Privacy Policy
Last updated: April 2026
1. Introduction
Cognaium AI Pvt. Ltd. ("we," "us," or "our") operates a talent assessment and workforce learning platform. This Privacy Policy describes how we collect, use, disclose, retain, and protect personal information when you use our websites, applications, and related services (collectively, the "Services").
Controller and processor roles. Where we process personal data on behalf of organizations (for example, employers or training providers) that use our Services to evaluate candidates or employees, that organization is typically the data controller (or business under U.S. state law) for candidate and workforce data, and Cognaium AI Pvt. Ltd. acts as a processor (or service provider/contractor) following their instructions and this Policy, our agreements, and applicable law. Where we determine the purposes and means of processing—for example, for our own account administration, billing, security operations, product analytics tied to our business, and direct communications with you about the Services—Cognaium AI Pvt. Ltd. may act as an independent controller.
If you interact with our Services as a candidate or employee of a customer organization, please also review notices and consents provided by that organization; they may impose additional rules or retention schedules that we honor contractually.
2. Information We Collect
We collect personal information that you or your organization provides, that is generated through your use of the Services, or that we receive from integrations and subprocessors as described below.
- Identity data: full name, username, employee or candidate identifiers, date of birth where required for compliance, and records of government-issued ID verification outcomes.
- Government ID images and selfie photos: images of identity documents and live or uploaded facial images you or your organization submit for identity verification.
- Contact data: email address, phone number, mailing address, and similar contact details.
- Professional data: employer, role, résumé or CV files, employment history, skills, certifications, education, and application materials.
- Assessment data: responses to tests and structured assessments; scores and rubrics; AI-generated commentary or recommendations concerning performance; training progress and completion records.
- Interview and conversation data: transcripts or text derived from interviews (which may be sent to AI systems for summarization or reporting, including excerpts up to approximately 15,000 characters where applicable).
- Proctoring and biometric-adjacent data: webcam frames or still images, session metadata, and signals from remote proctoring providers used to support exam integrity (we do not use this Policy to make medical or diagnostic claims).
- Usage data: pages and features accessed, timestamps, referral sources, in-app events, support tickets, and coarse location derived from IP address.
- Device data: browser type, operating system, device identifiers, IP address, and diagnostic logs needed for security and reliability.
3. How We Use Your Information
We process personal information for the purposes below. For data subject to the GDPR, we rely on the legal bases indicated in brackets (Article 6). Where processing is necessary for criminal-conviction or special-category data in your jurisdiction, we apply supplementary requirements (for example, Article 9 conditions and local law).
- Providing, operating, and improving the Services, including assessments, certifications, tutoring, and employer workflows [contract; legitimate interests in service delivery].
- Authenticating users, administering accounts, billing, and customer support [contract; legitimate interests].
- Identity verification using ID images and facial comparison, where enabled by the controller organization [contract; legal obligation where applicable; consent or explicit authorization where required].
- AI-assisted scoring, parsing, summarization, and content generation as further described in Section 4 [contract; legitimate interests with appropriate safeguards; consent where required].
- Proctoring and exam security, fraud prevention, and abuse detection [legitimate interests; legal obligation where applicable; contract].
- Security monitoring, debugging, backups, and disaster recovery [legitimate interests; legal obligation].
- Complying with law, responding to lawful requests, and enforcing our terms [legal obligation; legitimate interests].
- Aggregated or de-identified analytics to understand product usage [legitimate interests].
4. AI and Data Processing (Corrected Disclosure)
We use artificial intelligence and machine learning to deliver core features. Certain categories of personal information—including identifiable text, images, and transcripts—are transmitted to third-party AI providers for processing. This section replaces any prior statement that we do not share personally identifiable information with AI vendors.
AI providers that may receive personal data include: OpenAI; Anthropic (Claude); and Google (Gemini), including vision-capable models. Additional subprocessors may be listed on our Subprocessors page.
- Identity verification: government ID images and selfie photos may be sent to Google Gemini and OpenAI vision-capable APIs to perform document and facial matching checks requested by the controller organization.
- Assessment scoring: candidate answers and related context may be sent to OpenAI, Anthropic, and/or Google models to generate scores, rationales, or feedback.
