Privacy Policy

Welcome to Rakri AI. We are committed to protecting your personal data and respecting your privacy rights. This Privacy Policy explains how Rakri AI ('we', 'us', or 'our') collects, uses, shares, and protects your personal information when you use our website and AI-powered recruitment platform services.

Rakri AI is a GDPR-compliant recruitment automation platform that specializes in AI-powered candidate screening for European and US recruitment agencies. Our core principle is data privacy by design - we enable clients to host candidate data on their own cloud infrastructure, ensuring maximum data control and compliance.

For the purposes of applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and applicable US state privacy laws, Rakri AI is the data controller for personal data collected through our website.

For candidate data processed through our platform, data controller responsibilities are typically shared between Rakri AI (as data processor) and our client organizations (as data controllers), as defined in our Data Processing Agreements.

This Privacy Policy applies to:

• Website visitors who browse rakriai.com
• Individuals who submit inquiries through our contact form
• Prospective clients who request demos or pricing information
• Client organization representatives who use our platform (covered by separate service agreements)
• Job candidates whose data is processed through our AI screening platform (covered by client privacy policies and our Data Processing Agreement)

• First name and last name
• Email address
• Phone number (including country code)
• Inquiry subject and message content
• GDPR consent acknowledgment

Legal Basis: Your explicit consent (GDPR Art. 6(1)(a)) and our legitimate interest in responding to business inquiries (GDPR Art. 6(1)(f)).

• Resume/CV content (name, contact information, work history, education, skills)
• Job application responses and materials
• AI-generated candidate scores and evaluation criteria
• Recruiter feedback and hiring decisions
• Application timestamps and workflow metadata

• IP address (anonymized for analytics)
• Browser type and version
• Device type and operating system
• Pages visited and time spent
• Referral source (how you found our website)

We do NOT use third-party tracking cookies or analytics services on our website at this time. Any future implementation will require updated consent mechanisms.

• Sensitive personal data (health, biometrics, religious beliefs) unless explicitly provided in resumes and with appropriate legal basis
• Payment card information directly (handled by secure third-party processors)
• Social media profile data (unless candidates apply via LinkedIn with their consent)
• Location tracking or precise geolocation data

• Respond to your inquiries and provide requested information
• Schedule product demos and consultations
• Send follow-up communications about our services
• Maintain records of business communications
• Improve our customer service and support

Retention Period: Contact form submissions are retained for 24 months from the date of submission, unless you request earlier deletion or we establish an ongoing business relationship.

• Parse and analyze resumes using AI/ML models
• Generate candidate scores and ranking based on job requirements
• Provide explainable AI reasoning for screening decisions
• Enable recruiter review and decision-making workflows
• Train and improve AI models (only with explicit client consent and on anonymized data)
• Generate analytics and insights for recruitment process optimization

Retention Period: Candidate data retention is controlled by our clients according to their retention policies and applicable legal requirements. Our platform enables clients to delete candidate data at any time.

• AI Scoring: Machine learning models automatically score and rank candidates based on resume analysis and job fit criteria
• Explainability: Every automated decision includes detailed reasoning explaining scoring factors
• Human Oversight: Clients can configure workflows to require human review ('Level 1: Human-in-the-Loop') or enable fully autonomous screening ('Level 2: Fully Autonomous')
• Right to Object: Candidates have the right to object to automated decision-making and request human review

We do not sell, rent, or trade your personal information to third parties. We share data only in the following limited circumstances:

• Email Service: Zoho Mail (for sending contact form confirmations and notifications)
• Database Hosting: MongoDB Atlas (for contact form data storage)
• Cloud Infrastructure: Client-selected providers (AWS, Azure, GCP) for platform hosting
• AI/ML Services: Cloud-based AI APIs (for resume parsing and natural language processing)

All service providers are contractually bound to protect your data and use it only for specified purposes. We conduct due diligence to ensure compliance with GDPR and equivalent data protection standards.

• Valid legal processes (subpoenas, court orders, regulatory requests)
• Protection of our legal rights and property
• Prevention of fraud or illegal activity
• Protection of safety and security of individuals

We will notify you of legal requests unless prohibited by law or court order.

