Data Protection

DPDPA & GDPR Compliance

How TalentSpotify collects, processes, and protects personal data — aligned with India's Digital Personal Data Protection Act 2023 and GDPR for our GCC and international users.

Last updated: 21 June 2026 · DPDPA 2023 Aligned · GDPR Article 27 Ready

1. Overview & Applicability

This Data Protection & Privacy page ("Policy") describes how TalentSpotify Private Limited (CIN: U72900KA2022PTC157845), registered at Sy No. 135/1, No. 87, Ground Floor, Flushing Meadows Layout, Yettakodi, Malur, Kolar, Karnataka, India – 563130, collects, processes, stores, and protects personal data.

This Policy applies to:

  • Data Principals / Employees whose performance data is processed through the Platform.
  • HR Administrators and Managers who configure and operate the Platform.
  • Visitors to our website and marketing materials.

Regulatory framework: Our primary compliance framework is the Digital Personal Data Protection Act, 2023 (DPDPA) — India's landmark data protection legislation. For customers or data principals located in the European Economic Area (EEA), the United Kingdom, or the Gulf Cooperation Council (GCC), we additionally apply the principles of the General Data Protection Regulation (GDPR).

India — DPDPA 2023

Primary framework. We act as Data Processor for customer organisations (Data Fiduciaries) in respect of employee data; for website visitors and billing contacts we are the Data Fiduciary. Data stored on AWS Mumbai (ap-south-1).

GCC & International — GDPR

Applied for EEA/UK/GCC data subjects. SCCs in place for cross-border transfers. Article 27 EU Representative designated.

2. Data We Collect

We collect only the personal data necessary to provide the contracted services (data minimisation principle). This includes:

Category | Examples | Purpose
Identity & Contact | Name, work email, employee ID, job title, department | Account creation, review attribution, reporting
Performance Data | OKR scores, review ratings, competency assessments, feedback text | Core platform functionality
TARA Voice Data | Audio recording (consented), transcript, bias-signal flags | AI-assisted review facilitation and fairness analysis
Usage & Log Data | IP address, browser type, session timestamps, page views | Security, fraud prevention, service improvement
Payment Data | Billing contact name, GST number, payment reference | Invoice generation, accounting compliance

We do not collect or process sensitive or special-category personal data (biometric identifiers, health records, religious beliefs, caste), whether so classified under Indian law or under GDPR Article 9, unless explicitly contracted and consented for a specific purpose.

3. Purpose & Legal Basis for Processing

We process personal data only for specific, lawful purposes. Under DPDPA, our lawful bases are consent and legitimate use. Under GDPR, we rely on contract performance, legitimate interests, and legal obligation.

Performance review facilitation

Consent (DPDPA) / Contract (GDPR)

Employees provide affirmative consent via the in-app consent screen before any TARA session.

Bias-signal analysis

Consent (DPDPA) / Legitimate interest (GDPR)

Analysis is performed on transcripts only after recorded consent. Findings are surfaced to HR — never used to make automated decisions.

OKR tracking & recognition

Consent / Contract

Core platform functionality as contracted with the employer.

Product improvement & model training

Separate explicit consent

We will not use your data to improve AI models available to third parties without a separate, explicit opt-in.

Security & fraud prevention

Legitimate interest / Legal obligation

Logs retained for 90 days for security incident investigation.

Invoice & tax compliance

Legal obligation

Financial records retained for 7 years, or longer where the Companies Act, 2013 or GST law requires it.

5. Your Rights as a Data Principal

DPDPA §6(4), §11–14

Under the Digital Personal Data Protection Act 2023, every Data Principal (employee) has the following rights. To exercise any right, contact your HR administrator or email contact@talentspotify.com.

Right to Information (§11)

You have the right to know what personal data we hold about you, the purposes for which it is processed, and the identity of any third parties to whom it has been disclosed.

Right to Correction (§12)

You may request correction of inaccurate or incomplete personal data. Correction requests are acknowledged within 72 hours and actioned within 15 days, ahead of the general 30-day timeline below.

Right to Erasure (§12)

You may request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, subject to legal retention obligations.

Right to Grievance Redressal (§13)

You may raise a grievance with our Grievance Officer. We will acknowledge within 24 hours and resolve within 30 days.

Right to Nominate (§14)

You may nominate another individual to exercise your rights in the event of death or incapacity.

