Privacy Policy

ProfileGPT ("ProfileGPT", "we", "us", or "our") respects your privacy and is committed to protecting personal data in accordance with applicable data protection laws, including:

  • The EU General Data Protection Regulation (GDPR)
  • The Digital Personal Data Protection Act, 2023 (India) ("DPDP Act")
  • The California Privacy Rights Act (CPRA) - California, USA

✓ Compliance Status: FULLY COMPLIANT

Our platform implements industry-standard security measures, including strong encryption, minimal session storage, and comprehensive audit trails to ensure your data is protected at all times.

This Privacy Policy explains how we collect, use, store, disclose, and protect personal data when you access or use our platform available at https://www.profilegpt.in (the "Service").

1. Who We Are (Data Controller)

ProfileGPT is the Data Controller for personal data processed through the Service.

Contact for privacy matters:
Email: privacy@profilegpt.in
Grievance Officer (India – DPDP): Mihir Joshi / Director

2. Scope of This Policy

This policy applies to:

  • Registered users of ProfileGPT (recruiters, hiring managers, customers)
  • Individuals whose professional profiles appear on the platform ("Candidates")
  • Website visitors

3. Categories of Personal Data We Process

A. User Data (Platform Users)

  • Name
  • Work email address
  • Company name
  • Login credentials (hashed)
  • OAuth tokens (Gmail / Outlook)
  • Usage logs and activity data

B. Candidate / Profile Data (Third-Party Sourced)

  • Name
  • Professional email
  • Job title, employer
  • Public professional profile links
  • Skills, experience, education (where available)
  • Enriched or inferred professional attributes

C. Technical Data

  • IP address
  • Browser and device metadata
  • Log files and audit trails

4. Sources of Data

We collect personal data:

  • Directly from users during account registration
  • From licensed third-party data providers
  • From publicly available professional sources
  • Via OAuth authorization (Google / Microsoft)

5. Lawful Basis for Processing

Under GDPR (EU)

We process personal data on the following lawful bases:

  Purpose                                    Lawful Basis
  ------------------------------------------ --------------------
  Recruitment intelligence, profile display  Legitimate Interest
  Platform access & account management       Contract
  Email sequencing via OAuth                 Consent
  Analytics & product improvement            Legitimate Interest
  Legal compliance                           Legal Obligation

Under DPDP Act (India)

We process personal data based on:

  • Consent, where explicitly required (e.g., OAuth access)
  • Deemed Consent / Certain Legitimate Uses, including business contact communication and employment-related purposes

6. OAuth (Gmail / Outlook) Data Handling

🔒 Security Implementation

We maintain strict separation between authentication and integration tokens to maximize your security. Only essential identifiers are stored in your main login session, and integration tokens are stored separately and encrypted using industry-standard methods.

When you connect your Gmail or Outlook account:

  • We collect OAuth access tokens only after explicit authorization
  • Tokens are used solely to execute user-initiated email sequences
  • We do not read personal inbox content beyond permitted scopes
  • All tokens are encrypted at rest using strong, industry-standard encryption
  • All data transmission is encrypted
  • OAuth tokens are NEVER stored in your main login session
  • Tokens can be revoked at any time from your ProfileGPT account settings or Google / Microsoft security dashboards
  • Sessions expire automatically after 30 days of inactivity

7. Automated Profiling & AI Processing

ProfileGPT may use automated systems to rank profiles, enrich professional attributes, and provide recruitment insights. These processes do not produce legal or similarly significant effects on individuals.

8. Data Retention

  Data Type                    Retention
  ---------------------------- ----------------------------------
  User account data            Until account deletion
  Main session data            30 days of inactivity
  OAuth integration tokens     Until revoked + 30 days
  Candidate profiles           12 months from last activity
  Audit logs & security data   3 years (compliance requirement)
  Inactive accounts            Auto-deleted after 2 years
  Deleted accounts             90 days (permanent deletion)

9. Data Subject Rights

Your Rights Under GDPR, DPDP, and CPRA

🔍 Right to Access

Request a copy of all personal data we hold about you

✏️ Right to Rectification/Correction

Request correction of inaccurate or incomplete data

🗑️ Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data (subject to legal obligations)

⛔ Right to Restrict Processing

Request limitation of how we process your data

📦 Right to Data Portability

Receive your data in a structured, machine-readable format

🚫 Right to Object

Object to processing of your data for certain purposes

🤖 Automated Decision-Making Rights

Right not to be subject to decisions based solely on automated processing

❌ Right to Withdraw Consent

Withdraw your consent at any time (without affecting prior lawful processing)

GDPR Rights (EU): Access, Rectification, Erasure, Restriction, Objection, Data portability, Withdraw consent

DPDP Rights (India): Access, Correction, Erasure, Grievance redressal, Nomination

CPRA Rights (California, USA): Right to know, Right to delete, Right to correct, Right to opt-out, Right to limit use of sensitive information, Non-discrimination

Requests may be submitted to privacy@profilegpt.in. We respond within 30 days as required by law.

10. Data Sharing & Processors

We may share data with cloud infrastructure providers, analytics providers, email delivery services, and compliance vendors. All processors are contractually bound to comply with applicable data protection laws.

11. Cross-Border Transfers

Personal data may be processed outside India or the EU. We rely on contractual safeguards, industry-standard security measures, and applicable legal transfer mechanisms.

12. Security Measures

🔒 Security Practices

Encryption at Rest

All personally identifiable information (PII) is encrypted before storage in our databases using strong, industry-standard encryption methods.

Encryption in Transit

All data transmitted between your browser and our servers is encrypted to ensure secure communication at all times.

Minimal Session Storage

We follow strict data minimization principles. Your main authentication session contains only essential identifiers and never stores OAuth tokens. Integration tokens are stored separately and encrypted.

Comprehensive Audit Trails

All candidate submissions, data access, and modifications are logged with timestamps for accountability and security monitoring. Audit logs are retained for compliance purposes.

Additional Security Measures

  • Role-based access control
  • Secure credential storage
  • Real-time security event monitoring
  • Incident response procedures
  • Regular security audits and penetration testing
  • Employee security training

We implement strong encryption, access controls, secure credential storage, audit logging, and incident response procedures to protect your data.

13. Data Breach Notification

In the event of a personal data breach, we will notify relevant authorities and affected users as legally required.

14. Children's Data

ProfileGPT does not knowingly process data of individuals under 18.

15. Updates to This Policy

We may update this policy periodically. Material changes will be notified via the Service.

Last Updated: January 29, 2026

✓ Compliance Summary

  • GDPR Compliant (European Union)
  • DPDP Compliant (India)
  • CPRA Compliant (California, USA)

🔒 Strong Encryption | 📝 Comprehensive Audit Trails | 🔑 Minimal Session Storage