Privacy Policy (B2B)
Utkrusht Skill Assessment Platform — For Recruiters and Organizations
Last Updated: May 5, 2026 Effective Date: February 3, 2026 Version: 1.0 (Audit-Ready)
Scope: This privacy policy primarily addresses data practices relevant to business customers (recruiters, organizations). While it describes how candidate data is processed, a separate candidate-facing privacy notice will provide direct disclosures to candidates.
1. IDENTITY AND CONTACT DETAILS
1.1 Data Controller
Utkrusht Learning Services Private Limited
Registered Office (India) A-18 Shreenathji Kurpa Society, Subhanpura, Vadodara, India - 390023 Phone: +91-9023239479
US Office 572 Amboy Dr, San Jose, CA, United States of America - 95136 Phone: +1-919-793-6081
Corporate Identity Number (CIN): U85490GJ2024PTC157512
1.2 Data Protection Contact
For all privacy-related inquiries, data subject requests, or complaints:
Data Protection Officer Email: naman@utkrusht.ai
General Privacy Inquiries Email: naman@utkrusht.ai
1.3 Representative
We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact for the following regions:
- European Union (EU)
Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative, Prighter or make use of your data subject rights, please visit the following website: https://app.prighter.com/portal/18473340039
1.4 Response Commitment
We commit to responding to all data subject requests within thirty (30) days of receipt of a verified request. Complex requests may require an additional sixty (60) days, in which case we will notify you of the extension and reasons within the initial thirty-day period.
2. CATEGORIES OF PERSONAL DATA
2.1 Candidate Data
We process the following categories of personal data for Candidates (individuals who take assessments):
| Category | Data Elements | Source |
|---|---|---|
| Identity Data | Full name, email address, phone number, user ID | Provided by recruiter or candidate directly |
| Source Tracking | Source hashcode (SHA-256), referral source, campaign identifiers | Generated from referral links |
| Professional Data | Resume/CV, LinkedIn profile, GitHub profile, work history, education, skills | Provided by candidate or recruiter |
| Assessment Responses | Text answers, audio recordings, video recordings, code submissions | Collected during assessments |
| Proctoring Data | Webcam video, screen recordings, audio recordings, transcripts, behavioral flags | Collected during proctored assessments |
| Derived Data | Scores, ratings (1-5 scale), proficiency levels, AI-generated analysis, SWOT analysis, ranking position | Generated by Platform AI |
| Technical Data | IP address, browser type, device information, session timestamps | Collected automatically |
| Communication Data | Email correspondence, SMS messages, WhatsApp messages | Generated through platform communications |
2.2 Recruiter Data
We process the following categories of personal data for Recruiters and platform Users:
| Category | Data Elements | Source |
|---|---|---|
| Identity Data | Full name, email address, phone number | Provided during registration |
| Account Data | Username, password (hashed), role, permissions | Created during onboarding |
| Professional Data | Job title, department, organization affiliation | Provided during registration |
| Activity Data | Login history, actions taken, positions created, candidates reviewed | Collected through platform usage |
| Communication Data | Support tickets, feedback, correspondence | Generated through interactions |
2.3 Organization Data
We process the following categories of data for Organizations:
| Category | Data Elements | Source |
|---|---|---|
| Business Data | Organization name, registration details, industry, size | Provided during registration |
| Billing Data | Billing address, payment method details, transaction history, credit ledger | Provided and generated through billing |
| Configuration Data | Subscription tier, resource pools, settings, branding | Set through platform configuration |
| Usage Data | Assessment volumes, candidate counts, feature usage, API calls | Collected through platform usage |
3. PURPOSES AND LEGAL BASES
3.1 Processing as Data Processor
When recruiters upload candidate data and administer assessments, Utkrusht acts as a Data Processor on behalf of the recruiting organization (the Data Controller). This processing is governed by our Data Processing Agreement.
| Purpose | Description | Legal Basis |
|---|---|---|
| Assessment Delivery | Presenting questions, recording responses, enforcing time limits | Contract performance (recruiter's instructions) |
| Score Generation | Analyzing responses and generating scores | Contract performance |
| Proctoring | Recording and monitoring assessment sessions | Contract performance |
| Reporting | Generating reports and analytics for recruiters | Contract performance |
| Data Storage | Securely storing candidate data | Contract performance |
For Processor activities, the recruiting organization determines the lawful basis. Contact the organization that invited you to take the assessment for information about their legal basis for processing your data.