Right to Withdraw Consent (§6(4))

You may withdraw consent at any time, as easily as it was given. Withdrawal does not affect processing already completed and may limit certain Platform features going forward; processing that relied on the withdrawn consent stops within a reasonable time unless it is required or authorised by law.

Response timelines: We acknowledge all rights requests within 72 hours and respond substantively within 30 days (the one-month period of GDPR Article 12(3), which we also apply to DPDPA requests). Complex requests may be extended by a further 30 days, with notification of the reason for the delay.

6. Your Rights under GDPR

For GCC / EEA users

If you are located in the European Economic Area or the United Kingdom, you additionally have the following rights under Regulation (EU) 2016/679 (and the UK GDPR). GDPR does not apply directly in GCC countries; we extend the same rights to GCC data subjects as a contractual commitment.

Right of Access (Art. 15)

Request a copy of all personal data we hold about you, together with information about how it is processed.

Right to Rectification (Art. 16)

Request correction of inaccurate personal data without undue delay.

Right to Erasure (Art. 17)

The 'right to be forgotten' — request deletion where no overriding legal ground exists.

Right to Restrict Processing (Art. 18)

Request that we restrict processing while a correction or objection request is under consideration.

Right to Data Portability (Art. 20)

Receive your personal data in a structured, machine-readable format and transmit it to another controller.

Right to Object (Art. 21)

Object to processing based on legitimate interests, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds.

If you believe we have not addressed your concern adequately, you have the right to lodge a complaint with your national supervisory authority (e.g., the ICO in the UK or relevant DPA in the EEA).

7. Data Retention

We retain personal data only for as long as necessary for the stated purpose or as required by law. Our standard retention schedule:

Data Type | Retention Period | Basis
TARA voice recordings | 90 days after review cycle closes | Operational necessity; deleted earlier on request
Transcripts & bias-signal reports | Duration of active subscription + 90 days | Audit trail for HR; exportable on request
Performance review data | Duration of subscription + 90 days after termination | Customer data ownership
Usage & security logs | 90 days | Security incident response
Invoices & financial records | 7 years (longer where required) | Companies Act 2013 / GST compliance
Consent records | Duration of subscription + 3 years | DPDPA audit obligation

All data is securely destroyed at end-of-life using NIST SP 800-88 compliant methods. Customers may request early deletion at any time during the subscription.

8. Security Safeguards

We implement layered security controls proportionate to the sensitivity of performance and HR data:

Encryption at Rest

AES-256 encryption for all stored data including voice recordings, transcripts, and review data.

Encryption in Transit

TLS 1.3 enforced for all data transmission. HSTS enabled. Certificate pinning for mobile clients.

Infrastructure

Hosted on AWS Mumbai (ap-south-1). VPC isolation, private subnets, and WAF protection.

Access Control

Role-based access control (RBAC) with least-privilege principles. MFA enforced for all admin accounts.

Vulnerability Management

Annual penetration testing by independent third party. Continuous dependency scanning via automated tooling.

Employee Training

All staff complete data protection and security awareness training annually. Background checks for staff with data access.

Incident Response

Documented incident response plan. Dedicated security team on-call 24/7. Breach notification within 72 hours of discovery.

Backup & Recovery

Daily encrypted backups with 30-day retention. RTO of 4 hours, RPO of 1 hour for Enterprise plans.

9. Sub-Processors

We engage the following categories of sub-processors to deliver the Platform. All sub-processors are contractually bound to data protection obligations at least equivalent to those we owe you.

Sub-Processor | Purpose | Location
Amazon Web Services (AWS) | Cloud infrastructure & storage | India (ap-south-1)
AI/ML Inference Provider | Speech-to-text transcription & NLP analysis | India (primary)
Email Delivery Provider | Transactional and notification emails | India / EEA
Payment Gateway | Payment processing (no card data stored by us) | India (RBI-compliant)
Analytics Provider | Anonymised product usage analytics | India

We will notify you of any intended changes to sub-processors with at least 30 days' notice, giving you the opportunity to object. An up-to-date list is available on request.

