Privacy Policy

Grievance Officer / Data Protection Officer
Abhishek Porwal
Founder
abhishek@hirojet.com
Request access to your data
View, download, or delete the data we hold on you.
Can't access the email registered with us?
Download the offline DSAR Request Form (PDF) and email it to abhishek@hirojet.com.
Privacy Policy Hirojet Consulting Private Limited ("HiroJet", "we", "us", or "our") Effective Date: 1 May 2026 Last Updated: 1 May 2026 Version: 1.0 1. About This Policy Hirojet Consulting Private Limited ("HiroJet", "we", "us", or "our") is a recruitment technology company headquartered in Noida, India. We provide an integrated platform combining recruiter-led services with proprietary technology to source, evaluate, and place technical talent with hiring companies in India and internationally. This Privacy Policy explains how we collect, use, store, share, and protect personal data of candidates and prospective candidates (referred to as "you" or "Data Principals") who interact with us through any channel, including: • Our website at hirojet.com and any subdomains • Direct outreach by our recruitment team via email, phone, LinkedIn, or other professional channels • Job applications submitted through external platforms such as LinkedIn that route candidates to us • Referrals from existing candidates, clients, or other third-party sources • Data enrichment from professional networks and public databases This policy applies to personal data of candidates. A separate document governs our handling of client (employer) contact information and is available on request. 2. Our Role Under the Digital Personal Data Protection Act, 2023 We act as a Data Fiduciary as defined under the Digital Personal Data Protection Act, 2023 ("DPDP Act"). This means we determine the purpose and means of processing your personal data and accept the corresponding legal obligations. Where we engage third-party service providers (such as cloud hosting, AI platforms, or communication infrastructure) to process personal data on our behalf, those providers act as Data Processors under contractual obligations aligned with the DPDP Act. 3. Personal Data We Collect 3.1 Information You Provide Directly When you apply for a position through our website, respond to a recruiter's outreach, or otherwise engage with our services, we may collect: • Identity and contact details: full name, email address, phone number, postal location • Professional details: current employer, job title, years of experience, skills, salary expectations, notice period, work authorization status • Career history: previous employers, roles held, educational qualifications, certifications • Professional profiles: LinkedIn profile URL and publicly available information from your professional online presence • Resume or curriculum vitae documents you upload or share with us • Communication content: emails, messages, and conversation transcripts when you communicate with our team • Consent records: timestamped records of consent provided through our forms or communications 3.2 Information We Generate In the course of providing recruitment services, we generate additional data associated with your profile: • Internal recruiter notes documenting our assessment, conversation summaries, and pipeline status • AI-assisted call summaries and transcripts when you participate in voice screening or interview scheduling calls • Categorization tags such as seniority level, primary role function, and engagement status • Application history showing positions you have been submitted to and the outcome of each submission • Match-confidence scores generated by our matching technology when applications are routed from external sources 3.3 Information from Third-Party Sources We may obtain or enrich information about you from the following sources: • LinkedIn application notification emails when you apply to a position we have posted on LinkedIn • Professional data enrichment providers including Apollo.io and People Data Labs for verification of publicly available professional information • Public sources including company websites, GitHub profiles, and other professional online presences • Referrals from existing candidates or clients (with notice provided to you at first contact) 3.4 Sensitive Information We do not intentionally collect sensitive personal data (such as financial account information, biometric data, health records, or political/religious affiliations). If sensitive information appears incidentally in materials you provide (for example, in a resume), we do not use it for any purpose beyond the immediate professional context. 