Privacy Policy — Cavileo - Workforce Intelligence Platform

// 01

Overview

Cavileo, Inc. ("Cavileo," "we," "us," or "our") operates a workforce intelligence platform that helps employers identify potential overemployment risk among their remote and hybrid workforces. This Privacy Policy describes how we collect, use, store, share, and protect information in connection with our services, website, and platform (collectively, the "Services").

This policy applies to:

Customers — organizations that subscribe to and use the Cavileo platform
Authorized Users — HR professionals and administrators who access the platform on behalf of a Customer
Monitored Individuals — employees whose information is submitted to Cavileo by a Customer for risk assessment
Website Visitors — individuals who visit cavileo.com

By using our Services, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Services.

// 02

Who We Are

Cavileo, Inc. is a Delaware corporation with its principal place of business in the United States. We are the data controller for information collected directly through our website and platform. For employee roster data submitted by Customers, we act as a data processor operating on behalf of the Customer (the data controller).

Our Data Protection contact can be reached at: privacy@cavileo.com

// 03

Data We Collect

We collect information in three ways: directly from Customers, from Monitored Individuals via public sources, and automatically through your use of our website.

Category	Data Types	Source
Account & Billing	Company name, contact name, email, billing address, payment method (tokenized)	Provided by Customer
Employee Roster	Employee name, work email, job title, department, start date, employment type	Uploaded by Customer
Public OSINT Signals	Public social media profiles, public social media handles, publicly listed job titles, resume submissions, public work submissions, code respositories, public activity timestamps	Gathered by Cavileo from various public and private sources
Risk Scores & Events	Risk score (0–100), score history, analyst review notes, event log entries	Generated by Cavileo and our partners
Usage & Log Data	IP address, browser type, pages visited, feature usage, login timestamps	Collected automatically
Communications	Support tickets, email correspondence, demo request submissions, sales inquiries	Provided by Customer or User

ℹ️ What we do NOT collect: We do not collect Social Security numbers, government IDs, financial account details, health information, private messages, device activity logs, keystrokes, screenshots, or any data that requires accessing a private account or system.

// 04

How We Use Data

We use the data we collect for the following purposes:

Service Delivery: To generate, maintain, and update risk scores for Monitored Individuals on behalf of Customers
Platform Operations: To authenticate users, manage accounts, process payments, and maintain platform functionality
Analyst Review: To enable Cavileo analysts to review public signals and apply risk scoring methodology
Security & Integrity: To detect fraud, unauthorized access, and abuse of the platform
Compliance: To comply with applicable laws, regulations, and legal obligations
Product Improvement: To improve our scoring models, features, and service quality (using aggregated, de-identified data only)
Customer Support: To respond to inquiries, troubleshoot issues, and communicate service updates
Marketing: To send product updates and promotional communications to Customers who have opted in (opt-out available at any time)

We do not use personal data for automated decision-making that produces legal effects on Monitored Individuals. Risk scores are intelligence tools provided to Customers — employment decisions remain solely with the Customer.

// 05

OSINT & Employee Monitoring Data

A core component of the Cavileo platform involves gathering and analyzing publicly available information about individuals submitted to us by Customers. This practice — known as Open Source Intelligence (OSINT) — is distinct from invasive monitoring and operates within established legal frameworks.

🔍 What "public" means: We only access information that has been voluntarily published by an individual in a publicly accessible format — such as a public LinkedIn profile, a public Twitter/X account, or a publicly listed job title. We do not access private profiles, direct messages, email accounts, or anything requiring a login credential.

How OSINT data is processed:

Public signals are gathered by automated monitoring agents and reviewed by trained Cavileo analysts
Each data point is evaluated against our scoring methodology and combined into a 0–100 risk score
Scores are updated on a regular review cycle and stored in the Customer's secure dashboard
No OSINT data is shared with third parties outside Cavileo's internal analyst team

Legal basis for OSINT collection: The collection of publicly available information for legitimate business purposes is lawful under U.S. law. Employers have a recognized interest in ensuring workforce integrity, and the monitoring of public-facing information does not constitute a violation of reasonable privacy expectations in publicly accessible spaces. Customers remain responsible for ensuring their use of Cavileo complies with applicable employment law in their jurisdiction.

⚠️ For EU/UK Customers: If you are processing data about employees located in the EU or UK, additional GDPR obligations apply. Please see Section 11 and contact us to discuss your specific data processing agreement requirements.

