
Privacy Policy
 

Last Updated: May 26th, 2025


Introduction

CandID (“we” or “us”) is a software company providing web-based solutions deployed on a per-client basis, either in the cloud or on-premises. We are committed to protecting the privacy of our clients and users. This Privacy Policy explains what data we collect from users of the CandID platform, how we use and store that data, and the measures we take to keep it secure. It applies to all users invited or registered via their organization’s CandID deployment in the United States, the Middle East, or other regions where we operate. We collect and process personal data only as needed to operate our software’s features (such as our EPC models and search functionality) and do not use customer data to train our AI models. Because CandID’s platform is web-based (with no mobile applications), our data collection is limited to information provided through the web interface or generated during web usage.

By using CandID’s services, you acknowledge that you have been informed of our data practices as described in this Policy. If you do not agree with this Policy, please refrain from using the CandID platform. We may update this Privacy Policy from time to time, and will notify clients of significant changes. If you have any questions about this Policy or our data handling, please contact us using the information provided at the end of this document.

Data We Collect and How We Use It

CandID collects only the data necessary to provide, secure, and support our services. The types of data we collect, and their purposes, include:

  • Account Information: When a user account is created by an organization’s administrator, we collect personal identifiers such as name, work email address, role, and login credentials. This information is used for authenticating users, managing access to the platform, and associating user actions with an account. We also may record administrative settings (e.g. user roles or permissions) as configured by your organization. Purpose: To create and maintain user accounts, verify identity at login, and allow your organization’s administrators to manage user access.

  • User-Provided Content: CandID’s platform allows client organizations and their authorized users to input, upload, or generate content relevant to EPC projects – for example, project data, engineering documents, models, or search queries run through our system. All content and data that you or your organization enter into CandID (“Customer Data”) is stored and processed strictly to fulfill that organization’s needs (such as indexing data for search results or running CandID’s EPC analytics models on the provided data). Purpose: To enable core functionality of the CandID software, such as providing intelligent search across project documents and running analytic models. We do not use Customer Data for any purpose outside of providing the agreed-upon services to that client, and we do not use customer-provided content to train our machine learning models or improve our algorithms without explicit permission. Each client’s data is logically isolated so that no other client or unauthorized party can access it.

  • Usage Data: We collect certain information automatically about how users interact with the CandID platform. This may include log data such as user actions within the software (e.g. search queries, menu selections), timestamps of activities, IP addresses, browser type, and other technical details transmitted by your web browser. We do not use third-party analytics, tracking pixels, or profiling tools on our platform; all usage data is collected by CandID solely for our internal operational purposes. Purpose: To operate and maintain the service (for example, to execute search requests and model computations), to monitor system performance, to troubleshoot issues, and to ensure the security of the platform (such as detecting misuse or unauthorized access). Usage logs may also be used in aggregate form to help us understand overall system usage and improve reliability, but not to profile individual users.

  • Support and Correspondence: If you contact CandID for support or with inquiries (for example, via email or an in-platform help interface), we may collect your contact information and any details you provide about your issue. Purpose: To respond to your requests, provide customer support, and improve the support experience. We may retain communications to keep a record of support history.

CandID does not collect sensitive personal data such as home addresses, personal phone numbers, social security numbers, or financial information through the normal use of the platform, as our service is business-oriented. We do not intentionally collect any special categories of personal data (such as health data or biometric identifiers) or any data from children, as the platform is intended for use by adult professionals under their organization’s supervision.

Data Storage and Security

We understand the importance of securing the data entrusted to us. CandID implements robust data storage and security measures to protect personal and customer data against unauthorized access, alteration, disclosure, or destruction:

  • Cloud Deployments: For clients who choose a cloud deployment, customer data (including user account info, content, and usage logs) is stored in CandID’s or the client’s secure cloud environment. CandID’s servers are located in controlled data centers with security measures in place such as physical security, firewalls, and intrusion detection. We utilize encryption to protect data both in transit (e.g. using HTTPS for data exchange) and at rest in our databases. Access to cloud-stored customer data is restricted to a limited number of authorized CandID personnel who require it to maintain the service or provide support. Our staff are bound by confidentiality obligations and use of customer data is strictly limited to the purposes outlined in this Policy. Importantly, we do not use or access customer data for any reason other than to operate and support the CandID platform for that customer. In line with our principles, customer data in the cloud is not mined for product development or marketing, and we never use it to train general models.