3.2 Processing as Data Controller
For the following purposes, Utkrusht acts as an independent Data Controller with its own lawful basis:
3.2.1 Legitimate Interest Processing
| Purpose | Legitimate Interest | Necessity | Data Subject Impact | Safeguards |
|---|---|---|---|---|
| AI Model Training | Improving assessment accuracy and service quality | Essential for maintaining competitive AI systems | Minimal - data is de-identified before use | Aggregation, pseudonymization, no re-identification |
| Cross-Organization Benchmarking | Providing accurate candidate rankings and industry benchmarks | Core platform feature that benefits all users | Moderate - rankings visible to recruiters | Opt-out available, transparency, no PII shared across orgs |
| Platform Analytics | Understanding usage patterns and improving services | Necessary for product development | Minimal - statistical aggregation only | No individual identification possible |
| Fraud Prevention | Maintaining assessment integrity and preventing cheating | Essential for platform trust | Low - limited additional data collection | Clear disclosure, human review for adverse decisions |
| Security Monitoring | Protecting platform and user data from threats | Legal and contractual security obligations | Low - standard security logging | Minimal retention, access controls |
Balancing Test Documentation: For each legitimate interest purpose, we have conducted and documented a balancing test weighing our interests against data subject rights. These assessments are available upon request to our Data Protection Officer.
Your Right to Object: You may object to processing based on legitimate interests by contacting naman@utkrusht.ai. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
3.2.2 Contract Performance
| Purpose | Description |
|---|---|
| Account Management | Creating and maintaining user accounts |
| Service Delivery | Providing access to platform features |
| Billing | Processing payments and managing subscriptions |
| Support | Responding to inquiries and resolving issues |
3.2.3 Legal Obligations
| Purpose | Description | Legal Requirement |
|---|---|---|
| Tax Records | Maintaining payment and invoice records | Indian tax law (7-year retention) |
| Audit Trail | Maintaining immutable credit ledger | Financial compliance requirements |
| Legal Requests | Responding to valid legal process | Applicable law |
3.2.4 Consent
Where required by law, we obtain explicit consent for:
| Purpose | How Consent is Obtained |
|---|---|
| Marketing Communications | Opt-in checkbox during registration |
| Cross-Organization Data Usage (where legally required) | Notice and acknowledgment before assessment |
You may withdraw consent at any time by contacting naman@utkrusht.ai or using unsubscribe links in communications.
4. RECIPIENTS AND THIRD-PARTY SHARING
4.1 Sub-processors
We share personal data with the following third-party service providers (sub-processors):
| Provider | Location | Data Shared | Purpose | Transfer Mechanism |
|---|---|---|---|---|
| Amazon Web Services (S3) | Mumbai, India | Assessment recordings, documents, proctoring videos | Cloud storage | Adequacy (India-based) |
| Supabase | Singapore | All platform data | Database, authentication | SCCs |
| OpenAI (via Portkey) | USA | Assessment responses (text only, no PII) | AI-powered response analysis | SCCs + Supplementary Measures |
| AssemblyAI | USA | Audio/video recordings | Transcription services | SCCs + Supplementary Measures |
| Sarvam AI | India | Audio recordings (Indic languages) | Transcription services | Adequacy (India-based) |
| MSG91 | India | Phone numbers, message content | SMS/OTP delivery | Adequacy (India-based) |
| WhatsApp/Meta | Ireland/USA | Phone numbers, message content | Candidate messaging | SCCs |
| Dodo Payments | India | Billing information, transaction details | Payment processing | Adequacy (India-based) |
| GitHub | USA | Code submissions, usernames | Task submission hosting | SCCs |
| USA | Email address, profile info (if OAuth used) | Authentication | SCCs | |
| Sentry | USA | Error logs (may contain user context) | Error monitoring | SCCs |
Sub-processor Updates: We maintain an up-to-date list of sub-processors at this URL. Organizations may subscribe to notifications of sub-processor changes through the platform settings.
4.2 Sharing with Recruiting Organizations
When you take an assessment, we share the following with the recruiting organization:
| Data Shared | Purpose |
|---|---|
| Your identity information (name, email, phone) | Contacting you about opportunities |
| Assessment responses | Evaluating your candidacy |
| Scores and AI-generated analysis | Informing hiring decisions |
| Proctoring flags (if any) | Verifying assessment integrity |
| Ranking position | Comparing candidates |
The recruiting organization becomes an independent controller of data we share with them. Contact them directly regarding their data practices.
4.3 Other Disclosures
We may disclose personal data:
- Legal Requirements: When required by law, regulation, or legal process
- Rights Protection: To protect our rights, property, or safety
- Business Transfers: In connection with a merger, acquisition, or sale of assets (with notice)
- With Consent: When you have provided explicit consent
We do not sell personal data to third parties.
5. INTERNATIONAL TRANSFERS
5.1 Transfer Destinations
Personal data may be transferred to and processed in:
| Country | Services | Adequacy Status |
|---|---|---|
| India | Primary processing, storage | N/A (domestic) |
| Singapore | Database services (Supabase) | No adequacy decision - SCCs used |
| USA | AI services, transcription, code hosting | No adequacy decision - SCCs used |
| Ireland | Messaging services (Meta) | EU adequacy |
5.2 Transfer Mechanisms
For transfers to countries without adequacy decisions, we rely on:
(a) Standard Contractual Clauses (SCCs): We execute EU-approved SCCs with all sub-processors in non-adequate countries.
