Privacy Policy

Last updated on April 05, 2024

CarrotHR, Inc. (d/b/a “Assembly,” “we,” “us,” “our”) is committed to protecting your privacy through our compliance with the policies and practices in this notice.

This notice describes the types of information we may collect from you or that you may provide to us when you visit our website at or use the Assembly service. In this notice we refer to our website and our service collectively as the "Site." This notice also describes our practices for collecting, using, maintaining, protecting, and disclosing that information. Your use of the Site is subject to our Terms of Service or other written agreement between you or your organization and us.

This notice applies to information we collect:

  • on the Site;
  • in email, text, or other electronic messages between you and us or other users in your organization through the Site;
  • through mobile and computer applications you access, enable or integrate through the Site; and

It does not apply to information collected by:

  • on the Site;
  • us offline or through any other means, including on any other website operated by us or any third party; or
  • any third party, including through any application or content that may link to or be accessible from the Site.

By accessing or using the Site, you agree to the policies and practices described in this notice. If you do not agree with our policies and practices as described in this notice, you may not use the Site. We may change this notice from time to time. Your use of the Site at any time indicates your acceptance of the version of this notice posted on the Site at such time, so please check this notice periodically for updates.

Children Under the Age of 13

The Site is not intended for use by children under 13 years of age, and we do not knowingly collect any information from or about children under 13. If you are under 13, do not use the Site for any reason. If we learn we have collected or received personal information from or about a child under 13 without verification of parental consent, we will delete that information. If you believe we might have any information about a child under 13, please contact us at

Information We Collect About You

We collect several types of information from and about users of the Site, including information:

  • by which you may be personally identified, such as name, e-mail address or other contact information, or any other identifier by which you may be contacted online or offline ("personal information"); and
  • that is about you but individually does not identify you, such as information about your internet connection, the equipment you use to access the Site and usage details.

We collect this information:

  • directly from you when you provide it to us;
  • automatically as you navigate through the Site, such as usage details, IP addresses, and information collected through cookies and other tracking technologies; and
  • from third parties, such as Hubspot, Google Analytics, Intercom, Fullstory, or Heap Analytics.

Information You Provide to Us

The information we collect on or through the Site may include:

  • information that you provide by filling in forms on the Site, including information you provide when you register to use the Site or send us a request or report a problem with the Site; and
  • details of transactions you carry out through the Site.

You also may provide information to be posted on areas of the Site that are visible on the Site, such as to other users in your organization or that are transmitted to third parties as part of your or your organization’s use of the Site (collectively, "User Contributions"). Your User Contributions are posted and/or transmitted at your own risk. We limit access to certain pages according to our your or your organization’s usage and privacy settings, but you acknowledge that no security measures are perfect or impenetrable. In addition, you acknowledge that we cannot completely control the actions of other users of the Site with whom you may choose to share your User Contributions. Therefore, we cannot and do not guarantee that your User Contributions will not be viewed by unauthorized persons.

Information We Collect Through Automatic Data Collection Technologies

As you navigate through and interact with the Site, we may use automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns, including:

  • details of your visits to the Site, such as traffic data, logs, navigation data and other communication data and the resources that you access and use on Site; and
  • information about your computer and internet connection, including your IP address, operating system, and browser type.

The information we collect automatically is statistical data and may include personal information. This information helps us to:

  • understand our user base and usage patterns;
  • store information about your preferences, allowing us to customize our Site;
  • improve the Site and deliver a better and more personalized service; and
  • recognize you when you return to our Website.

The technologies we use for automatic data collection may include:

  • Browser cookies. A browser cookie is a small file placed on the storage unit of your device. You may refuse to accept browser cookies by adjusting the settings on your browser, and you may delete cookies that have already been placed there. However, if you refuse or delete our browser cookies, you may be unable to access certain parts of the Site or have to re-enter information in order to use the Site.
  • Web beacons. Pages of the Site and our e-mails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit us, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of certain website content and verifying system and server integrity).

We do not collect personal information automatically, but we may tie this information to personal information about you that we collect from other sources or you provide to us.