  • On-Premises Deployments: For clients deploying CandID on-premises within their own IT infrastructure, all data remains on the client’s servers and environment. In these cases, CandID does not host the data on our servers; the client organization is responsible for the physical storage and security of the data in their on-site system. CandID’s access to on-premises data is nonexistent or extremely limited – we do not have routine access to data stored in an on-prem deployment. Any maintenance or support that requires access to on-premises data would be performed under the client’s control and authorization (for example, a client may send us a subset of data for troubleshooting, or temporarily grant access during a support session, if needed). By keeping on-prem data within the client’s own network, we ensure that such data remains completely within the client’s control and complies with any data residency or segregation requirements they may have.

  • Data Isolation: Each client’s deployment (whether cloud or on-prem) is isolated from others. In cloud deployments, we use logical access controls and separate databases or data stores for each client to prevent any data leakage between organizations. Users can only access data associated with their own organization’s CandID instance. For on-prem deployments, the software is configured to operate within the client’s internal network, further ensuring isolation.

  • Security Practices: CandID follows industry best practices for cybersecurity. This includes regular security audits, applying updates and patches to our software to address vulnerabilities, and continuously monitoring for suspicious activities or threats. We employ measures such as access controls, authentication requirements, and administrative safeguards to protect user accounts and data. All CandID employees undergo security and privacy training, and internal policies govern how we handle customer information. In the event of a security incident or data breach, we have an incident response plan to promptly address and mitigate any potential harm, and we will notify affected clients in accordance with applicable laws and our contractual obligations.

Data Sharing and Disclosure

CandID respects the confidentiality of your data. We do not sell or rent personal data to any third parties for marketing or any commercial purposes. In fact, our platform uses no third-party analytics or advertising integrations that collect user data. This means we do not send your information to third-party analytics platforms, social media trackers, or ad networks.

Generally, CandID does not disclose your personal information or Customer Data to outside parties except in a few narrow circumstances, such as:

  • Service Providers (Subprocessors): We do not utilize any external subprocessor for our core service (all processing is done by CandID’s software). In cloud deployments, the cloud hosting provider (for example, a reputable data center or IaaS provider) may technically handle data storage on our behalf. Any such infrastructure providers are under strict contractual obligations (including data protection agreements) and cannot use your data for any purpose except to provide the infrastructure services to us. We do not otherwise share data with third-party vendors because our solution is self-contained without external integrations.

  • Legal Compliance: We may disclose data if required to comply with applicable laws, regulations, legal processes, or enforceable governmental requests (such as a court order or subpoena). In such cases, we will only disclose the minimum amount of information necessary and, whenever legally permissible, we will notify the client organization of the request. Our policy is to carefully review each request to ensure it has valid legal authority.

  • Protection of Rights and Safety: If necessary, we may share information to enforce our terms of service or other agreements, or to investigate and protect against fraudulent or illegal activity affecting CandID. This includes exchanging information with law enforcement or other entities for security or fraud prevention, but only when appropriate and lawful.

Other than the above scenarios, your information stays within the CandID environment (or strictly within your own environment for on-premises deployments). CandID does not use data for any advertising purposes, nor do we engage in “profiling” of users beyond what is needed to operate the service. Clients have control over their data; for example, administrators at your organization may choose to export or integrate their data with other systems via CandID’s features (if available), but such actions are initiated and managed by the client, not CandID. In those cases, the client assumes responsibility as a controller for any data they choose to extract and use outside our system.