(b) Supplementary Measures: Following the Schrems II decision, we implement additional safeguards:
| Measure | Description |
|---|---|
| Encryption in Transit | TLS 1.3 for all data transfers |
| Encryption at Rest | AES-256 encryption for stored data |
| Pseudonymization | Removing direct identifiers before AI processing |
| API-Only Access | Sub-processors access data only through controlled APIs |
| Minimal Persistence | AI services process data in memory without long-term storage |
| Access Controls | Strict limits on who can access data at sub-processors |
5.3 Transfer Impact Assessments
We conduct Transfer Impact Assessments (TIAs) for high-risk transfers, evaluating:
- Legal framework in the destination country
- Practical risk of government access
- Technical and organizational safeguards
- Nature and sensitivity of the data
TIA summaries are available upon request to our Data Protection Officer.
6. RETENTION PERIODS
We retain personal data only as long as necessary for the purposes collected:
| Data Category | Retention Period | Rationale |
|---|---|---|
| Assessment Responses | 3 years from assessment completion | Dispute resolution, reference checks, audit requirements |
| Proctoring Videos/Audio | 1 year from assessment completion | Assessment integrity verification |
| Proctoring Transcripts | 1 year from assessment completion | Red flag review and appeals |
| Derived Scores/Analysis | 3 years from assessment completion | Same as assessment responses |
| Candidate Account Data | Until deletion requested or 3 years of inactivity | Service provision |
| Recruiter Account Data | Duration of organization subscription + 1 year | Service provision, audit |
| Payment Records | 7 years from transaction | Indian tax compliance (GST) |
| Credit Ledger | 7 years from transaction | Financial audit requirements (immutable) |
| Communication Logs | 1 year from communication | Support and dispute resolution |
| Security Logs | 1 year from event | Security monitoring and incident response |
| De-identified/Aggregated Data | Indefinite | No longer personal data |
6.1 Retention After Account Deletion
When you request account deletion:
- Active personal data is deleted within 30 days
- Backup copies are deleted within 90 days
- Data already shared with recruiters must be addressed with them directly
- Data required for legal compliance is retained as specified above
- De-identified data is retained (no longer linked to you)
6.2 Retention After Organization Termination
When an organization terminates their subscription:
- 30-day data export period
- Candidate and assessment data deleted from active systems after export period
- Backup deletion within 90 days
- Payment and audit records retained per legal requirements
7. DATA SUBJECT RIGHTS
7.1 Your Rights Under GDPR
If GDPR applies to you (EU/EEA residents, or if an EU-based organization administers your assessment), you have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Obtain a copy of your personal data and information about how it's processed | Email naman@utkrusht.ai |
| Rectification | Correct inaccurate personal data | Email naman@utkrusht.ai or update in-app |
| Erasure ("Right to be Forgotten") | Request deletion of your personal data | Email naman@utkrusht.ai |
| Restriction | Limit how we process your data | Email naman@utkrusht.ai |
| Portability | Receive your data in a machine-readable format | Email naman@utkrusht.ai |
| Object | Object to processing based on legitimate interests | Email naman@utkrusht.ai |
| Automated Decision Review | Request human review of automated decisions | Email naman@utkrusht.ai |
| Withdraw Consent | Withdraw previously given consent | Email naman@utkrusht.ai or unsubscribe links |
| Lodge Complaint | Complain to a supervisory authority | Contact your local data protection authority |
7.2 Exceptions to Erasure
We may be unable to fully comply with erasure requests when:
| Exception | Explanation |
|---|---|
| Legal Obligations | Tax records must be retained for 7 years |
| Legal Claims | Data needed to establish, exercise, or defend legal claims |
| Audit Requirements | Credit ledger entries are immutable for financial compliance |
| Already Shared | Data shared with recruiters must be addressed with them |
| De-identified | Data that has been de-identified is no longer personal data |
When exceptions apply, we will: - Delete what we can - Explain what we cannot delete and why - Provide information on how to address remaining data (e.g., recruiter contact)
7.3 Cross-Organization Data Opt-Out
You may opt out of cross-organization data usage (AI training, benchmarking) by:
- Emailing naman@utkrusht.ai with subject "Cross-Org Opt-Out"
- Providing your name and email address for verification
- We will process your opt-out within 30 days
Effect of Opt-Out: - Your future assessment data will not be used for cross-organization purposes - Previously de-identified data cannot be removed (it's no longer linked to you) - Your assessment results for the recruiting organization are not affected
7.4 Verification Requirements
To protect your data, we verify identity before processing requests:
- Candidates: Email verification from registered address, or government ID for sensitive requests
- Recruiters: Verification through organization admin or registered email
- Response Time: 30 days (may extend to 90 days for complex requests with notice)
7.5 Requests via Recruiting Organizations
If you were invited to an assessment by a recruiting organization:
