Legal
Privacy Policy
Last updated: June 3, 2026
1. Introduction
SohamRecruit ("we", "our", or "us") is an applicant tracking system (ATS) designed for small recruitment consultancy firms. This Privacy Policy explains how we collect, use, store, and share information when you use our platform at sohamrecruit.com.
By using SohamRecruit, you agree to this Privacy Policy. If you do not agree, please discontinue use of the service.
This policy is written to support compliance with the EU General Data Protection Regulation (GDPR), Singapore's Personal Data Protection Act (PDPA), India's Digital Personal Data Protection Act (DPDP), and the California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA). Region-specific rights are listed in Section 9.
2. Who We Are and How to Contact Us
SohamRecruit is operated by Soham Value Creation, a sole proprietorship. SohamRecruit is delivered as a Software-as-a-Service (SaaS) product available globally.
Data Protection Officer / Privacy Contact: privacy@sohamrecruit.com
The same address serves as our designated contact under GDPR Article 27 (representative), PDPA (Data Protection Officer), and DPDP (Data Protection Officer / Grievance Officer). We will respond to privacy requests within 30 days, in line with the strictest applicable regulation.
General support: support@sohamrecruit.com
3. Information We Collect
3.1 Account Information
When recruiters or company admins register, we collect: name, email address, company name, role, and a hashed password.
3.2 Candidate Data
Recruiters may upload candidate profiles containing: full name, email, phone number, current and expected salary, skills, work experience, education, and resume files (PDF or DOCX). Resume text is extracted and stored to enable search and AI-assisted matching.
3.3 Gmail & Google Calendar Data (Optional Integration)
If a recruiter connects their Gmail account, we request the following Google OAuth scopes:
- gmail.readonly — to scan the recruiter's inbox for incoming resume attachments (PDF/DOCX) sent by candidates. We read message metadata and attachment content only; we do not read, store, or index unrelated email body content.
- gmail.send — to send candidate-facing emails (interview invites, follow-ups, status updates) from the recruiter's own Gmail address so candidates receive a personal sender rather than a no-reply address. Sends are recruiter-initiated or triggered by automation rules the recruiter explicitly configures.
- calendar.events — to create, update, and delete interview events on the recruiter's Google Calendar when they schedule, reschedule, or cancel an interview in SohamRecruit. We only write events we create; we never read or enumerate other events on the recruiter's calendar.
Google OAuth tokens are encrypted at rest using AES-256-GCM and are never shared with third parties. Gmail and Calendar data are used solely to provide the features described above within SohamRecruit. Resume attachments imported via Gmail are stored in our private Google Cloud Storage bucket (signed-URL access only) and are subject to our standard data-retention policy.
You can revoke Gmail and Calendar access at any time from your Profile page within SohamRecruit, or directly from your Google Account permissions. Revoking access immediately clears our stored refresh token and stops all further Gmail scans and calendar writes.
3.4 Job Applications
Candidates who apply through public job boards provide: name, email, phone, and a resume upload. Explicit consent is captured at submission. This data is submitted to the recruiting company's SohamRecruit account.
3.5 Usage Data
We may collect standard server logs including IP addresses, browser type, pages visited, and timestamps for security and operational purposes.
We also run privacy-friendly, cookieless analytics on our own infrastructure to understand site traffic. For each page view we store only the page path, the referring website's domain, and a coarse country — no cookies, no IP address, no device fingerprint, and no personal identifiers. This data cannot identify you, is never shared with third parties, and is used solely to measure how people find and use our public pages.
4. How We Use Your Information
Purpose limitation.
We use personal data only for the purposes listed below. We do not repurpose candidate data for marketing, advertising, model training, or any use outside the recruitment workflow. We do not sell your personal data.
