Ishavi
Policy 01 · Rev. 2026-05-27
Privacy policy

What we collect, why, and how long.

Plain-English privacy policy written to comply with the GDPR (EU/EEA), the Digital Personal Data Protection Act, 2023 (DPDP Act, India), and the CCPA / CPRA (California). Where the rules differ by jurisdiction, the strictest applicable rule governs.

    Section 01

    Who we are

    Ishavi is a knowledge-verification interview platform operated by Ishank Sharma (the “data controller” for the purposes of GDPR / DPDP / CCPA). Contact: privacy@ishavi.app. Registered correspondence address available on request.

    When Ishavi runs an interview on behalf of a recruiter (the “customer”), the customer is the controller of the candidate’s personal data and Ishavi is the processor. This policy describes both relationships; for data Ishavi processes on a customer’s behalf, the customer’s documented instructions under the Data Processing Agreement (DPA) govern where the two differ.

    Section 02

    Lawful bases for processing

    Under GDPR Article 6, Ishavi relies on the following lawful bases:

    • Art. 6(1)(b) -- performance of a contract: candidate-initiated interviews where the candidate has chosen to proceed with a job application.
    • Art. 6(1)(f) -- legitimate interest: sourcing and outreach communications based on publicly available professional data, balanced against the data subject’s rights through a documented Legitimate Interest Assessment (LIA). The right to object is honoured from the first contact onwards.
    • Art. 6(1)(a) -- consent: any optional analytics cookies and marketing communications. Any special-category (sensitive) data that is not needed to perform the contract is processed only with explicit consent under Art. 9(2)(a).
    • Art. 6(1)(c) -- legal obligation: retention of audit logs and financial records for the periods required by tax and corporate law.
    • Under the DPDP Act (India), each of the above is mapped to the nearest ground the Act recognises (consent, or one of the Act’s “certain legitimate uses”) and operates under the same internal controls.

    Section 03

    Categories of personal data

    Ishavi processes the following categories of personal data, each tied to a specific processing purpose:

    • Identity: name, work email, role, organisation; collected at recruiter sign-up or at candidate invitation.
    • Authentication: WorkOS-issued session tokens, IP at sign-in, MFA factors.
    • Interview content: audio recordings, machine-generated transcripts, model-generated scorecards, evidence quotes, recruiter notes.
    • Behavioural signals during a session: tab focus loss, window blur, paste events, fullscreen exit, environment heuristics. The full list is published on the Bill of Rights page.
    • Operational metadata: session timestamps, browser, device class, region, IP (truncated for analytics).
    • Communications: support tickets, appeal submissions, sub-processor list subscriptions.

    Section 04

    How long we keep data (retention)

    Retention is configured per tenant within the limits below. Tenants may shorten any of these periods; they may not extend them without an explicit written amendment that names a specific legal basis.

    • Raw interview audio: 90 days from session end, then automatic deletion. EU tenants may select 30 days; high-stakes regulated industries may opt up to 180 days under a written addendum.
    • Machine transcripts + scorecards: 24 months from session end (audit and appeal window), then anonymisation.
    • Audit logs (who did what, when): 7 years -- required for compliance investigations and tax law.
    • Recruiter account data: retained for the life of the subscription plus 30 days, then deleted unless the customer asks for a longer return-and-delete window.
    • Candidate sourcing records (Art. 6(1)(f) basis): 18 months from last meaningful contact, or until the candidate exercises the right to object.
    • Backups: encrypted backups follow a 35-day rolling cycle and are not searchable by data subject; data deleted in production therefore ages out of every backup within that same 35-day cycle.

    Section 05

    Data subject rights

    You have the following rights regardless of jurisdiction; Ishavi will honour them within 30 days of a verified request unless the applicable law allows a longer period for unusually complex requests (the GDPR, for example, permits an extension of up to two further months where justified, with notice to you).

