a rep, the data you collect about prospects is governed by a different notice — see privacy-notice-prospects.md — and 8x, not you, is the controller of that data. You are acting on 8x's behalf when you generate it.

The controller of your data is [8x LEGAL ENTITY NAME, a Delaware corporation] ("8x", "we", "us"), with its registered address at [REGISTERED ADDRESS]. Governing law for this notice is [Delaware/US, confirm]. The United States is our home jurisdiction; we also serve markets in Brazil, Mexico, and India, and this notice is written to meet the data-protection requirements of those jurisdictions as well.


1. The most important things to know up front

  • We do not store your password. When you sign up, your email and password are handled by our authentication provider, Supabase Auth (GoTrue). 8x's own application database never receives or stores your password — not in plaintext and not as a hash that we control. Password verification happens inside Supabase Auth. (This corrects an earlier version of our privacy page that incorrectly described 8x as storing a hashed password.)
  • 8x is a real cold-calling program, not just a simulator. As a rep you will make real telephone calls to real business prospects over Twilio, and you may send real outreach emails. Those calls are recorded and automatically transcribed and evaluated by AI. Earlier copy that said "no real third party is ever a participant" was wrong and is superseded by this notice.
  • AI evaluation affects your pay. An automated system scores your real calls. Those scores feed decisions about whether a call counts as a qualified meeting and therefore whether — and how much — you get paid. You have a right to human review of any pay-affecting evaluation (see Section 6).
  • You can contact a real person about your data. See the Data Protection Officer / Encarregado contact in Section 9.

2. What data we collect about you

2.1 At sign-up

  • Account credentials — email address and password. As noted above, the password is held by Supabase Auth (GoTrue); 8x's application stores no password value of any kind.

2.2 As you build a profile and progress

  • Identity & profile — name, short bio, self-reported LinkedIn URL, country.
  • CV / résumé file — if you upload one, stored as a file in Supabase Storage (private; access only via short-lived signed URLs to authorized admins).
  • Training & performance data — your activity in onboarding, lessons, auditions, practice and mock calls; scores and progress; and the AI evaluations of your real cold calls (call audio, transcripts, and rubric-based assessments — see Section 2.3).
  • Payout & earnings data — amounts you earn and the records needed to pay you (booking bonus on provided leads, AI-qualified-meeting payment — higher for prospects you source yourself, which carry no booking bonus — and closed-deal payment), plus the payout-account details you provide. [Specify payout processor and what 8x stores vs. what the processor stores — DECISION REQUIRED.]
  • Technical / security data — your IP address, captured for rate-limiting and abuse prevention, and standard request-log data held by our hosting provider.

2.3 Data generated when you make real cold calls

When you call prospects through the platform:

  • Call audio is recorded (Twilio, and an in-browser HD companion recording).
  • Transcripts are produced by AI (OpenAI whisper-1) — both a live segment stream during the call and a more accurate post-call per-channel transcript.
  • AI evaluations are produced by AI models (gpt-4.1, and Anthropic Claude for evaluation/summarization) that score the call against a rubric.

This data is about your performance as a rep and is covered by this notice. The same recordings and transcripts also contain the prospect's personal data, which is additionally covered by privacy-notice-prospects.md.

2.4 LinkedIn fields — not currently active

Our system is designed to support verified LinkedIn sign-in (LinkedIn OIDC), which would let us receive verified fields such as your name, email, and LinkedIn profile identifier directly from LinkedIn. This is not live. The integration is a stub today and we do not currently receive any verified data from LinkedIn. If we turn it on, we will update this notice before doing so. Any LinkedIn URL we hold now is the one you typed yourself, not a verified value.


3. Where the data is collected from

  • From you — everything you type, upload, or generate by using the platform.
  • From your use of the service — performance data, AI evaluations, IP address, and session/log data generated automatically as you use it.
  • From LinkedIn — only if and when LinkedIn OIDC is activated (see Section 2.4). Not active today.

4. Why we use your data and our lawful basis

You participate in the 8x program as an independent contractor (not an employee, at least before any promotion). We process your data on the following bases.

Purpose | Lawful basis (LGPD) | Lawful basis (GDPR, where EU/UK is in scope)
Create and operate your account; deliver training; let you make calls; calculate and make your payouts | Execution of a contract / pre-contractual steps at your request (LGPD Art. 7 V) | Performance of a contract (Art. 6(1)(b))
Evaluate your real calls to determine eligibility, call validity, qualified meetings, and pay | Execution of the contract (Art. 7 V); see Section 6 on automated decisions | Performance of a contract (Art. 6(1)(b)); see Section 6 / Art. 22
Security, rate-limiting, abuse prevention (incl. IP) | Legitimate interest (Art. 7 IX), with a documented assessment | Legitimate interests (Art. 6(1)(f))
Comply with legal, tax, accounting, and recordkeeping obligations | Compliance with a legal obligation (Art. 7 II) | Legal obligation (Art. 6(1)(c))

Note: the lawful basis for processing prospect data is different (legitimate interest / business prospecting in Brazil, with the India-specific constraint that there is no legitimate-interest basis for cold outreach there). That analysis lives in privacy-notice-prospects.md and is not repeated here.

