Skip to main content

CCPA Notice at Collection

California Consumer Privacy Act (Cal. Civ. Code § 1798.100(b)) — as amended by the California Privacy Rights Act (CPRA)

Version 1.0 | Last updated: 11 May 2026

SummitBridge Horizon Ltd | Companies House 16419201

This Notice applies to California consumers as defined under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), and supplements our general Privacy Policy. It explains what personal information we collect, why, and your rights.

Categories of personal information we collect

In the past twelve (12) months we may collect the following CCPA categories:

  • Identifiers (§ 1798.140(v)(1)(A)) — name, email address, phone, postal address, IP address, online account credentials.
  • Customer records (§ 1798.140(v)(1)(B)) — billing data, license keys, support ticket history.
  • Commercial information (§ 1798.140(v)(1)(D)) — product purchases, subscription tier, payment status.
  • Internet or other electronic network activity (§ 1798.140(v)(1)(F)) — pages visited, search queries on our site, interaction with our AI agents.
  • Geolocation data (§ 1798.140(v)(1)(G)) — approximate location derived from IP address (city-level only).
  • Professional or employment-related information (§ 1798.140(v)(1)(I)) — CV/résumé content if you are assessed via HumanBaseIQ.
  • Inferences (§ 1798.140(v)(1)(K)) — aggregated candidate scoring outputs from our AI systems.
  • Sensitive personal information (§ 1798.140(ae)) — account credentials (login + password); biometric expression analysis where you opt into video interview (see AI Transparency Report).

Purposes

  • Provide, operate, and improve our products and services;
  • Process orders, payments, refunds, and customer support;
  • Run AI-assisted recruitment workflows for HumanBaseIQ customers;
  • Comply with legal obligations (UK GDPR, EU GDPR, CCPA, tax law);
  • Detect fraud, security incidents, and abuse;
  • Transactional communications (account, billing, security).

We use sensitive personal information only for the purposes permitted under § 1798.121(a) and do not use it to infer characteristics about a consumer.

Sale or sharing of personal information

We do not sell personal information.

We do not “sell” or “share” personal information for cross-context behavioural advertising as those terms are defined in §§ 1798.140(ad) and 1798.140(ah). Accordingly, our Do Not Sell or Share My Personal Information link confirms that no opt-out is technically required, but we honour requests to that effect as a courtesy and as a record-keeping measure.

Retention

We retain each category of personal information for no longer than is reasonably necessary for the purpose for which it was collected (§ 1798.100(a)(3)). Concrete retention windows:

  • Server access logs: 90 days;
  • Customer account & billing records: 6 years (UK HMRC requirement);
  • HumanBaseIQ candidate assessments: 12 months from interview, then deleted;
  • Marketing prospect data: 24 months from last interaction.

Your rights under CCPA/CPRA

  • Right to know (§ 1798.110) — what categories and specific pieces we have collected about you.
  • Right to delete (§ 1798.105) — subject to statutory exceptions.
  • Right to correct (§ 1798.106) — inaccurate personal information.
  • Right to opt out of sale/sharing (§ 1798.120) — see /legal/do-not-sell.
  • Right to limit use of sensitive personal information (§ 1798.121).
  • Right to non-discrimination (§ 1798.125) for exercising any of the above.

How to exercise these rights

  • Email: [email protected] with the subject line “CCPA Request”.
  • Web form: /legal/data-subject-rights (we treat CCPA requests through the same channel as GDPR requests).
  • Postal: Privacy Team, SummitBridge Horizon Ltd, 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom.

We will respond within 45 days (§ 1798.130(a)(2)), extendable by 45 days with notice. We may verify your identity before disclosing specific pieces of personal information (§ 1798.140(aj); CCPA Regulations § 7060).

Authorised agents

You may designate an authorised agent to submit requests on your behalf. The agent must provide signed written permission, and we may require you to verify your own identity directly (CCPA Regulations § 7063).