Privacy Policy

1. Information We Collect

We collect the following categories of personal data:

• Account Data — Name, email address, and authentication credentials when you create an account or sign in via Google OAuth.
• Assessment Responses — Written answers, multiple-choice selections, and situational judgement responses submitted during assessments.
• Voice Interview Transcripts — Real-time voice recordings captured during AI voice interviews, which are transcribed and processed for competency scoring.
• Coaching Session Data — Voice recordings and transcripts from AI coaching roleplay sessions, processed for development scoring and feedback.
• Proctoring Data — If camera-based proctoring is enabled, we capture video feed metadata for face detection, look-away detection, and multiple-person detection. No video recordings are stored; only event-level flags are retained.
• B2B Lead Data — Name, work email, company, designation, mobile number, city, and team size submitted through our business enquiry forms.
• Newsletter Engagement — Email address, open rates, and click-through data for subscribers who opt in to our newsletter.
• Usage Analytics — Pages visited, device type, browser information, and interaction patterns collected via analytics cookies.

Biometric and sensitive data. Voice recordings and transcripts from voice interviews and coaching sessions, and the facial-detection signals used during camera-based proctoring, may constitute biometric or otherwise sensitive personal data. We collect and process this data only with your consent, only for the assessment or coaching purpose described, and we retain it for the limited periods set out in Section 5 (90 days for voice interview transcripts, 30 days for proctoring event flags, 1 year for coaching transcripts), after which it is permanently deleted. We do not store raw proctoring video, and we do not use this data for advertising, profiling unrelated to the assessment, or AI model training.

2. How We Use Your Information

We process your personal data for the following specific purposes:

• Assessment Scoring — Your written responses and interview transcripts are processed by AI models to generate structured scores across defined competency rubrics.
• AI-Generated Reports — Generating personalised thinking reports, competency analyses, strengths, and improvement recommendations.
• Proctoring Integrity — Monitoring assessment-taking conditions to ensure test fairness and detect irregularities.
• Communication — Sending assessment invitations, result notifications, password resets, and newsletter content you have opted into.
• Opportunity Matching — If you have created a candidate account or completed an assessment, we may email you about other relevant job opportunities on the Kaairo platform, including invitations to take assessments or interviews from other organisations hiring on the platform. These invitations do not share your existing scores, assessment responses, or profile data with any other organisation. Any new organisation evaluates you only on the basis of a fresh assessment you choose to take. You can opt out of these emails at any time using the unsubscribe link in each message or by emailing support@kaairo.ai, and opting out does not affect your account, existing applications, or assessment results.
• Platform Analytics — Understanding usage patterns to improve our platform, features, and user experience.
• B2B Enquiry Follow-up — Contacting you about Kaairo services if you submit a business enquiry form.

3. AI & Automated Decision-Making

Kaairo uses artificial intelligence extensively. We believe in transparency about how AI processes your data:

• Assessment Scoring — Your written responses are scored by OpenAI's GPT-4o-mini model using structured rubrics with defined parameters on a 0–100 scale.
• Voice Interviews — Your voice is captured via your microphone, transmitted in real time to OpenAI's Realtime API for transcription and conversation, and the resulting transcript is scored by AI for competency evaluation.
• Content Generation — AI generates assessment content, interview questions, and development recommendations based on competency frameworks.
• Hiring Decision Support — For employers on eligible plans, AI may generate an internal, organisation-only recommendation that summarises your screening, assessment, and integrity signals into a single overridable hiring brief to help a hiring manager prioritise candidates. It is decision-support only, is never shown to candidates, and the employer retains final hiring authority.

Important: No fully automated decisions with significant legal or similarly significant effects are made without human oversight. AI-generated scores are provided as decision-support tools for employers, who retain final hiring and evaluation authority.

We do not sell your personal data, and we do not use your assessment responses, voice or interview transcripts, or other personal data to train our own or any third party's general-purpose AI models. Our AI processors (such as OpenAI) handle your data under their API / business terms, which do not use API-submitted data for model training. Your data is processed only to produce the scores, reports, and features described in this policy.

4. Third-Party Data Processors

We share your personal data with the following third-party processors, strictly for the purposes described:

4a. Organisation-Controlled AI Connectors

A hiring organisation on an eligible plan may choose to connect its own AI assistant (for example ChatGPT or Claude) to its Kaairo account through our AI Connectors feature. When an organisation owner or manager authorises such a connection, Kaairo transmits that organisation's own assessment data to the AI provider the organisation has chosen, at that organisation's direction. In this flow the chosen AI provider acts as a processor for the connecting organisation, not for Kaairo.