- You may contact them directly to exercise your rights
- They are obligated to forward requests to us
- We will assist them in responding within required timeframes
- You may also contact us directly at naman@utkrusht.ai
8. AUTOMATED DECISION-MAKING AND PROFILING
8.1 AI-Powered Analysis
We use artificial intelligence to analyze assessment responses. This includes:
| AI Function | Description | Output |
|---|---|---|
| Response Evaluation | Analyzing the quality and relevance of your answers against competency criteria | Quality scores, relevance ratings |
| Competency Rating | Generating ratings on a 1-5 scale with proficiency levels (Novice to Expert) | Competency ratings per skill area |
| SWOT Analysis | Identifying strengths, weaknesses, opportunities, and threats | Narrative analysis |
| Code Analysis | Evaluating code submissions for correctness, efficiency, and style | Technical scores, feedback |
| Ranking | Positioning candidates relative to others for a position | Rank position, percentile |
8.2 Smart Ranking Algorithm
Our ranking algorithm considers:
- Assessment scores and competency ratings
- Resume and profile information
- Position requirements and preferences
- Anonymized benchmark data from assessments across organizations
The algorithm provides recommendations to recruiters but does not make hiring decisions. All final decisions involve human review.
8.3 Proctoring Analysis
During proctored assessments, AI monitors for:
| Behavior | Detection Method | Consequence |
|---|---|---|
| Face not visible | Video analysis | Red flag logged |
| Multiple faces | Video analysis | Red flag logged |
| Tab switching | Browser monitoring | Red flag logged |
| External audio | Audio analysis | Red flag logged |
| Suspicious objects | Video analysis | Red flag logged |
Red flags are indicators for human review, not automatic disqualification. Recruiters review flagged sessions and make final integrity determinations.
8.4 Safeguards
We implement the following safeguards for automated processing:
| Safeguard | Description |
|---|---|
| Transparency | Clear disclosure of AI usage before assessments |
| Human Review | All significant decisions involve human judgment |
| No Solely Automated Hiring | AI informs but does not make final hiring decisions |
| Appeal Process | You may request human review of AI-generated assessments |
| Bias Monitoring | Regular audits of AI outputs for unfair bias |
| Explanation | Upon request, we provide meaningful information about AI logic |
8.5 Your Rights Regarding Automated Decisions
You have the right to:
- Not be subject to solely automated decisions with significant effects - all hiring involves humans
- Request human review of any AI-generated assessment
- Express your point of view and contest automated outputs
- Receive meaningful information about the logic involved
To exercise these rights, contact naman@utkrusht.ai.
9. SECURITY MEASURES
9.1 Technical Measures
| Measure | Implementation |
|---|---|
| Encryption in Transit | TLS 1.3 for all connections |
| Encryption at Rest | AES-256 for stored data |
| Authentication | Multi-factor authentication for administrative access |
| Password Security | Passwords hashed with bcrypt, minimum complexity enforced |
| Access Logging | Comprehensive audit logs of data access |
| Vulnerability Scanning | Regular automated security scans |
| Backup Encryption | All backups encrypted with separate keys |
| Network Security | Firewalls, intrusion detection, DDoS protection |
9.2 Organizational Measures
| Measure | Implementation |
|---|---|
| Least Privilege | Staff access limited to job requirements |
| Background Checks | Screening for employees with data access |
| Security Training | Annual security awareness training |
| Confidentiality | All personnel bound by confidentiality agreements |
| Vendor Assessment | Security review before engaging sub-processors |
| Incident Response | Documented procedures for security incidents |
| Business Continuity | Disaster recovery and data backup procedures |
9.3 Incident Response
In the event of a data breach:
- Detection: Automated monitoring and manual review
- Containment: Immediate action to limit impact
- Assessment: Determine scope and affected data
- Notification: - Recruiting organizations within 48 hours - Supervisory authorities within 72 hours (where required) - Affected individuals without undue delay (where required)
- Remediation: Fix vulnerabilities and prevent recurrence
- Documentation: Maintain breach register
10. COOKIES AND LOCAL STORAGE
10.1 Essential Cookies Only
We use only essential cookies and local storage required for platform functionality:
| Cookie/Storage | Purpose | Duration |
|---|---|---|
| Session Token | Authentication state | Session |
| Auth Token | Persistent login (if selected) | 30 days |
| CSRF Token | Security against cross-site attacks | Session |
| Preferences | UI settings (language, theme) | 1 year |
10.2 No Advertising or Tracking Cookies
We do not use:
- Advertising cookies
- Third-party tracking cookies
- Social media tracking pixels
- Analytics cookies that track individual users across sites
10.3 Analytics
We collect aggregate analytics (page views, feature usage) for service improvement. This data is:
- Aggregated and not linked to individual users
- Processed by our own systems, not third-party analytics
- Not shared with advertisers
11. CHILDREN'S DATA
11.1 Age Restrictions
The Platform is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children under 16.
