1. Introduction
This Privacy Policy ("Policy") describes how LETSDECODE TECHNOLOGIES LLP ("Company", "we", "us", "our"), a Limited Liability Partnership registered in India, collects, uses, stores, shares, and protects your personal data when you access or use Rehurz ("Platform", "Service").
We are committed to protecting your privacy in compliance with the following frameworks:
- India: Digital Personal Data Protection (DPDP) Act, 2023; Information Technology Act, 2000; IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
- European Union / United Kingdom: General Data Protection Regulation (GDPR) and UK GDPR.
- United States — California: California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
By using the Platform, you consent to the data practices described in this Policy. If you do not agree, please discontinue use of the Platform.
2. Data Controller / Fiduciary Identity
Rehurz
Operated by LETSDECODE TECHNOLOGIES LLP
rehurz.com
Data Controller (GDPR) · Data Fiduciary (DPDP Act, 2023)
Privacy: reach@rehurz.com
Grievance: reach@rehurz.com
3. Personal Data We Collect
We collect the following categories of personal data:
3.1 Account and Identity Data
- Registration data: Full name, email address, password (stored as a bcrypt hash — plaintext is never retained).
- Profile data: Target job role, work experience, education history, skills, and professional projects (as entered in your profile settings).
- Google OAuth data: If you sign in via Google, we receive your Google profile name and email address from Google's Identity Services. We do not receive your Google password.
3.2 Interview and Content Data
- Resume data: Resume text you upload or paste into the Platform, used exclusively for interview simulation.
- Job description data: Job description text you provide for domain detection and interview preparation.
- Audio data: Your voice is captured in real-time during the interview session and processed immediately for speech-to-text transcription. Raw audio recordings are not permanently stored — they are discarded at the end of each interview session.
- Transcript data: Text transcriptions of your spoken responses during interviews, retained as part of your interview record.
- AI evaluation data: Scores, competency ratings, feedback narratives, and performance reports generated by our AI in response to your interview session.
3.3 Payment and Billing Data
- Transaction IDs, Razorpay order IDs, payment status, and credit purchase history.
- GST invoice data: name, email, GSTIN (if provided), billing state, invoice number, and amount.
- We do not store card numbers, CVV codes, UPI PINs, net banking credentials, or any sensitive payment instrument data. All payment processing is handled by Razorpay.
3.4 Organisational Data
- Organisation name, slug, registered domain, GSTIN, billing address, and administrator contact details (for B2B accounts).
- Member roles, credit allocation records, and member activity data within an organisation.
3.5 Usage and Technical Data
- Browser type and version, operating system, device type, and screen resolution.
- IP address (used for security logging and approximate regional analytics — not used for tracking).
- Session timestamps, page visit durations, feature interaction patterns, and error logs.
- Authentication tokens (JWT) stored in your browser's localStorage.
3.6 Data We Do Not Collect
- We do not collect biometric identifiers beyond voice (which is not permanently stored).
- We do not collect sensitive personal data such as health information, caste, religion, political opinions, or criminal records.
- We do not use third-party advertising trackers or marketing pixels.
4. Lawful Basis for Processing
4.1 Under Indian Law (DPDP Act, 2023)
We process your personal data on the basis of your freely given, specific, informed, and unambiguous consent provided at the time of account registration, as required under Section 6 of the DPDP Act, 2023. You may withdraw consent at any time (see Section 11).
4.2 Under GDPR (EU/UK Users)
We rely on the following lawful bases under Article 6 of the GDPR:
- Contract (Art. 6(1)(b)): Processing necessary to deliver the interview service you have contracted for (account management, interview sessions, report generation, billing).
- Consent (Art. 6(1)(a)): For processing audio data during interviews, marketing communications (if opted in), and any processing beyond strict service delivery.
- Legal Obligation (Art. 6(1)(c)): Retention of tax invoices and financial records as required under Indian GST law (8 years).
- Legitimate Interests (Art. 6(1)(f)): Platform security monitoring, fraud prevention, and anonymised usage analytics to improve the service.
4.3 Under CCPA (California Users)
We collect and use personal information as described in this Policy. We do not "sell" your personal information as defined by the CCPA. See Section 13 for your California-specific rights.
5. How We Use Your Personal Data
We use your personal data for the following purposes:
- Service Delivery: To create and manage your account, conduct AI mock interview sessions, generate performance reports, and deliver learning resources.
- Payment Processing: To process credit purchases, generate GST-compliant invoices, and maintain billing records.
- Communication: To send transactional emails (welcome, password reset, interview completion, invoice, organisation invitations). We do not send promotional marketing emails unless you separately opt in.
- Security and Fraud Prevention: To authenticate users, detect unauthorised access, investigate suspicious activity, and protect platform integrity.
