Privacy Policy (B2B)
Utkrusht Skill Assessment Platform — For Recruiters and Organizations
Last Updated: February 3, 2026 Effective Date: February 3, 2026 Version: 1.0 (Audit-Ready)
Scope: This privacy policy primarily addresses data practices relevant to business customers (recruiters, organizations). While it describes how candidate data is processed, a separate candidate-facing privacy notice will provide direct disclosures to candidates.
1. IDENTITY AND CONTACT DETAILS
1.1 Data Controller
Utkrusht Learning Services Private Limited
Registered Office (India) A-18 Shreenathji Kurpa Society, Subhanpura, Vadodara, India - 390023 Phone: +91-9023239479
US Office 572 Amboy Dr, San Jose, CA, United States of America - 95136 Phone: +1-919-793-6081
Corporate Identity Number (CIN): U85490GJ2024PTC157512
1.2 Data Protection Contact
For all privacy-related inquiries, data subject requests, or complaints:
Data Protection Officer Email: naman@utkrusht.ai
General Privacy Inquiries Email: naman@utkrusht.ai
1.3 Response Commitment
We commit to responding to all data subject requests within thirty (30) days of receipt of a verified request. Complex requests may require an additional sixty (60) days, in which case we will notify you of the extension and reasons within the initial thirty-day period.
2. CATEGORIES OF PERSONAL DATA
2.1 Candidate Data
We process the following categories of personal data for Candidates (individuals who take assessments):
| Category | Data Elements | Source |
|---|---|---|
| Identity Data | Full name, email address, phone number, user ID | Provided by recruiter or candidate directly |
| Source Tracking | Source hashcode (SHA-256), referral source, campaign identifiers | Generated from referral links |
| Professional Data | Resume/CV, LinkedIn profile, GitHub profile, work history, education, skills | Provided by candidate or recruiter |
| Assessment Responses | Text answers, audio recordings, video recordings, code submissions | Collected during assessments |
| Proctoring Data | Webcam video, screen recordings, audio recordings, transcripts, behavioral flags | Collected during proctored assessments |
| Derived Data | Scores, ratings (1-5 scale), proficiency levels, AI-generated analysis, SWOT analysis, ranking position | Generated by Platform AI |
| Technical Data | IP address, browser type, device information, session timestamps | Collected automatically |
| Communication Data | Email correspondence, SMS messages, WhatsApp messages | Generated through platform communications |
2.2 Recruiter Data
We process the following categories of personal data for Recruiters and platform Users:
| Category | Data Elements | Source |
|---|---|---|
| Identity Data | Full name, email address, phone number | Provided during registration |
| Account Data | Username, password (hashed), role, permissions | Created during onboarding |
| Professional Data | Job title, department, organization affiliation | Provided during registration |
| Activity Data | Login history, actions taken, positions created, candidates reviewed | Collected through platform usage |
| Communication Data | Support tickets, feedback, correspondence | Generated through interactions |
2.3 Organization Data
We process the following categories of data for Organizations:
| Category | Data Elements | Source |
|---|---|---|
| Business Data | Organization name, registration details, industry, size | Provided during registration |
| Billing Data | Billing address, payment method details, transaction history, credit ledger | Provided and generated through billing |
| Configuration Data | Subscription tier, resource pools, settings, branding | Set through platform configuration |
| Usage Data | Assessment volumes, candidate counts, feature usage, API calls | Collected through platform usage |
3. PURPOSES AND LEGAL BASES
3.1 Processing as Data Processor
When recruiters upload candidate data and administer assessments, Utkrusht acts as a Data Processor on behalf of the recruiting organization (the Data Controller). This processing is governed by our Data Processing Agreement.
| Purpose | Description | Legal Basis |
|---|---|---|
| Assessment Delivery | Presenting questions, recording responses, enforcing time limits | Contract performance (recruiter's instructions) |
| Score Generation | Analyzing responses and generating scores | Contract performance |
| Proctoring | Recording and monitoring assessment sessions | Contract performance |
| Reporting | Generating reports and analytics for recruiters | Contract performance |
| Data Storage | Securely storing candidate data | Contract performance |
For Processor activities, the recruiting organization determines the lawful basis. Contact the organization that invited you to take the assessment for information about their legal basis for processing your data.