User Account Management and Choices

CandID’s platform is accessible only to authorized users who belong to a client organization. Users must be invited or created by their organization’s administrator in order to have an account on the platform. There is no public self-service signup. Your organization’s CandID administrator provides us with your basic account details (name, email, etc.) to create your user profile. They also control your access privileges (such as what projects or data you can see in the platform).

Account Access and Responsibilities: As a user, you are responsible for maintaining the confidentiality of your login credentials. CandID’s authentication system may integrate with your organization’s single sign-on (SSO) or identity provider if configured, in which case your organization manages your login security. You should notify your administrator immediately if you suspect any unauthorized use of your account. CandID will never ask you for your password. Our system may log account activities (like login time, IP address) to help your organization monitor account security.

Profile Information: The only personal profile data CandID typically stores is your name, contact information (such as email), job title/role, and any preferences or settings you configure in the app. This information is visible to your organization’s admins and possibly other users within your organization’s CandID workspace (for example, your name and email might appear on comments or content you add within the platform). CandID does not expose your profile information to the public or to other client organizations.

User Choices and Control: Because CandID is an enterprise tool, individual users have limited direct control over data retention – this is largely handled by the client organization. However, you may have certain rights under privacy laws (depending on your jurisdiction) to access, correct, or delete personal information. We honor all valid requests, but because we act as a service provider for your organization, we may refer your request to your organization’s administrator. For example, if you wish to have your user account removed, you should contact your organization’s CandID admin; they can deactivate or delete your account which will remove or anonymize personal data in the platform. If your organization requests CandID to delete data (for instance, upon contract termination or an individual’s departure), we will comply, provided that it is in accordance with our legal obligations and backup retention policies.

International Data Transfers and Regional Privacy

CandID primarily serves businesses in the United States and the Middle East, and we are mindful of the different data protection expectations in these regions. Where We Store Data: For cloud deployments, customer data is generally stored on servers located in the region agreed upon with the client. U.S.-based clients’ data will typically reside on servers in the United States. Clients in the Middle East may opt to have their cloud deployment hosted in a data center within or near their region (subject to availability), to satisfy data residency requirements. We will not transfer a client’s Customer Data out of the originally agreed region unless instructed by the client or required for support purposes, and even then, always with adequate protections.

Compliance with Local Laws: CandID complies with applicable data protection laws and regulations in the jurisdictions where we operate. Privacy laws in the Middle East (for example, in jurisdictions like the UAE, Saudi Arabia, etc.) may impose certain requirements on how personal data is handled and whether it can leave the country. For clients operating under such regulations, our on-premises deployment option helps ensure all data stays on-site under the client’s control, while our cloud deployments can be configured to use regional hosting when necessary. In all cases, we implement appropriate safeguards for personal data. If data is transferred from one country to another (for instance, if a U.S. support engineer must access data from a Middle Eastern client with permission), we ensure that lawful transfer mechanisms are in place (such as standard contractual clauses or equivalent measures), and that the data remains protected to the standards of the originating region.

International Users: If you are accessing CandID from outside of the United States, be aware that your personal data may be processed in the U.S. or another region where our servers are located or where our personnel are based. Those countries might not have the same data protection laws as your home jurisdiction. However, we will always handle your information as described in this Privacy Policy, and we will take steps to ensure applicable legal protections are respected (for example, we will obtain any required consents or agreements for transfer). By using CandID, or by providing information to us, you consent to the transfer of your data to the U.S. or other relevant country, in accordance with this Policy.

Data Retention

We retain personal data for as long as it is necessary to fulfill the purposes outlined in this Policy or as required by our contractual agreements and applicable law. In practice, this means:

  • Account Data: Account data is kept active for as long as your CandID user account exists. If you leave your organization or your account is deleted by an admin, we will remove or anonymize personal information associated with your account upon request or in accordance with our agreement with the client. Some metadata (like logs of system activity) may persist in backups or audit logs for a limited period, but such data will eventually be purged according to our retention schedules.

