Legal
Privacy Policy
How we collect, use, store, share, and protect your personal data — and the rights you have as a Data Principal under the DPDP Act, 2023.
ElevateCareer.ai Learning Solutions Private Limited · Hyderabad, Telangana, India
Version 1.0
1. Introduction
ElevateCareer.ai Learning Solutions Private Limited ("ElevateCareer.ai", "we", "us", "our") operates an AI-powered hiring assessment and career guidance platform serving corporate organisations, educational institutions, government bodies, candidates, and students (the "Platform").
This Privacy Policy describes how we collect, use, store, share, and protect personal data, and the rights available to you as a Data Principal under the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Digital Personal Data Protection Rules, 2025 ("DPDP Rules"). It should be read together with our Data Collection Policy and Terms and Conditions.
By using the Platform after receiving notice of this policy, or by providing consent through the mechanisms we offer, you acknowledge the processing described here.
2. Who Is Responsible for Your Data
When you sign up directly (e.g., as a student with parental consent, or as an individual candidate using our career tools), ElevateCareer.ai is the Data Fiduciary responsible for your personal data.
When an organisation enrols you (e.g., a company invites you to an AI interview, or a government department registers you in a skilling programme), that organisation is generally the Data Fiduciary, and ElevateCareer.ai acts as its Data Processor. In such cases, the organisation’s privacy notice governs the purpose of processing, and requests concerning your data may be routed to that organisation. We will assist in fulfilling your rights as contractually and legally required.
3. Personal Data We Process
A detailed breakdown by user category is in our Data Collection Policy. In summary:
- Identity and contact data — name, email, phone, date of birth, photograph.
- Professional and academic data — resumes, qualifications, work history, school and class details.
- Assessment and interview data — test responses, psychometric instrument responses, video/audio recordings and transcripts of AI-assisted interviews.
- Derived data — competency scores, fitment indices, career interest profiles, and recommendations generated by our scoring engine.
- Technical and usage data — device information, IP address, log data, cookies, and (where enabled by the assessing organisation) proctoring signals.
- Billing and business data — for corporate and institutional clients.
4. How AI Is Used — and Its Limits
Because we are an AI-native assessment platform, we want to be explicit:
- What our AI does: transcribes and analyses interview and assessment responses against defined competency frameworks; generates structured scores, evidence summaries, and recommendation tiers.
- What our AI does not do: make final hiring, admission, or selection decisions. Outputs are decision-support inputs for human evaluators at the engaging organisation. We contractually require clients to maintain human oversight over final decisions.
- No biometric or emotion scoring: we do not score candidates using facial expression analysis, voice-stress analysis, or emotion recognition.
- Fairness and validity: our scoring engine is built on competency-based assessment principles. We conduct periodic validity and adverse-impact reviews, and where we qualify as a Significant Data Fiduciary, we will undertake the algorithmic due diligence, Data Protection Impact Assessments, and audits required under the DPDP framework.
- Model improvement: we improve our models using aggregated, de-identified data. We do not use identifiable candidate or student data for model training without separate, explicit consent.
5. Lawful Bases for Processing
We process personal data on the following grounds under the DPDP Act:
- Consent — for assessments, interviews, career guidance, and communications (the default basis for individuals).
- Verifiable parental consent — for all processing of children’s data (users under 18).
- Legitimate uses recognised under the Act — such as processing for employment-related purposes where permitted, compliance with law or court orders, and responding to medical emergencies.
- Contractual necessity — for client account administration and billing.
6. Children’s Privacy (Students Under 18)
Our school career guidance platform is designed for students of Classes 6–12. We:
- Process a child’s personal data only after verifiable consent of a parent or lawful guardian, obtained via mechanisms consistent with the DPDP Rules (directly or through the partnering school under documented authority);
- Do not carry out behavioural tracking, profiling for advertising, or targeted advertising directed at children;
- Limit processing to career interest mapping, aptitude assessment, learning recommendations, and progress reporting to the student, parents, and school;
- Provide parents/guardians the ability to review, correct, and request erasure of their child’s data and to withdraw consent at any time;
- Apply heightened security controls and access restrictions to student data.