3.2 Processing as Data Controller
For the following purposes, Utkrusht acts as an independent Data Controller with its own lawful basis:
3.2.1 Legitimate Interest Processing
| Purpose | Legitimate Interest | Necessity | Data Subject Impact | Safeguards |
|---|---|---|---|---|
| AI Model Training | Improving assessment accuracy and service quality | Essential for maintaining competitive AI systems | Minimal - data is de-identified before use | Aggregation, pseudonymization, no re-identification |
| Cross-Organization Benchmarking | Providing accurate candidate rankings and industry benchmarks | Core platform feature that benefits all users | Moderate - rankings visible to recruiters | Opt-out available, transparency, no PII shared across orgs |
| Platform Analytics | Understanding usage patterns and improving services | Necessary for product development | Minimal - statistical aggregation only | No individual identification possible |
| Fraud Prevention | Maintaining assessment integrity and preventing cheating | Essential for platform trust | Low - limited additional data collection | Clear disclosure, human review for adverse decisions |
| Security Monitoring | Protecting platform and user data from threats | Legal and contractual security obligations | Low - standard security logging | Minimal retention, access controls |
Balancing Test Documentation: For each legitimate interest purpose, we have conducted and documented a balancing test weighing our interests against data subject rights. These assessments are available upon request to our Data Protection Officer.
Your Right to Object: You may object to processing based on legitimate interests by contacting naman@utkrusht.ai. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
3.2.2 Contract Performance
| Purpose | Description |
|---|---|
| Account Management | Creating and maintaining user accounts |
| Service Delivery | Providing access to platform features |
| Billing | Processing payments and managing subscriptions |
| Support | Responding to inquiries and resolving issues |
3.2.3 Legal Obligations
| Purpose | Description | Legal Requirement |
|---|---|---|
| Tax Records | Maintaining payment and invoice records | Indian tax law (7-year retention) |
| Audit Trail | Maintaining immutable credit ledger | Financial compliance requirements |
| Legal Requests | Responding to valid legal process | Applicable law |
3.2.4 Consent
Where required by law, we obtain explicit consent for:
| Purpose | How Consent is Obtained |
|---|---|
| Marketing Communications | Opt-in checkbox during registration |
| Cross-Organization Data Usage (where legally required) | Notice and acknowledgment before assessment |
You may withdraw consent at any time by contacting naman@utkrusht.ai or using unsubscribe links in communications.
4. RECIPIENTS AND THIRD-PARTY SHARING
4.1 Sub-processors
We share personal data with the following third-party service providers (sub-processors):
| Provider | Location | Data Shared | Purpose | Transfer Mechanism |
|---|---|---|---|---|
| Amazon Web Services (S3) | Mumbai, India | Assessment recordings, documents, proctoring videos | Cloud storage | Adequacy (India-based) |
| Supabase | Singapore | All platform data | Database, authentication | SCCs |
| OpenAI (via Portkey) | USA | Assessment responses (text only, no PII) | AI-powered response analysis | SCCs + Supplementary Measures |
| AssemblyAI | USA | Audio/video recordings | Transcription services | SCCs + Supplementary Measures |
| Sarvam AI | India | Audio recordings (Indic languages) | Transcription services | Adequacy (India-based) |
| MSG91 | India | Phone numbers, message content | SMS/OTP delivery | Adequacy (India-based) |
| WhatsApp/Meta | Ireland/USA | Phone numbers, message content | Candidate messaging | SCCs |
| Dodo Payments | India | Billing information, transaction details | Payment processing | Adequacy (India-based) |
| GitHub | USA | Code submissions, usernames | Task submission hosting | SCCs |
| USA | Email address, profile info (if OAuth used) | Authentication | SCCs | |
| Sentry | USA | Error logs (may contain user context) | Error monitoring | SCCs |
Sub-processor Updates: We maintain an up-to-date list of sub-processors at this URL. Organizations may subscribe to notifications of sub-processor changes through the platform settings.
