Privacy Policy
Last updated: June 2025 · Effective immediately on publication
SudoHire ("we", "our", or "us") operates a verification-first hiring marketplace that connects job seekers ("Candidates") with employers ("Employers"). This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have — including your rights under the Digital Personal Data Protection Act 2025 (DPDP 2025).
By creating an account or using our platform, you agree to the collection and use of information described in this policy. If you do not agree, please do not use the platform.
1. Who we are (Data Fiduciary)
SudoHire is the Data Fiduciary under DPDP 2025 for all personal data processed on the platform. We have appointed a Data Protection Officer (DPO) and a Grievance Officer. Their contact details are available on our Contact page.
2. What data we collect
Candidates
- Identity: Full name, date of birth (for 18+ verification), email address, phone number
- Professional profile: Work experience, education, skills, notice period, salary expectations, resume file
- AI-processed data: Resume parse output, AI-sanitised experience summaries, skill embeddings (vectors used for search — never stored as raw text outside the profile)
- Communication preferences: Email address, optional WhatsApp number (only if you opt in)
- Usage data: Login timestamps, pages visited, search activity (pseudonymised after 90 days)
- Verification signals: Results of any identity or liveness checks (pass/fail only — biometric data is not stored)
Employers
- Identity: Name, work email, job title
- Company details: Company name, website domain, GST number (for verification), registered address
- Billing: Subscription tier, credit usage (no raw card data — payments processed by our payment gateway)
- Recruitment activity: Job postings, applications reviewed, candidates unlocked, interview slots, rejection notes
All users
- IP address, browser/device type, and request logs (retained for 30 days for security purposes)
- Consent records — what you agreed to and when
3. How we use your data
We process personal data only for the purposes you have consented to:
- Sourcing (talent discovery): Making Candidate profiles discoverable to verified Employers. Candidates appear in search results only after completing profile onboarding and granting sourcing consent.
- AI processing: Parsing resumes, generating experience summaries, and building searchable skill vectors. You may withdraw AI processing consent; your profile will be removed from AI-assisted search results.
- ATS export: Pushing your application data to an Employer's applicant tracking system when you apply and consent to export.
- Communications: Sending transactional emails and (if you opt in) WhatsApp messages — application updates, interview confirmations, platform notices. We do not send marketing messages without separate opt-in.
- Platform integrity: Detecting fraud, enforcing our Terms, maintaining security.
- Legal compliance: Retaining records as required by applicable Indian law.
We do not sell your personal data to any third party. We do not use your data for profiling unrelated to employment matching.
4. Consent and how to withdraw it
We rely on your freely given, specific, informed, and unambiguous consent for each purpose listed above. You can review and withdraw any consent at any time from your Privacy & Consent Centre.
Withdrawing consent is prospective — it does not affect data processed before withdrawal. Some features (such as appearing in Employer searches) require sourcing consent to remain active; withdrawing it will remove you from search results within 24 hours.
5. Who we share your data with
- Verified Employers: After you appear in search results, an Employer may unlock your full profile by spending credits. This transfer requires your sourcing consent to be active and is logged in our audit trail. The Employer's identity is always visible to you in your Privacy Centre.
- Service providers: Cloud infrastructure (Google Cloud Platform, Mumbai region), email delivery (Resend), payment processing, and error monitoring. These processors are bound by data processing agreements and may not use your data for their own purposes.
- Law enforcement: Only when required by a valid court order or statutory obligation under Indian law.
Candidate PII (name, email, phone) is masked in search results and only revealed to an Employer after a credit unlock — it is never visible to unverified companies.
6. Data storage and security
- All data is stored on Google Cloud SQL (PostgreSQL) in the Mumbai (asia-south1) region — data does not leave India.
- Data in transit is encrypted with TLS 1.2+. Data at rest is encrypted by GCP.
- Sensitive fields (tokens, meeting credentials) are envelope-encrypted with Google Cloud KMS before storage.
- Access to production data is restricted to authorised personnel; all admin access is logged and time-boxed.
- We maintain an incident response procedure and will notify affected users and the Data Protection Board within the timeframes required by DPDP 2025 in the event of a personal data breach.
7. Retention
- Active accounts: retained while your account is active and for 24 months after the last login.
- Deleted accounts: personal data is pseudonymised within 30 days of the deletion request, with audit records retained for 7 years as required by law.
- Application and recruitment records: retained for 3 years from the date of the application.
- Financial records: retained for 8 years as required by Indian tax law.
8. Your rights under DPDP 2025
As a Data Principal, you have the following rights:
- Right to access: Request a copy of the personal data we hold about you.
- Right to correction: Request correction of inaccurate or incomplete personal data.
- Right to erasure: Request deletion of your personal data (subject to legal retention obligations).
- Right to grievance redressal: Lodge a complaint about how we handle your data.
- Right to nominate: Designate a person to exercise your rights on your behalf in the event of your death or incapacity.
To exercise any of these rights, use the Privacy & Consent Centre (requires login) or contact our Grievance Officer directly at the address on our Contact page. We will respond within the time period required by DPDP 2025.
9. Cookies
We use only strictly necessary session cookies to keep you logged in. We do not use advertising trackers, third-party analytics cookies, or any cookies that require consent under applicable law. You may clear cookies at any time through your browser settings, which will log you out of the platform.
10. Children
Our platform is not intended for persons under the age of 18. We do not knowingly collect data from minors. If you believe a minor has created an account, please contact us immediately.
11. Changes to this policy
We may update this policy to reflect changes in our practices or applicable law. When we do, we will update the "Last updated" date at the top and, for material changes, notify registered users by email. Continued use of the platform after the effective date constitutes acceptance of the updated policy.
12. Contact us
For questions about this policy or to exercise your rights, please visit our Contact / DPO page.