Third-Party Use of Tracking Technologies

Some content or features on the Site are served by third-parties, such as ad networks and servers, content providers, and application providers. These third parties may use cookies or other tracking technologies to collect information about you when you use the Site. For example, we use the Invisible reCAPTCHA for security purposes, and Google Analytics for analytics. We do not control these third parties’ tracking technologies or how they may be used. If you have any questions about any targeted content on the Site, you should contact the responsible provider directly. You can read more about Google Analytics and Invisible reCAPTCHA at

How We Use Your Information

We use information that we collect about you or that you provide to us:

  • to present the Site and its contents to you;
  • to provide you with information, products, or services that you request from us;
  • to fulfill any other purpose for which you provide it;
  • to provide you with notices about your account or about changes to the Site;
  • to carry out our obligations and enforce our rights under any contracts entered into between you or your organization and us;
  • to allow you to participate in interactive features on the Site;
  • in any other way we may describe when you provide the information; and
  • for any other purpose with your specific consent.

Enhancing Services with OpenAI API:

  • To offer innovative and improved functionalities within our Assembly service, we may utilize the OpenAI API for specific features, including but not limited to, natural language processing and automation tasks. It is our priority to ensure the privacy and security of our users' information in the following ways:
  • No Personal Data Sharing: We do not share any personal information of our users with OpenAI. The use of OpenAI's API is carefully managed to ensure that any data processed does not include personal information, thus safeguarding your privacy.
  • Prohibition on Data Training Usage: We have taken measures to ensure that our customers' data are not used by OpenAI for the purpose of training their AI models. Data sent to OpenAI's API is strictly for fulfilling the requested service without contributing to the training of OpenAI's algorithms.
  • Commitment to Data Privacy and Security: Our use of the OpenAI API adheres to our stringent data privacy and security standards. We implement robust safeguards to prevent any unintended data sharing and continuously monitor our processes to ensure full compliance with our privacy commitments.
  • By continuing to use our Site and services, you acknowledge our use of the OpenAI API under these specified conditions. We are dedicated to transparency and encourage any inquiries or concerns regarding our data practices to be directed to

We may also use your information to contact you about our own products and services that may be of interest to you. If you do not want us to use your information in this way, please click the ‘unsubscribe’ link in the bottom of any marketing email we’ve sent you.

We may use the information we have collected from you to enable us to display advertisements for our products and services. We only retain personal information for as long as your (or your organization’s) account is active or as necessary to provide services to you or your organization under our Terms and Conditions of Service or other agreement between you or your organization and Assembly.

Please note: The California Consumer Privacy Act of 2018 (“CCPA”) requires businesses to state in their privacy policy whether or not they disclose personal information in exchange for monetary or other valuable consideration. While CCPA only covers California residents, when it goes into effect we will voluntarily extend its core rights for people to control their data to all of our users in the United States, not just those who live in California. You can learn more about the CCPA and how we comply with it here.

Disclosure of Your Information

We may disclose aggregated, anonymized information about our users without restriction.

We may disclose personal information that we collect or you provide as described in this notice:

  • to fulfill the purpose for which you provide it, such as to notify another user in your organization of recognition received, to activate an integration that you select with a third-party service, or to redeem points from a third-party vendor;
  • to service providers, such as payment processors, we use to support our business and who are bound by contractual obligations to keep personal information confidential and use it only for the purposes for which we disclose it to them;
  • to a buyer or other successor of our company in the event of a merger, acquisition, sale of assets or other major corporate event in which the Site is among the transferred assets;
  • for any other purpose disclosed by us when you provide the information;
  • for any other purpose with your consent;
  • to comply with any court order, law, or legal process, or to enforce or apply our terms of use or other agreements between you or your organization and us; or
  • if we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Assembly or its personnel, customers, or others.
Accessing, Deleting, or Correcting Your Information

You can review and change certain elements of your personal information by logging into the Site and visiting your account profile page.

You may also send us an email at to request access to, correct or delete any personal information that you have provided to us. We cannot delete all of your personal information except by also deleting your user account. We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect or if we have a separate legal basis for possessing and processing such information, such as to fulfill the terms of a contract between you or your organization and us.

Copies of some information, such as your User Contributions, may remain viewable in cached and archived pages, or might have been copied or stored by other Site users. We will take reasonable steps to delete such information upon request, but cannot guarantee immediate deletion in all cases.