7. How We Share Personal Data
We share personal data only with:
- The engaging organisation — assessment reports, scores, and recordings go to the employer, school, or government department that commissioned the assessment, as notified to you before the assessment begins;
- Service providers (Data Processors) — cloud hosting, video infrastructure, communications, analytics, and payment providers, bound by data processing agreements with confidentiality, security, and deletion obligations;
- Legal and regulatory recipients — courts, law enforcement, tax, and regulatory authorities where disclosure is required by law;
- Corporate transactions — a successor entity in a merger, acquisition, or restructuring, subject to this policy’s protections.
- We do not sell personal data, and we do not share candidate or student data with advertisers.
8. Cross-Border Transfers and Data Residency
Our primary data infrastructure is located in India. If any personal data is transferred outside India (for example, to a global cloud or communications provider), we ensure the transfer complies with the DPDP Act, any restrictions notified by the Central Government, and contractual safeguards. Government client data is hosted and processed in accordance with the residency requirements of the relevant contract or tender.
9. Data Security
We implement reasonable security safeguards aligned with the DPDP Rules and industry practice, including:
- Encryption of data in transit (TLS 1.2+) and at rest;
- Role-based access control, least-privilege administration, and multi-factor authentication for administrative access;
- Logical separation of client environments;
- Security logging and monitoring, with access logs retained for at least one year;
- Vendor security due diligence and contractual flow-down of obligations;
- Periodic vulnerability assessments and an incident response plan.
10. Data Breach Notification
In the event of a personal data breach, we will notify the Data Protection Board of India and affected Data Principals in the form, manner, and timelines prescribed under the DPDP Rules, including intimation to the Board within 72 hours of becoming aware of the breach (or such period as prescribed), and clear, plain-language communication to affected individuals describing the nature of the breach, likely consequences, and protective measures. Where we act as Data Processor, we will notify the engaging Data Fiduciary without undue delay so it can meet its statutory obligations.
11. Data Retention and Erasure
We retain personal data only as long as necessary for the notified purpose or as required by law, per the schedule in our Data Collection Policy. When retention ends, or when you validly withdraw consent, we erase or irreversibly anonymise the data and instruct our processors to do the same, unless retention is required by law. Where the DPDP Rules require, we will notify you in advance before erasing data due to prolonged inactivity.
12. Your Rights as a Data Principal
Under the DPDP Act, you have the right to:
- Access — obtain a summary of your personal data being processed, the processing activities, and the identities of entities with whom it has been shared;
- Correction and updating — have inaccurate or incomplete data corrected or updated;
- Erasure — request deletion of your personal data where it is no longer necessary or where you withdraw consent;
- Withdraw consent — at any time, as easily as it was given;
- Grievance redressal — raise complaints with our Grievance Officer and receive a response within prescribed timelines;
- Nominate — designate another individual to exercise your rights in the event of death or incapacity.
- To exercise these rights, write to [email protected] with your registered details. We may verify your identity before acting. Where we act as a Data Processor, we will route or support the request with the responsible Data Fiduciary. If you are unsatisfied with our resolution, you may approach the Data Protection Board of India.
- You also have a corresponding duty under the DPDP Act not to impersonate others, suppress material information, or register false or frivolous complaints.
13. Cookies and Tracking
We use:
- Essential cookies — authentication, session integrity, security (cannot be disabled);
- Functional cookies — preferences and language settings;
- Analytics cookies — aggregated usage measurement to improve the Platform, enabled only with consent where required.
- We do not use third-party advertising cookies on candidate or student experiences. Cookie preferences can be managed via the in-product banner and your browser settings.
14. Communications
We send transactional communications (assessment invitations, results notifications, account and security alerts) as part of the service. Marketing communications to business contacts are sent with the ability to opt out at any time. We do not send marketing communications to children.
15. Changes to This Policy
We may update this policy to reflect legal, technical, or business changes. Material changes will be notified through the Platform or by email, with the revised effective date displayed above. Continued use after notice constitutes acknowledgement; where the change requires fresh consent under law, we will seek it.
16. Grievance Officer and Contact Details
Grievance Officer / Data Protection Officer, ElevateCareer.ai Learning Solutions Private Limited, Registered Office, Hyderabad, Telangana, India.
Email: [email protected] · [email protected]. Hours: Monday–Friday, 10:00–18:00 IST.
We acknowledge grievances within 72 hours and aim to resolve them within the timelines prescribed under the DPDP Act and Rules.
This document is provided for transparency under the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025. For questions, contact our Grievance Officer at [email protected].
