Privacy Policy

The MSK Career Portal is a private, invitation-only platform designed to support executive and senior-level career coaching engagements. The platform handles highly sensitive professional information including coaching session notes, career strategy documents, performance reviews, personal career histories, goal-setting records, and communications between coach and client.

We treat all information shared within the portal as strictly confidential. Our data practices are designed to support — not undermine — the trust that is fundamental to an effective coaching relationship. We do not sell, rent, or trade your personal or professional information to any third party for commercial purposes, under any circumstances.

We collect information in the following categories:

We do not collect sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs, health or medical information, biometric data, or financial account details through this portal.

The coaching relationship is built on a foundation of trust and confidentiality. All information shared during coaching sessions — including session notes, personal disclosures, career challenges, organisational dynamics, and strategic plans — is treated as strictly confidential and is governed by the following principles:

Access is strictly limited. Coaching session notes, workbook responses, and personal career documents stored in the portal are accessible only to you (the client) and your assigned coach. No other MSK staff member, contractor, or third party may access this information without your explicit written consent, except in the narrow circumstances described below.

Exceptions to confidentiality. Consistent with professional coaching ethics (including ICF standards), confidentiality may be overridden only in the following circumstances: (a) you provide explicit written consent to share specific information; (b) there is a credible risk of serious harm to you or others; (c) we are required to disclose information by applicable law, court order, or regulatory authority. In such cases, we will notify you in advance wherever legally permissible.

Organisational coaching engagements. If your coaching engagement is sponsored by your employer or another organisation, we may be required to provide high-level progress reports (e.g., session completion status, general development themes) to that organisation. The specific content of your coaching conversations, personal disclosures, and session notes will never be shared with your employer without your explicit consent. The scope of any reporting obligations will be set out in your coaching agreement.

No AI training. Your coaching session notes, career documents, and personal data are never used to train artificial intelligence models, whether by MSK or any third-party provider.

We use the information we collect for the following purposes:

Service delivery. To provide, operate, and maintain the MSK Career Portal, including displaying your coaching sessions, career vault, goals, and progress data to you and your coach.

Communication. To send you session reminders, coaching resources, industry insights newsletters (where you have subscribed), and important service notifications. You may unsubscribe from marketing communications at any time.

Personalisation. To tailor the coaching experience, surface relevant resources, and track progress against your stated career goals.

Security & fraud prevention. To monitor for unauthorised access, enforce rate limits, detect abuse, and protect the integrity of the platform and your data.

Legal compliance. To comply with applicable laws, respond to lawful requests from public authorities, and enforce our terms of service.

Service improvement. To analyse aggregated, anonymised usage patterns to improve the platform's functionality and user experience. Individual coaching data is never used for this purpose.

We will not use your information for any purpose that is incompatible with those listed above without first obtaining your explicit consent.

We do not sell your data. We will never sell, rent, or trade your personal information to third parties for marketing or commercial purposes.

We may share limited information with the following categories of recipients, solely to operate the portal:

Infrastructure providers. Cloud hosting, database, and file storage providers (operating under strict data processing agreements) that host the portal and store your data on our behalf. These providers are contractually prohibited from accessing or using your data for any purpose other than providing services to us.

Authentication provider. We use Manus OAuth for secure login. Your authentication credentials are handled by this provider and are never stored in plain text by MSK.

Legal requirements. We may disclose your information if required to do so by law, subpoena, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to protect the rights, property, or safety of MSK, our clients, or the public.

Business transfers. In the event of a merger, acquisition, or sale of all or substantially all of our assets, your data may be transferred to the acquiring entity. We will notify you before your data is transferred and becomes subject to a different privacy policy.

In all cases, we require any third party that receives your data to maintain confidentiality and to use the data only for the purposes for which it was disclosed.

We retain your personal information for as long as your account is active and for a reasonable period thereafter to fulfil the purposes described in this policy, comply with legal obligations, resolve disputes, and enforce our agreements.

Active accounts. All data associated with your account is retained for the duration of your coaching engagement and for up to three (3) years following the conclusion of your engagement, to allow you to access your coaching history and career documents.

Coaching session notes. Session notes and workbook responses are retained for up to five (5) years following the conclusion of your engagement, consistent with professional coaching record-keeping standards.

Career Vault documents. Documents you upload to the Career Vault are retained until you delete them or request account deletion.

