1. Introduction
SkillSync ("we," "us," or "our") operates an AI-driven talent management platform that revolutionizes recruitment through automated sourcing, dynamic AI interviews, bias mitigation, and end-to-end hiring workflow optimization. This Privacy Policy outlines our comprehensive data practices in compliance with global regulations including the General Data Protection Regulation (GDPR), Singapore's Personal Data Protection Act 2012, India's Digital Personal Data Protection Act 2023, and other applicable laws.
By clicking the "I Accept" button below, you hereby:
- Acknowledge that you have read, understood, and agreed to the terms and conditions of this Privacy Policy
- Agree and consent to the collection, storage, and processing of your Personal Data for the purposes of enabling recruitment through automated sourcing, dynamic AI interviews, bias mitigation, and end-to-end hiring workflow optimization
- Acknowledge that you have been given due notice about how your data will be used for the stated purposes
- Acknowledge your right to withdraw consent and access our grievance redressal process
2. Scope & Definitions
- Platform Services: AI-powered interviews, job postings, candidate matching, skill assessments, interview scheduling, analytics, and photo verification for identity authentication.
- Data Subjects: Candidates, clients (employers), recruiters, platform administrators, and verification personnel.
- Personal Data: Any information relating to an identifiable individual, directly or indirectly, including biometric identifiers used temporarily for verification purposes.
- AI Processing: Automated analysis of data to generate insights, scores, or recommendations through machine learning algorithms, including bias detection and mitigation.
- Photo Verification Data: Photographic images captured solely for identity verification purposes that are processed in real-time and immediately deleted after verification completion.
3. Data Collection Categories
A. Candidate Data
Identification Information:
- Full name, email address, phone number, physical address, nationality
- Government-issued ID verification (processed temporarily, not stored)
Professional Data:
- Resumes/CVs, work history, educational background
- Skills, certifications, salary expectations
- Portfolio links and professional references
AI Interview Data:
- Real-time voice transcripts and video recordings (when consented)
- Behavioral analytics (problem-solving approach, communication style)
- AI-generated competency scores (technical skills)
- Bias detection flags and mitigation recommendations
- Interview performance metrics and feedback
Technical Data:
- IP addresses, device identifiers, browser type, operating system
- Usage patterns, session data, and platform interaction analytics
Photo Verification Data:
Important: Photos captured during identity verification are processed in real-time using AI verification technology and are immediately deleted after verification completion. No photographic images are stored in our systems.
B. Client/Recruiter Data
Corporate Information:
- Company name, industry, size, tax identification numbers
- Business registration details and verification documents
User Account Data:
- Admin credentials, role permissions, activity logs
- User preferences and platform customization settings
Hiring Process Data:
- Job descriptions, candidate requirements, interview feedback
- Hiring decisions, offer details, and recruitment analytics
C. Derived & Anonymized Data
Analytics and Insights:
- Aggregated hiring metrics and platform usage statistics
- Performance benchmarks and industry trend analysis
- Anonymized datasets used for AI model training and improvement
Research Data:
- De-identified data for bias detection research
- Algorithm performance optimization data
- Statistical analysis for platform enhancement
All data categories listed above are relevant, required, and necessary for enabling recruitment through automated sourcing, dynamic AI interviews, bias mitigation, and end-to-end hiring workflow optimization.
