Neopolis Public Privacy Policy

1) Who we are

Neopolis Global, Inc. ("Neopolis", "we", "us", "our") is an AI‑powered SaaS company. We operate:

• Our corporate site: https://neopolis.ai
• Navii (product): https://www.heynavii.ai – an AI career companion and professional agent network that helps candidates and hiring teams match, prepare, and connect.

This Privacy Policy explains how we collect, use, disclose, and protect personal information when you visit our Sites, use our Services, communicate with us, or otherwise interact with us. It also explains choices and rights available to you.

Controller vs Processor. For Navii direct‑to‑consumer users (professionals who sign up themselves), Neopolis is the data controller of their personal data. For enterprise customers (e.g., employers or partners who invite users or send us candidate data), Neopolis is generally a data processor/service provider acting under a written agreement and the customer's instructions. Where we act as a processor, our customer's privacy policy governs their use of personal data, and we process it to provide the Services to them.

2) Scope

This Policy applies to personal information we process about:

• Visitors to our Sites, Trust Center, and related pages
• Users of Navii and other Neopolis Services (web or mobile)
• Business contacts (e.g., prospects, customers, partners, vendors)
• Job applicants who apply for roles with Neopolis

This Policy does not apply to content that users choose to publicly post on third‑party platforms (e.g., LinkedIn), nor to third‑party sites or services that we do not control. Our processing on behalf of enterprise customers is governed by our agreements with those customers.

3) Personal information we collect

A. Information you provide directly

• Account & profile data: name, contact information, login credentials, photo/avatar, location, work preferences
• Career data: résumé/CV, employment and education history, skills, projects, portfolios, goals, preferences, salary expectations, interview recordings or practice sessions, and responses to prompts/questions in the product
• Communications: messages, emails, support requests, and feedback
• Enterprise inputs: candidate lists, interview notes, and related metadata provided by our enterprise customers about their candidates or employees

B. Information we collect automatically

• Usage data: actions in the product (e.g., feature clicks, page views), referral URLs, session timestamps
• Device & network data: IP address, browser type/version, device identifiers, operating system, language, approximate location inferred from IP, crash/diagnostic logs
• Cookies & similar technologies: pixels, SDKs, local storage, and cookies that are necessary for the Sites/Services and, with consent where required, analytics and other non‑essential categories. See Section 12 (Cookies & tracking)

C. Information from third parties and public sources

• Connected services (optional): when you connect your accounts (e.g., LinkedIn, calendars, storage), we receive information per your permissions
• Enterprise customers: candidate/employee data sent to us under contract
• Partners & vendors: enrichment, anti‑fraud, and analytics data (subject to applicable law and your choices)
• Public sources: public profiles, portfolio sites, publications, and other publicly available records related to your professional background

You may decline to provide certain information, but the Services may require some data to function.

4) How we use personal information

We use the information above to:

• Provide and operate the Services, including account creation, job matching, application assistance, interview practice, messaging, and other core features
• Improve and personalize the Services, including to tailor recommendations, content, and coaching; to measure performance and quality; and to conduct research and development
• Safety and security, including authentication, fraud prevention, abuse detection, debugging, and to protect our users and Services
• Customer support and communications, including responding to inquiries and sending transactional notices (e.g., updates, changes to terms, service alerts)
• Business operations, including billing, contract management, audits, compliance, and legal enforcement
• Marketing (with consent or as allowed by law), including sending information about features, events, or surveys, and presenting non‑essential cookies/SDKs choices
• Recruiting, for candidates who apply to work at Neopolis

5) Lawful bases for processing (EEA/UK/Swiss)

Where GDPR/UK GDPR or similar laws apply, our lawful bases include:

• Contract: to provide the Services you request
• Legitimate interests: e.g., to secure, improve, and personalize the Services, to prevent fraud/abuse, to market similar products to existing users (where permitted), and to run our business in a proportionate manner
• Consent: for specific activities (e.g., certain cookies/SDKs; connecting third‑party accounts; optional research participation). You can withdraw consent at any time
• Legal obligation: to comply with laws, defend legal claims, or respond to lawful requests

6) Automated decision‑making & AI transparency

Parts of the Services use machine learning and automation to assist with job matching, application prioritization, skill gap analysis, and interview guidance. We design these features with human‑in‑the‑loop reviews where appropriate and evaluate models for quality, bias, and safety. You may object to profiling for direct marketing at any time (see rights below). If any decision that produces legal or similarly significant effects is made solely by automated means, we will provide meaningful information about the logic involved, the significance and envisaged consequences, and offer a way to request human review, to express your point of view, and to contest the decision.

Model training and analytics

• Customer/enterprise data: We process such data only to provide the Services under our contracts with enterprise customers and do not use it to train general‑purpose foundation models
• Consumer Navii data: By default, we do not use your personal content to train third‑party foundation models. We may use de-identified, aggregated data to improve quality, safety, and performance of Neopolis‑specific models and features. We do not use any resume content, candidate chat history, or interview recordings to train our internal or external models unless explicitly consented to by the user. You can opt out of such improvement processing where required by law. You can do so by configuring choices in account settings or contact us

7) How we disclose personal information

We share personal information as follows:

• Service providers (processors): cloud infrastructure, storage, security, analytics, communications, customer support, and similar vendors bound by contract to process data only on our instructions. A list of our current subprocessors is available via our Trust Center or upon request
• Enterprise customers: For enterprise accounts, your organization (or the inviting customer) may access data about its users/candidates per the agreement
• Connected services (at your direction): if you connect third‑party services, we disclose data as needed to complete that integration
• Professional contacts: If you ask Navii to reach out or apply on your behalf, we may share your profile with prospective employers or recruiters you designate
• Legal, safety, and compliance: to comply with law, enforce our terms, protect rights and safety, and prevent fraud/abuse
• Business transfers: in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate safeguards

We do not sell personal information or share it for cross‑context behavioral advertising as those terms are defined by certain US laws. If that changes, we will update this Policy and provide required opt‑out mechanisms.