11.2 Discovery of Children's Data
If we discover that we have collected personal data from a child under 16:
- We will promptly delete all associated data
- We will notify the recruiting organization
- We will document the incident and remediation
11.3 Reporting
If you believe we have collected data from a child under 16, please contact naman@utkrusht.ai immediately.
12. POLICY UPDATES
12.1 Notification of Changes
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of changes by:
- Posting the updated policy on our website
- Updating the "Last Updated" date
- For material changes: Email notification at least 30 days before changes take effect
12.2 Material Changes
Material changes include:
- New categories of personal data collected
- New purposes for processing
- New third-party recipients
- Changes to retention periods
- Changes to your rights
12.3 Version History
We maintain version history of this Privacy Policy. Previous versions are available upon request from naman@utkrusht.ai.
| Version | Date | Changes |
|---|---|---|
| 1.0 | February 2, 2026 | Initial publication |
12.4 Continued Use
Your continued use of the Platform after the effective date of changes constitutes acceptance of the updated Privacy Policy. If you do not agree with changes, you should stop using the Platform and exercise your deletion rights.
13. CONTACT US
13.1 Privacy Inquiries
Data Protection Officer Email: naman@utkrusht.ai
General Privacy Questions Email: naman@utkrusht.ai
EU/EEA Data Subjects — You may also contact our GDPR Article 27 representative, Prighter Group, via the portal at https://app.prighter.com/portal/18473340039. See Section 1.3 for details.
13.2 Mailing Addresses
Utkrusht Learning Services Private Limited
Registered Office (India) A-18 Shreenathji Kurpa Society, Subhanpura, Vadodara, India - 390023 Phone: +91-9023239479
US Office 572 Amboy Dr, San Jose, CA, United States of America - 95136 Phone: +1-919-793-6081
13.3 Supervisory Authority
If you are unsatisfied with our response to your privacy concerns, you have the right to lodge a complaint with a supervisory authority:
For EU/EEA Residents: Contact your local Data Protection Authority
For India: [Once established] Data Protection Authority of India Currently: You may contact us or seek legal remedies under applicable law
13.4 Response Times
| Request Type | Response Time |
|---|---|
| General inquiries | 5 business days |
| Data subject requests | 30 days (extendable to 90 days with notice) |
| Breach notifications | 72 hours to authorities, without undue delay to individuals |
APPENDIX: LEGAL BASIS SUMMARY
For Candidates
| Processing Activity | Legal Basis | Controller |
|---|---|---|
| Delivering your assessment | Contract (recruiter's instructions) | Recruiter (via Utkrusht as processor) |
| Generating your scores | Contract (recruiter's instructions) | Recruiter (via Utkrusht as processor) |
| Proctoring your session | Contract (recruiter's instructions) | Recruiter (via Utkrusht as processor) |
| Improving AI models | Legitimate interest | Utkrusht |
| Cross-org benchmarking | Legitimate interest | Utkrusht |
| Fraud prevention | Legitimate interest | Utkrusht |
| Security monitoring | Legitimate interest | Utkrusht |
For Recruiters
| Processing Activity | Legal Basis | Controller |
|---|---|---|
| Account management | Contract performance | Utkrusht |
| Service delivery | Contract performance | Utkrusht |
| Billing | Contract performance | Utkrusht |
| Tax records | Legal obligation | Utkrusht |
| Marketing (with consent) | Consent | Utkrusht |
| Service improvement | Legitimate interest | Utkrusht |
This Privacy Policy was last updated on February 2, 2026.
VERSION ROADMAP
V1.0 (Current — Audit-Ready)
This version provides full GDPR Article 13/14 disclosures and is immediately publishable. All data subject rights can be exercised through manual processes.
V1.0 Capabilities: - Manual data access request fulfillment (30-day response) - Manual erasure request processing - Manual cross-org opt-out handling - Email-based consent withdrawal - Static sub-processor list in this document
V2.0 (Target — Enhanced Automation)
| Enhancement | Description | Target |
|---|---|---|
| Self-service data access | In-app "Download My Data" feature | Q2 2026 |
| Automated erasure | One-click account deletion with cascade | Q2 2026 |
| Consent management | Granular consent preferences UI | Q3 2026 |
| Cookie consent banner | Dynamic consent for future analytics | Q3 2026 |
| Privacy dashboard | Real-time view of data processing | Q4 2026 |
Utkrusht Learning Services Private Limited India: A-18 Shreenathji Kurpa Society, Subhanpura, Vadodara, India - 390023 USA: 572 Amboy Dr, San Jose, CA 95136 Email: naman@utkrusht.ai
Document Version: 1.0
Privacy Notice — For Candidates
Utkrusht Skill Assessment Platform
Last Updated: May 5, 2026 Effective Date: May 5, 2026 Version: 1.0.1 — language tightened: enumerated 5 cross-org purposes, removed AI-training language, removed microphone references (not currently captured)
Who this is for: You're reading this because you've been invited to take an assessment on Utkrusht. This notice explains, in plain English, what data we collect about you, why, who sees it, and what you can do about it. If you're a recruiter or organization using the platform, see our B2B Privacy Policy instead.
