Privacy Policy
We are committed to protecting the personal data of every individual whose information passes through TalentSpotify. This policy explains what we collect, why we collect it, how we use it, and the rights you hold over your data.
1. Who We Are
This Privacy Policy is published by TalentSpotify Private Limited (CIN: U72900KA2022PTC157845, GST: 29AAJCT1805A1ZN), registered at Sy No. 135/1, No. 87, Ground Floor, Flushing Meadows Layout, Yettakodi, Malur, Kolar, Karnataka, India – 563130 ("TalentSpotify", "we", "us", or "our").
TalentSpotify operates an AI-powered human-resource performance management platform that includes TARA (an AI voice agent for structured performance review conversations), OKR management, recognition, and people analytics.
For personal data processed through our platform on behalf of our business customers, TalentSpotify acts as a Data Processor (or Sub-Processor under GDPR). Our customers — the organisations that subscribe to TalentSpotify — are the Data Fiduciaries / Data Controllers responsible for determining the purpose and means of processing employee personal data.
For personal data we collect directly (website visitors, trial users, marketing contacts), TalentSpotify acts as the Data Fiduciary / Controller.
2. Scope & Applicability
This policy applies to:
- Visitors to our website at www.talentspotify.com and any related subdomains.
- Trial and prospective customers who submit demo requests, sign up for free trials, or contact our sales team.
- Subscribers — authorised users (employees, managers, HR administrators) of organisations that have purchased a TalentSpotify subscription.
- Data Principals — employees of our customers whose personal data is processed through our platform as part of performance management workflows.
This policy does not cover third-party websites linked from our platform. We encourage you to review the privacy policies of any third-party services you access through links on our site.
3. Data We Collect
We collect and process the following categories of personal data, depending on your relationship with us:
3.1 Data you provide directly
| Category | Examples | Collected from |
|---|---|---|
| Identity data | Full name, employee ID, job title, department, reporting line | Customer HR upload, user profile |
| Contact data | Work email address, phone number | Customer HR upload, demo request form |
| Performance data | OKR goals, check-in updates, review ratings, manager feedback, bias signal flags | Platform usage during active subscription |
| Voice & conversation data | Audio recordings of TARA review conversations, transcripts, AI-generated analysis | TARA AI agent (with participant consent) |
| Recognition data | Peer recognition messages, award points, leaderboard standings | Platform usage |
| Account credentials | Username, hashed password, SSO tokens | Account registration |
3.2 Data collected automatically
| Category | Examples |
|---|---|
| Usage data | Pages visited, features used, button clicks, session duration, login timestamps |
| Device & technical data | IP address, browser type, operating system, device type, timezone |
| Log data | Server logs, error reports, API call timestamps |
| Cookie data | Session cookies, preference cookies, analytics identifiers |
We do not intentionally collect sensitive personal data (such as health information, biometric data, caste, religion, political opinions, or sexual orientation). If such data is incidentally mentioned in a TARA voice review, it is not extracted, stored separately, or used for any purpose other than providing the review summary in the context in which it was shared.
4. How We Use Your Data
We use personal data only for the purposes for which it was collected or to which you have consented:
- Service delivery: To operate the TalentSpotify platform, including running OKR cycles, performance reviews, TARA conversations, and recognition workflows on behalf of our customers.
- Bias signal analysis: TARA analyses review transcripts to surface potential cognitive, social, and calibration bias signals. This analysis is provided to HR for human review only — it does not make, record, or recommend final employment decisions.
- Account management: To create and manage user accounts, authenticate users, and process subscription billing.
- Customer support: To respond to queries, resolve technical issues, and provide onboarding assistance.
- Security: To detect and prevent fraud, unauthorised access, and security incidents.
- Platform improvement: To analyse aggregated, anonymised usage patterns to improve features and user experience. We do not use identifiable Customer Data to train AI models made available to third parties without explicit written consent.
- Marketing communications: To send product updates, newsletters, and promotional materials to individuals who have opted in. You can unsubscribe at any time.
- Legal compliance: To comply with applicable laws, respond to lawful government requests, and enforce our Terms & Conditions.