    • Right of access -- a copy of your personal data and a description of how it is processed.
    • Right to rectification -- correction of inaccurate or incomplete data.
    • Right to erasure -- deletion of your data, subject to retention carve-outs for audit logs and ongoing legal proceedings.
    • Right to portability -- machine-readable export of your data where the lawful basis is consent or contract.
    • Right to restriction -- temporary halt of processing while a dispute is resolved.
    • Right to object -- to processing on legitimate-interest grounds (including sourcing outreach) and to fully-automated decision-making.
    • Right to withdraw consent -- where processing is based on consent, withdrawal is as easy as giving it; future processing stops, past processing remains lawful.
    • Right to complain to a supervisory authority -- in the EU, the data protection authority of the member state where you live or work, or where the alleged infringement took place (GDPR Art. 77); for India, the Data Protection Board of India; for California, the California Privacy Protection Agency (CPPA).

    Section 06

    International data transfers

    Ishavi operates from multiple regions and uses sub-processors that may transfer data outside the data subject’s home jurisdiction. Every transfer is covered by a recognised transfer mechanism.

    • EU / EEA personal data: Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with each non-EU sub-processor, using Module 2 (controller-to-processor) where Ishavi is the controller and Module 3 (processor-to-processor) where Ishavi acts as processor for a customer.
    • UK personal data: the ICO’s International Data Transfer Addendum to the EU SCCs (the “UK Addendum”), appended to the SCCs above.
    • India personal data: contractual clauses anticipating the DPDP Act cross-border transfer rules; data residency in ap-south-1 (AWS Mumbai) by default.
    • EU-US transfers: EU-US Data Privacy Framework self-certification is pending; until certified, transfers rely on the SCCs and a documented transfer impact assessment.
    • The current sub-processor list and their locations are published at /legal/subprocessors.

    Section 07

    Automated decision-making + the right to human review

    Ishavi’s model produces a recommendation; the platform never issues a hiring decision without a human reviewer. A candidate who disagrees with a decision can file an appeal, which is read by a human who was not involved in the original decision. The platform’s default appeal SLA is 72 hours; tenants may shorten it.

    This is how Ishavi meets GDPR Art. 22 (the right not to be subject to a decision based solely on automated processing). Tenants who attempt to bypass the human-review step lose their access to the platform; this is a contractual commitment, not just a policy line.

    Section 08

    Cookies + similar technologies

    Ishavi uses a small number of strictly necessary cookies (session, authentication, active-tenant, theme preference). Analytics and functional cookies are opt-in via the cookie banner shown on first visit in EU/UK jurisdictions. The full cookie list and the reset flow are documented at /legal/cookies.

    Section 09

    Security

    Detailed technical and organisational measures are listed in Annex A of the DPA. In summary: TLS for all data in transit; AES-256 encryption at rest; MFA on all production access; tenant-scoped key derivation so that one tenant’s keys cannot decrypt another tenant’s data; quarterly access reviews; an on-call rotation with documented run-books; and notification of affected customers within 48 hours of a confirmed breach, so that customers acting as controllers can meet their own 72-hour notification deadline under GDPR Art. 33.

    We assume incidents will happen and plan for them. Judge us on response time, not on claims of invulnerability.

    Section 10

    Children

    Ishavi is built for professional hiring contexts and is not directed at children. We do not knowingly collect personal data from individuals under the age of 16 (or the equivalent age of digital consent in the data subject’s jurisdiction). If we learn we have, we delete it.

    Section 11

    Contact + DPO

    Primary contact for any privacy question or rights request: privacy@ishavi.app. We acknowledge within two business days and respond substantively within 30 days.

    Data Protection Officer: outsourced retained counsel (placeholder pending the EU branch incorporation in Q4 2026). Until then, the same address routes to the DPO advisor.

    Section 12

    Changes to this policy

    Material changes are notified to active customers by email at least 30 days before they take effect. Non-material changes (typos, additional clarifications, new sub-processors that do not change data categories) are dated below and announced in the changelog at the bottom of the Trust Center; new sub-processors are additionally sent to subscribers of the sub-processor list at /legal/subprocessors.

    Last reviewed by outside counsel: 2026-04. Current revision: 2026-05-27.