We do not intentionally collect sensitive personal data from you. A plain voice recording is ordinary data; we do not build or use voiceprint / biometric voice identification, which would be sensitive data under LGPD Art. 11. [Confirm CV files are not used to infer sensitive categories — DECISION REQUIRED.]


5. Who we share your data with (sub-processors)

We use third-party service providers ("sub-processors") to run the platform. Each receives only the data needed for its function. The current, authoritative list — including each provider's role, the data categories it receives, and its processing region — is maintained in sub-processors.md. In summary, the providers that may process rep/applicant data include:

  • Supabase — database, authentication (your credentials), and file storage (CV, recordings). Region [CONFIRM].
  • Twilio — telephony and call recording (US).
  • OpenAI — whisper-1 transcription and gpt-4.1 evaluation of your calls (US). [DECISION REQUIRED: elect zero-data-retention / enterprise terms; not yet elected.]
  • Anthropic — Claude evaluation/summarization of transcripts (US).
  • Vercel — hosting; your IP appears in request logs (US/global).
  • Resend — transactional and outreach email; your email address (US).
  • Cal.com — scheduling. Region [CONFIRM].
  • LinkedIn — OAuth/OIDC verified sign-in — intended, not yet live (see Section 2.4).

We do not sell your personal data, and we do not "share" it for cross-context behavioral advertising as those terms are used under US state privacy laws.


6. Automated decisions about you (this affects your pay)

What is automated. When you make a real cold call, the recording is transcribed by AI and then scored by an AI evaluator against a defined rubric. That score is used to decide:

  • whether a call is valid (clean conduct),
  • whether a call produced an AI-qualified meeting, and
  • consequently whether you are paid (and at which tier — booking $15, AI-qualified meeting $50, closed deal $250).

So this is automated processing that can produce a significant effect on you (your earnings) and that evaluates your performance/behavior.

The criteria. The evaluation is based on rubric dimensions [LIST THE EXACT RUBRIC DIMENSIONS — e.g. discovery, objection handling, conduct/disclosure, scenario-appropriate behavior — CONFIRM against the live rubric] applied to what you, the rep, controlled during the call.

Your right to human review and to contest. For any evaluation that affects your pay, you may request human review and contest the outcome. To do so, contact us at the address in Section 9 and identify the call. A person — not the automated system — will re-examine the call and the score, and you may provide your own explanation.

  • Under GDPR Art. 22 (if you are an EU/UK data subject), you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, including the rights to obtain human intervention, to express your point of view, and to contest the decision, together with meaningful information about the logic involved.
  • Under LGPD Art. 20, you have the right to request review of decisions taken solely on the basis of automated processing that affect your interests, and to receive clear information about the criteria and procedures used. (Since the 2019 amendment by Law 13.853/2019, Art. 20 no longer expressly requires that the reviewer be a natural person; this position is unsettled and ANPD guidance may evolve — [CONFIRM WITH BRAZILIAN COUNSEL]. Regardless, 8x commits to human review of any pay-affecting evaluation.)

7. How long we keep your data

We retain data only as long as needed for the purpose it was collected, then delete it on a schedule. The current schedule and the deletion jobs that enforce it are also documented in internal-compliance-artifacts.md.

Data | Retention
Cold-call audio recordings | Purged approximately 90 days after the call (automated job).
Live transcript segments (the streamed segments) | 12 months.
Uploaded real_calls records and their metadata | 12 months.
Post-call accurate transcript (the consolidated JSONB) and the AI assessments | [DEFINED RETENTION — DECISION REQUIRED], after which they are purged on a defined schedule. (Remediation note: these are currently not being purged in the running system; 8x is committing to a finite retention here and must implement the purge job before this notice is published. Do not publish an indefinite-retention claim and do not publish a finite figure 8x has not yet implemented.)
Account, profile, training, and payout records | For as long as your relationship with 8x is active, plus any period required for legal, tax, and accounting obligations. You may request earlier deletion (Section 8), subject to those obligations.
Deletion audit rows | Append-only audit records (containing no raw PII — e.g. a hash of the deleted identifier, reason, and actor) are retained to demonstrate that retention limits are honored.

8. Your rights and how to exercise them

Depending on where you are, you have rights to confirm processing, access your data, correct it, delete / anonymize it, port it, object to or restrict certain processing, withdraw consent where processing is based on consent, and to obtain review of automated decisions (Section 6).

How to exercise them. Email the contact in Section 9. We may ask reasonable questions to verify your identity before acting.

Timelines.