  • Customer Content: Data that your organization stores in CandID (project files, indices, etc.) is retained for the duration of the service contract. If a client decides to terminate the service or delete certain content, we follow their instructions to delete or return the data. On contract termination, CandID will either return all client data to the client or securely erase it from our systems (except for any data we are required to retain by law, or which resides in secure backups which will expire). For on-prem deployments, data retention is under the client’s direct control on their own systems.

  • Usage Logs: Basic usage and log data are typically retained for a short period for troubleshooting and security (for example, maintaining log files for a few weeks or months). We may retain aggregated, non-identifiable usage statistics longer to help improve system performance. If any logs contain personal identifiers, we treat them as personal data and limit retention as per our policies or legal requirements.

CandID conducts periodic reviews of the data we hold and deletes or anonymizes information that is no longer needed for any legitimate business purpose. We also honor specific client requests for data deletion, export, or other actions as required under law (for example, assisting a client in fulfilling an individual’s request under GDPR or other laws, if applicable).

Your Privacy Rights

Depending on your location and applicable privacy laws, you may have certain rights regarding your personal data. These can include the right to access your data, correct or update it, request deletion, restrict or object to certain processing, or obtain a copy of your data in a portable format. CandID is committed to helping our clients and their users exercise these rights:

  • Access and Correction: You can review and update some of your account information by logging into your CandID profile (if editing features are available) or by contacting your organization’s administrator. If you need assistance accessing data that isn’t available through the platform, you or your administrator can contact us and we will help provide the information we have about you, within a reasonable timeframe.

  • Deletion: If you wish to delete personal data, you should typically request this through your organization (who controls the data in the platform). Upon a valid request from the client or from you via the client, CandID will delete or anonymize the requested personal data from the active systems, unless retention is required by law. Note that complete erasure from backups may take additional time as per our normal backup lifecycle.

  • Objection or Restriction: You may have the right to object to certain processing (for instance, if we were using your data for marketing — which we currently do not). Since CandID does not process user data for marketing or unrelated purposes, this is usually not applicable. If you have concerns about how your data is being used, please contact your administrator or CandID to discuss any limitations or preferences.

  • Portability: We support data portability through export features for our client organizations. If an individual user needs a copy of their personal data (such as profile info or content they personally uploaded), we can assist the client in providing that in a structured, commonly used format.

CandID will not discriminate against any individual for exercising their privacy rights. If you contact us directly about your personal data and we act as a data processor for your organization, we may advise you to coordinate with your data controller (your employer) as necessary. We will cooperate with our clients to ensure that privacy rights requests are fulfilled in accordance with applicable laws.

Cookies and Tracking

Our CandID platform uses minimal cookies and similar technologies, primarily to ensure secure authentication and session management. These are first-party cookies (placed by CandID) and are essential for the service to function (for example, remembering that you are logged in as you navigate between pages). We do not use any advertising or analytics cookies. As noted, we have no third-party trackers on our application. Because our cookies are only functional in nature, the platform may not present a cookie consent banner for logged-in use, since we do not engage in cookie-based profiling or marketing. However, if our public corporate website (outside the CandID app) uses any cookies, we provide a separate Cookie Notice on that site. Within the application, you cannot opt out of essential cookies without impacting functionality (like logging in), but since they are only used for providing the service, they are exempt from many consent requirements. Should we ever introduce non-essential cookies, we will update our policies accordingly and obtain necessary consents.

Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or CandID’s data practices, please contact us:


Email: info@candidintelligence.com
Address: 506 Market St, San Francisco, CA 94105, USA

We also welcome you to reach out to us through your account representatives or our support channels for any privacy or data security inquiries. If you need to report a potential security issue or incident, please email us at info@candidintelligence.com.

Your privacy is important to us, and we are committed to protecting your personal information. If you believe that we have not addressed your concern satisfactorily, depending on your jurisdiction, you may have the right to lodge a complaint with a supervisory authority or regulator. We would, however, appreciate the chance to address your concerns directly first.

Thank you for trusting CandID with your data. We strive to maintain that trust through our ongoing commitment to privacy and security.