• EU to US Transfers: We comply with the EU-US Data Privacy Framework and/or use Standard Contractual Clauses (SCCs) approved by the European Commission
• Client-Controlled Hosting: Candidate data remains in client-specified geographic regions (typically EU for European clients, US for American clients)
• Transfer Safeguards: All international transfers are protected by appropriate safeguards (SCCs, adequacy decisions, binding corporate rules)

We implement industry-standard security measures to protect your personal data:

• Encryption: All data transmitted over the internet is encrypted using TLS 1.2+ (HTTPS)
• Data at Rest: Candidate data stored in client clouds is encrypted at rest using AES-256 or equivalent
• Access Controls: Role-based access control (RBAC) limits data access to authorized personnel only
• Authentication: Multi-factor authentication (MFA) for platform access
• Audit Logging: Comprehensive logs of all data access and modifications
• Regular Security Audits: Quarterly security assessments and penetration testing

• Employee Training: Regular data protection and security awareness training
• Confidentiality Agreements: All employees and contractors sign strict confidentiality agreements
• Incident Response Plan: Documented procedures for data breach detection and response
• Data Minimization: We collect and retain only data necessary for specified purposes
• Secure Development: Security-by-design principles in software development lifecycle

• We will notify affected individuals within 72 hours of discovering the breach (GDPR Art. 33)
• We will notify relevant supervisory authorities as required by law
• Notification will include the nature of the breach, likely consequences, and measures taken to mitigate harm
• For candidate data breaches, we will immediately notify affected client organizations

Depending on your location, you have specific rights regarding your personal data:

• Right to Access (Art. 15): Request a copy of your personal data we hold
• Right to Rectification (Art. 16): Correct inaccurate or incomplete personal data
• Right to Erasure/'Right to be Forgotten' (Art. 17): Request deletion of your personal data in certain circumstances
• Right to Restriction of Processing (Art. 18): Request limitation of how we use your data
• Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
• Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing
• Right to Withdraw Consent (Art. 7): Withdraw consent at any time (does not affect lawfulness of prior processing)
• Right to Lodge a Complaint: File a complaint with your local data protection authority

• Right to Know: Request disclosure of personal data collected, used, and shared
• Right to Delete: Request deletion of personal data (subject to legal exceptions)
• Right to Correct: Request correction of inaccurate personal data
• Right to Opt-Out: Opt-out of 'sale' or 'sharing' of personal data (Note: We do not sell personal data)
• Right to Non-Discrimination: Not receive discriminatory treatment for exercising privacy rights

California residents: Please see Section 11 for additional CCPA/CPRA-specific disclosures.

• Right to Human Intervention: Request human review of automated screening decisions
• Right to Explanation: Receive clear explanation of AI scoring logic and factors
• Right to Contest: Challenge and appeal automated decisions
• Right to Object: Object to solely automated decision-making with legal or significant effects

• Email us at connect@rakriai.com with 'Privacy Rights Request' in the subject line
• Provide sufficient information to verify your identity (name, email, phone number)
• Specify which right(s) you wish to exercise and the scope of your request
• We will respond within 30 days (GDPR) or 45 days (US state laws), with possible extensions for complex requests

Response Time: We aim to respond to all privacy rights requests within 30 days. For complex or numerous requests, we may extend this period by an additional 60 days with notice.

Verification: To protect your privacy, we may request additional information to verify your identity before fulfilling rights requests.

Our website currently uses minimal cookies and tracking technologies.

• Session Cookies: Maintain your session while navigating the website (expire when you close your browser)
• Security Cookies: Prevent cross-site request forgery (CSRF) and ensure secure connections

These cookies are essential for the website to function and cannot be disabled.

• Google Analytics or similar analytics platforms
• Facebook Pixel or social media tracking
• Third-party advertising cookies
• Retargeting or remarketing cookies

• LinkedIn Apply/Share buttons (if implemented): Subject to LinkedIn's privacy policy
• Embedded videos or content: Subject to third-party provider privacy policies

• Most browsers allow you to block or delete cookies
• Browser settings: Chrome (Settings > Privacy > Cookies), Firefox (Options > Privacy > Cookies), Safari (Preferences > Privacy)
• Note: Disabling essential cookies may affect website functionality

For more information about cookies, visit www.allaboutcookies.org

Rakri AI's services are not directed to individuals under the age of 16 (or other applicable age of digital consent in your jurisdiction).

