Privacy Policy

1. Information We Collect

We collect the following categories of personal data:

• Account Data — Name, email address, and authentication credentials when you create an account or sign in via Google OAuth.
• Assessment Responses — Written answers, multiple-choice selections, and situational judgement responses submitted during assessments.
• Voice Interview Transcripts — Real-time voice recordings captured during AI voice interviews, which are transcribed and processed for competency scoring.
• Coaching Session Data — Voice recordings and transcripts from AI coaching roleplay sessions, processed for development scoring and feedback.
• Proctoring Data — If camera-based proctoring is enabled, we capture video feed metadata for face detection, look-away detection, and multiple-person detection. No video recordings are stored; only event-level flags are retained.
• B2B Lead Data — Name, work email, company, designation, mobile number, city, and team size submitted through our business enquiry forms.
• Newsletter Engagement — Email address, open rates, and click-through data for subscribers who opt in to our newsletter.
• Usage Analytics — Pages visited, device type, browser information, and interaction patterns collected via analytics cookies.

2. How We Use Your Information

We process your personal data for the following specific purposes:

• Assessment Scoring — Your written responses and interview transcripts are processed by AI models to generate structured scores across defined competency rubrics.
• AI-Generated Reports — Generating personalised thinking reports, competency analyses, strengths, and improvement recommendations.
• Proctoring Integrity — Monitoring assessment-taking conditions to ensure test fairness and detect irregularities.
• Communication — Sending assessment invitations, result notifications, password resets, and newsletter content you have opted into.
• Platform Analytics — Understanding usage patterns to improve our platform, features, and user experience.
• B2B Enquiry Follow-up — Contacting you about Kaairo services if you submit a business enquiry form.

3. AI & Automated Decision-Making

Kaairo uses artificial intelligence extensively. We believe in transparency about how AI processes your data:

• Assessment Scoring — Your written responses are scored by OpenAI's GPT-4o-mini model using structured rubrics with defined parameters on a 0–100 scale.
• Voice Interviews — Your voice is captured via your microphone, transmitted in real time to OpenAI's Realtime API for transcription and conversation, and the resulting transcript is scored by AI for competency evaluation.
• Content Generation — AI generates assessment content, interview questions, and development recommendations based on competency frameworks.

Important: No fully automated decisions with significant legal or similarly significant effects are made without human oversight. AI-generated scores are provided as decision-support tools for employers, who retain final hiring and evaluation authority.

4. Third-Party Data Processors

We share your personal data with the following third-party processors, strictly for the purposes described:

5. Data Retention

We retain personal data only as long as necessary for the purposes described:

• Account & Assessment Data — Retained for the duration of your account plus 1 year after deletion or last activity.
• Voice Interview Transcripts — Retained for 90 days after the assessment is completed, then permanently deleted.
• Coaching Session Transcripts — Retained for 1 year after the session, then permanently deleted.
• Proctoring Event Flags — Retained for 30 days after assessment completion.
• Newsletter Leads — Retained until you unsubscribe. Unsubscribed records are anonymised within 30 days.
• B2B Enquiry Data — Retained for 2 years from submission, or until you request deletion.
• Analytics Data — Governed by Google Analytics' retention settings (default 14 months).

6. Cookies & Tracking

We use the following types of cookies and tracking technologies:

• Essential Cookies — Authentication session cookies required for the platform to function. These cannot be disabled.
• Analytics Cookies — Google Analytics cookies for understanding aggregate usage patterns and improving the platform. No advertising or personalisation cookies are used.
• Newsletter Tracking — Open tracking (1×1 pixel) and click tracking for newsletter emails. You can opt out by unsubscribing from the newsletter.

You can opt out of analytics tracking at any time by using your browser's cookie settings or installing the Google Analytics Opt-out Browser Add-on.

7. Your Rights Under the DPDP Act, 2023

As a Data Principal under the DPDP Act, you have the following rights:

• Right to Access — Request a summary of your personal data and how it is being processed.
• Right to Correction — Request correction of inaccurate or incomplete personal data.
• Right to Erasure — Request deletion of your personal data, subject to legitimate retention requirements.
• Right to Withdraw Consent — Withdraw consent for data processing at any time. Withdrawal does not affect the lawfulness of processing done prior to withdrawal.
• Right to Grievance Redressal — Lodge a complaint with our Grievance Officer or the Data Protection Board of India.

To exercise any of these rights, contact our Grievance Officer at support@kaairo.ai. We will acknowledge your request within 48 hours and respond within 90 days.

8. Children's Data

Kaairo is intended for users aged 18 and above. We do not knowingly collect personal data from children. We do not engage in targeted advertising, tracking, or behavioural profiling of minors. If we become aware that we have collected data from a person under 18, we will delete it promptly.

9. Cross-Border Data Transfers

Your personal data may be processed in the United States by our third-party processors (OpenAI, Vercel, SendGrid). Under the DPDP Act, cross-border transfers are permitted except to countries on the Government's restricted list. The United States is not currently on any restricted list.

We ensure that all processors maintain adequate security measures and process data only for the purposes described in this policy.

10. Data Security

We implement reasonable security safeguards as required under the DPDP Act:

• HTTPS/HSTS encryption for all data in transit
• Row-Level Security (RLS) policies enforcing data isolation in our database
• Encryption at rest for all stored data (via Supabase/PostgreSQL)
• Input validation and sanitisation across all API endpoints
• Prompt injection protection for AI-processed content
• Consent and audit logging for data processing operations

11. Data Breach Notification

In the event of a personal data breach that is likely to cause harm to Data Principals, we will:

• Notify the Data Protection Board of India within 72 hours of becoming aware of the breach
• Notify affected individuals without unreasonable delay
• Provide details of the nature of the breach, data affected, and remedial actions taken

12. Grievance Redressal

In accordance with the DPDP Act, we have appointed a Grievance Officer to address your concerns:

If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India as established under the DPDP Act.

13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify registered users via email before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

14. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at support@kaairo.ai