- AI Improvement (Anonymised Only): To improve the accuracy and quality of our AI systems using fully anonymised and aggregated data. We will never use your identifiable content to train AI models without your explicit written consent.
- Legal Compliance: To comply with applicable laws, respond to lawful government requests, and enforce our Terms and Conditions.
- Support: To respond to your enquiries, resolve disputes, and provide customer support.
6. Audio Processing and Interview Data
Interview audio is captured via your microphone and transmitted over an encrypted WebSocket connection to our servers for real-time speech-to-text transcription. Key points:
- No permanent audio storage: Raw audio data is processed in real-time and immediately discarded after transcription. We do not store audio files on our servers.
- Transcriptions are retained as part of your interview record for the duration defined in our retention schedule (see Section 8).
- AI-generated interview content (questions, evaluations, feedback) is processed via Google Gemini APIs. Resume text, job description text, and transcribed responses are sent to Google's AI services for this purpose.
- You may request deletion of your interview transcripts and reports at any time (see Section 11).
7. Third-Party Data Processors
We engage the following third-party processors to deliver the Service. All processors are contractually bound to protect your data in accordance with applicable law:
| Processor | Purpose | Data Transferred | Location |
|---|---|---|---|
| Google (Gemini AI) | AI interview generation & report creation | Resume text, JD text, interview transcripts | USA / Global |
| Microsoft (Edge TTS) | Text-to-speech voice synthesis | AI-generated question text only | USA / Global |
| Supabase | Cloud database (production environment) | All account, interview, and billing data | Asia Pacific |
| Razorpay | Payment processing | Name, email, payment instrument details | India |
| Serper API | Learning resource search enrichment | Topic keywords only (no personal data) | USA |
| Google Identity (OAuth) | Optional single sign-on | Name and email from Google profile | USA / Global |
| Resend | Transactional email delivery | Name, email address | USA |
| Sentry | Error monitoring and crash reporting | Error logs, anonymised session context | USA |
International Transfers: When your data is transferred outside India or the EEA by the processors above, we rely on Standard Contractual Clauses (SCCs), adequacy decisions, or equivalent safeguards as required by applicable law.
8. Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Raw audio recordings | Not stored (discarded after session) | Privacy by design |
| Interview transcripts & reports | 12 months from interview date | Service delivery; deletable on request |
| Account & profile data | Duration of active account + 30 days post-closure | Contract performance |
| Payment records & invoices | 8 years from transaction date | Indian GST Act / Income Tax Act |
| Security & access logs | 90 days | Security monitoring / IT Rules 2021 |
| Anonymised analytics | Indefinite (no personal data) | Product improvement |
After the applicable retention period, data is securely deleted or anonymised such that it can no longer be linked to an identifiable individual.
9. Data Security
We implement technical and organisational security measures as required under the IT (Reasonable Security Practices) Rules, 2011, GDPR Article 32, and DPDP Act, 2023:
- Encryption in transit: All API communication and WebSocket connections are encrypted using HTTPS/TLS 1.2+.
- Encryption at rest: Data stored on cloud databases is encrypted at rest.
- Password security: Passwords are hashed using bcrypt. Plaintext passwords are never stored.
- Authentication: JWT-based session tokens with a 7-day expiry; tokens are stored in browser localStorage and transmitted only over HTTPS.
- Access controls: Database and API access is restricted to authorised application services.
- Input sanitisation: User inputs are sanitised before being passed to AI services to mitigate prompt injection risks.
- Data isolation: Organisation accounts enforce strict multi-tenant data isolation.
If you become aware of a potential security vulnerability, please report it to security@rehurz.com. In the event of a personal data breach, we will notify affected users and relevant authorities as required by applicable law (within 72 hours for GDPR; per DPDP Act timelines).
10. Cookies and Tracking Technologies
Rehurz uses minimal client-side storage for essential functionality only:
- localStorage: Stores your authentication token (JWT) after login. Required for the Platform to function. Not shared with third parties.
- Session preferences: Stores UI preferences (e.g., sidebar state) in localStorage for your convenience.
We do not use:
- Third-party advertising cookies or tracking pixels.
- Cross-site tracking technologies.
- Social media widgets that track activity across sites.
- Analytics services that collect identifiable user behaviour for advertising purposes.
11. Your Privacy Rights
Regardless of your location, you have the following rights regarding your personal data:
- Right to Access: Request a copy of all personal data we hold about you.
- Right to Correction: Request correction of inaccurate, incomplete, or misleading personal data.
- Right to Erasure: Request deletion of your personal data. Note: data subject to legal retention obligations (e.g., tax records) cannot be deleted before the statutory period expires.
- Right to Data Portability: Request an export of your personal data in a machine-readable format (JSON or CSV).