5. Legal Basis for Processing
Under India's Digital Personal Data Protection Act, 2023 (DPDPA), we rely on the following grounds to process personal data:
- Consent (§7 DPDPA): For TARA voice recordings, marketing emails, and any optional data collection. Consent is obtained before data collection and may be withdrawn at any time.
- Contractual necessity: To deliver the services you or your employer has subscribed to.
- Legitimate uses (§7(f)–(i) DPDPA): For security monitoring, fraud prevention, legal compliance, and aggregated analytics.
- Legal obligation: Where processing is required by applicable Indian law.
GDPR Lawful Bases (EEA/GCC users)
For users located in the European Economic Area or jurisdictions where GDPR applies, we rely on:
- Article 6(1)(b): Performance of a contract — to provide the services your organisation subscribed to.
- Article 6(1)(a): Consent — for optional processing such as marketing communications and voice recordings.
- Article 6(1)(f): Legitimate interests — for security, fraud prevention, and product analytics, where these interests are not overridden by your rights.
- Article 6(1)(c): Legal obligation — where processing is required by EU or member-state law.
6. Consent Management
Where we rely on consent as the lawful basis for processing, we ensure that consent is:
- Freely given — not bundled with acceptance of terms unrelated to the processing.
- Specific — obtained for a defined purpose, not a blanket permission.
- Informed — provided only after a clear, plain-language description of what data is collected and how it is used.
- Unambiguous — via a positive opt-in action (e.g., checking a box, tapping an on-screen confirmation before a TARA session starts).
TARA Voice Recording Consent
Before any TARA-assisted performance conversation begins, all participants (manager and employee) receive an in-app and/or verbal notification that the conversation will be recorded and analysed by TARA. The session does not commence until all participants have confirmed consent. Participants may withdraw at any time by ending the session — any recording made up to that point is deleted.
Withdrawing Consent
You may withdraw consent at any time by contacting us at contact@talentspotify.com or via the account settings in the platform. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
8. International Data Transfers
All personal data processed through TalentSpotify is stored on AWS Mumbai (ap-south-1) servers located in India. Data does not leave India unless:
- You have explicitly enabled cross-border features (e.g., GCC entity management).
- Required by a lawful order of a government authority.
- A sub-processor listed above operates infrastructure partially outside India (in which case Standard Contractual Clauses or equivalent safeguards apply).
GDPR Transfers
For customers in the EEA or GCC, transfers of personal data outside those jurisdictions are protected by:
- EU Standard Contractual Clauses (SCCs) for transfers to third countries without an adequacy decision.
- Adequacy decisions where applicable (e.g., transfers to countries with equivalent protection recognised by the European Commission).
9. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this policy, to comply with legal obligations, or to resolve disputes. Our standard retention schedule is as follows:
| Data Category | Retention Period | Basis |
|---|---|---|
| TARA voice recordings | Duration of active review cycle + 90 days | Contractual / consent |
| TARA transcripts & analysis | Duration of active subscription + 12 months | Contractual |
| Performance review records | Duration of active subscription + 3 years | Legal / contractual |
| Account & billing records | 7 years from last transaction | Tax / legal obligation (Companies Act, GST) |
| Marketing contact data | Until you unsubscribe + 6 months | Consent |
| Website analytics | 13 months (rolling) | Legitimate interest |
| Server logs | 90 days | Security / legitimate interest |
On termination of a subscription, Customer Data will be available for export for 30 days. After this period, data is securely deleted or anonymised in accordance with the schedule above.
10. Security Measures
We implement and maintain technical and organisational security measures appropriate to the risk and nature of the personal data we process:
- Encryption at rest: AES-256 for all stored data on AWS.
- Encryption in transit: TLS 1.3 for all data in motion.
- Access control: Role-based access with least-privilege principles; MFA enforced for admin accounts.
- Audit logging: Immutable access logs retained for 90 days for security investigation.
- Vulnerability management: Regular penetration testing and third-party security assessments.
- Incident response: Documented incident response plan with breach notification procedures.
- Vendor assessment: All sub-processors reviewed against security standards before engagement.