4. Lawful Basis and Purpose of Processing We process your personal data based on your consent and where applicable, legitimate uses as enumerated under Section 7 of the DPDP Act. Specifically: 4.1 Consent-Based Processing When you submit an application through our website, complete a form, or affirmatively accept our terms during a recruiter conversation, you provide consent for the following purposes: • Evaluating your candidacy for current and future relevant positions • Sharing your profile with prospective employer clients for roles we determine may be a fit • Communicating with you about opportunities, scheduling interviews, and providing application updates • Maintaining your profile in our active candidate database for future relevant opportunities • Processing your data through AI-assisted tools we use for resume parsing, candidate matching, and communication assistance 4.2 Legitimate Uses Without Specific Consent In limited circumstances, we may process certain data without obtaining specific fresh consent, including for: • Compliance with legal obligations including tax records, statutory audits, and lawful requests from government authorities • Prevention of fraud or misuse of our platform • Protection of the legitimate interests of HiroJet and its clients in the recruitment context 5. How We Share Your Data We share your personal data only with the following categories of recipients, and only as necessary to deliver our recruitment services: 5.1 Hiring Companies (Clients) We share your profile, resume, and relevant professional information with prospective employer clients when we believe a role may be a fit for you. We share only what is professionally relevant to the position. We will identify the client to you before sharing where commercially feasible. In limited cases where the client has asked to remain anonymous during early-stage screening, we will share the role description and ask your interest before disclosing the client's identity. 5.2 Service Providers (Data Processors) We use the following categories of third-party service providers, all of whom process data under contractual data protection obligations: • Cloud infrastructure: Cloudflare, Inc. (United States) for content delivery and storage; MongoDB Atlas (United States) for database hosting • Communication services: Plivo Communications Pvt Ltd (India) for telephony; Google LLC for email infrastructure • AI service providers: OpenAI (United States), Anthropic (United States), and Google (United States) for resume parsing, conversation summarization, and matching assistance • Voice technology: ElevenLabs Inc. (United States), Deepgram Inc. (United States), and Smallest.ai for voice synthesis and speech-to-text in voice-screening features • Data enrichment: Apollo.io (United States) and People Data Labs (United States) for verification of professional information 5.3 Cross-Border Data Transfers Several of our service providers are located outside India. We rely on the cross-border transfer provisions under Section 16 of the DPDP Act, which permit transfers to jurisdictions not specifically restricted by the Central Government. We monitor relevant Government notifications and update our practices accordingly. By accepting this policy, you acknowledge that your personal data may be transferred to and processed in jurisdictions outside India, including the United States. We require all service providers to maintain commercially reasonable security and confidentiality standards. 5.4 Legal and Regulatory Disclosures We may disclose your personal data when required by law, court order, government request, or to: • Comply with legal process or statutory obligations • Respond to lawful requests from regulators including the Data Protection Board of India • Protect our legal rights, the safety of our personnel, or the integrity of our platform 5.5 What We Do Not Do • We do not sell your personal data. • We do not share your data for advertising purposes. • We do not rent or lease candidate databases to third parties. • We do not use your data to train AI models for purposes beyond our internal recruitment-matching technology. 6. Storage, Security, and Confidentiality 6.1 Storage Location Your personal data is stored on managed cloud infrastructure with redundancy across multiple availability zones. Database storage is provided by MongoDB Atlas. Document storage is provided by Cloudflare R2. Both providers offer encryption at rest and TLS encryption in transit. 6.2 Security Measures We have implemented technical and organizational measures appropriate to the risk of processing, including: • Encryption at rest for sensitive credentials, OAuth tokens, and integration secrets using industry-standard symmetric encryption • TLS encryption in transit for all data transmitted between systems • Role-based access controls limiting employee access to candidate data based on their role • Multi-factor authentication for administrator accounts where available • Audit logging of significant data access and modification events • Regular security reviews and timely application of security patches • Mandatory data handling training for all employees who handle candidate data 6.3 Breach Notification In the event of a personal data breach affecting your data, we will notify the Data Protection Board of India and affected Data Principals within the timelines required under the DPDP Act and applicable rules. 7. Data Retention As a recruitment technology company, our legitimate purpose for processing your personal data extends across years. Our retention practice reflects the reality that career relationships evolve over multiple cycles. 7.1 Active Records We retain your personal data while you remain in our active candidate database. The active period continues as long as we are providing recruitment services to you, sharing relevant opportunities, or maintaining recruiter contact. 