4.2 Sharing with Recruiting Organizations
When you take an assessment, we share the following with the recruiting organization:
| Data Shared | Purpose |
|---|---|
| Your identity information (name, email, phone) | Contacting you about opportunities |
| Assessment responses | Evaluating your candidacy |
| Scores and AI-generated analysis | Informing hiring decisions |
| Proctoring flags (if any) | Verifying assessment integrity |
| Ranking position | Comparing candidates |
The recruiting organization becomes an independent controller of data we share with them. Contact them directly regarding their data practices.
4.3 Other Disclosures
We may disclose personal data:
- Legal Requirements: When required by law, regulation, or legal process
- Rights Protection: To protect our rights, property, or safety
- Business Transfers: In connection with a merger, acquisition, or sale of assets (with notice)
- With Consent: When you have provided explicit consent
We do not sell personal data to third parties.
5. INTERNATIONAL TRANSFERS
5.1 Transfer Destinations
Personal data may be transferred to and processed in:
| Country | Services | Adequacy Status |
|---|---|---|
| India | Primary processing, storage | N/A (domestic) |
| Singapore | Database services (Supabase) | No adequacy decision - SCCs used |
| USA | AI services, transcription, code hosting | No adequacy decision - SCCs used |
| Ireland | Messaging services (Meta) | EU adequacy |
5.2 Transfer Mechanisms
For transfers to countries without adequacy decisions, we rely on:
(a) Standard Contractual Clauses (SCCs): We execute EU-approved SCCs with all sub-processors in non-adequate countries.
(b) Supplementary Measures: Following the Schrems II decision, we implement additional safeguards:
| Measure | Description |
|---|---|
| Encryption in Transit | TLS 1.3 for all data transfers |
| Encryption at Rest | AES-256 encryption for stored data |
| Pseudonymization | Removing direct identifiers before AI processing |
| API-Only Access | Sub-processors access data only through controlled APIs |
| Minimal Persistence | AI services process data in memory without long-term storage |
| Access Controls | Strict limits on who can access data at sub-processors |
5.3 Transfer Impact Assessments
We conduct Transfer Impact Assessments (TIAs) for high-risk transfers, evaluating:
- Legal framework in the destination country
- Practical risk of government access
- Technical and organizational safeguards
- Nature and sensitivity of the data
TIA summaries are available upon request to our Data Protection Officer.
6. RETENTION PERIODS
We retain personal data only as long as necessary for the purposes collected:
| Data Category | Retention Period | Rationale |
|---|---|---|
| Assessment Responses | 3 years from assessment completion | Dispute resolution, reference checks, audit requirements |
| Proctoring Videos/Audio | 1 year from assessment completion | Assessment integrity verification |
| Proctoring Transcripts | 1 year from assessment completion | Red flag review and appeals |
| Derived Scores/Analysis | 3 years from assessment completion | Same as assessment responses |
| Candidate Account Data | Until deletion requested or 3 years of inactivity | Service provision |
| Recruiter Account Data | Duration of organization subscription + 1 year | Service provision, audit |
| Payment Records | 7 years from transaction | Indian tax compliance (GST) |
| Credit Ledger | 7 years from transaction | Financial audit requirements (immutable) |
| Communication Logs | 1 year from communication | Support and dispute resolution |
| Security Logs | 1 year from event | Security monitoring and incident response |
| De-identified/Aggregated Data | Indefinite | No longer personal data |
6.1 Retention After Account Deletion
When you request account deletion:
- Active personal data is deleted within 30 days
- Backup copies are deleted within 90 days
- Data already shared with recruiters must be addressed with them directly
- Data required for legal compliance is retained as specified above
- De-identified data is retained (no longer linked to you)
6.2 Retention After Organization Termination
When an organization terminates their subscription:
- 30-day data export period
- Candidate and assessment data deleted from active systems after export period
