HyreSure Privacy Policy

Quick Summary (Plain English)

• What we collect: Account and contact details, role/job info, usage data, device/browser info, payment details (via our payment processor), resumes/CVs you upload, and-if you use RecruitFlow’s “Kundli”-public, professional digital-footprint data we reasonably link to a candidate.
• Why we use it: To provide and secure the Services, enable AI-assisted hiring, assess candidates (when directed by our customers), improve features, support you, and meet legal requirements.
• AI use: We use reputable AI providers to power JD generation, screening/matching, interviews, assessments, and analytics. Your prompts/inputs/outputs may be processed by third-party AI vendors acting as our processors.
• B2B model: For candidate and hiring data, we typically act as a processor to our customer (the employer). For our marketing website and account billing, we act as a controller.
• Your rights: Depending on your location, you can request access, correction, deletion, portability, or objection/opt-out of certain processing (e.g., targeted ads). You can request human review for impactful automated decisions.
• Security: We use industry-standard safeguards, encryption in transit/at rest, access controls, and audit logging.
• International transfers: We use approved transfer mechanisms (e.g., EU SCCs/UK IDTA; DPDP-compliant measures in India; US State law requirements).
• Choices: Cookie preferences, marketing opt-outs, opt-outs of targeted advertising, and controls over AI/“Kundli” participation (as applicable).

1) Who We Are and How to Contact Us

Controller (marketing/billing/support): Bodhitva AI Inc., 8729 Havenwood Trail, Plano, TX 75024, USA

Email: legal@hyresure.ai

Processor (hiring workflows): For data we process on behalf of our business customers (employers/organizations using HyreSure), they are the controller and we are their processor under applicable law.

EU/UK Representative (GDPR/UK GDPR): Not currently appointed.

India Grievance Officer (DPDP): Kripa Mohapatra kripa@bodhitva.ai

2) Scope of this Policy

This Policy applies to:

• Websites: e.g., hyresure.ai, hyresure.com, hyresure.in, and pages that link here.
• Products: RecruitFlow (JD/ATS/orchestration + digital-footprint analytics “Kundli”), SkillBoard (assessments), InterviewHub (AI interviews).
• Business interactions: Sales, events, customer support, and communications.

It does not apply to third-party sites/services you integrate (e.g., job boards, identity providers, ATS/HRIS). Those are subject to their own policies.

3) Key Definitions

• Personal Information / Personal Data: Any information that identifies or relates to an identifiable individual.
• Controller / Processor: As defined by GDPR/UK GDPR.
• Sensitive Personal Information: Includes special categories (e.g., health, biometric, precise location) and any sensitive fields defined by applicable law.
• Kundli / Digital-Footprint Analytics: RecruitFlow’s optional module that compiles publicly available professional signals (e.g., LinkedIn/GitHub URLs, publications) to generate employability insights.

4) What We Collect

A. Information you provide

• Contact details (name, business email, phone), company, job title/role.
• Account credentials (hashed passwords), workspace/team info.
• Resumes/CVs, JD content, hiring notes, assessment answers, interview recordings/transcripts (when features are enabled).
• Billing and subscription data (billing name, address). Payment card data is handled by our payment provider (e.g., Zoho Payments); we do not store full card numbers. See their policy for details.
• Support requests, feedback, and survey responses.

B. Automatically collected

• Device/browser data (IP, user agent, OS), session and usage analytics, product telemetry, crash logs.
• Cookies, local storage, SDK pixels (see Cookies & Tracking).

C. From third parties / public sources

• With your direction or our customer’s: job boards, ATS/HRIS, identity providers, SSO, calendar, or video platforms.
• Public, professional sources for Kundli (e.g., public profiles or repositories) where permitted and consistent with law and platform terms.

We do not intentionally collect: government IDs, precise geolocation, or special-category data unless a customer explicitly provides it for a clear hiring purpose and lawful basis-and even then, we recommend not collecting sensitive data.

5) How We Use Personal Information (Purposes & Legal Bases)

A. As Controller (marketing, billing, website)

• Provide and improve the site and account experience.
• Communicate about features, security, and updates; send marketing with opt-out.
• Security, fraud prevention, debugging, and compliance.

Legal bases (GDPR/UK): performance of contract, legitimate interests, consent (where required), and legal obligation.

