Privacy Policy — Eight Point Solutions Portal (EPS Portal)

Plain-language summary

EPS Portal is a hybrid learning management system (LMS) plus recruiting and employer/HR dashboard. We process data in two ways:

• As a "controller" for core platform operations (security, authentication, account administration).
• As a "processor/service provider" for employer-directed HR and recruiting processing when third-party employers use EPS Portal to manage candidates, employees, and training.

1) Who we are

Eight Point Solutions LLC ("Eight Point Solutions," "EPS," "we," "us," or "our") provides the EPS Portal platform.

Contact

2) Scope

This Privacy Policy explains how we collect, use, disclose, and safeguard information when you access or use EPS Portal and related services (the "Services"), including:

• LMS features (courses, assessments, certificates)
• Job seeker and recruiting features (job postings, applications)
• Employer/HR features (workforce administration, attendance, leave workflows, payroll-related administration where enabled)

This Privacy Policy does not replace an employer's own privacy notice or employment notices. If you interact with EPS Portal as a candidate, employee, or contractor of a third-party employer, that employer may provide additional notices describing how they use your data.

3) Roles and responsibilities (Controller vs Processor)

A) When Eight Point Solutions is a Controller

We act as an independent "controller" for personal data we process to operate and secure EPS Portal, such as:

• Creating and administering accounts
• Authenticating users and maintaining sessions
• Preventing fraud, abuse, and unauthorized access
• Platform monitoring, debugging, and reliability
• Customer support and service communications
• Billing and subscription administration (if applicable)

B) When Third-Party Employers are Controllers

If a third-party employer (an "Employer Customer") uses EPS Portal for recruiting, HR administration, training management, pay administration, or workforce compliance, then:

• The Employer Customer is the "controller" for the personal data it uploads, enters, or otherwise processes through EPS Portal for its business purposes.
• Eight Point Solutions acts as a "processor" (GDPR) and "service provider/contractor" (CPRA/CCPA) for that Employer Customer.

Employer Customers are responsible for:

• Providing legally required notices to their candidates/employees
• Establishing a lawful basis for processing (where required)
• Making hiring and employment decisions
• Responding to employment-law obligations (EEOC/OFCCP/FLSA/IRS, etc.)
• If they run background checks, complying with the Fair Credit Reporting Act (FCRA) and other applicable laws

C) Data Processing Addendum (DPA)

Employer Customers must enter into a Data Processing Addendum (DPA) and/or a service-provider contract with us where required by law.

4) Information we collect

A) Account and Profile Information

• Name, email address, username/role labels
• Profile photo (optional)
• Password (stored hashed; we do not store the plaintext password)

B) LMS and Training Data

• Course enrollments and progress
• Quiz attempts, submissions, and grading data
• Certificates and completion records
• Activity logs (e.g., course access dates)

C) Recruiting and Job Seeker Data

• Applications, resumes/CVs, cover letters
• Job preferences and contact information
• Interview scheduling details and recruiter feedback
• Communications related to applications

D) Employer/HR Data

• Attendance, time tracking, clock-in/out records
• Leave requests and approvals
• Payroll-related administration data (if enabled by the employer)
• Uploaded documents (e.g., certifications, employment forms)

E) Sensitive Data Classification

We require Employer Customers to limit sensitive data collection to what is necessary and to configure access controls. We do not intentionally request or require special-category data (GDPR) unless an Employer Customer enables it for a lawful and documented purpose.

F) Usage Data (Automatic Collection)

• IP address, device and browser attributes
• Log-in timestamps, session identifiers
• Pages/screens visited, feature usage
• Security and audit logs

G) Cookies and Similar Technologies

We use essential cookies for authentication and session management, and security cookies to help prevent fraud. We do not use third-party advertising cookies.

5) How we use information

• Providing and operating the Services (LMS, recruiting workflows, HR workflows)
• Authenticating users and administering accounts
• Supporting Employer Customers
• Messaging and service notifications
• Security and fraud prevention, auditing, and incident response
• Legal compliance and enforcing our terms and policies

6) Google integrations and OAuth

We offer Google authentication and (optionally) Google Calendar synchronization.