- To provide and operate the SohamRecruit platform
- To enable recruiters to manage candidates, jobs, clients, and interviews
- To send transactional emails (interview invites, follow-up reminders) on behalf of recruiters
- To parse resumes and run AI-assisted matching via Google Vertex AI (Gemini)
- To store resume files securely in Google Cloud Storage
- To detect and prevent fraud or abuse
- To respond to support requests
5. Data Storage, Security, and Residency
Data residency. Candidate, recruiter, and company data is stored on Google Cloud Platform infrastructure in the us-central1 region (Council Bluffs, Iowa, United States). Database storage is Cloud SQL for PostgreSQL; resume files and other uploads are stored in a private Google Cloud Storage bucket served via short-lived signed URLs (no anonymous access).
Encryption. Sensitive stored values — OAuth refresh tokens, SMTP credentials, WhatsApp Business API access tokens — are encrypted at rest using AES-256-GCM with a dedicated key (held in Google Secret Manager, never rotated except by emergency procedure). All data is transmitted over HTTPS (TLS 1.2 or higher).
Access controls. Multi-tenant isolation is enforced at every API route by filtering on tenant ID extracted from the authenticated session. Cross-tenant data access is blocked at the application layer. Super-administrator actions (including any impersonation for support) are recorded in an immutable audit log readable only by super-administrators.
Backups. Cloud SQL automated backups are retained per Google's standard policies. Point-in-time recovery is available within the backup window.
6. Sub-processors
We share personal data only with the following sub-processors, each contractually bound to use the data solely to provide their service to us:
- Google Cloud Platform — Cloud SQL (PostgreSQL database), Google Cloud Storage (file uploads), Cloud Run (application hosting), Vertex AI (Gemini for resume parsing, candidate-fit scoring, and other AI features), Google Workspace OAuth (Gmail / Drive integration), and Secret Manager (encryption-key custody). Region: us-central1 (Iowa, USA).
- Microsoft (Azure / Microsoft Graph) — Outlook OAuth, only if a recruiter connects their Outlook account.
- Meta (WhatsApp Business Cloud API) — only if a company admin configures WhatsApp candidate intake.
- Razorpay — payment processing for tenants paying in INR (India). Currently the only payment processor; non-India billing is under development.
- Sentry — error and performance monitoring. We forward 5xx errors and stack traces; we do not forward candidate or recruiter personal data deliberately, though error context may incidentally include identifiers (e.g. a tenant ID).
- Email delivery — user-configured (the recruiter's own Gmail / Outlook / SMTP) or a system fallback SMTP provider for transactional emails.
- Google reCAPTCHA — fraud prevention on public sign-up, login, and job application forms. Subject to Google's privacy policy.
We do not share data with any other third parties unless required by law or with your explicit consent. A current sub-processor list is maintained and disclosed; we will notify customers of material changes.
7. Data Retention
Candidate and recruiter data is retained for as long as the company account is active. Companies may delete candidates or their entire account at any time. Deleted records are removed from active storage; cascade deletion includes the resume file in Google Cloud Storage, the parsed resume text, the activity log entries, and all related rows in the database.
Activity-log entries (the audit trail of changes to a candidate record) are automatically deleted 36 months after they are created. Core candidate and job records are not subject to this window — they are retained while the account is active and removed on account deletion or candidate-level deletion.
When a tenant account is purged via the operator-mediated deletion flow, the deletion is recorded permanently in our admin audit log as legal proof — that record contains only counts and metadata, no personal data.
8. International Data Transfers
SohamRecruit is a global service operated from infrastructure in the United States. If you are located outside the United States, your personal data will be transferred to, stored, and processed in the United States. By using the service, you consent to this transfer. For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs) incorporated into our data processing agreements with Google Cloud Platform.
If your jurisdiction requires data residency within a specific region, please contact privacy@sohamrecruit.com before signing up. SohamRecruit does not currently offer alternative regions.
9. Your Privacy Rights
Depending on where you live, you have the rights described below. To exercise any of them, use our privacy request form or email privacy@sohamrecruit.com. We will respond within 30 days.