8) International data transfers

We may transfer, store, and process information in countries outside your own (including the United States). Where required, we use appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) and UK Addendum/IDTA, and perform transfer risk assessments. Copies of relevant SCCs can be provided upon request where legally permissible.

9) Data retention

We retain personal information only for as long as necessary for the purposes described in this Policy, to comply with legal obligations, resolve disputes, and enforce our agreements. Retention periods vary by data type and context (e.g., account data, logs, support records, candidate materials). Where feasible, we de‑identify or aggregate data or delete it when it is no longer needed. If you close your account or request deletion, we will delete or anonymize your personal information within applicable statutory or contractual periods, subject to any legal holds.

10) Security

We employ administrative, technical, and organizational measures appropriate to the risk, including (without limitation): role‑based access control and multi‑factor authentication for privileged access; encryption in transit and at rest; environment segmentation; secure software development practices; vulnerability management and logging/monitoring; and incident response procedures. While no system is perfectly secure, we work to protect your information and respond to incidents appropriately.

Responsible disclosure / reporting security issues: If you believe you've found a security vulnerability, please contact us at support@neopolis.ai or through our Trust Center.

11) Your privacy choices & rights

Depending on your location, you may have rights to:

• Access your personal information and receive a copy
• Correct inaccurate or incomplete data
• Delete your data (erasure)
• Object to or restrict certain processing
• Data portability (receive data in a structured, commonly used, machine‑readable format)
• Withdraw consent where processing is based on consent
• Opt‑out of certain uses (e.g., direct marketing; where applicable, targeted advertising or sale/sharing)
• Appeal certain decisions (where provided by law)

You can exercise these rights by using in‑product controls where available or contacting us at support@neopolis.ai. We may ask you to verify your identity to help protect your privacy and security. You also have the right to lodge a complaint with your local data protection authority.

• EEA/UK: If you are in the EEA/UK, you may contact your supervisory authority. A list of EU authorities is available from the European Data Protection Board; UK users may contact the ICO
• California: We provide a "Notice at Collection," disclose categories of personal information we collect, purposes, and whether we "sell" or "share" (we do not). California residents may exercise CPRA rights described above. You may also limit the use of sensitive personal information for certain purposes as required by law

12) Cookies & tracking technologies

We use:

• Strictly necessary cookies required to provide the Sites/Services
• Functional cookies to remember preferences
• Analytics/performance cookies to understand how the Services are used and to improve them
• Marketing cookies/SDKs with your consent where required

We currently do not respond to Do Not Track (DNT) signals.

You can manage non‑essential cookies via our banner or browser settings. You may also revisit or update your cookie preferences at any time through your account settings or our Trust Center. Some browsers offer Global Privacy Control (GPC) signals—where legally required, we will honor them. For mobile apps, manage permissions in your device settings.

13) Children's privacy

Our Services are not directed to children, and we do not knowingly collect personal information from children under 16 (or older, where local law requires). If you believe a child has provided us with personal information, please contact us so we can take appropriate action.

14) Third‑party links and services

Our Sites/Services may contain links to third‑party websites, apps, and services. We do not control those third parties, and their privacy practices are governed by their own policies.

15) Regional disclosures (summary)

• EEA/UK/Swiss: Controller is Neopolis Global, Inc. (or affiliate). Lawful bases as described in Section 5. Transfers safeguarded by SCCs/UK addendum where needed. We are currently assessing our need to appoint an EU representative under Article 27 of the GDPR. Contact our EU/UK representative if appointed
• United States: State laws (e.g., California, Colorado, Virginia, etc.) may grant additional rights. We do not sell/share personal information for cross‑context behavioral advertising
• Other regions: We comply with local laws applicable to our provision of the Services

16) Changes to this Policy

We may update this Policy from time to time. When we do, we will change the "Effective date" above, post the updated version on our Sites/Trust Center, and take additional steps required by law (e.g., obtaining consent for material changes where necessary). We encourage you to review this Policy periodically.

17) Contact us

For questions or requests about this Policy or our privacy practices:

• Email: support@neopolis.ai (or hey@heynavii.ai)
• Postal: 248 Walker Drive #8, Mountain View, CA 94043

Annex A: Categories of personal information

Required = Needed to use the service | Optional = User-controlled | Auto-collected = System gathered during use

• Identifiers: name, email, phone number, device IDs, IP address
• Professional information: résumé/CV, roles, employer, skills, education, portfolios
• Account & commercial information: login, subscription and billing information
• Internet/telemetry: usage logs, interactions with our Sites/Services
• Inferences: profile attributes, skill gaps, job match scores (subject to your rights)
• Audio/visual (if enabled): interview practice/feedback audio, transcripts, and notes. We do not use biometric identifiers (such as facial recognition or voice prints), and recordings are used only for feedback purposes with appropriate safeguards
• Sensitive data: Only if you choose to provide it (e.g., diversity information during applications) or if required for background checks for Neopolis hiring—processed under applicable law and your choices

Annex B: US "Notice at Collection"

We collect the categories in Annex A for the purposes described in Sections 4 and 10. We do not sell or share your personal information for cross‑context behavioral advertising. We retain information for periods described in Section 9. California residents can exercise their rights as described in Section 11.