TL;DR
- We record you during proctored assessments. Webcam video, screen, audio, and AI-detected behavioral signals (face visible, tab switching, etc.). This is the most invasive thing we do — it's covered in detail below.
- AI scores and ranks your responses. Humans make the final hiring call, not the AI. You can ask for a human re-review.
- The recruiter who invited you sees your results. They are an independent controller of the data they receive — for their privacy practices, contact them.
- We use anonymized assessment data to improve our AI and benchmarks. You can opt out (see Section 7).
- You have rights — access, correction, deletion, objection, portability. Email naman@utkrusht.ai to use them. EU/EEA candidates can also use our representative Prighter at https://app.prighter.com/portal/18473340039.
1. WHO HANDLES YOUR DATA
When you take an Utkrusht assessment, two organizations handle your personal data:
| Organization | Role | What they do |
|---|---|---|
| The company that invited you | Independent controller | Decides to assess you, receives your results, makes the hiring decision. Has its own privacy policy — contact them for details. |
| Utkrusht (Utkrusht Learning Services Pvt. Ltd.) | Processor for the recruiter; independent controller for our own purposes (aggregated benchmarks, question/task calibration, cross-org fraud detection, platform analytics, security) | Runs the assessment, stores your data, generates scores, monitors proctoring. |
This notice covers only what Utkrusht does. For questions about why you were assessed, how your results will be used in their hiring decision, or how long they'll keep your data after they receive it, contact the recruiting organization directly.
Utkrusht contact details
Utkrusht Learning Services Private Limited (CIN: U85490GJ2024PTC157512)
- India: A-18 Shreenathji Kurpa Society, Subhanpura, Vadodara - 390023 · +91-9023239479
- USA: 572 Amboy Dr, San Jose, CA 95136 · +1-919-793-6081
- Email: naman@utkrusht.ai
- EU/EEA representative (GDPR Art. 27): Prighter Group — https://app.prighter.com/portal/18473340039
2. WHAT WE COLLECT AND WHY
2.1 Identity and contact information
Your name, email, phone number, and a user ID. This comes from the recruiter who invited you, or from you when you sign up. We use it to give you access to the assessment and to contact you about it.
2.2 Professional information
Your resume / CV, LinkedIn profile, GitHub profile (if you provide it), work history, education, and stated skills. We extract structured fields from your resume so the recruiter and our AI can compare against the role requirements.
2.3 Your assessment responses
Text answers, audio recordings of spoken answers, video recordings of video answers, and code submissions. These are the substance of what's evaluated.
2.4 Proctoring data — the important one
If the recruiter has enabled proctoring for the assessment, before recording starts you'll be shown a separate consent screen explaining exactly what will be captured. You can decline — but if you decline, you typically can't take the proctored assessment (the recruiter set it that way).
When proctoring is on, we capture:
| What | Why | How long we keep it |
|---|---|---|
| Webcam video | Verify it's you taking the assessment, detect cheating | 1 year |
| Screen recording | Detect off-screen lookups, multiple windows, copy-paste | 1 year |
| Behavioral flags from AI: face not visible, multiple faces, tab switching, suspicious objects | Surface things for human review | 1 year |
We do not currently capture microphone audio or transcripts of audio during proctoring. If we add audio-based proctoring in a future release, we will obtain separate explicit consent before any recording begins, and we will update this notice.
Important: AI generates the flags. Recruiters review the flags. The AI does not disqualify you on its own.
2.5 Derived data the AI generates about you
Quality scores per response, competency ratings (1-5 with proficiency labels from Novice to Expert), SWOT-style analysis, code analysis, and a ranking position relative to other candidates for the role. See Section 4 for how AI is used.
2.6 Technical and source data
IP address, browser, device info, session timestamps, and a SHA-256 source hashcode that identifies which referral link you came from (e.g. a specific recruiter campaign). The hashcode is pseudonymous — it doesn't contain personal info on its own.
2.7 Communications
Emails, SMS, or WhatsApp messages we send you about your assessment, plus your replies to support.