9.1 GDPR (European Economic Area, United Kingdom, Switzerland)
- Article 15 — Right of access to your personal data
- Article 16 — Right to rectification of inaccurate data
- Article 17 — Right to erasure ("right to be forgotten")
- Article 18 — Right to restriction of processing
- Article 20 — Right to data portability (we provide JSON export)
- Article 21 — Right to object to processing
- Right to lodge a complaint with your supervisory authority
9.2 PDPA (Singapore)
- Access obligation — Request a copy of your personal data and the ways it has been used or disclosed in the last year
- Correction obligation — Request correction of an error or omission in your personal data
- Withdrawal of consent — Withdraw consent previously given; we will stop collecting, using, or disclosing your personal data within a reasonable timeframe
- Notification of breach — We will notify you of a significant data breach affecting your personal data, in line with Section 26D of the PDPA
- Right to complain to the Personal Data Protection Commission (PDPC) of Singapore
9.3 DPDP Act (India)
- Right to access — Receive a summary of your personal data and processing activities
- Right to correction and erasure — Request correction or deletion of your personal data
- Right of grievance redressal — Raise a grievance with our Data Protection Officer
- Right to nominate — Nominate another individual to exercise your rights on your behalf in the event of death or incapacity
- Right to complain to the Data Protection Board of India
9.4 CCPA / CPRA (California)
- Right to know what personal information is collected, used, and shared
- Right to delete personal information held by us
- Right to correct inaccurate personal information
- Right to opt out of sale or sharing of personal information (we do not sell or share for cross-context behavioral advertising)
- Right to limit use and disclosure of sensitive personal information
- Right to non-discrimination for exercising your rights
9.5 How We Verify Requests
To protect you, we verify the identity of the requester before disclosing or deleting data. For candidates whose data is held by a recruitment company using SohamRecruit, we may need to coordinate with that recruitment company to fulfill your request, as they are the data controller for your candidate record.
10. Breach Notification
If we detect a personal data breach that meets the notification threshold under applicable law, we will:
- Notify the affected tenants (recruitment companies) without undue delay, and in any event within 72 hours of becoming aware of the breach (GDPR Article 33 / DPDP Section 8(6) standard).
- Notify the relevant supervisory authorities — the European Data Protection Board for GDPR breaches, the Personal Data Protection Commission for PDPA breaches, the Data Protection Board of India for DPDP breaches, and the California Attorney General for CCPA breaches — within the timeframe required by the applicable law.
- Notify affected individuals where required and where the breach is likely to result in a high risk to their rights and freedoms.
- Maintain a public post-incident write-up summarising the cause, scope, and remediation, where the incident affected production users.
Our internal breach response process is documented in our operational runbook; affected customers will receive the relevant excerpts as part of the incident notification.
11. Cookies
SohamRecruit sets a small number of cookies, all of which are strictly necessary for the service to function. We do not use advertising, analytics, or tracking cookies.
token(httpOnly) — your authentication session. Cleared when you sign out.original_token(httpOnly) — only set when a super-administrator is impersonating a tenant for support; cleared when they stop impersonating.- Google reCAPTCHA cookies (
_GRECAPTCHAand others) are set by Google on our sign-in, sign-up, and public job-application pages to prevent automated abuse. We don't read these — Google does. - A browser
localStorageentry (cookieConsent.v1) to remember you dismissed our cookie notice.
You can clear cookies at any time from your browser's settings. Clearing the auth cookie will sign you out; clearing the cookieConsent.v1 entry will re-show our cookie notice on next visit.
12. Children's Privacy
SohamRecruit is not directed at individuals under the age of 16. We do not knowingly collect personal data from minors.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top. For material changes — for example, adding a new sub-processor or changing data residency — we will notify customers by email before the change takes effect. Continued use of SohamRecruit after changes constitutes acceptance of the updated policy.
14. Contact Us
For any privacy-related questions or to exercise your rights, contact our Data Protection Officer:
Email: privacy@sohamrecruit.com
Privacy request form: /privacy/sar
Website: sohamrecruit.com