• We do not knowingly collect personal information from children under 16
• Our website and platform are designed for business use by recruitment professionals
• If we learn we have collected data from a child under 16, we will delete it immediately
• Parents or guardians who believe we have collected data from a child should contact us at connect@rakriai.com

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Identifiers: Name, email address, phone number, IP address
• Commercial Information: Inquiry details, service preferences
• Professional Information: Job titles, company information (if provided)
• Internet Activity: Website usage data, browser information
• Inferences: Preferences and characteristics derived from your activity

• Providing and improving our services
• Responding to inquiries and customer support
• Marketing and communications (with consent)
• Security, fraud prevention, and legal compliance
• Business operations and analytics

• Service providers (email, hosting, cloud infrastructure)
• Professional advisors (legal, accounting, auditing)
• Business partners (with your consent)
• Legal authorities (when required by law)

• Sell personal information to third parties
• Share personal information for cross-context behavioral advertising
• Process sensitive personal information beyond purposes allowed by CPRA

• Know what personal information we collect, use, and disclose
• Request deletion of personal information
• Correct inaccurate personal information
• Opt-out of sale/sharing (not applicable as we don't sell data)
• Limit use of sensitive personal information
• Non-discrimination for exercising your rights

To exercise California privacy rights, contact us at connect@rakriai.com or call [PHONE NUMBER] (toll-free).

Authorized Agent: California residents may designate an authorized agent to make requests on their behalf. We require written authorization and verification of the agent's authority.

We retain personal data only as long as necessary for the purposes outlined in this Privacy Policy:

• Active Inquiries: Retained for 24 months from submission date
• Business Relationships: Retained for duration of relationship plus 7 years for tax/legal compliance
• Marketing Communications: Retained until you unsubscribe or request deletion

• Active Applications: Retained per client retention policy (typically 6-24 months)
• Historical Data: Retained for analytics only if anonymized and aggregated
• Client Control: Clients can delete candidate data at any time through platform controls

• Security Logs: Retained for 12 months for incident investigation
• Audit Trails: Retained for 7 years for compliance and legal requirements
• Backup Data: Deleted according to backup rotation policies (typically 90 days)

• Product improvement and AI model training
• Industry research and benchmarking
• Statistical analysis and reporting

After retention periods expire, we securely delete or anonymize data using industry-standard methods (secure deletion, cryptographic erasure, degaussing).

Our website and platform may contain links to third-party websites, services, or integrations:

• LinkedIn: For candidate applications and professional networking
• Client ATS Systems: Applicant tracking systems integrated with our platform
• Cloud Providers: AWS, Azure, Google Cloud Platform (client-controlled)
• Social Media: Links to our LinkedIn and Twitter profiles

Third-Party Service Providers: Our platform integrates with third-party services for specific functions (email, cloud hosting, AI processing). These providers are contractually obligated to protect your data and use it only as directed by Rakri AI.

We may update this Privacy Policy from time to time to reflect:

• Changes in our data practices or services
• New legal or regulatory requirements
• Technological developments and security enhancements
• Feedback from users and privacy authorities

When we make changes:

• We will update the 'Last Updated' date at the top of this policy
• For material changes, we will provide prominent notice on our website or via email
• We will obtain your consent if required by applicable law (e.g., new processing purposes)
• Previous versions will be archived and available upon request

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• EU Data Protection Authorities: https://edpb.europa.eu/about-edpb/board/members_en
• UK Information Commissioner's Office (ICO): https://ico.org.uk/
• Irish Data Protection Commission: https://www.dataprotection.ie/ (if applicable)

We encourage you to contact us first so we can address your concerns directly.

• Email: connect@rakriai.com with 'US Privacy Rights' in subject
• Toll-Free Number: [TO BE ADDED]
• Online Form: [TO BE ADDED - Consider implementing]

In accordance with GDPR Article 30 (Records of Processing Activities), we maintain detailed internal records of all data processing activities. These records are available to supervisory authorities upon request.

• Categories of data subjects (website visitors, candidates, clients)
• Categories of personal data processed
• Purposes of processing and legal basis
• Categories of recipients of personal data
• International data transfers and safeguards
• Retention periods
• Technical and organizational security measures

• AI-powered automated decision-making (candidate scoring)
• Large-scale processing of candidate personal data
• Cross-border data transfers to third countries
• New technologies or processing methods

DPIA summaries are available to data subjects and supervisory authorities upon request.