B. As Processor (hiring operations for customers)

• Execute employer-directed workflows: JD creation, publishing, resume parsing, matching/scoring, assessments, interviews, and analytics.
• Generate reports (e.g., candidate scorecards, interview transcripts).
• Provide RecruitFlow Kundli where enabled by the customer.

Legal bases: Determined by the customer (controller). We process under the customer’s instructions and our Data Processing Addendum (DPA).

C. AI-enabled features

We use AI to assist with JD drafting, resume matching, interview Q&A, scoring/analytics, and assessment content. See Section 8 for details.

6) When We Share Information

• Service providers (processors): hosting, storage, analytics, security, logging/observability, communications, payments, AI inference, video/voice (e.g., LiveKit), transcription (e.g., STT), TTS, and email.
• Customer’s direction: with job boards, ATS/HRIS, or other integrations they configure.
• Affiliates: for internal operations consistent with this Policy.
• Business transfers: M&A, financing, or reorganization.
• Legal: compliance with law, valid requests, defending rights, preventing harm.
• Advertising/analytics on websites only: limited data for measurement and to manage ads (no sale of candidate data processed on behalf of customers).

We do not sell candidate data processed as a processor. For website analytics/ads, see US State Notices and Cookies & Tracking.

7) Cookies & Tracking

We use cookies/SDKs for:

• Strictly necessary (security, auth, load-balancing)
• Functionality (preferences)
• Analytics (usage/feature performance)
• Advertising/retargeting on public web pages (not inside product UIs unless disclosed)

You can manage preferences via our Cookie Settings (or your browser). Where required, we obtain consent (e.g., EEA/UK).

8) AI, Automated Processing & Human Oversight

• Providers: We may use third-party AI providers (e.g., OpenAI, Anthropic, Groq, Deepgram for STT, Cartesia/other TTS, and similar) as processors under contract. Inputs (prompts, resumes, JD text), outputs, and limited technical metadata may be processed to deliver features.
• Model training: We do not permit AI vendors to use your inputs/outputs to train their models unless (a) you bring your own vendor/key and accept their terms that allow it, or (b) you explicitly consent through in-product controls or a separate agreement.
• Automated scoring/matching: Our outputs (e.g., resume match scores, interview analytics, assessment scores, Kundli insights) are decision-support tools. Customers should not rely solely on automated outputs for hiring decisions.

Your choices:

• Customers can disable specific AI features.
• Individuals can request human review of impactful automated assessments where applicable law provides this right.
• Individuals can opt out of Kundli processing where we are controller (website trials, demos). Where we are processor, contact the employer (controller) directly; we assist them in fulfilling your request.

9) RecruitFlow “Kundli” (Digital-Footprint) Disclosures

• Sources: We compile publicly available professional signals reasonably linked to a candidate (e.g., public profiles, publications, repositories). We do not deliberately collect non-public or sensitive data, nor circumvent access controls.
• Purpose: To provide decision-support analytics to hiring teams: identity corroboration signals, skills evidence (e.g., public repos), activity recency, endorsements, and topical affinity.
• Fairness & accuracy: Signals can be incomplete or context-dependent. Customers should use them as one input among many and offer candidates a chance to provide corrections or context.
• Contest/Correction: Individuals may request correction or suppression of specific URLs/signals; we will validate and action where appropriate and technically feasible.
• Respect for platforms & law: We honor robots.txt and platform terms and avoid rate/abuse patterns. We comply with applicable IP, ToS, and privacy laws.

10) Retention

• Customer (processor) data: As directed by the customer’s agreement and retention settings; typically deleted or anonymized within 90 days after contract end unless law requires longer.
• Website/account (controller) data: Kept as long as needed for the purposes described, then deleted or anonymized (typical horizons: billing records 7 years; support logs 24 months; telemetry 12–24 months).
• Backups: Data in backups is securely stored and rotated on a set schedule; if immediate deletion is impracticable, we isolate from further processing until overwritten.

11) Security

We implement administrative, technical, and physical safeguards, including:

• Encryption in transit and at rest;
• Role-based access controls and SSO/MFA options;
• Least-privilege and segregation of duties;
• Audit logging and anomaly detection;
• Secure SDLC, vulnerability management, and third-party risk reviews;
• Incident response and breach notification procedures consistent with applicable law.

No system is 100% secure; we continuously improve our defenses.