- Backup deletion within 90 days
- Payment and audit records retained per legal requirements
7. DATA SUBJECT RIGHTS
7.1 Your Rights Under GDPR
If GDPR applies to you (EU/EEA residents, or if an EU-based organization administers your assessment), you have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Obtain a copy of your personal data and information about how it's processed | Email naman@utkrusht.ai |
| Rectification | Correct inaccurate personal data | Email naman@utkrusht.ai or update in-app |
| Erasure ("Right to be Forgotten") | Request deletion of your personal data | Email naman@utkrusht.ai |
| Restriction | Limit how we process your data | Email naman@utkrusht.ai |
| Portability | Receive your data in a machine-readable format | Email naman@utkrusht.ai |
| Object | Object to processing based on legitimate interests | Email naman@utkrusht.ai |
| Automated Decision Review | Request human review of automated decisions | Email naman@utkrusht.ai |
| Withdraw Consent | Withdraw previously given consent | Email naman@utkrusht.ai or unsubscribe links |
| Lodge Complaint | Complain to a supervisory authority | Contact your local data protection authority |
7.2 Exceptions to Erasure
We may be unable to fully comply with erasure requests when:
| Exception | Explanation |
|---|---|
| Legal Obligations | Tax records must be retained for 7 years |
| Legal Claims | Data needed to establish, exercise, or defend legal claims |
| Audit Requirements | Credit ledger entries are immutable for financial compliance |
| Already Shared | Data shared with recruiters must be addressed with them |
| De-identified | Data that has been de-identified is no longer personal data |
When exceptions apply, we will:
- Delete what we can
- Explain what we cannot delete and why
- Provide information on how to address remaining data (e.g., recruiter contact)
7.3 Cross-Organization Data Opt-Out
You may opt out of cross-organization data usage (AI training, benchmarking) by:
- Emailing naman@utkrusht.ai with subject "Cross-Org Opt-Out"
- Providing your name and email address for verification
- We will process your opt-out within 30 days
Effect of Opt-Out:
- Your future assessment data will not be used for cross-organization purposes
- Previously de-identified data cannot be removed (it's no longer linked to you)
- Your assessment results for the recruiting organization are not affected
7.4 Verification Requirements
To protect your data, we verify identity before processing requests:
- Candidates: Email verification from registered address, or government ID for sensitive requests
- Recruiters: Verification through organization admin or registered email
- Response Time: 30 days (may extend to 90 days for complex requests with notice)
7.5 Requests via Recruiting Organizations
If you were invited to an assessment by a recruiting organization:
- You may contact them directly to exercise your rights
- They are obligated to forward requests to us
- We will assist them in responding within required timeframes
- You may also contact us directly at naman@utkrusht.ai
8. AUTOMATED DECISION-MAKING AND PROFILING
8.1 AI-Powered Analysis
We use artificial intelligence to analyze assessment responses. This includes:
| AI Function | Description | Output |
|---|---|---|
| Response Evaluation | Analyzing the quality and relevance of your answers against competency criteria | Quality scores, relevance ratings |
| Competency Rating | Generating ratings on a 1-5 scale with proficiency levels (Novice to Expert) | Competency ratings per skill area |
| SWOT Analysis | Identifying strengths, weaknesses, opportunities, and threats | Narrative analysis |
| Code Analysis | Evaluating code submissions for correctness, efficiency, and style | Technical scores, feedback |
| Ranking | Positioning candidates relative to others for a position | Rank position, percentile |
8.2 Smart Ranking Algorithm
Our ranking algorithm considers:
- Assessment scores and competency ratings
- Resume and profile information
- Position requirements and preferences
- Anonymized benchmark data from assessments across organizations
The algorithm provides recommendations to recruiters but does not make hiring decisions. All final decisions involve human review.