7.2 Inactivity Review If you have had no engagement with us — defined as no application, response to outreach, or recruiter contact — for five (5) consecutive years, your record is flagged for review. We may attempt to re-confirm your interest. If we receive no response within a reasonable period, your record is moved to an archived state. 7.3 Archived Records Archived records are retained for an additional five (5) years (a total of ten (10) years from your last engagement) and are not used for active outreach during this period. After ten years from last engagement, archived records are permanently deleted from our active systems. 7.4 Limited Anonymized Retention After deletion of your identifiable data, we may retain anonymized aggregate statistics (such as count of applications by year and role category) that cannot be linked back to you, for legitimate business analytics, statutory accounting, and audit purposes. 7.5 Your Right to Earlier Deletion You may request deletion of your data at any time, regardless of the retention schedule above, using the procedure in Section 8. 8. Your Rights as a Data Principal Under the DPDP Act, you have the following rights with respect to your personal data: 8.1 Right to Access You have the right to a summary of personal data we process about you, the categories of recipients with whom your data has been shared, and other prescribed information. You may exercise this right at any time through our self-serve portal at hirojet.com/privacy/my-data, where a one-time access link will be sent to your registered email. 8.2 Right to Correction You have the right to ask us to correct inaccurate or misleading personal data, complete incomplete data, or update outdated data. Submit corrections by emailing abhishek@hirojet.com. We will action verified correction requests within seven (7) working days. 8.3 Right to Erasure You may request that we permanently delete your personal data through the "Request Deletion" function on our self-serve portal or by emailing our Data Protection Officer. We will fulfill verified deletion requests within thirty (30) days, except where retention is required by law (such as financial records related to placements) or where data has already been anonymized. 8.4 Right to Withdraw Consent You may withdraw your consent for processing at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. The simplest way to withdraw consent is to use the "Request Deletion" function on the self-serve portal. 8.5 Right to Grievance Redressal If you have a complaint about how we handle your personal data, contact our Grievance Officer (details below). We will respond to grievances within seven (7) working days. If your complaint is not satisfactorily resolved, you have the right to escalate to the Data Protection Board of India. 8.6 Right to Nominate You have the right to nominate another individual to exercise your rights under the DPDP Act in the event of your death or incapacity. To register a nominee, please contact our Data Protection Officer. 9. Children's Data Our services are intended for individuals who are at least 18 years of age and possess the legal capacity to enter into employment. We do not knowingly process personal data of children. If you believe we have inadvertently collected data of an individual below 18 years of age, please contact our Data Protection Officer immediately so we may delete the record. 10. Changes to This Policy We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will: • Update the "Last Updated" date at the top of this policy • Post the revised policy on our website at hirojet.com/privacy • Where the change materially affects how your data is processed, send a notification to your registered email and request fresh consent where legally required We encourage you to review this policy periodically. Your continued use of our services after a material policy change indicates your acceptance of the updated terms, subject to your right to withdraw consent at any time. 11. Contact Information For any questions, concerns, or to exercise your rights under this Privacy Policy, please contact: Data Protection Officer & Grievance Officer Name: Abhishek Porwal Designation: Founder & Chief Executive Officer Email: abhishek@hirojet.com Postal Address: Hirojet Consulting Private Limited, Noida, Uttar Pradesh, India Response Time: Within 7 working days for general inquiries; within 30 days for formal data requests as required under the DPDP Act. If your concern is not resolved through our internal grievance process, you may file a complaint with the Data Protection Board of India through the channels published by the Board from time to time. 12. Defined Terms • "DPDP Act" means the Digital Personal Data Protection Act, 2023, and any rules, regulations, or notifications issued thereunder. • "Data Principal" means the individual to whom personal data relates — that is, you. • "Data Fiduciary" means any person who alone or in conjunction with others determines the purpose and means of processing personal data — that is, HiroJet. • "Personal Data" means any data about an individual who is identifiable by or in relation to such data. • "Processing" means a wholly or partly automated operation or set of operations performed on personal data, including collection, recording, organisation, structuring, storage, retrieval, use, disclosure, alignment, and erasure.
Version 2 · Last updated 2026-05-05