  • Brazil (LGPD Art. 19): we will respond to access requests within 15 days. (This corrects an earlier "30 days" statement, which did not reflect LGPD Art. 19.)
  • EU/UK (GDPR Art. 12(3)): we will respond within one month, extendable by up to two further months for complex or numerous requests, with notice to you.
  • United States / other jurisdictions: we will respond within the period required by applicable law, or otherwise without undue delay. [Confirm CCPA/CPRA applicability against the statutory thresholds — DECISION REQUIRED.]

You also have the right to lodge a complaint with your local supervisory authority — in Brazil, the ANPD; in the EU/UK, your national data-protection authority; and in other jurisdictions, the competent regulator.


9. Data Protection Officer / Encarregado — contact

For any privacy request or question — access, correction, deletion, automated-decision review, or a complaint — contact our data-protection contact:

  • Role: Data Protection Officer / Encarregado de Proteção de Dados
  • Name: [DPO/PRIVACY CONTACT NAME]
  • Email: privacy@8x.social (proposed role-based address)
  • Postal: [REGISTERED ADDRESS]

We use a role-based address, not an individual's personal email. (This corrects an earlier version of our privacy page that listed a personal Gmail address as the DPO contact.) A documented assessment confirms that, given the nature, scope, and risk of our processing, an Encarregado is appointed for Brazil; the small-agent exemption is treated as unavailable here because the processing is high-risk. [Appoint and name the individual / role holder — DECISION REQUIRED.]


10. International transfers

8x is based in the United States and most of our sub-processors are in the United States (see sub-processors.md). If you are in Brazil, Mexico, India, or the EU/UK (the EU/UK is in scope), your personal data is transferred to the United States and processed there.

We rely on the transfer mechanisms required by each jurisdiction:

  • Brazil → US: ANPD International Data Transfer Standard Contractual Clauses (Resolution CD/ANPD 19/2024). [Status — DECISION REQUIRED: these clauses must be put in place with sub-processors; 8x is currently working toward compliance.]
  • EU/UK → US (EU/UK is in scope): EU Standard Contractual Clauses (Module 2) plus a documented transfer impact assessment (TIA). We do not rely on the EU-US Data Privacy Framework alone — it is treated as unstable pending the Latombe appeal, so we default to SCCs + TIA.
  • Mexico → US: transfers to our US sub-processors are disclosed in the Spanish-language aviso de privacidad. [CONFIRM WITH MEXICAN COUNSEL.]

11. Cookies

The 8x site uses only first-party, essential and functional cookies. We do not use analytics, advertising, or third-party tracking cookies; on that basis no cookie-consent banner is shown and this section is disclosure only. [Confirm with counsel that each functional cookie below falls within the strictly-necessary exemption in every operating jurisdiction — DECISION REQUIRED.] The cookies are:

  • Supabase authentication session cookies — essential, to keep you logged in.
  • __Host-8x_view_as_rep — functional, used for admin "view as rep" impersonation.
  • A __Host-prefixed display-locale cookie — functional, remembers your chosen language.
  • A __Host-prefixed li_oauth_state cookie — holds the OAuth state value that ties a LinkedIn sign-in callback to the browser that started it (CSRF protection). Not active, because LinkedIn sign-in is not live.

The __Host- prefix is a browser-enforced guarantee: a browser only accepts a cookie with that name if it is set from a secure origin with the Secure attribute, with Path=/, and without a Domain attribute, so it cannot be set or overwritten from a subdomain or over plain HTTP. A cookie that carries the prefix but breaks one of those rules is silently discarded.

Full detail is in cookie-notice.md. [Verify the live site sets no Vercel edge or other third-party trackers — DECISION REQUIRED.]


12. Security

Structured data is stored in Supabase Postgres and uploaded files (CV, recordings) in Supabase Storage, encrypted at rest with platform-managed AES-256 keys. Files are private by default and accessed only via short-lived signed URLs issued to authorized admins. Your password is never received or stored by 8x; it is managed by Supabase Auth (Section 1). [Confirm breach-notification procedures: Brazil requires notice to the ANPD and affected subjects within 3 business days under ANPD Resolution 15/2024 — ensure an internal runbook exists.]


13. Changes to this notice

We may update this notice. When we make material changes — for example, activating LinkedIn sign-in or changing the AI evaluation that affects pay — we will update this notice and the version line at the top of it before the change takes effect.


14. Related documents

  • privacy-notice-prospects.md — how 8x handles the data of the business prospects reps contact.
  • sub-processors.md — full, authoritative list of third-party processors, roles, data categories, and regions.
  • internal-compliance-artifacts.md — detailed retention schedule and deletion jobs (plus LIA, DPIA, RoPA, DNC policy, automated-decisions/contest procedure, roles & contacts roster).
  • cookie-notice.md — full cookie detail.

End of draft. All bracketed items require confirmation by counsel and/or a business decision before publication.