- Résumé parsing: résumé or CV text may be sent to AI providers to extract structured fields such as skills and experience.
- Interview reporting: interview transcripts (including segments up to roughly 15,000 characters where applicable) may be sent to AI providers to produce summaries or reports for recruiters and hiring teams.
These providers process data under their own technical and organizational measures and, where they act as our subprocessors, under data processing terms consistent with Section 6 and Section 7.
Human review. Outputs from AI systems are advisory. Hiring, promotion, certification, and similar decisions by our customers should involve meaningful human review in line with the customer's policies and applicable law. Cognaium AI Pvt. Ltd. does not intend AI outputs to replace professional judgment where such judgment is required.
GDPR Article 22. Where AI processing produces legal or similarly significant effects concerning you, you may have the right to object to decisions based solely on automated processing, as described in Section 5 and Section 9.
5. Automated Decision-Making (GDPR Art. 22 Disclosure)
The Services may involve profiling or automated evaluations that affect candidates and employees, including:
- AI-generated hiring or screening recommendations presented to employer users;
- automated or semi-automated scoring of assessments;
- automated identity verification results (pass/fail or risk signals) based on ID and selfie analysis.
Under the GDPR, you may have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects, subject to exceptions in Article 22(2)–(4). You may request human intervention, express your point of view, and contest the decision where those rights apply.
To exercise Article 22 rights, contact the organization that invited you to the assessment or email [email protected]. We will work with the relevant controller or route your request as appropriate.
6. Data Sharing and Subprocessors
We share personal information with categories of recipients required to operate the Services:
- AI providers: OpenAI, Anthropic (Claude), Google (Gemini), as described in Section 4.
- Cloud infrastructure: hosting, storage, databases, and networking vendors.
- Payment processors: entities that facilitate billing where applicable.
- Email and communications: transactional email and notification vendors.
- Proctoring services: third parties that analyze webcam frames and session telemetry for exam integrity.
- Search and analytics: tools that help us understand product usage and reliability, subject to configuration and contractual limits.
A current list of material subprocessors, including AI vendors, is maintained at /subprocessors. We impose confidentiality, security, and data protection obligations consistent with our role as processor or controller, as applicable.
7. Cross-Border Data Transfers
Cognaium AI Pvt. Ltd. and our subprocessors may process personal information in the United States and other countries where we or they maintain facilities. If you are in the European Economic Area, United Kingdom, or Switzerland, and we transfer personal data to countries not subject to an adequacy decision, we implement appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) and supplementary measures where required.
For U.S.-bound transfers from the EEA, UK, or Switzerland, we may also rely on the EU-U.S. Data Privacy Framework principles, the UK extension, and the Swiss-U.S. Data Privacy Framework, as applicable and where self-certified, together with contractual clauses where needed for specific processing activities.
AI providers such as OpenAI, Anthropic, and Google maintain global infrastructure; data you submit to AI features may be processed in the United States or other regions according to those providers' documentation and our agreements with them. You may request further information about transfer mechanisms by contacting [email protected].
8. Data Retention
Retention periods may be overridden by customer agreements, legal holds, or statutory requirements. Unless a longer period is required by law or contract, we apply the following benchmarks:
- Assessment results: retained per the data controller's instructions or, if none are specified, up to one (1) year from the assessment date or completion.
- AI interview transcripts: up to ninety (90) days unless the controller directs an earlier deletion or a longer period is legally required.
- Proctoring snapshots: up to thirty (30) days unless a longer period is required for an active integrity investigation or by law.
- Résumé files: up to one (1) year after the associated application or pipeline closes unless the controller specifies otherwise.
- Government ID verification data: deleted after successful verification, except where limited retention is necessary for audit, dispute resolution, or legal obligation (in which case access is minimized).
- Account data: duration of the subscription or account relationship plus thirty (30) days for ordinary wind-down backups, unless law requires longer retention.
- Audit logs: up to three (3) years for security and compliance traceability.
9. Your Rights
Depending on your location and whether we act as controller or processor, your rights may be exercised directly with us or with the organization that deployed the Services.
