Privacy policy

1. Who we are

The Services are operated by Kaaspo Enterprises Private Limited, a company incorporated in India with its registered office in Chennai, Tamil Nadu, doing business as pPULSE. References in this policy to "we", "us", or "our" mean Kaaspo Enterprises Private Limited unless the context indicates otherwise.

For the purposes of the Digital Personal Data Protection Act, 2023 (the "DPDP Act"), and where applicable the EU and UK General Data Protection Regulations (together, "GDPR"), we act as a data fiduciary (or "controller") in respect of personal data we collect about visitors to our marketing websites and prospective customers, and as a data processor in respect of personal data our customers upload to or generate within the Services.

2. Scope of this policy

This policy applies to:

• Visitors to our public websites at ppulse.com and any subdomains.
• Customer administrators, recruiters, hiring managers, and other authorised users who sign in to the Services on behalf of their organisation (each a "Customer User").
• Job candidates, referrers, employees, and other individuals whose personal data is uploaded to or generated within the Services by our customers (each a "Subject").
• People who interact with us by email, phone, or in person (sales, support, events).

It does not apply to third-party websites, employers, or services that link to or from the Services. Those are governed by their own privacy notices.

3. Information we collect

3.1 Information you provide to us

When you create an account or correspond with us, we collect identifiers and contact details such as full name, work email, phone number, job title, organisation name, billing address, and any other information you choose to share. If you book a demo or fill in a form, we collect the details of your request.

3.2 Information our customers upload

Our customers use the Services to manage hiring and human-resources workflows. As part of that, customers upload information about job candidates and employees, which may include:

• Identifying information (name, contact details, photograph, government identifiers where required by law).
• Resumes, work history, education, certifications, and skills.
• Assessment responses, interview notes, ratings, and feedback.
• Background-verification documents that the candidate or a third-party verifier uploads.
• Compensation, offer letters, payroll inputs, attendance records, and leave history.

Customers control what is uploaded and for how long it is kept. We process this information on our customers' instructions in our role as a processor.

3.3 Information collected automatically

When you visit our websites or use the Services, we automatically collect technical information including IP address, device type, browser, operating system, referring page, pages viewed, actions taken within the Services, and approximate location derived from IP. We log this for security, abuse prevention, and to operate and improve the Services.

3.4 Information from third parties

We may receive information from publicly available sources, marketing partners, single sign-on providers (Google, Microsoft), and from job-board integrations our customers connect (such as LinkedIn, Indeed, and Naukri) when they syndicate job postings or import candidates.

4. How we use information

We use personal information for the following purposes:

1. To provide, operate, secure, and improve the Services.
2. To process resumes, generate candidate scores, and assist customers with hiring decisions, on the customer's instructions.
3. To run customer-configured workflows such as interview scheduling, document collection, offer-letter generation and signing, and pre-onboarding checks.
4. To send transactional emails (account, billing, security, system notifications) and, where you have opted in, marketing communications.
5. To respond to your enquiries, support requests, and demo bookings.
6. To detect, investigate, and prevent fraud, abuse, security incidents, and breaches of our terms.
7. To comply with applicable laws, court orders, and lawful requests from public authorities.
8. For internal analytics, aggregated and de-identified, to understand usage patterns and improve features.

We do not sell personal information. We do not use Subject data (such as candidate resumes or employee records) to train general-purpose machine-learning models for purposes outside the customer's own instance.

5. Legal bases for processing

Where the GDPR or similar laws apply, we rely on one or more of the following legal bases:

• Contract: processing necessary to provide the Services you or your employer have signed up for.
• Legitimate interests: securing the Services, preventing fraud, communicating with prospective customers, and improving the platform, where your interests do not override ours.
• Consent: for marketing communications, certain cookies, and any optional features that ask for your explicit opt-in.
• Legal obligation: meeting record-keeping, tax, employment, and statutory-disclosure requirements.

For data processed on behalf of a customer, the customer is the controller and is responsible for the legal basis on which it relies.

6. How we share information

We share personal information in limited circumstances:

1. With our customers, when you are a Subject (for example, a candidate). The customer organisation is the data fiduciary and decides how your information is used within their hiring process.
2. With sub-processors (see Section 7) who help us run the Services, under contracts that bind them to confidentiality and security at a level no less protective than this policy.
3. With professional advisers (lawyers, auditors, accountants) on a need-to-know basis under confidentiality.
4. In response to lawful requests from regulators, law-enforcement agencies, or courts of competent jurisdiction. We review every request and challenge any that appear overbroad.
5. In a corporate transaction (merger, acquisition, financing, or asset sale). If a transfer happens, we will notify you and the receiving party will be bound by this policy or an equivalent one.
6. With your consent for any purpose not listed above.