10. International Data Transfers

By default, all Customer Data is stored and processed in India (AWS Mumbai region) and does not leave India. For customers who explicitly enable cross-border features (e.g., GCC payroll integrations), we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): For personal data of EEA or UK data subjects transferred outside those jurisdictions (including to our Indian infrastructure), we use the European Commission's SCCs (Implementing Decision (EU) 2021/914); for UK-origin data, the ICO's International Data Transfer Agreement or the UK Addendum to the SCCs.
  • Adequacy Decisions: Where the European Commission (or the UK government) has issued an adequacy decision for the destination country, we rely on that decision instead of SCCs.
  • DPDPA §16: Personal data may be transferred outside India except to countries or territories that the Central Government restricts by notification. Independently of that, we enter into a written cross-border data transfer agreement with the overseas entity before any transfer of personal data.

We will not transfer your data to countries identified as restricted under DPDPA notifications without your explicit prior consent.

11. Data Breach Notification

In the event of a personal data breach affecting your data:

  1. We will notify your designated security or privacy contact within 72 hours of becoming aware of the breach (the timeline of GDPR Article 33, which we also apply to our breach intimation obligations under DPDPA §8(6)).
  2. Notification will include: nature of the breach; categories and approximate number of data principals affected; likely consequences; measures taken or proposed to address the breach.
  3. Where DPDPA §8(6) requires it, the breach will be intimated to the Data Protection Board of India and to affected Data Principals. As Data Processor we will give the customer (Data Fiduciary) the information needed to make that intimation, and will make it ourselves where we are the Data Fiduciary (for example, for website visitors and billing contacts).
  4. Where required by GDPR, we will notify the relevant supervisory authority (Article 33) and, where a high risk to data subjects is likely, notify affected data subjects directly (Article 34).
  5. We will cooperate fully in any investigation and provide all reasonable assistance.

To report a suspected security incident or data breach, contact us immediately at contact@talentspotify.com. Our security team is on-call 24/7.

12. Children's Data

The TalentSpotify Platform is designed exclusively for use in professional workplace settings. We do not knowingly collect personal data from individuals under the age of 18. If you believe that a minor's data has been collected through the Platform, please contact us immediately at contact@talentspotify.com and we will take prompt steps to delete that data.

Under DPDPA §9, processing of personal data of children requires verifiable parental consent and additional safeguards. Our standard service agreements expressly prohibit use of the Platform to process data of individuals below 18 years of age.

13. Grievance Redressal Officer

DPDPA §13

In accordance with the Digital Personal Data Protection Act 2023, TalentSpotify has designated a Grievance Redressal Officer (GRO) to handle complaints and queries from Data Principals.

Grievance Redressal Officer
TalentSpotify Private Limited
CIN: U72900KA2022PTC157845 · GST: 29AAJCT1805A1ZN
Sy No. 135/1, No. 87, Ground Floor, Flushing Meadows Layout, Yettakodi, Malur, Kolar, Karnataka, India – 563130
contact@talentspotify.com

We acknowledge all grievances within 24 hours and resolve them within 30 days. If you are not satisfied with our response, you may escalate to the Data Protection Board of India once it is constituted; DPDPA §13(3) requires this grievance process to be exhausted first, and the Board hears such complaints under §27.

14. Data Protection Officer

For GDPR purposes and as a matter of best practice, TalentSpotify has designated a Data Protection Officer (DPO) responsible for overseeing compliance with data protection laws and acting as the point of contact for supervisory authorities.

Data Protection Officer
TalentSpotify Private Limited
CIN: U72900KA2022PTC157845 · GST: 29AAJCT1805A1ZN
Sy No. 135/1, No. 87, Ground Floor, Flushing Meadows Layout, Yettakodi, Malur, Kolar, Karnataka, India – 563130
contact@talentspotify.com

EEA/UK data subjects may also contact our EU Representative (Article 27 GDPR) for matters relating to EU data protection law. Contact details available on request.

15. Policy Changes

We may update this Policy to reflect changes in our data practices, product features, or applicable law. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Notify Customer account administrators by email at least 30 days before material changes take effect.
  • Where consent is the legal basis, obtain fresh consent before the new processing begins.

Continued use of the Platform after the effective date of the updated Policy constitutes acceptance of the revised terms. If you do not agree, you may terminate your subscription as described in our Terms & Conditions.

16. Contact Us

For all data protection queries, rights requests, or privacy concerns:

General Privacy

contact@talentspotify.com

Grievance Officer

contact@talentspotify.com

Security Incidents

contact@talentspotify.com