- Data minimisation: We collect only what is necessary for the stated purpose.
Despite these measures, no system is completely secure. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with applicable law.
11. Your Rights
Depending on your location and the applicable law, you may have the following rights over your personal data:
Rights under DPDPA 2023 (India)
- Right to access: Request a copy of the personal data we hold about you and information about how it is processed.
- Right to correction: Request correction of inaccurate or incomplete personal data.
- Right to erasure: Request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, or where you withdraw consent.
- Right to grievance redressal: Lodge a complaint with our Grievance Officer (see Section 14) if you believe your rights have been violated.
- Right to nominate: Nominate another person to exercise your DPDPA rights on your behalf in the event of your death or incapacity.
- Right to withdraw consent: Withdraw previously given consent at any time, without affecting the lawfulness of prior processing.
Additional Rights under GDPR (EEA / GCC users)
- Right to data portability: Receive your personal data in a structured, machine-readable format and transfer it to another controller.
- Right to restrict processing: Request that we limit how we use your data while a correction or objection is being resolved.
- Right to object: Object to processing based on legitimate interests or for direct marketing at any time.
- Rights related to automated decisions: Not be subject to decisions based solely on automated processing that produce significant legal or similarly significant effects, without human review.
- Right to lodge a complaint: File a complaint with your local supervisory authority (e.g., the relevant Data Protection Authority in your country).
- Right to be informed: Receive clear, transparent information about how your data is processed, provided in plain language.
13. Children's Data
The TalentSpotify platform is a B2B enterprise product designed for use by employed adults in a professional context. We do not knowingly collect, process, or solicit personal data from individuals under the age of 18.
If you believe that a person under 18 has provided personal data to us without appropriate parental or guardian consent, please contact us immediately at contact@talentspotify.com. We will take prompt steps to verify and delete such data.
14. Grievance Officer
In accordance with the Information Technology Act, 2000 (as amended), the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Digital Personal Data Protection Act, 2023, we have appointed a Grievance Officer to address complaints related to personal data processing:
Grievance Officer
TalentSpotify Private Limited
Sy No. 135/1, No. 87, Ground Floor, Flushing Meadows Layout, Yettakodi, Malur, Kolar, Karnataka, India – 563130
Email: contact@talentspotify.com
Response time: Within 30 days of receipt of complaint
If your complaint is not resolved to your satisfaction by our Grievance Officer, you may escalate your complaint to the Data Protection Board of India, once constituted under the DPDPA 2023.
15. Data Protection Officer (GDPR)
For customers and data subjects in the European Economic Area or jurisdictions where GDPR applies, enquiries related to data protection may be directed to our Data Protection contact:
Data Protection Contact
TalentSpotify Private Limited
Sy No. 135/1, No. 87, Ground Floor, Flushing Meadows Layout, Yettakodi, Malur, Kolar, Karnataka, India – 563130
Email: contact@talentspotify.com
You also have the right to lodge a complaint with the supervisory authority in your country of residence. In India, the relevant authority is the Data Protection Board of India (once constituted). For EEA users, this is the relevant national Data Protection Authority.
16. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in law, our data practices, or our services. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Send an email notification to all active subscribers at least 30 days before the changes take effect.
- Display a prominent banner on the platform for the notice period.
For changes that reduce your privacy rights, we will seek fresh consent where required by law. Your continued use of the Platform after the effective date of the revised policy constitutes acceptance of the updated terms.
We encourage you to review this policy periodically. Prior versions are available on request.
17. Contact Us
For any questions, concerns, or requests related to this Privacy Policy or our data processing practices, please contact us:
TalentSpotify Private Limited
CIN: U72900KA2022PTC157845
GST: 29AAJCT1805A1ZN
Sy No. 135/1, No. 87, Ground Floor, Flushing Meadows Layout, Yettakodi, Malur, Kolar, Karnataka, India – 563130
contact@talentspotify.com
We aim to respond to all privacy-related enquiries within 5 business days and to resolve requests within 30 days. For complaints that we cannot resolve, you may contact the relevant data protection authority in your jurisdiction.