A) Google Sign-In

If you sign in using Google, we may request openid, email, and profile scopes.

B) Google Calendar Integration

If an Employer Customer enables calendar integration for authorized users, we may request Google Calendar scope(s) necessary for two-way synchronization.

C) Revoking Access

You can revoke Google permissions in your Google Account settings or disconnect the integration from within EPS Portal.

7) AI features and AI service providers

EPS Portal may offer AI-assisted features (e.g., lesson generation, summarization, or course narration), which may involve third-party AI providers.

A) What We Send to AI Providers

We design AI features to use the minimum data necessary. Employer Customers should avoid placing sensitive personal data into free-text fields intended for AI processing.

B) Automated Employment Decision-Making

Eight Point Solutions does not make employment eligibility decisions through EPS Portal. If an Employer Customer uses AI-based screening, it is the Employer Customer's responsibility to provide legally required notices and ensure human review where required.

C) Training Use and DPAs

OpenAI: Data sent via its API is not used to train models by default.

ElevenLabs: Used for text-to-speech when enabled; processes data per its published DPA.

8) Sharing and disclosure

We do not sell personal information.

A) To Employer Customers

If you apply for a job or are an employee of an Employer Customer, that Employer Customer will have access to the data you submit in that employer's workspace.

B) Service Providers and Subprocessors

We use vendors to host infrastructure, store files, send emails, provide security, and provide optional integrations.

C) Legal and Safety

We may disclose information to comply with law, court orders, or lawful requests, and to protect rights, safety, and security.

D) Business Transfers

If we undergo a merger, acquisition, or sale of assets, information may be transferred as part of that transaction.

9) Data retention

A) General Rule

We retain personal data only as long as necessary for the purposes described in this Privacy Policy.

B) Employer-Controlled Retention

Employer Customers control retention for data in their workspaces.

C) Default Platform Retention

• Account data: retained while active; deleted/deidentified after account closure.
• Security logs: retained for 12–24 months for security and audit purposes.
• Support communications: retained for up to 2 years after ticket closure.
• OAuth tokens: retained only as necessary for session and integration functionality.

10) Security

We use reasonable administrative, technical, and organizational measures to protect information, such as:

• TLS/HTTPS in transit
• Access controls and least-privilege policies
• Security logging and monitoring
• Token-based authentication and secure session handling

No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

11) Security incidents and breach notification

If we become aware of a security incident affecting personal information, we will:

• Investigate and take steps to contain and remediate the incident
• Notify Employer Customers without undue delay
• Provide notices to affected individuals and regulators as required by applicable law

12) International data transfers

Our primary operations are in the United States. If you access EPS Portal from outside the U.S., your information may be transferred to and processed in the U.S.

Where GDPR applies and data is transferred internationally, we will use appropriate safeguards such as Standard Contractual Clauses (SCCs).

13) Your privacy rights and choices

A) Rights for All Users

• Access to certain account data
• Correction of inaccurate data
• Deletion of your account data (subject to legal holds)
• Withdrawal of consent for optional integrations

B) California Privacy Rights (CCPA/CPRA)

California residents may have the right to know/access, delete, correct, and opt out of sale/sharing of personal information. Response timing: within 45 days.

C) EEA/UK Rights (GDPR)

Where GDPR applies, you may have rights to access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making.

D) How to Exercise Rights

14) Cookies and Do Not Track

You can control cookies in your browser settings. Disabling essential cookies may limit platform functionality.

We do not respond to browser "Do Not Track" signals. EPS Portal does not use third-party advertising cookies and does not conduct cross-context behavioral advertising.

15) Children and minors

EPS Portal is not directed to children under 13, and we do not knowingly collect personal information from children under 13 without verifiable parental consent.

16) Background checks (FCRA)

EPS Portal is not a consumer reporting agency and does not itself furnish consumer reports. If an Employer Customer obtains background checks, it is responsible for FCRA compliance.

17) Changes to this policy

We may update this Privacy Policy. We will update the Effective Date and provide additional notice if changes are material.

18) Contact us