Privacy Policy

Hyrefox Consultants Limited (CIN: U74999RJ2018PTC061025, GSTIN: 08AAECH5205M1ZH) ("Company", "we", "us", "our") operates the Easyhyre recruitment marketplace platform ("Platform"). This Privacy Policy explains how we collect, use, disclose, store, and protect personal data in connection with the Platform, and describes the rights available to individuals whose data we process.

This Policy applies to all users of the Platform, including recruitment agency administrators and recruiters ("Agency Users"), vendor recruiters ("Vendor Users"), employer representatives ("Employers"), and candidates seeking employment ("Candidates").

We are committed to complying with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000 and associated rules, and, where applicable, the General Data Protection Regulation (EU) 2016/679 ("GDPR"). Where users are located in the European Economic Area or United Kingdom, the GDPR or UK GDPR applies in addition to Indian law.

By using the Platform, you acknowledge that you have read and understood this Policy. Please also read our Terms of Service.

For the purposes of applicable data protection law, the data controller is:

Where Agency Users process Candidate Data through the Platform for their own purposes (such as managing a talent pool), the Agency User acts as a separate data controller in respect of that processing. The Company acts as a data processor on the Agency User's behalf with respect to the Platform's technical hosting and storage functions.

3.1 Agency and Vendor Users

• Name, job title, business email address, and phone number;
• Company name, address, GSTIN, PAN, and KYC documents;
• Account credentials (email; passwords are stored as salted hashes);
• Transaction records, invoices, and payment history;
• Usage data and activity logs within the Platform.

3.2 Candidates

• Full name, email address, and phone number (including WhatsApp number);
• Resume / CV, employment history, educational qualifications, and skills;
• Current and expected salary, notice period, and location preferences;
• Application data including status, notes, interview feedback, and offer details;
• AI-generated screening scores, strengths, areas for improvement, and interview question responses;
• Photographs, where included in a resume or profile.

3.3 Technical and Usage Data

• IP address, browser type and version, device type, and operating system;
• Pages visited, features used, click-stream data, and session duration;
• Cookies and similar tracking technologies (see Section 9);
• Error reports and diagnostic data automatically submitted by the Platform.

3.4 Communications Data

• Messages sent through the Platform's integrated WhatsApp Business API channel;
• Feedback submissions, support tickets, and other correspondence with us.

We process personal data only for the purposes and on the legal bases set out below. Under the DPDP Act, our primary legal basis is the consent of the Data Principal or the legitimate uses specified under the Act. Under the GDPR, applicable bases include consent, contract, legitimate interests, and legal obligation.

We do not sell personal data. We may share personal data in the following circumstances:

5.1 Within the Platform Ecosystem

Candidate Data submitted by a Vendor User will be visible to the Agency User who assigned the vacancy to that Vendor. Agency Users may share read-only candidate snapshots with Employers via unique public links (see our Terms of Service, clause 8). Agency Users are responsible for ensuring such sharing complies with applicable data protection law.

5.2 Service Providers

We engage carefully selected third-party processors to provide infrastructure, analytics, communications, and AI services. These processors act only on our documented instructions and are bound by data processing agreements. Current categories include:

• Cloud infrastructure and hosting providers;
• AI/ML model providers (for candidate screening features);
• WhatsApp Business API service providers;
• Payment gateways;
• Email service providers;
• Error monitoring and analytics services.

5.3 Legal Requirements

We may disclose personal data where required to do so by law, court order, or in response to valid demands from government or regulatory authorities, or where we believe disclosure is necessary to prevent harm or protect our legal rights.

5.4 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of assets, personal data may be transferred to the acquiring entity, subject to the same level of protection as described in this Policy.

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal obligations, or to resolve disputes and enforce our agreements. Our standard retention periods are:

• Active accounts: for the duration of the account;
• Candidate Data (active application): until the application is concluded plus 24 months, to allow legitimate re-engagement;
• Candidate Data (rejected or withdrawn): 12 months from rejection or withdrawal, unless a longer period is required by law or the Candidate consents to a talent-pool hold;
• Financial and invoice records: 8 years from the date of the transaction, as required by Indian taxation law;
• Security and access logs: 90 days;
• Deleted accounts: up to 30 days to allow for recovery, then permanently deleted unless a longer period is required for legal proceedings.

After the applicable retention period, data is securely deleted or anonymised.

Subject to applicable law, you have the following rights in relation to your personal data. To exercise any of these rights, please contact our Grievance Officer (see Section 11).

7.1 Right of Access

You may request confirmation of whether we process personal data about you, and a copy of that data along with information about how it is used.

7.2 Right to Correction

You may request correction of inaccurate or incomplete personal data. Many fields are editable directly through your account settings.

7.3 Right to Erasure

You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent and there is no other lawful basis for processing. This right is subject to overriding legal obligations (e.g., retention required by tax law).

7.4 Right to Withdraw Consent

Where processing is based on your consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

7.5 Right to Data Portability

Where technically feasible and required by applicable law, you may request a copy of your personal data in a structured, machine-readable format.

7.6 Right to Nominate

Under the DPDP Act, you may nominate an individual to exercise your privacy rights on your behalf in the event of your death or incapacity.

7.7 Right to Object / Restrict

Under the GDPR, EEA/UK residents may object to processing based on legitimate interests, and may request restriction of processing in certain circumstances.

We will respond to verified requests within 30 days. Complex requests may require up to 60 days; we will notify you of any extension. We may need to verify your identity before processing a request.

The Platform is primarily hosted in India. Where we transfer personal data to service providers located outside India, we ensure that appropriate safeguards are in place in accordance with the DPDP Act and, where applicable, the GDPR (such as Standard Contractual Clauses approved by the European Commission, or adequacy decisions). A list of countries to which data may be transferred is available on request.

We use cookies and similar technologies to operate the Platform, remember your preferences, analyse usage, and improve our services. The types of cookies we use include:

• Strictly necessary cookies: Required for authentication and core Platform functionality. These cannot be disabled.
• Functional cookies: Store your preferences such as theme and language settings.
• Analytics cookies: Help us understand how the Platform is used so we can improve it.

You can control non-essential cookies through your browser settings. Disabling cookies may affect the functionality of the Platform. We do not currently use cookies for advertising or cross-site tracking.

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or alteration. Measures include encryption of data in transit (TLS) and at rest, hashed credential storage, access controls, regular security assessments, and incident response procedures.

No transmission over the Internet is 100% secure. While we take reasonable steps to protect your data, we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential.

In the event of a personal data breach that is likely to result in risk to individuals, we will notify the relevant authority and affected individuals as required by applicable law.

In accordance with Rule 5(9) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the DPDP Act, we have appointed a Grievance Officer to address data-related concerns:

If you are located in the European Economic Area or the United Kingdom and are not satisfied with our response, you may lodge a complaint with your local data protection supervisory authority.

The Platform is intended for use by individuals aged 18 or above. We do not knowingly collect personal data from children under 18 years of age. If you believe we have inadvertently collected such data, please contact us immediately and we will delete it promptly.

The Platform may contain links to third-party websites or integrate with third-party services (such as WhatsApp, Google OAuth, and LinkedIn). This Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you access through the Platform.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and/or by posting a prominent notice on the Platform at least 30 days before the changes take effect. The "Last updated" date at the top of this Policy reflects the most recent revision. Continued use of the Platform after the effective date constitutes acceptance of the revised Policy.