Privacy Policy

This Privacy Policy explains how Pathnomic Labs FZ-LLC ("Jobnest," "we," "us"), located in Ras Al Khaimah Free Zone, United Arab Emirates (NIN/registration: Ras Al Khaimah Free Zone company record), collects, uses, shares, and protects personal data when you use the Jobnest platform.

It applies to employers, company team members, candidates, invite-based users, and visitors.

1. Information We Collect

We collect information necessary to operate a secure, lawful, and auditable hiring platform.

1.1 Employer and Team Member Data

When companies and team users register or use the platform, we may collect:

• Account identifiers: Name, email, phone, authentication data, role, and company affiliation.
• Company and job data: Company profile details, job posts, interview settings, screening criteria, and invitation lists.
• Operational data: Workspace actions, exports, audit events, and support communications.
• Billing metadata: Subscription plan, invoice references, and payment status (full card data is processed by payment providers).
• Security telemetry: Login events, IP data, device/browser context, and anti-abuse signals.

1.2 Candidate and Invite User Data

When candidates apply or complete interviews, we may collect:

• Identity and contact data: Name, email, phone number, and locale preferences.
• Profile and application data: Education, employment history, skills, languages, and work preferences provided by the user.
• Interview data: Audio/video recordings, transcripts, extracted answers, timing events, and attempt metadata.
• Assessment outputs: Interview summaries, competency indicators, confidence signals, and disqualifier outcomes.
• Device and session diagnostics: Device check status, network quality indicators, and technical logs needed to run interviews.

1.3 Automatically Collected Data

• Device and browser information, operating system, app version, and language settings.
• Log data such as timestamped requests, route usage, referral URLs, and error diagnostics.
• Cookie, token, and local storage data used for authentication, security, and session continuity.
• Fraud and abuse signals used to detect unauthorized automation or suspicious behavior.

2. How We Use Personal Data

2.1 Service Delivery

• Create and manage accounts and company workspaces.
• Run interview sessions and application workflows.
• Generate transcripts, summaries, and recruiter-facing outputs.
• Enable invitation, onboarding, and account-linking flows.
• Provide support, service reliability, and product operations.

2.2 Communications

• Send verification links, OTP codes, and essential account notices.
• Send interview invitations, reminders, and status updates.
• Respond to support requests and legal/privacy inquiries.
• Send service change notifications and security advisories.

2.3 Security, Abuse Prevention, and Compliance

• Enforce Terms, role permissions, and usage limits.
• Detect, prevent, and investigate fraud or security incidents.
• Maintain auditable records for lawful access and accountability.
• Comply with legal obligations and respond to lawful requests.

2.4 AI Processing

We use AI services to support interviews, extraction, and summarization.

• Generate interview questions and follow-up prompts.
• Convert and summarize interview responses.
• Produce structured outputs for recruiter review.
• Improve service quality, safety, and operational reliability.

Important: We do not sell interview data. Where supported by providers and configuration, we use no-training/no-retention controls for AI processing. You remain responsible for lawful use and required human review.

3. Security Architecture and Data Segmentation

We use layered controls to reduce confidentiality, integrity, and availability risks.

3.1 Data Classification Levels

3.2 Encryption and Key Controls

• In transit: TLS-protected network communications between clients, APIs, and service providers.
• At rest: Encryption on storage systems and provider-managed encryption controls.
• Access keys: Credential management and rotation practices to reduce key exposure risk.

3.3 Time-Limited Media Access

Sensitive interview media is served through signed URLs with strict access checks.

• URLs are short-lived and expire automatically.
• Generation requires an authenticated, authorized user context.
• Access requests are recorded in audit and system logs.
• Expired URLs cannot be reused for continued access.

4. Authentication and Access Governance

4.1 Authentication Safeguards

We implement security controls appropriate to account risk, and may require stronger controls for privileged or high-risk accounts.

• Session controls and token validation.
• Two-factor authentication options for supported account types.
• Rate limits, captcha, and anti-abuse checks on sensitive endpoints.

4.2 Role-Based Access Control

Data access is restricted based on account role and company scope.

• Company roles determine permitted actions in dashboards and APIs.
• Cross-company data isolation is enforced at application and query boundaries.
• Access to sensitive operations is limited to authorized roles and logged.

4.3 Least Privilege and Need-to-Know

We follow least-privilege principles so users and systems only receive access needed for their legitimate function.

5. Audit Logging and Accountability

We maintain logs to support security monitoring, compliance review, and incident response.

5.1 Events We Log

• AUTH_EVENT: Sign-in, token verification, and authentication failures.
• DATA_ACCESS: Access to protected records, media, or transcript artifacts.
• ROLE_CHANGE: Permission and role updates in company workspaces.
• EXPORT_EVENT: Download or export actions involving personal data.
• SECURITY_EVENT: Abuse detection, throttling triggers, and suspicious activity markers.
• AI_PROCESS_EVENT: Calls used for AI interview and extraction workflows.