3. THE LEGAL BASIS WE RELY ON
| What we do | Why it's lawful |
|---|---|
| Deliver the assessment, generate scores, run proctoring | The recruiter has instructed us to (contract performance / their lawful basis) |
| Capture proctoring video and audio | Your explicit consent, captured at the consent screen before the assessment starts |
| Use de-identified assessment data for aggregated benchmarks, question/task calibration, cross-org fraud detection, and platform analytics | Our legitimate interest — and you can opt out (Section 7) |
| Detect fraud and protect platform security | Our legitimate interest |
| Keep records required by law (tax, financial audit) | Legal obligation |
For our processor-role activities (delivery, scoring, reporting), the recruiter is the controller and determines the legal basis. Ask them.
4. HOW WE USE AI
We use AI throughout the assessment:
- Response evaluation: Each answer is scored for quality and relevance.
- Competency ratings: We generate a 1-5 rating per skill area with a proficiency label.
- Code analysis: Code submissions are evaluated for correctness, efficiency, and style.
- SWOT analysis: A short narrative of strengths/weaknesses/opportunities/threats.
- Ranking: We position you against other candidates for the same role, including anonymized benchmark data from candidates at other organizations.
- Proctoring analysis: AI watches your video and screen and raises flags for human review. (Microphone audio is not currently captured — see Section 2.4.)
You will not be hired or rejected purely by an algorithm. Human recruiters make the final call. You have the right to:
- Ask for a human review of any AI-generated assessment of you
- Express your point of view and contest the AI output
- Get meaningful information about how the AI reached its conclusion
Email naman@utkrusht.ai to invoke any of these.
5. WHO WE SHARE YOUR DATA WITH
5.1 The recruiting organization
They see your identity info, responses, scores, AI-generated analysis, proctoring flags (and on request, the underlying recordings), and your ranking. Once they have the data, they're an independent controller — meaning they decide how long to keep it, who else inside their company sees it, and how it factors into hiring. Contact them for those details.
5.2 Our sub-processors
We use third parties to actually run the platform. They're contractually bound to only process your data on our instructions, with appropriate security in place.
| Provider | Where | What they do | What they see |
|---|---|---|---|
| Amazon Web Services (S3) | Mumbai, India | Storage | Recordings, documents |
| Supabase | Singapore | Database, auth | All platform data |
| OpenAI (via Portkey) | USA | Response analysis | Text responses (no direct identifiers) |
| AssemblyAI | USA | Transcription | Audio/video |
| Sarvam AI | India | Indic-language transcription | Audio |
| MSG91 | India | SMS / OTP | Phone number, message |
| WhatsApp / Meta | Ireland / USA | Messaging | Phone number, message |
| Dodo Payments | India | Payments (recruiter side; you don't pay) | — |
| GitHub | USA | Code submission hosting | Code, GitHub username |
| USA | OAuth login (if you use it) | Email, basic profile | |
| Sentry | USA | Error monitoring | Error logs (may include user context) |
5.3 Other situations
We may also share data when legally required (court orders, regulatory requests), to protect our rights or the safety of others, or in connection with a merger or acquisition (with notice).
We do not sell your personal data.
6. WHERE YOUR DATA GOES (INTERNATIONAL TRANSFERS)
Your data is processed in India, Singapore, the USA, and Ireland. For transfers outside India to countries without an adequacy decision, we use EU-approved Standard Contractual Clauses plus supplementary safeguards: TLS 1.3 in transit, AES-256 at rest, pseudonymization before AI processing, and strict access controls.
Transfer Impact Assessments are available on request.
7. CROSS-ORGANIZATION DATA USE & OPT-OUT
By default, we use de-identified assessment patterns from candidates across all organizations for the following five purposes:
- Aggregated benchmarks — computing how candidates score relative to industry / role / experience cohorts.
- Question / task calibration — adjusting question difficulty and validity from response patterns over time.
- Cross-organization fraud detection — identifying patterns where the same candidate appears across multiple organizations with suspicious signals (impersonation, coordinated cheating).
- Platform analytics — aggregated platform-usage statistics for product development, marketing, and leadership reporting.
- Recruiter "industry comparison" features — surfacing benchmark metrics in the recruiter dashboard.
What's used: de-identified response patterns and aggregated metrics. What's never used or shared cross-organization: your name, contact info, the actual content of your responses, or your proctoring recordings.
We do not currently train machine learning models on candidate data. If that ever changes, we will update this notice and notify candidates with active assessments.
To opt out:
1. Email naman@utkrusht.ai with the subject line Cross-Org Opt-Out
2. Include the name and email you used for the assessment so we can verify
3. We'll process the opt-out within 30 days
After opt-out, your future assessments will be excluded from all five cross-organization purposes listed above. Data that's already been de-identified cannot be removed (it's no longer linked to you). Your assessment results for the recruiter who invited you are unaffected.