European Economic Area / UK (GDPR / UK GDPR)
- Access, rectification, erasure, restriction of processing, and data portability;
- Object to processing based on legitimate interests or for direct marketing;
- Withdraw consent where processing is consent-based;
- Rights related to automated decision-making under Article 22, as outlined in Section 5;
- Lodge a complaint with a supervisory authority.
California residents (CCPA/CPRA)
- Know what personal information we collect, use, disclose, and retain;
- Delete personal information subject to exceptions;
- Correct inaccurate personal information;
- Opt out of sale or sharing of personal information for cross-context behavioral advertising (we state our practices in Section 14);
- Limit use and disclosure of sensitive personal information where applicable.
India (Digital Personal Data Protection Act)
- Access, correction, and erasure rights as prescribed by law and consistent with legitimate processing grounds;
- Grievance redressal through our Grievance Officer (Section 15);
- Withdraw consent where processing is consent-based, subject to contractual or legal retention needs.
10. Data Subject Access Requests
To submit a rights request, email [email protected] with a description of the right you wish to exercise, the Services you used, and any reference IDs supplied by your employer or recruiting team. We may verify your identity using reasonable measures (for example, confirming control of your email address or requesting a signed declaration) before disclosing or deleting data.
Response timelines: where the GDPR applies, we aim to respond within thirty (30) days; where the CCPA applies to requests to know, delete, or correct, we aim to respond within forty-five (45) days unless an extension is permitted by law and communicated to you.
If we process your data solely as a processor for a customer, we may forward your request to that customer and assist them in fulfilling it.
12. Data Security
We implement administrative, technical, and organizational measures designed to protect personal information, including:
- Encryption in transit using TLS;
- Encryption at rest for stored objects such as files in Amazon S3 using AES-256;
- Role-based access control and least-privilege engineering practices;
- Multi-tenant isolation for customer datasets;
- Audit logging of security-relevant events, retained in line with Section 8.
No method of transmission or storage is completely secure; we encourage strong passwords, device security, and prompt reporting of suspected incidents.
13. Children's Privacy
The Services are not directed to individuals under sixteen (16) years of age, and we do not knowingly collect personal information from children for such audiences. If you believe we have collected information from a child inappropriately, contact [email protected] and we will take appropriate steps to investigate and delete information where required.
14. California Residents (CCPA/CPRA)
In the preceding twelve months, we may have collected the categories of personal information described in Section 2, including identifiers, professional or employment information, education information, audio/electronic visual information (such as proctoring frames and ID images), internet or network activity, and inferences drawn to create profiles about abilities or performance.
No sale of personal information. We do not sell personal information as traditionally defined under the CCPA. We may share personal information with service providers and AI subprocessors strictly to provide the Services in accordance with written contracts.
Sensitive personal information. Some features may process SPI such as government ID contents or precise account credentials. We limit use of SPI to what is reasonably necessary to perform the Services you request, maintain security, and comply with law, and we honor applicable limitation rights.
Authorized agents. California residents may designate an authorized agent to submit requests. We may require signed permission and direct verification with you unless the agent holds valid power of attorney under California law.
15. India Residents (DPDP Act)
Where the Digital Personal Data Protection Act, 2023 applies, Cognaium AI Pvt. Ltd. acts as a Data Fiduciary or Data Processor as determined by the facts of processing. We collect and process digital personal data fairly and for lawful purposes with appropriate notice.
You may exercise applicable rights—including access, correction, erasure where eligible, grievance redressal, and withdrawal of consent where processing is consent-based—by contacting [email protected] or the Grievance Officer identified below.
Grievance Officer: Email [email protected] with subject line "DPDP Grievance" for escalation handling consistent with statutory timelines once implementing rules are fully operative.
16. Data Protection Officer
For questions about our processing of personal data under the GDPR or similar regimes, contact our Data Protection Officer at [email protected].
17. Changes to This Policy
We may update this Privacy Policy to reflect operational, legal, or regulatory changes. We will post the revised policy on this page, update the "Last updated" date, and, where changes are material and we have your contact details, provide additional notice such as an email or in-product alert. Continued use of the Services after the effective date constitutes acceptance of the updated Policy except where your consent is required for new processing activities.
18. Contact Us
Privacy inquiries: [email protected]
Data Protection Officer: [email protected]
General contact: Contact page