- Right to Withdraw Consent: Withdraw your consent to data processing at any time. Withdrawal does not affect the lawfulness of processing prior to the withdrawal.
- Right to Object: Object to processing of your personal data for AI improvement or anonymised analytics.
- Right to Restrict Processing: Request restriction of processing in certain circumstances.
To exercise any of these rights, send an email to reach@rehurz.com from your registered email address with the subject line "Data Rights Request — [Type of Request]". We will acknowledge your request within 72 hours and fulfil it within 30 days.
You may also delete your account directly at any time from the Account Settings page. Account deletion permanently removes your profile, interview history, and reports. Tax invoices and payment records are retained as required by law.
12. Additional Rights — EU and UK Users (GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, you have additional rights under the GDPR and UK GDPR:
- Right to Object to Automated Decision-Making: AI-generated interview scores involve automated processing. You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Our AI feedback is for educational purposes only and does not produce such decisions.
- Right to Lodge a Complaint: You have the right to lodge a complaint with your national data protection authority (e.g., ICO in the UK, or your local EU supervisory authority).
- International Transfers: When your data is transferred from the EEA/UK to India or other countries, we rely on Standard Contractual Clauses (SCCs) or other GDPR-compliant transfer mechanisms.
- Legal Representative: Direct all GDPR enquiries to reach@rehurz.com.
13. Additional Rights — California Residents (CCPA / CPRA)
If you are a California resident, the CCPA as amended by the CPRA provides you with the following additional rights:
13.1 Categories of Personal Information Collected
In the preceding 12 months, we have collected: Identifiers (name, email, IP address); Professional or Employment-Related Information (resume, work experience, job descriptions); Audio and Electronic Data (voice recordings — transient, not stored permanently; interview transcripts); Inferences (AI-generated performance scores); Commercial Information (transaction history).
13.2 We Do Not Sell or Share Your Personal Information
We do not sell your personal information to third parties. We do not share your personal information for cross-context behavioural advertising.
13.3 Your CCPA Rights
- Right to Know: Request disclosure of categories and specific pieces of personal information we have collected, the sources, business purposes, and third parties with whom we share it.
- Right to Delete: Request deletion of your personal information, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out: We do not sell or share personal information, so no opt-out is required.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To submit a CCPA request, email reach@rehurz.com with the subject line "CCPA Rights Request — [Type of Request]". We will respond within 45 days.
14. India — Digital Personal Data Protection Act, 2023
In our capacity as a Data Fiduciary under the DPDP Act, 2023, we:
- Collect and process personal data only for the specified, explicit purposes described in this Policy.
- Obtain your free, specific, informed, and unambiguous consent prior to processing personal data for non-essential purposes.
- Maintain the accuracy of your personal data and facilitate corrections upon your request.
- Implement reasonable technical and organisational safeguards to prevent unauthorised processing, breach, or loss.
- Notify you and the Data Protection Board of India (DPBI) of any personal data breach in a timely manner.
- Honour your rights as a Data Principal, including access, correction, erasure, and grievance redressal.
- Not process the personal data of children (under 18) without verifiable parental consent.
As the Data Principal, you have the right to:
- Obtain a summary of personal data being processed and related activities.
- Identify all Data Fiduciaries and Processors with whom your personal data has been shared.
- Seek redressal through the Grievance Officer or the Data Protection Board of India.
- Nominate another individual to exercise your rights on your behalf in the event of death or incapacity.
15. Children's Privacy
Rehurz is not directed at individuals under the age of 16 ("children"). We do not knowingly collect personal data from children without verifiable parental or guardian consent.
Under the DPDP Act, 2023, processing of personal data of individuals under 18 requires verifiable parental consent. If you are under 18, please obtain consent from your parent or legal guardian before using the Platform.
If you believe a child has provided us with personal data without consent, please contact us at reach@rehurz.com.
16. Grievance Officer
In accordance with the Information Technology Act, 2000, the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the DPDP Act, 2023, the designated Grievance Officer is:
Grievance Officer
Operated by LETSDECODE TECHNOLOGIES LLP
Email: reach@rehurz.com
Subject: "Grievance — [Your Name] — [Brief Description]"
Acknowledgement within 24 hours · Resolution within 15 days
17. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or service features. Material changes will be communicated via email to your registered address and/or a prominent notice on the Platform at least 14 days before the updated Policy takes effect.
18. Contact Us
For questions, concerns, or requests regarding this Privacy Policy or your personal data:
Rehurz Privacy Team
Operated by LETSDECODE TECHNOLOGIES LLP
Privacy & Data Protection: reach@rehurz.com
Security Disclosures: security@rehurz.com
Grievance Officer: reach@rehurz.com