8. HOW LONG WE KEEP YOUR DATA
| Data | Kept for |
|---|---|
| Assessment responses, scores, AI analysis | 3 years from assessment completion |
| Proctoring video, audio, screen recordings, transcripts | 1 year from assessment completion |
| Your account data (if you created one) | Until you ask us to delete, or 3 years of inactivity |
| Communication logs | 1 year |
| Security and access logs | 1 year |
| De-identified / aggregated data | Indefinite (no longer personal data) |
When you ask us to delete your data, we remove it from active systems within 30 days and from backups within 90 days. We can't pull back data we've already shared with the recruiter — contact them for that. We also have to keep some data for legal reasons (e.g. anti-fraud records).
9. YOUR RIGHTS
Depending on where you are, you have some or all of the following rights:
| Right | What it means | How to use it |
|---|---|---|
| Access | Get a copy of your personal data | Email naman@utkrusht.ai |
| Correction | Fix inaccurate data | Email naman@utkrusht.ai |
| Deletion | Delete your data ("right to be forgotten") | Email naman@utkrusht.ai |
| Restriction | Limit how we process your data | Email naman@utkrusht.ai |
| Portability | Get your data in a machine-readable format | Email naman@utkrusht.ai |
| Objection | Object to processing based on legitimate interests | Email naman@utkrusht.ai |
| Human review | Request a human review of an AI-generated assessment | Email naman@utkrusht.ai |
| Withdraw consent | Withdraw any consent you previously gave | Email naman@utkrusht.ai |
| Lodge a complaint | Complain to your data protection authority | See your local DPA |
We respond within 30 days of a verified request. Complex requests can take up to 90 days, in which case we'll tell you within the first 30 days.
To verify it's really you, we may ask you to confirm from the email address registered with your assessment, or for stricter requests, a government ID.
9.1 If you're in the EU / EEA
GDPR applies. You have all the rights listed above. You can also contact our EU representative, Prighter Group, at https://app.prighter.com/portal/18473340039 — they can route privacy requests to us. You can lodge a complaint with your national Data Protection Authority.
9.2 If you're in India
The Digital Personal Data Protection Act, 2023 applies. You have the right to access, correction, erasure, grievance redressal, and to nominate someone to act on your behalf. Email naman@utkrusht.ai. Once the Data Protection Board of India is operational, you can also escalate complaints there.
9.3 If you're in California (USA)
Under the CCPA / CPRA, you have the right to know what personal information we've collected about you, to delete it, to correct inaccurate data, and to opt out of "sharing" of personal information for cross-context behavioral advertising (we don't do this). You also have the right to limit the use of "sensitive personal information" — proctoring biometric data falls in this category, and the proctoring consent screen is your control point. We do not sell your personal information. To exercise these rights, email naman@utkrusht.ai.
9.4 If the recruiter invited you
You can also send rights requests to the recruiter — they're obligated to forward them to us, and we'll help them respond on time. You can always come straight to us at naman@utkrusht.ai.
10. CHILDREN AND MINORS
The Platform is not intended for use by minors. We apply the strictest of the following thresholds based on where you are:
| Region | Minimum age without parental consent |
|---|---|
| India (DPDP Act) | 18 |
| EU / EEA (GDPR + member state laws) | 16 (some member states set 13-16) |
| USA (COPPA) | 13 |
If you're under the threshold for your region, you should not take an assessment without verifiable consent from a parent or guardian. If we discover we've collected data from a minor without proper consent, we will delete it promptly and notify the recruiting organization. To report this, email naman@utkrusht.ai.
11. SECURITY
We protect your data with encryption in transit (TLS 1.3) and at rest (AES-256), strict access controls (least privilege), audit logs, multi-factor authentication for staff, vulnerability scanning, and documented incident response procedures.
If a data breach affects your data, we will notify you without undue delay where the law requires us to (in particular, when there's a high risk to your rights), and we will notify supervisory authorities within 72 hours where applicable.
12. COOKIES
We only use essential cookies needed to keep you logged in and protect against cross-site attacks. We don't use advertising cookies, third-party tracking pixels, or social media tracking. Internal analytics are aggregated and not linked to individual candidates.
13. CHANGES TO THIS NOTICE
We may update this notice. The "Last Updated" date at the top tells you when. For material changes — new categories of data, new purposes, new recipients, changes to retention or your rights — we'll notify you by email at least 30 days before the change takes effect, where we have your email.
If you don't agree with a change, contact us to exercise your deletion rights.
14. CONTACT US
| For | Contact |
|---|---|
| All privacy questions and requests | naman@utkrusht.ai |
| EU/EEA representative | Prighter portal |
| Postal (India) | A-18 Shreenathji Kurpa Society, Subhanpura, Vadodara - 390023 |
| Postal (USA) | 572 Amboy Dr, San Jose, CA 95136 |
If you're not happy with our response, you can complain to your national data protection authority.
Utkrusht Learning Services Private Limited Document Version: 1.0