4. Data Processing Purposes & Legal Bases
Purpose | Processing Activities | Legal Basis | Retention Period |
---|---|---|---|
Identity Verification | Real-time photo verification and immediate deletion | Legitimate Interest | Not stored (immediate deletion) |
Recruitment Automation | AI-driven candidate screening and matching | Contractual Necessity | 24 months post-activity |
Dynamic AI Interviews | Real-time adaptive questioning and analysis | Explicit Consent | 12 months unless requested |
Bias Mitigation | Algorithmic fairness audits and adjustments | Legitimate Interest | Anonymized indefinitely |
Platform Security | Fraud detection and prevention measures | Legal Obligation | 7 years |
Service Improvement | Anonymized data analytics and AI training | Legitimate Interest | Anonymized indefinitely |
Compliance & Audit | Record keeping for regulatory compliance | Legal Obligation | 7 years |
5. Infrastructure & Data Security
Cloud Infrastructure
Compute & Hosting:
- Microsoft Azure: GDPR-compliant hosting with ISO 27001 certification
- DigitalOcean: AICPA SOC 2 Type II certified infrastructure
Database Solutions:
- Supabase: Enterprise-grade PostgreSQL with row-level security
- MongoDB Atlas: SOC 2 Type II and HIPAA compliant NoSQL database
Network & Security:
- Cloudflare: Enterprise DDoS protection and global CDN with TLS 1.3 encryption
- Multi-region redundancy for data protection and availability
Security Measures
Encryption Standards:
- AES-256 encryption for data at rest
- TLS 1.3 for all data in transit
- End-to-end encryption for sensitive communications
Access Controls:
- Role-based access management (RBAC)
- Multi-factor authentication enforcement
- Zero-trust security architecture
- Regular access reviews and privilege management
Operational Security:
- Continuous security monitoring and threat detection
- Regular penetration testing and vulnerability assessments
- Immutable audit logs for all data access
- Security incident response protocols
Photo Verification Security:
- Real-time processing with immediate deletion
- No storage of verification images
- Encrypted transmission during verification process
- Access restricted to automated verification systems only
6. Data Sharing & Third Parties
Controlled Sharing
Legitimate Business Purposes:
- With client organizations for authorized hiring purposes
- With candidates regarding their own application status and results
- With service providers under strict data processing agreements
Service Providers:
- Cloud Infrastructure: Microsoft Azure, DigitalOcean
- Database Providers: Supabase, MongoDB Atlas
- Security Services: Cloudflare
- AI/ML Services: Approved vendors for model training (anonymized data only)
International Transfers
Cross-Border Safeguards:
- All international data transfers utilize GDPR-approved mechanisms
- Standard Contractual Clauses (SCCs) for non-adequate countries
- EU-US Data Privacy Framework compliance where applicable
- Regular adequacy assessments for destination countries
Transfer Limitations:
- Photo verification data is not transferred internationally (processed locally and deleted)
- Sensitive personal data transfers require additional safeguards
- Transfer impact assessments conducted for high-risk transfers
7. AI Ethics & Governance
Algorithmic Accountability
Bias Detection & Mitigation:
- Continuous monitoring for discriminatory patterns
- Human-in-the-loop review for critical decisions
- Regular algorithm performance assessments across demographic groups
Model Management
Version Control & Monitoring:
- Comprehensive version control for all production AI models
- Rollback protocols for model drift detection
- Performance monitoring and accuracy tracking
- Regular model retraining with updated datasets
Explainable AI:
- Implementation of interpretable machine learning models
- Decision explanation capabilities for all AI-driven recommendations
- Documentation of model logic and decision factors
- User-friendly explanations of AI scoring methodologies
8. Data Subject Rights
Available Rights
Access & Portability:
- Right to access personal data and processing information
- Data portability in commonly used, machine-readable formats
- Right to obtain copies of data processing records
Correction & Completion:
- Right to rectification of inaccurate personal data
- Right to complete incomplete personal data
- Right to update outdated information
Erasure & Restriction:
- Right to erasure ("Right to be Forgotten")
- Right to restrict processing in specific circumstances
- Right to object to processing based on legitimate interests
Automated Decision-Making:
- Right to object to automated decision-making
- Right to human review of automated decisions
- Right to explanation of AI-driven decisions
Request Process
Submission Methods:
- Submit verified requests to [email protected]
- Online portal for data subject rights requests