// 06

Data Sharing & Disclosure

We do not sell personal data. We do not share personal data for advertising purposes. We share data only in the following limited circumstances:

With Customers: Risk scores and supporting data are shared exclusively with the Customer who submitted the relevant employee roster
With Service Providers: We use vetted third-party providers for cloud hosting (AWS), payment processing (Stripe), and analytics. These providers are bound by data processing agreements and may only use data to provide services to Cavileo
For Legal Compliance: We may disclose data when required by law, court order, or lawful government request, or to protect the rights, property, or safety of Cavileo, our customers, or the public
In Business Transfers: In the event of a merger, acquisition, or sale of assets, data may be transferred to the successor entity, subject to the same privacy commitments
With Your Consent: We may share data for purposes not described here with your explicit consent

// 07

Data Retention & Deletion

We retain data only as long as necessary to provide the Services or as required by law:

Employee roster and risk score data is retained for the duration of the Customer's subscription, or as required by Customer and regulatory data retention requirements.
Account and billing data is retained for 7 years to comply with financial recordkeeping requirements
Usage and log data is retained for at least 12 months
Support communications are retained for 3 years

Customers may request deletion of their data and all associated employee records at any time by contacting privacy@cavileo.com. Deletion requests are processed within 30 days. Certain data may be retained longer where required by legal obligation.

// 08

Security

We implement industry-standard technical and organizational measures to protect data against unauthorized access, loss, alteration, or disclosure:

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
Access to customer data by Cavileo personnel requires multi-factor authentication and is logged with full audit trails
Our infrastructure is hosted on SOC 2 Type II certificatied infrastructure.
We conduct periodic security assessments and penetration testing
All Cavileo employees with data access complete annual security and privacy training

No method of electronic transmission or storage is 100% secure. In the event of a data breach that affects your data, we will notify you in accordance with applicable law.

// 09

Your Rights

Depending on your location and role, you may have the following rights regarding your personal data:

Access: Request a copy of the personal data we hold about you
Correction: Request correction of inaccurate or incomplete data
Deletion: Request deletion of your personal data, subject to legal retention requirements
Portability: Request your data in a structured, machine-readable format
Objection: Object to certain processing of your data
Restriction: Request restriction of processing in certain circumstances
Opt-Out of Marketing: Unsubscribe from marketing communications at any time via the link in any email or by contacting us

To exercise any of these rights, contact us at privacy@cavileo.com. We will respond within 30 days. Note: for data about Monitored Individuals submitted by a Customer, requests should be directed to the relevant employer (the data controller), who will coordinate with Cavileo as needed.

// 10

California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including the right to know, delete, correct, and opt out of the sale or sharing of personal information.

Cavileo does not sell or share personal information for cross-context behavioral advertising.

To submit a California privacy rights request, contact us at privacy@cavileo.com with the subject line "California Privacy Request." We will respond within 45 days. You may designate an authorized agent to make a request on your behalf.

We do not discriminate against individuals who exercise their California privacy rights.

// 11

GDPR (EU & UK)

For Customers operating in the European Union or United Kingdom, or processing data about individuals located in those regions, the General Data Protection Regulation (GDPR) and UK GDPR apply.

Legal basis for processing: We process Customer account data on the basis of contractual necessity. We process employee roster data submitted by Customers on the basis of the Customer's legitimate interests or legal obligations (the Customer determines and is responsible for the lawful basis).

International transfers: Data is stored and processed in the United States. For EU/UK Customers, transfers are governed by Standard Contractual Clauses (SCCs). Please contact us to execute a Data Processing Agreement (DPA).

EU/UK individuals may lodge a complaint with their local supervisory authority if they believe their data has been processed unlawfully.

// 12

Cookies & Tracking

Our website uses a minimal set of cookies to operate and improve the service:

Essential cookies: Required for authentication and platform functionality. Cannot be disabled.
Analytics cookies: Used to understand how visitors use our site (e.g., pages visited, session duration). We use privacy-respecting analytics that do not fingerprint or track individuals across sites.
Preference cookies: Used to remember your settings and preferences.

We do not use advertising cookies or allow third-party advertising trackers on our platform. You can control cookies through your browser settings.

// 13

Children's Privacy

The Cavileo platform is designed for use by business professionals and is not directed at children under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected information from a child under 16, we will delete it promptly. If you believe we have collected such information, please contact us at privacy@cavileo.com.

// 14

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify Customers by email and/or by displaying a prominent notice in the platform at least 30 days before the change takes effect.

The "Last Updated" date at the top of this page reflects the most recent revision. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.

// 15

Contact Us

For privacy-related inquiries, data requests, or to report a concern, please reach out through any of the following channels:

Cavileo Privacy Team

Email: privacy@cavileo.com

General: hello@cavileo.com

Mail: Cavileo, Inc., Attn: Privacy, [Address], United States

We aim to respond to all privacy inquiries within 5 business days and to fulfill verifiable data requests within 30 days.