8.3 Proctoring Analysis
During proctored assessments, AI monitors for:
| Behavior | Detection Method | Consequence |
|---|---|---|
| Face not visible | Video analysis | Red flag logged |
| Multiple faces | Video analysis | Red flag logged |
| Tab switching | Browser monitoring | Red flag logged |
| External audio | Audio analysis | Red flag logged |
| Suspicious objects | Video analysis | Red flag logged |
Red flags are indicators for human review, not automatic disqualification. Recruiters review flagged sessions and make final integrity determinations.
8.4 Safeguards
We implement the following safeguards for automated processing:
| Safeguard | Description |
|---|---|
| Transparency | Clear disclosure of AI usage before assessments |
| Human Review | All significant decisions involve human judgment |
| No Solely Automated Hiring | AI informs but does not make final hiring decisions |
| Appeal Process | You may request human review of AI-generated assessments |
| Bias Monitoring | Regular audits of AI outputs for unfair bias |
| Explanation | Upon request, we provide meaningful information about AI logic |
8.5 Your Rights Regarding Automated Decisions
You have the right to:
- Not be subject to solely automated decisions with significant effects - all hiring involves humans
- Request human review of any AI-generated assessment
- Express your point of view and contest automated outputs
- Receive meaningful information about the logic involved
To exercise these rights, contact naman@utkrusht.ai.
9. SECURITY MEASURES
9.1 Technical Measures
| Measure | Implementation |
|---|---|
| Encryption in Transit | TLS 1.3 for all connections |
| Encryption at Rest | AES-256 for stored data |
| Authentication | Multi-factor authentication for administrative access |
| Password Security | Passwords hashed with bcrypt, minimum complexity enforced |
| Access Logging | Comprehensive audit logs of data access |
| Vulnerability Scanning | Regular automated security scans |
| Backup Encryption | All backups encrypted with separate keys |
| Network Security | Firewalls, intrusion detection, DDoS protection |
9.2 Organizational Measures
| Measure | Implementation |
|---|---|
| Least Privilege | Staff access limited to job requirements |
| Background Checks | Screening for employees with data access |
| Security Training | Annual security awareness training |
| Confidentiality | All personnel bound by confidentiality agreements |
| Vendor Assessment | Security review before engaging sub-processors |
| Incident Response | Documented procedures for security incidents |
| Business Continuity | Disaster recovery and data backup procedures |
9.3 Incident Response
In the event of a data breach:
- Detection: Automated monitoring and manual review
- Containment: Immediate action to limit impact
- Assessment: Determine scope and affected data
- Notification:
- Recruiting organizations within 48 hours
- Supervisory authorities within 72 hours (where required)
- Affected individuals without undue delay (where required)
- Remediation: Fix vulnerabilities and prevent recurrence
- Documentation: Maintain breach register
10. COOKIES AND LOCAL STORAGE
10.1 Essential Cookies Only
We use only essential cookies and local storage required for platform functionality:
| Cookie/Storage | Purpose | Duration |
|---|---|---|
| Session Token | Authentication state | Session |
| Auth Token | Persistent login (if selected) | 30 days |
| CSRF Token | Security against cross-site attacks | Session |
| Preferences | UI settings (language, theme) | 1 year |
10.2 No Advertising or Tracking Cookies
We do not use:
- Advertising cookies
- Third-party tracking cookies
- Social media tracking pixels
- Analytics cookies that track individual users across sites
10.3 Analytics
We collect aggregate analytics (page views, feature usage) for service improvement. This data is:
- Aggregated and not linked to individual users
- Processed by our own systems, not third-party analytics
- Not shared with advertisers
11. CHILDREN'S DATA
11.1 Age Restrictions
The Platform is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children under 16.
11.2 Discovery of Children's Data
If we discover that we have collected personal data from a child under 16:
- We will promptly delete all associated data
- We will notify the recruiting organization
- We will document the incident and remediation
11.3 Reporting
If you believe we have collected data from a child under 16, please contact naman@utkrusht.ai immediately.