7. Sub-processors

We use carefully selected vendors to deliver the Services. Each is contractually bound by data-protection terms at least as protective as ours. The categories of sub-processors we use include:

• Cloud infrastructure and hosting.
• Email delivery and notifications.
• Error monitoring and application performance.
• Resume parsing and document analysis powered by large-language-model providers.
• Calendar, video conferencing, and identity providers (used only when customers connect them).
• Customer support tooling.

The current list of sub-processors and their roles is available on request from privacy@ppulse.com. We will provide reasonable advance notice of any new sub-processor for in-scope customer environments, and customers may object on legitimate grounds.

8. International data transfers

The Services are operated from infrastructure located in India. Some of our sub-processors are based outside India and may process personal data in the United States, the European Union, or other jurisdictions. Where personal data is transferred outside India, we rely on appropriate safeguards such as standard contractual clauses, data-transfer agreements, and country-level adequacy decisions where these have been recognised.

9. Data retention

We retain personal information for as long as needed to provide the Services and to satisfy our legal, accounting, and regulatory obligations. Specifically:

• Customer-controlled data: retained for as long as the customer's account is active, plus a configurable wind-down period after termination during which the customer can export their data. After that period, we delete or anonymise the data unless a longer retention is required by law.
• Candidate records: retained according to the customer's configured policy. Customers can delete individual candidate records on demand.
• Marketing and prospect data: retained until you unsubscribe or ask us to delete it, and routinely reviewed.
• Logs and security telemetry: retained for up to 12 months for security and audit purposes.
• Billing and tax records: retained for the period required by Indian tax and corporate law (currently up to 8 years).

10. Your rights

Subject to applicable law, you have the right to:

• Access the personal information we hold about you.
• Correct information that is inaccurate or out of date.
• Request deletion of your information, where there is no overriding reason for us to keep it.
• Withdraw consent that you previously gave us.
• Object to or restrict certain types of processing.
• Receive a portable copy of your information in a commonly used format.
• Lodge a complaint with the Data Protection Board of India or, if applicable, a supervisory authority in your jurisdiction.

If you are a Subject (for example, a candidate), the customer organisation that is using pPULSE to process your data is the data fiduciary. Please direct your request to them in the first instance. If they do not respond within a reasonable time, you can write to us at privacy@ppulse.com and we will route your request appropriately.

11. Cookies and similar technologies

We use cookies and similar local-storage technologies to keep you signed in, remember your preferences, measure traffic, and improve the Services. Strictly necessary cookies are always on. Other categories (functional, analytics, marketing) are governed by your consent where required. You can control cookies through your browser settings or, on EU and UK traffic, through our consent banner.

12. Security

We take security seriously and follow industry-recognised practices to protect the information we process. Our controls include:

• Per-organisation isolation of customer data.
• Role-based access control with least-privilege defaults.
• Multi-factor authentication for staff access to production systems.
• Audit logging of administrative and security-sensitive actions.
• Encryption of data in transit using current TLS standards.
• Regular vulnerability management, dependency scanning, and code review.
• An incident-response process with notification to affected customers in line with applicable law.

For more detail, see our Security overview and the Trust center. We are working toward formal third-party attestations and will publish them on the Trust center as they are issued.

13. Children's data

The Services are intended for use by businesses and their employees, candidates, and contractors who are 18 years of age or older. We do not knowingly collect personal information from children under 18. If you believe a child has provided us with personal information, please contact us and we will delete it.

14. Changes to this policy

We may update this policy from time to time to reflect changes in our practices, technology, applicable law, or for other operational reasons. When we make material changes, we will notify you by email (where we have your address) or by posting a notice on our website at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

15. Contact us

If you have any questions, comments, or requests about this policy or your personal information, please contact:

Kaaspo Enterprises Private Limited
Attn: Privacy Officer
Chennai, Tamil Nadu, India
Email: privacy@ppulse.com

For data-protection complaints in India that we have been unable to resolve to your satisfaction, you may refer the matter to the Data Protection Board of India once it begins accepting complaints under the DPDP Act.