Account deletion. Upon your request, we will delete or anonymise your personal data within 30 days, except where retention is required by law or for the resolution of ongoing disputes. Residual copies may remain in encrypted backups for up to 90 days following deletion.

Technical logs. Server access logs and security logs are retained for up to 12 months.

We take the security of your confidential career and coaching data seriously and implement layered technical and organisational safeguards:

Encryption in transit. All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enforced to prevent downgrade attacks.

Encryption at rest. All data stored in our database and file storage systems is encrypted at rest using industry-standard AES-256 encryption.

Access controls. Access to coaching session data is restricted by role-based access controls. Only you and your assigned coach can view your coaching notes and personal documents. Administrative access to the platform is limited to authorised personnel and is logged.

Authentication. The portal uses secure OAuth 2.0 authentication with signed JWT session tokens stored in httpOnly, Secure, SameSite cookies — not in browser storage — to protect against cross-site scripting attacks.

HTTP security headers. The portal enforces Content Security Policy (CSP), X-Frame-Options (DENY), X-Content-Type-Options (nosniff), and Referrer-Policy headers on all responses.

Rate limiting. Authentication endpoints, API calls, and file uploads are rate-limited to protect against brute-force and denial-of-service attacks.

File upload validation. Uploaded documents are validated against a strict MIME type allowlist on the server. File names are sanitised to prevent path traversal attacks.

While we implement these and other security measures, no system is completely impenetrable. In the event of a data breach that affects your personal information, we will notify you as required by applicable law.

You have the following rights with respect to your personal information, regardless of your location:

Right of access. You may request a copy of the personal information we hold about you at any time.

Right to rectification. You may request that we correct any inaccurate or incomplete personal information we hold about you.

Right to erasure. You may request that we delete your personal information, subject to our legal obligations and legitimate interests in retaining certain records.

Right to data portability. You may request that we provide your personal data in a structured, machine-readable format so that you can transfer it to another service.

Right to restrict processing. You may request that we restrict the processing of your personal information in certain circumstances.

Right to object. You may object to the processing of your personal information for direct marketing purposes at any time.

Right to withdraw consent. Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days.

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) or equivalent legislation applies to our processing of your personal data.

Legal basis for processing. We process your personal data on the following legal bases: (a) performance of a contract — to deliver the coaching services you have engaged us to provide; (b) legitimate interests — to operate and secure the platform, prevent fraud, and improve our services; (c) legal obligation — to comply with applicable laws; and (d) consent — for newsletter subscriptions and any processing not covered by the above bases.

International transfers. Your data may be stored and processed in countries outside the EEA. Where we transfer data internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.

Right to lodge a complaint. You have the right to lodge a complaint with your local data protection authority if you believe we have not handled your personal data in accordance with applicable law.

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you specific rights regarding your personal information.

Right to know. You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purpose for collecting it, and the categories of third parties with whom we share it.

Right to delete. You have the right to request deletion of your personal information, subject to certain exceptions.

Right to opt out of sale. We do not sell your personal information. We do not share your personal information with third parties for cross-context behavioural advertising.

Right to non-discrimination. We will not discriminate against you for exercising any of your CCPA rights.

To submit a CCPA request, contact us at [email protected]. We will verify your identity before processing your request and respond within 45 days.

The MSK Career Portal uses a minimal set of cookies necessary for the secure operation of the platform:

Session cookie. A single httpOnly, Secure, SameSite=Lax session cookie is used to maintain your authenticated session. This cookie is essential for the portal to function and cannot be disabled. It is automatically deleted when you log out or when your session expires.

Analytics. We may use privacy-respecting analytics to understand aggregate usage patterns (e.g., page views, feature usage). This data is anonymised and is not linked to your identity.

We do not use third-party advertising cookies, tracking pixels, or behavioural advertising technologies. We do not permit third parties to place tracking cookies on the portal.

The MSK Career Portal is intended exclusively for professional use by adults aged 18 and over. We do not knowingly collect personal information from individuals under the age of 18. If you believe that a minor has provided us with personal information, please contact us immediately at [email protected] and we will take steps to delete that information.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email (using the address associated with your account) and by posting a prominent notice in the portal at least 14 days before the changes take effect.

The "Last Updated" date at the top of this policy indicates when it was most recently revised. We encourage you to review this policy periodically. Your continued use of the portal after the effective date of any changes constitutes your acceptance of the updated policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We are committed to working with you to resolve any concerns about your privacy. If you are not satisfied with our response, you may have the right to lodge a complaint with your local data protection authority.