12) Children

Our Services are for professional hiring and are not directed to children. We do not knowingly collect data from individuals under 18. If you believe a minor provided data, contact legal@hyresure.ai and we will delete it.

13) Your Privacy Rights

Depending on your location, you may have rights to:

• Access, correct, or delete your Personal Information;
• Receive a portable copy;
• Object to or restrict certain processing;
• Opt out of targeted advertising, certain profiling, or “sale”/“sharing” (as defined by law);
• Withdraw consent where processing is based on consent;
• Request human review of impactful automated decisions (where applicable).

How to exercise:

• If you are a candidate whose data is processed for an employer, please contact that employer (controller). We will support them in fulfilling your request.
• For website/account data or demos where we are controller, email legal@hyresure.ai or use the in-product request form (if available). We will verify your identity and respond as required by law.
• You may use an authorized agent where permitted (e.g., California); we will require proof of authorization and may verify directly.

14) Do-Not-Track & Global Privacy Control

Industry standards for DNT are not finalized, but we honor applicable Global Privacy Control (GPC)/universal opt-out signals where required (e.g., in California/Colorado) for website tracking categories that constitute “sale”/“sharing” or targeted advertising.

15) US State-Specific Notices (e.g., CA/VA/CO/CT, etc.)

• We provide the rights and controls described above.
• On public web pages, certain analytics/ads may be considered “selling” or “sharing” under California law. You can opt out via Cookie Settings or our Do Not Sell/Share My Personal Information page, and via applicable GPC signals.
• We do not sell candidate data we process as a processor for employers.

Notice at Collection (California): We collect identifiers, commercial information (limited to subscription/billing metadata; card data handled by the payment processor), internet/network information, professional and education information, and inferences. We use them for the purposes described above. Retention follows Section 10.

16) GDPR/UK GDPR Disclosures (EEA/UK)

• Controllers: For website/account/billing, Bodhitva AI Inc. is controller.
• Processors: For hiring data, the customer (employer) is controller; we are processor.
• Legal bases: Contract, legitimate interests (e.g., product telemetry, security), consent (e.g., cookies/marketing in EEA/UK), legal obligation.
• Transfers: We use approved mechanisms (e.g., EU Standard Contractual Clauses (SCCs), UK Addendum/IDTA).
• Rights: Access, rectification, erasure, portability, restriction, objection, and consent withdrawal; complain to your supervisory authority.

EU/UK Representative: Not currently appointed.

17) India (DPDP Act) Disclosures

• Role: We may act as a Data Fiduciary (controller) for website/account data and as a processor for employer-directed hiring data.
• Grounds: Consent or “deemed consent” where applicable (e.g., employment/hiring context), plus legitimate uses allowed by DPDP and other sectoral rules.
• Rights: Access, correction, updating, and erasure; grievance redressal.
• Cross-border: Transfers conducted per DPDP rules and any notified restrictions.
• Grievance Officer: Kripa Mohapatra kripa@bodhitva.ai

18) International Data Transfers

We operate globally. When transferring Personal Information internationally, we rely on:

• Contractual safeguards (e.g., SCCs/UK IDTA),
• Applicable statutory allowances (DPDP), and
• Additional technical/organizational measures (encryption, access controls).

19) Subprocessors

We engage carefully vetted subprocessors for hosting, storage, analytics, logging, communications, video/voice, transcription, TTS, and AI inference.

We maintain an up-to-date Subprocessor List.
We require contractual data protection commitments and assess security posture.

20) Your Choices

• Marketing: Opt out via unsubscribe links or by emailing legal@hyresure.ai.
• Cookies: Manage via Cookie Settings and browser controls; withdraw EEA/UK consent anytime.
• AI Features: Customers can disable modules. Individuals can request human review for impactful decisions and may object to Kundli in controller contexts.

21) Data Processing Addendum (DPA)

For B2B customers, our DPA (including SCCs/UK IDTA as applicable) governs processor activities, security, assistance with data subject requests, breach notification, and deletion/return of data.

View our Data Processing Addendum (DPA). For questions, email legal@hyresure.ai or contact your account team.

22) Changes to this Policy

We may update this Policy to reflect legal, technical, or business changes. We’ll revise the Effective date and, where required, provide prominent notice.

23) Contact

For candidate data controlled by an employer using HyreSure, please contact that employer first. We will support them in fulfilling your request.