By default these connections are read-only and pseudonymised: they expose assessment scores, competency bands, rankings, and a stable record identifier, but not candidate names, email addresses, written responses, interview transcripts, reviewer notes, or proctoring signals. The connecting organisation can re-identify a record only inside Kaairo. Access to identifiable candidate data through a connector is not enabled by default and would require separate, explicit authorisation.

Because the organisation selects and controls the AI provider, that provider's own privacy terms and data-handling practices (including whether inputs may be used to train models, and the country in which it processes data) govern the data once it leaves Kaairo. The connecting organisation is responsible for ensuring its use of a connected AI tool complies with applicable law and the consents it has obtained from candidates. Connections can be revoked at any time in the organisation's Kaairo settings or from the AI tool.

5. Data Retention

We retain personal data only as long as necessary for the purposes described:

• Account & Assessment Data — Retained for the duration of your account plus 1 year after deletion or last activity.
• Voice Interview Transcripts — Retained for 90 days after the assessment is completed, then permanently deleted.
• Coaching Session Transcripts — Retained for 1 year after the session, then permanently deleted.
• Proctoring Event Flags — Retained for 30 days after assessment completion.
• Newsletter Leads — Retained until you unsubscribe. Unsubscribed records are anonymised within 30 days.
• B2B Enquiry Data — Retained for 2 years from submission, or until you request deletion.
• Analytics Data — Governed by Google Analytics' retention settings (default 14 months).

6. Cookies & Tracking

We use the following types of cookies and tracking technologies:

• Essential Cookies — Authentication session cookies required for the platform to function. These cannot be disabled.
• Analytics Cookies — Google Analytics cookies for understanding aggregate usage patterns and improving the platform. No advertising or personalisation cookies are used.
• Marketing-Page Session Analytics — Microsoft Clarity sets cookies on public marketing pages (homepage, pricing, blog, product tours) for heatmaps and session-replay UX analytics. Clarity is not loaded on /auth, /apply, /interview, /internal, /org, or /admin.
• Newsletter Tracking — Open tracking (1×1 pixel) and click tracking for newsletter emails. You can opt out by unsubscribing from the newsletter.

You can opt out of analytics tracking at any time by using your browser's cookie settings or installing the Google Analytics Opt-out Browser Add-on.

7. Your Rights Under the DPDP Act, 2023

As a Data Principal under the DPDP Act, you have the following rights:

• Right to Access — Request a summary of your personal data and how it is being processed.
• Right to Correction — Request correction of inaccurate or incomplete personal data.
• Right to Erasure — Request deletion of your personal data, subject to legitimate retention requirements.
• Right to Withdraw Consent — Withdraw consent for data processing at any time. Withdrawal does not affect the lawfulness of processing done prior to withdrawal.
• Right to Grievance Redressal — Lodge a complaint with our Grievance Officer or the Data Protection Board of India.

To exercise any of these rights, contact our Grievance Officer at support@kaairo.ai. To withdraw a specific consent, email us with the subject line Withdraw Consent: <type> — for example Withdraw Consent: Voice Interviews or Withdraw Consent: Newsletter. You can also opt out of marketing and opportunity-matching emails using the unsubscribe link in any such email. We will acknowledge your request within 48 hours and respond within 90 days.

8. Children's Data

Kaairo is intended for users aged 18 and above. We do not knowingly collect personal data from children. We do not engage in targeted advertising, tracking, or behavioural profiling of minors. If we become aware that we have collected data from a person under 18, we will delete it promptly.

9. Cross-Border Data Transfers

Your personal data may be processed in the United States by our third-party processors (OpenAI, Vercel, SendGrid). Under the DPDP Act, cross-border transfers are permitted except to countries on the Government's restricted list. The United States is not currently on any restricted list.

We ensure that all processors maintain adequate security measures and process data only for the purposes described in this policy.

Where your organisation enables an AI Connector (section 4a), pseudonymised assessment data may also be processed by the AI provider your organisation has chosen (for example OpenAI or Anthropic) in the regions where that provider operates, under that provider's own terms.

10. Data Security

We implement reasonable security safeguards as required under the DPDP Act:

• HTTPS/HSTS encryption for all data in transit
• Row-Level Security (RLS) policies enforcing data isolation in our database
• Encryption at rest for all stored data (via Supabase/PostgreSQL)
• Input validation and sanitisation across all API endpoints
• Prompt injection protection for AI-processed content
• Consent and audit logging for data processing operations

11. Data Breach Notification

In the event of a personal data breach that is likely to cause harm to Data Principals, we will:

• Notify the Data Protection Board of India within 72 hours of becoming aware of the breach
• Notify affected individuals without unreasonable delay
• Provide details of the nature of the breach, data affected, and remedial actions taken

12. Grievance Redressal

In accordance with the DPDP Act, we have appointed a Grievance Officer to address your concerns:

If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India as established under the DPDP Act.

13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify registered users via email before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

14. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at support@kaairo.ai