12. POLICY UPDATES
12.1 Notification of Changes
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of changes by:
- Posting the updated policy on our website
- Updating the "Last Updated" date
- For material changes: Email notification at least 30 days before changes take effect
12.2 Material Changes
Material changes include:
- New categories of personal data collected
- New purposes for processing
- New third-party recipients
- Changes to retention periods
- Changes to your rights
12.3 Version History
We maintain version history of this Privacy Policy. Previous versions are available upon request from naman@utkrusht.ai.
| Version | Date | Changes |
|---|---|---|
| 1.0 | February 2, 2026 | Initial publication |
12.4 Continued Use
Your continued use of the Platform after the effective date of changes constitutes acceptance of the updated Privacy Policy. If you do not agree with changes, you should stop using the Platform and exercise your deletion rights.
13. CONTACT US
13.1 Privacy Inquiries
Data Protection Officer Email: naman@utkrusht.ai
General Privacy Questions Email: naman@utkrusht.ai
13.2 Mailing Addresses
Utkrusht Learning Services Private Limited
Registered Office (India) A-18 Shreenathji Kurpa Society, Subhanpura, Vadodara, India - 390023 Phone: +91-9023239479
US Office 572 Amboy Dr, San Jose, CA, United States of America - 95136 Phone: +1-919-793-6081
13.3 Supervisory Authority
If you are unsatisfied with our response to your privacy concerns, you have the right to lodge a complaint with a supervisory authority:
For EU/EEA Residents: Contact your local Data Protection Authority
For India: [Once established] Data Protection Authority of India Currently: You may contact us or seek legal remedies under applicable law
13.4 Response Times
| Request Type | Response Time |
|---|---|
| General inquiries | 5 business days |
| Data subject requests | 30 days (extendable to 90 days with notice) |
| Breach notifications | 72 hours to authorities, without undue delay to individuals |
APPENDIX: LEGAL BASIS SUMMARY
For Candidates
| Processing Activity | Legal Basis | Controller |
|---|---|---|
| Delivering your assessment | Contract (recruiter's instructions) | Recruiter (via Utkrusht as processor) |
| Generating your scores | Contract (recruiter's instructions) | Recruiter (via Utkrusht as processor) |
| Proctoring your session | Contract (recruiter's instructions) | Recruiter (via Utkrusht as processor) |
| Improving AI models | Legitimate interest | Utkrusht |
| Cross-org benchmarking | Legitimate interest | Utkrusht |
| Fraud prevention | Legitimate interest | Utkrusht |
| Security monitoring | Legitimate interest | Utkrusht |
For Recruiters
| Processing Activity | Legal Basis | Controller |
|---|---|---|
| Account management | Contract performance | Utkrusht |
| Service delivery | Contract performance | Utkrusht |
| Billing | Contract performance | Utkrusht |
| Tax records | Legal obligation | Utkrusht |
| Marketing (with consent) | Consent | Utkrusht |
| Service improvement | Legitimate interest | Utkrusht |
This Privacy Policy was last updated on February 2, 2026.
VERSION ROADMAP
V1.0 (Current — Audit-Ready)
This version provides full GDPR Article 13/14 disclosures and is immediately publishable. All data subject rights can be exercised through manual processes.
V1.0 Capabilities:
- Manual data access request fulfillment (30-day response)
- Manual erasure request processing
- Manual cross-org opt-out handling
- Email-based consent withdrawal
- Static sub-processor list in this document
V2.0 (Target — Enhanced Automation)
| Enhancement | Description | Target |
|---|---|---|
| Self-service data access | In-app "Download My Data" feature | Q2 2026 |
| Automated erasure | One-click account deletion with cascade | Q2 2026 |
| Consent management | Granular consent preferences UI | Q3 2026 |
| Cookie consent banner | Dynamic consent for future analytics | Q3 2026 |
| Privacy dashboard | Real-time view of data processing | Q4 2026 |
Utkrusht Learning Services Private Limited India: A-18 Shreenathji Kurpa Society, Subhanpura, Vadodara, India - 390023 USA: 572 Amboy Dr, San Jose, CA 95136 Email: naman@utkrusht.ai
Document Version: 1.0 (Audit-Ready)