AI Integrations:

At Assembly, we are committed to safeguarding the privacy and security of our users' data, especially when it comes to our AI integrations. Below, we outline our data retention policies specific to different features that involve AI technology.

App Connections

App connections Sync: For files synchronized through App connections, our data retention policy ensures that these files are indexed for immediate use and then deleted after a period of 24 hours. This brief retention period is designed to balance operational needs with privacy considerations.

File Uploads

Retention Period: Files uploaded through our file upload feature are retained indefinitely until the account is canceled. However, recognizing the need for a definitive data clean-up policy once an account is canceled, we have established a 90-day retention period for these files, after which they will be permanently deleted. 

AI Analytics

For platform usage data utilized by our AI reporting tool and generated reports, we are committed to a principle of minimal data retention, retaining data only as long as necessary for the intended analytical or operational purposes. This period varies based on the specific requirements of each AI feature and is regularly reviewed to ensure compliance with legal standards and privacy best practices. While the exact duration may adjust as our AI features evolve, we aim to limit data retention to a maximum of 60 days, unless operational needs or user actions dictate a shorter period. We empower our users with the ability to manage their data, including the option to close threads, thereby prompting the deletion of associated data within the specified retention period.

Handling of Personally Identifiable Information (PII)

In our use of AI technologies, we take the utmost care to protect your personal information:

Limited Sharing of PII: Only essential personal data, such as basic employee information necessary for answering user queries and providing AI platform usage analysis, is shared with the AI tool. This approach minimizes the risk to your privacy and ensures that the data used is limited to what is strictly necessary for the service provided.

Data Usage by OpenAI: It is important to note that none of the personal data shared with the OpenAI tools is used for training their AI models. This is a key aspect of our partnership with the 3rd Party, aimed at preserving the integrity and confidentiality of your personal information.

Deletion by OpenAI: Our OpenAI partner commits to deleting the limited personal data shared with them after 30 days. This period allows our OpenAI partner to identify any potential abuse of the API while ensuring that data retention is kept to a minimum, in line with our privacy principles.

Data Security

We have implemented reasonable and appropriate measures to secure your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure. The Site is hosted on secure servers provided by our hosting services provider in the United States ("US"). By using the Site or providing us with any information, you acknowledge that the processing of your information, including personal information, will take place in the US as set forth in this notice and our Terms and Conditions of Service or other agreement between you or your organization and Assembly.

The safety and security of your information also depends on you. For example, where we have given you (or where you have chosen) a password for access to certain parts of the Site, you are responsible for keeping this password confidential.

Unfortunately, the transmission of information online is not completely secure, and we cannot guarantee the security of your personal information transmitted to or through the Site, which is done at your own risk.

European Union and Switzerland Users - Privacy Shield

Assembly complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom, and Switzerland to the United States in reliance on Privacy Shield. Assembly has certified that it adheres to the Privacy Shield Principles with respect to such data. If there is any conflict between the policies in this privacy policy and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit

Pursuant to the Privacy Shield Frameworks, EU, UK, and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct their query to If requested to remove data, we will respond within a reasonable timeframe.

We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to

In certain situations, we may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Assembly’s accountability for personal data that it receives in the United States under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Assembly remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process personal data on its behalf do so in a manner inconsistent with the Principles, unless Assembly proves that it is not responsible for the event giving rise to the damage.

In compliance with the Privacy Shield Principles, Assembly commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. European Union, UK, and Swiss individuals with Privacy Shield inquiries or complaints should first contact Assembly at:

Assembly has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit for more information and to file a complaint. This service is provided free of charge to you.

If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at

With respect to personal information received or transferred pursuant to the Privacy Shield Framework, we are subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.

Changes to Our Privacy Policies and Practices

We will inform you of any changes we make to our privacy policies and practices that affect this notice by posting an updated notice on this page and/or by sending you a notice of the update. The date this notice was last revised is identified at the top of the page. You are responsible for ensuring we have an up-to-date active and deliverable email address for you, and for periodically visiting the Site and this notice to check for any changes.

Contact Information

To ask questions or comment about this notice and our privacy policies and practices, please contact us at: