SkillSync.

SkillSync Privacy Policy & Data Consent Framework

Effective Date: 25 June 2025
Last Updated: 25 June 2025
Version: 2.0

1. Introduction

SkillSync ("we," "us," or "our") operates an AI-driven talent management platform that revolutionizes recruitment through automated sourcing, dynamic AI interviews, bias mitigation, and end-to-end hiring workflow optimization. This Privacy Policy outlines our comprehensive data practices in compliance with global regulations including the General Data Protection Regulation (GDPR), Singapore's Personal Data Protection Act 2012, India's Digital Personal Data Protection Act 2023, and other applicable laws.

By clicking the "I Accept" button below, you hereby:

Acknowledge that you have read, understood, and agreed to the terms and conditions of this Privacy Policy
Agree and consent to the collection, storage, and processing of your Personal Data for the purposes of enabling recruitment through automated sourcing, dynamic AI interviews, bias mitigation, and end-to-end hiring workflow optimization
Acknowledge that you have been given due notice about how your data will be used for the stated purposes
Acknowledge your right to withdraw consent and access our grievance redressal process

2. Scope & Definitions

Platform Services: AI-powered interviews, job postings, candidate matching, skill assessments, interview scheduling, analytics, and photo verification for identity authentication.
Data Subjects: Candidates, clients (employers), recruiters, platform administrators, and verification personnel.
Personal Data: Any information relating to an identifiable individual, directly or indirectly, including biometric identifiers used temporarily for verification purposes.
AI Processing: Automated analysis of data to generate insights, scores, or recommendations through machine learning algorithms, including bias detection and mitigation.
Photo Verification Data: Photographic images captured solely for identity verification purposes that are processed in real-time and immediately deleted after verification completion.

3. Data Collection Categories

A. Candidate Data

Identification Information:

Full name, email address, phone number, physical address, nationality
Government-issued ID verification (processed temporarily, not stored)

Professional Data:

Resumes/CVs, work history, educational background
Skills, certifications, salary expectations
Portfolio links and professional references

AI Interview Data:

Real-time voice transcripts and video recordings (when consented)
Behavioral analytics (problem-solving approach, communication style)
AI-generated competency scores (technical skills)
Bias detection flags and mitigation recommendations
Interview performance metrics and feedback

Technical Data:

IP addresses, device identifiers, browser type, operating system
Usage patterns, session data, and platform interaction analytics

Photo Verification Data:

Important: Photos captured during identity verification are processed in real-time using AI verification technology and are immediately deleted after verification completion. No photographic images are stored in our systems.

B. Client/Recruiter Data

Corporate Information:

Company name, industry, size, tax identification numbers
Business registration details and verification documents

User Account Data:

Admin credentials, role permissions, activity logs
User preferences and platform customization settings

Hiring Process Data:

Job descriptions, candidate requirements, interview feedback
Hiring decisions, offer details, and recruitment analytics

C. Derived & Anonymized Data

Analytics and Insights:

Aggregated hiring metrics and platform usage statistics
Performance benchmarks and industry trend analysis
Anonymized datasets used for AI model training and improvement

Research Data:

De-identified data for bias detection research
Algorithm performance optimization data
Statistical analysis for platform enhancement

All data categories listed above are relevant, required, and necessary for enabling recruitment through automated sourcing, dynamic AI interviews, bias mitigation, and end-to-end hiring workflow optimization.

4. Data Processing Purposes & Legal Bases

Purpose	Processing Activities	Legal Basis	Retention Period
Identity Verification	Real-time photo verification and immediate deletion	Legitimate Interest	Not stored (immediate deletion)
Recruitment Automation	AI-driven candidate screening and matching	Contractual Necessity	24 months post-activity
Dynamic AI Interviews	Real-time adaptive questioning and analysis	Explicit Consent	12 months unless requested
Bias Mitigation	Algorithmic fairness audits and adjustments	Legitimate Interest	Anonymized indefinitely
Platform Security	Fraud detection and prevention measures	Legal Obligation	7 years
Service Improvement	Anonymized data analytics and AI training	Legitimate Interest	Anonymized indefinitely
Compliance & Audit	Record keeping for regulatory compliance	Legal Obligation	7 years

5. Infrastructure & Data Security

Cloud Infrastructure

Compute & Hosting:

Microsoft Azure: GDPR-compliant hosting with ISO 27001 certification
DigitalOcean: AICPA SOC 2 Type II certified infrastructure

Database Solutions:

Supabase: Enterprise-grade PostgreSQL with row-level security
MongoDB Atlas: SOC 2 Type II and HIPAA compliant NoSQL database

Network & Security:

Cloudflare: Enterprise DDoS protection and global CDN with TLS 1.3 encryption
Multi-region redundancy for data protection and availability

Security Measures

Encryption Standards:

AES-256 encryption for data at rest
TLS 1.3 for all data in transit
End-to-end encryption for sensitive communications

Access Controls:

Role-based access management (RBAC)
Multi-factor authentication enforcement
Zero-trust security architecture
Regular access reviews and privilege management

Operational Security:

Continuous security monitoring and threat detection
Regular penetration testing and vulnerability assessments
Immutable audit logs for all data access
Security incident response protocols

Photo Verification Security:

Real-time processing with immediate deletion
No storage of verification images
Encrypted transmission during verification process
Access restricted to automated verification systems only

6. Data Sharing & Third Parties

Controlled Sharing

Legitimate Business Purposes:

With client organizations for authorized hiring purposes
With candidates regarding their own application status and results
With service providers under strict data processing agreements

Service Providers:

Cloud Infrastructure: Microsoft Azure, DigitalOcean
Database Providers: Supabase, MongoDB Atlas
Security Services: Cloudflare
AI/ML Services: Approved vendors for model training (anonymized data only)

International Transfers

Cross-Border Safeguards:

All international data transfers utilize GDPR-approved mechanisms
Standard Contractual Clauses (SCCs) for non-adequate countries
EU-US Data Privacy Framework compliance where applicable
Regular adequacy assessments for destination countries

Transfer Limitations:

Photo verification data is not transferred internationally (processed locally and deleted)
Sensitive personal data transfers require additional safeguards
Transfer impact assessments conducted for high-risk transfers

7. AI Ethics & Governance

Algorithmic Accountability

Bias Detection & Mitigation:

Continuous monitoring for discriminatory patterns
Human-in-the-loop review for critical decisions
Regular algorithm performance assessments across demographic groups

Model Management

Version Control & Monitoring:

Comprehensive version control for all production AI models
Rollback protocols for model drift detection
Performance monitoring and accuracy tracking
Regular model retraining with updated datasets

Explainable AI:

Implementation of interpretable machine learning models
Decision explanation capabilities for all AI-driven recommendations
Documentation of model logic and decision factors
User-friendly explanations of AI scoring methodologies

8. Data Subject Rights

Available Rights

Access & Portability:

Right to access personal data and processing information
Data portability in commonly used, machine-readable formats
Right to obtain copies of data processing records

Correction & Completion:

Right to rectification of inaccurate personal data
Right to complete incomplete personal data
Right to update outdated information

Erasure & Restriction:

Right to erasure ("Right to be Forgotten")
Right to restrict processing in specific circumstances
Right to object to processing based on legitimate interests

Automated Decision-Making:

Right to object to automated decision-making
Right to human review of automated decisions
Right to explanation of AI-driven decisions

Request Process

Submission Methods:

Submit verified requests to [email protected]
Online portal for data subject rights requests
Secure verification process to protect against fraudulent requests

Response Timeline:

Initial response within 30 days of verified request
Possible 60-day extension for complex requests
Regular status updates for extended processing periods

Identity Verification:

Secure identity verification process required
Multiple verification methods accepted
Protection against unauthorized access to personal data

9. Incident Response

Breach Notification

Regulatory Notification:

72-hour notification to supervisory authorities for GDPR incidents
Immediate notification for high-risk breaches
Comprehensive incident documentation and impact assessment

Individual Notification:

Direct notification to affected individuals for high-risk breaches
Clear communication about incident scope and impact
Guidance on protective measures individuals can take

Response Protocol

Immediate Response:

Automatic isolation of affected systems
Emergency response team activation
Preliminary risk assessment and containment measures

Investigation & Remediation:

Forensic investigation by certified cybersecurity professionals
Root cause analysis and vulnerability assessment
Implementation of remediation measures
Regulatory consultation and cooperation

Recovery & Improvement:

System restoration with enhanced security measures
Lessons learned documentation
Security protocol updates and improvements
Staff training updates based on incident findings

10. Policy Administration

Governance Structure

Data Protection Officer:

Compliance Reviews:

Quarterly comprehensive compliance assessments
Annual third-party privacy audits
Regular legal and regulatory update reviews
Continuous monitoring of global privacy law developments

Version Control

Change Management:

Publicly accessible change log with version history
30-day advance notice for material policy changes
Clear communication of changes to all stakeholders
User consent verification for significant modifications

Documentation:

Comprehensive privacy documentation maintenance
Regular legal review and updates
Stakeholder feedback incorporation process
Transparent communication of privacy practices

11. Grievance Redressal Mechanism

Complaint Process

Contact Information:

Privacy-related complaints: [email protected]
General privacy inquiries: [email protected]

Resolution Timeline:

Initial acknowledgment within 48 hours
Preliminary response within 30 days
Final resolution within 60 days (with possible extension)
Regular status updates throughout the process

Escalation Process:

Internal review and escalation procedures
Independent dispute resolution options
Regulatory authority referral when appropriate
Legal remedy information and guidance

12. Withdrawal of Consent

Withdrawal Process

Notification Methods:

Email notification to[email protected]
Online consent management portal
Written request with identity verification
Phone-based withdrawal with secure verification

Processing Timeline:

Consent withdrawal acknowledgment within 48 hours
Data processing cessation within 30 days
Data erasure completion within 60 days (where required)
Confirmation of withdrawal processing provided

Important Notes:

Withdrawal does not affect the lawfulness of processing before withdrawal
Some data may be retained for legal compliance purposes
Withdrawal may affect platform service availability
Clear information provided about consequences of withdrawal

13. Photo Verification Data - Special Provisions

Processing Purpose

Photo verification is conducted solely for identity authentication during the registration and interview process to ensure platform security and prevent fraud.

Data Handling

Capture: Photos are captured in real-time during verification
Processing: Immediate AI-powered identity verification
Storage: No photos are stored in any system or database
Deletion: Immediate and permanent deletion after verification completion
Access: Only automated verification systems process photos

User Rights

Right to refuse photo verification (may limit platform access)
Right to information about verification process
Right to technical explanation of verification technology
Right to human review in case of verification failures

Technical Safeguards

Encrypted transmission during verification process
No backup or caching of verification images
Audit logs of verification attempts (without storing images)
Regular security assessments of verification systems

14. Contact Information

SkillSync (A product of ZOFA AI SOLUTIONS PVT LTD)
10 ANSON ROAD, #22-02A, INTERNATIONAL PLAZA, SINGAPORE 079903
UEN: 202519486W

Emergency Contact:

Security Incidents: [email protected]
Urgent Privacy Matters: +1 778 872 4596

This Privacy Policy is designed to be transparent, comprehensive, and compliant with global data protection regulations. Regular updates ensure continued compliance with evolving privacy laws and best practices.

This policy is effective as of the "Effective Date" and supersedes all previous versions.

Return to Homepage