Privacy Policy

ProfileGPT ("ProfileGPT", "we", "us", or "our") respects your privacy and is committed to protecting personal data in accordance with applicable data protection laws, including:

  • The EU General Data Protection Regulation (GDPR), and
  • The Digital Personal Data Protection Act, 2023 (India) ("DPDP Act").

This Privacy Policy explains how we collect, use, store, disclose, and protect personal data when you access or use our platform available at https://www.profilegpt.in (the "Service").

1. Who We Are (Data Controller)

ProfileGPT is the Data Controller for personal data processed through the Service.

Contact for privacy matters:
Email: privacy@profilegpt.in
Grievance Officer (India – DPDP): Mihir Joshi / Director

2. Scope of This Policy

This policy applies to:

  • Registered users of ProfileGPT (recruiters, hiring managers, customers)
  • Individuals whose professional profiles appear on the platform ("Candidates")
  • Website visitors

3. Categories of Personal Data We Process

A. User Data (Platform Users)

  • Name
  • Work email address
  • Company name
  • Login credentials (hashed)
  • OAuth tokens (Gmail / Outlook)
  • Usage logs and activity data

B. Candidate / Profile Data (Third-Party Sourced)

  • Name
  • Professional email
  • Job title, employer
  • Public professional profile links
  • Skills, experience, education (where available)
  • Enriched or inferred professional attributes

C. Technical Data

  • IP address
  • Browser and device metadata
  • Log files and audit trails

4. Sources of Data

We collect personal data:

  • Directly from users during account registration
  • From licensed third-party data providers
  • From publicly available professional sources
  • Via OAuth authorization (Google / Microsoft)

5. Lawful Basis for Processing

Under GDPR (EU)

We process personal data on the following lawful bases:

Purpose | Lawful Basis
Recruitment intelligence, profile display | Legitimate Interest
Platform access & account management | Contract
Email sequencing via OAuth | Consent
Analytics & product improvement | Legitimate Interest
Legal compliance | Legal Obligation

Under DPDP Act (India)

We process personal data based on:

  • Consent, where explicitly required (e.g., OAuth access)
  • Deemed Consent / Certain Legitimate Uses, including business contact communication and employment-related purposes

6. OAuth (Gmail / Outlook) Data Handling

When you connect your Gmail or Outlook account:

  • We collect OAuth access tokens only after explicit authorization
  • Tokens are used solely to execute user-initiated email sequences
  • We do not read personal inbox content beyond permitted scopes
  • Tokens are encrypted at rest and in transit
  • Tokens can be revoked at any time from your ProfileGPT account settings or Google / Microsoft security dashboards

7. Automated Profiling & AI Processing

ProfileGPT may use automated systems to rank profiles, enrich professional attributes, and provide recruitment insights. These processes do not produce legal or similarly significant effects on individuals.

8. Data Retention

Data Type | Retention
User account data | Until account deletion
OAuth tokens | Until revoked + 30 days
Candidate profiles | 12 months from last activity
Logs & audit data | 30–90 days

9. Data Subject Rights

GDPR Rights (EU): Access, Rectification, Erasure, Restriction, Objection, Data portability, Withdraw consent

DPDP Rights (India): Access, Correction, Erasure, Grievance redressal, Nomination

Requests may be submitted to privacy@profilegpt.in. We respond within 30 days.

10. Data Sharing & Processors

We may share data with cloud infrastructure providers, analytics providers, email delivery services, and compliance vendors. All processors are contractually bound to comply with applicable data protection laws.

11. Cross-Border Transfers

Personal data may be processed outside India or the EU. We rely on contractual safeguards, industry-standard security measures, and applicable legal transfer mechanisms.

12. Security Measures

We implement encryption at rest and in transit, role-based access control, secure credential storage, audit logging, and incident response procedures.

13. Data Breach Notification

In the event of a personal data breach, we will notify relevant authorities and affected users as legally required.

14. Children's Data

ProfileGPT does not knowingly process data of individuals under 18.

15. Updates to This Policy

We may update this policy periodically. Material changes will be notified via the Service.