- Secure verification process to protect against fraudulent requests
Response Timeline:
- Initial response within 30 days of verified request
- Possible 60-day extension for complex requests
- Regular status updates for extended processing periods
Identity Verification:
- Secure identity verification process required
- Multiple verification methods accepted
- Protection against unauthorized access to personal data
9. Incident Response
Breach Notification
Regulatory Notification:
- 72-hour notification to supervisory authorities for GDPR incidents
- Immediate notification for high-risk breaches
- Comprehensive incident documentation and impact assessment
Individual Notification:
- Direct notification to affected individuals for high-risk breaches
- Clear communication about incident scope and impact
- Guidance on protective measures individuals can take
Response Protocol
Immediate Response:
- Automatic isolation of affected systems
- Emergency response team activation
- Preliminary risk assessment and containment measures
Investigation & Remediation:
- Forensic investigation by certified cybersecurity professionals
- Root cause analysis and vulnerability assessment
- Implementation of remediation measures
- Regulatory consultation and cooperation
Recovery & Improvement:
- System restoration with enhanced security measures
- Lessons learned documentation
- Security protocol updates and improvements
- Staff training updates based on incident findings
10. Policy Administration
Governance Structure
Data Protection Officer:
Compliance Reviews:
- Quarterly comprehensive compliance assessments
- Annual third-party privacy audits
- Regular legal and regulatory update reviews
- Continuous monitoring of global privacy law developments
Version Control
Change Management:
- Publicly accessible change log with version history
- 30-day advance notice for material policy changes
- Clear communication of changes to all stakeholders
- User consent verification for significant modifications
Documentation:
- Comprehensive privacy documentation maintenance
- Regular legal review and updates
- Stakeholder feedback incorporation process
- Transparent communication of privacy practices
11. Grievance Redressal Mechanism
Complaint Process
Contact Information:
Resolution Timeline:
- Initial acknowledgment within 48 hours
- Preliminary response within 30 days
- Final resolution within 60 days (with possible extension)
- Regular status updates throughout the process
Escalation Process:
- Internal review and escalation procedures
- Independent dispute resolution options
- Regulatory authority referral when appropriate
- Legal remedy information and guidance
12. Withdrawal of Consent
Withdrawal Process
Notification Methods:
- Email notification to [email protected]
- Online consent management portal
- Written request with identity verification
- Phone-based withdrawal with secure verification
Processing Timeline:
- Consent withdrawal acknowledgment within 48 hours
- Data processing cessation within 30 days
- Data erasure completion within 60 days (where required)
- Confirmation of withdrawal processing provided
Important Notes:
- Withdrawal does not affect the lawfulness of processing before withdrawal
- Some data may be retained for legal compliance purposes
- Withdrawal may affect platform service availability
- Clear information provided about consequences of withdrawal
13. Photo Verification Data - Special Provisions
Processing Purpose
Photo verification is conducted solely for identity authentication during the registration and interview process to ensure platform security and prevent fraud.
Data Handling
- Capture: Photos are captured in real-time during verification
- Processing: Immediate AI-powered identity verification
- Storage: No photos are stored in any system or database
- Deletion: Immediate and permanent deletion after verification completion
- Access: Only automated verification systems process photos
User Rights
- Right to refuse photo verification (may limit platform access)
- Right to information about verification process
- Right to technical explanation of verification technology
- Right to human review in case of verification failures
Technical Safeguards
- Encrypted transmission during verification process
- No backup or caching of verification images
- Audit logs of verification attempts (without storing images)
- Regular security assessments of verification systems
14. Contact Information
SkillSync (A product of ZOFA AI SOLUTIONS PVT LTD)
10 ANSON ROAD, #22-02A, INTERNATIONAL PLAZA, SINGAPORE 079903
UEN: 202519486W
Emergency Contact:
This Privacy Policy is designed to be transparent, comprehensive, and compliant with global data protection regulations. Regular updates ensure continued compliance with evolving privacy laws and best practices.
This policy is effective as of the "Effective Date" and supersedes all previous versions.