5.2 Access to Audit Data

Authorized company users and internal security personnel may access relevant logs for legitimate purposes such as security review, legal compliance, and incident investigation.

• Actor identity or system source.
• Action type and affected resource.
• Timestamp and technical context.
• Supporting event details necessary for investigation.

5.3 Integrity Measures

Logs are stored with controls intended to reduce unauthorized alteration and to preserve traceability for post-incident review.

6. Data Sharing and Processors

We share personal data only where necessary to provide the Services, meet legal obligations, or protect rights and safety.

6.1 AI and Speech Providers

AI subprocessors: We may use providers such as OpenAI and speech services for interview processing and summarization.

• We apply contractual safeguards and security review processes.
• Where available and configured, no-training/no-retention controls are used.
• Only required data is transmitted for the requested operation.

6.2 Payment Providers

Payments: Payment transactions are handled by processors such as Stripe. We do not store full payment card numbers in Jobnest systems.

6.3 Communications and Messaging

Messaging providers: We may use email/SMS vendors (for example Twilio and transactional email providers) for invitations, OTPs, and service notifications.

6.4 Hosting and Infrastructure

Infrastructure providers: We use cloud infrastructure, databases, and storage providers (including private object storage) to host and secure platform data.

6.5 Legal, Corporate, and Safety Disclosures

We may disclose data when required by law, court order, or to protect users, the public, and the platform.

We may also transfer data in a merger, acquisition, reorganization, or asset sale, subject to applicable confidentiality and legal requirements.

6.6 No Sale or Advertising Share

We do not sell personal data, and we do not share personal data for cross-context behavioral advertising.

7. Your Privacy Rights

7.1 EEA/UK and Similar Rights

Depending on your location and applicable law, you may have rights such as:

• Access: Obtain confirmation and a copy of your personal data.
• Correction: Request correction of inaccurate or incomplete information.
• Deletion: Request deletion where legal grounds apply.
• Restriction/Object: Ask us to limit or stop certain processing.
• Portability: Request export in a structured format where applicable.
• Complaint: Lodge a complaint with your local supervisory authority.

7.2 U.S. State Privacy Rights

Residents of certain U.S. states may have rights to know, access, delete, and correct personal data, and to appeal denied requests, subject to statutory exceptions.

7.3 Exercising Rights

To submit a verified privacy request, contact [email protected]. We may request information needed to verify your identity and authority before processing requests.

8. Data Retention and Deletion

8.1 Retention Principles

• We retain personal data only as long as needed for service delivery, legitimate business purposes, and legal obligations.
• Account and workspace records are typically retained while accounts remain active and for a limited period afterward.
• Interview media and transcripts may be retained until deleted by the relevant company workspace owner, unless legal obligations require longer retention.
• Security, audit, and billing records may be retained for compliance, fraud prevention, and dispute resolution periods.

8.2 Deletion Requests

On valid request and where no legal exception applies, we will delete or anonymize personal data within a reasonable period.

• Some records may be preserved when required by law, contract, or legitimate legal defense.
• Backups are rotated and may persist temporarily before secure overwrite/deletion.
• If data is controlled by an employer workspace, candidates may also need to contact that employer directly.

9. International Data Transfers

Jobnest may process data in multiple countries where we or our subprocessors operate.

When legally required, we implement transfer safeguards (such as contractual protections) to protect personal data transferred across borders.

• Vendor due diligence and contractual data protection commitments.
• Transfer mechanisms required by applicable privacy laws.
• Technical and organizational controls tailored to transfer risk.

10. Cookies and Similar Technologies

We use cookies, local storage, and similar tools for authentication, security, session management, language preferences, and product analytics.

• Essential technologies required for sign-in and secure platform operation.
• Preference technologies used to remember language and user settings.
• Operational analytics used to improve reliability and user experience.

You can control cookies through browser settings, but disabling required cookies may limit platform functionality.

11. Children's Data

The Services are not directed to children under the age required to consent in their jurisdiction. If you believe a child submitted personal data without authorization, contact us so we can take appropriate action.

12. Security Incident Response

We maintain incident response procedures designed to detect, contain, investigate, and remediate security incidents.

• Triage and containment of suspected incidents.
• Forensic analysis and remediation planning.
• Notification to affected parties and regulators where required by law.
• Post-incident controls improvement and documentation.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect legal, technical, or operational changes.

• We will update the "Last updated" date when changes are published.
• For material changes, we may provide additional notice through email or in-product messaging.
• Continued use of the Services after the effective date means the updated policy applies.

If you do not agree with the updated policy, you should stop using the Services and contact us regarding data handling options.

14. Contact and Data Protection Requests

For privacy inquiries, rights requests, or legal notices, contact: