Privacy Policy

This Privacy Policy explains how Pathnomic Labs FZ-LLC ("Jobnest," "we," "us"), located in Ras Al Khaimah Free Zone, United Arab Emirates (NIN/registration: Ras Al Khaimah Free Zone company record), collects, uses, shares, and protects personal data when you use the Jobnest platform.

It applies to employers, company team members, candidates, invite-based users, and visitors.

1. Information We Collect

We collect information necessary to operate a secure, lawful, and auditable hiring platform.

1.1 Employer and Team Member Data

When companies and team users register or use the platform, we may collect:

• Account identifiers: Name, email, phone, authentication data, role, and company affiliation.
• Company and job data: Company profile details, job posts, interview settings, screening criteria, and invitation lists.
• Operational data: Workspace actions, exports, audit events, and support communications.
• Billing metadata: Subscription plan, invoice references, and payment status (full card data is processed by payment providers).
• Security telemetry: Login events, IP data, device/browser context, and anti-abuse signals.

1.2 Candidate and Invite User Data

When candidates apply or complete interviews, we may collect:

• Identity and contact data: Name, email, phone number, and locale preferences.
• Profile and application data: Education, employment history, skills, languages, and work preferences provided by the user.
• Interview data: Audio/video recordings, transcripts, extracted answers, timing events, and attempt metadata.
• Assessment outputs: Interview summaries, competency indicators, confidence signals, and disqualifier outcomes.
• Device and session diagnostics: Device check status, network quality indicators, and technical logs needed to run interviews.

1.3 Automatically Collected Data

• Device and browser information, operating system, app version, and language settings.
• Log data such as timestamped requests, route usage, referral URLs, and error diagnostics.
• Cookie, token, and local storage data used for authentication, security, and session continuity.
• Fraud and abuse signals used to detect unauthorized automation or suspicious behavior.

2. How We Use Personal Data

2.1 Service Delivery

• Create and manage accounts and company workspaces.
• Run interview sessions and application workflows.
• Generate transcripts, summaries, and recruiter-facing outputs.
• Enable invitation, onboarding, and account-linking flows.
• Provide support, service reliability, and product operations.

2.2 Communications

• Send verification links, OTP codes, and essential account notices.
• Send interview invitations, reminders, and status updates.
• Respond to support requests and legal/privacy inquiries.
• Send service change notifications and security advisories.

2.3 Security, Abuse Prevention, and Compliance

• Enforce Terms, role permissions, and usage limits.
• Detect, prevent, and investigate fraud or security incidents.
• Maintain auditable records for lawful access and accountability.
• Comply with legal obligations and respond to lawful requests.

2.4 AI Processing

We use AI services to support interviews, extraction, and summarization.

• Generate interview questions and follow-up prompts.
• Convert and summarize interview responses.
• Produce structured outputs for recruiter review.
• Improve service quality, safety, and operational reliability.

Important: We do not sell interview data. Where supported by providers and configuration, we use no-training/no-retention controls for AI processing. You remain responsible for lawful use and required human review.

3. Security Architecture and Data Segmentation

We use layered controls to reduce confidentiality, integrity, and availability risks.

3.1 Data Classification Levels

3.2 Encryption and Key Controls

• In transit: TLS-protected network communications between clients, APIs, and service providers.
• At rest: Encryption on storage systems and provider-managed encryption controls.
• Access keys: Credential management and rotation practices to reduce key exposure risk.

3.3 Time-Limited Media Access

Sensitive interview media is served through signed URLs with strict access checks.

• URLs are short-lived and expire automatically.
• Generation requires an authenticated, authorized user context.
• Access requests are recorded in audit and system logs.
• Expired URLs cannot be reused for continued access.

4. Authentication and Access Governance

4.1 Authentication Safeguards

We implement security controls appropriate to account risk, and may require stronger controls for privileged or high-risk accounts.

• Session controls and token validation.
• Two-factor authentication options for supported account types.
• Rate limits, captcha, and anti-abuse checks on sensitive endpoints.

4.2 Role-Based Access Control

Data access is restricted based on account role and company scope.

• Company roles determine permitted actions in dashboards and APIs.
• Cross-company data isolation is enforced at application and query boundaries.
• Access to sensitive operations is limited to authorized roles and logged.

4.3 Least Privilege and Need-to-Know

We follow least-privilege principles so users and systems only receive access needed for their legitimate function.

5. Audit Logging and Accountability

We maintain logs to support security monitoring, compliance review, and incident response.

5.1 Events We Log

• AUTH_EVENT: Sign-in, token verification, and authentication failures.
• DATA_ACCESS: Access to protected records, media, or transcript artifacts.
• ROLE_CHANGE: Permission and role updates in company workspaces.
• EXPORT_EVENT: Download or export actions involving personal data.
• SECURITY_EVENT: Abuse detection, throttling triggers, and suspicious activity markers.
• AI_PROCESS_EVENT: Calls used for AI interview and extraction workflows.

5.2 Access to Audit Data

Authorized company users and internal security personnel may access relevant logs for legitimate purposes such as security review, legal compliance, and incident investigation.

• Actor identity or system source.
• Action type and affected resource.
• Timestamp and technical context.
• Supporting event details necessary for investigation.

5.3 Integrity Measures

Logs are stored with controls intended to reduce unauthorized alteration and to preserve traceability for post-incident review.

6. Data Sharing and Processors

We share personal data only where necessary to provide the Services, meet legal obligations, or protect rights and safety.

6.1 AI and Speech Providers

AI subprocessors: We may use providers such as OpenAI and speech services for interview processing and summarization.

• We apply contractual safeguards and security review processes.
• Where available and configured, no-training/no-retention controls are used.
• Only required data is transmitted for the requested operation.

6.2 Payment Providers

Payments: Payment transactions are handled by processors such as Stripe. We do not store full payment card numbers in Jobnest systems.

6.3 Communications and Messaging

Messaging providers: We may use email/SMS vendors (for example Twilio and transactional email providers) for invitations, OTPs, and service notifications.

6.4 Hosting and Infrastructure

Infrastructure providers: We use cloud infrastructure, databases, and storage providers (including private object storage) to host and secure platform data.

6.5 Legal, Corporate, and Safety Disclosures

We may disclose data when required by law, court order, or to protect users, the public, and the platform.

We may also transfer data in a merger, acquisition, reorganization, or asset sale, subject to applicable confidentiality and legal requirements.

6.6 No Sale or Advertising Share

We do not sell personal data, and we do not share personal data for cross-context behavioral advertising.

7. Your Privacy Rights

7.1 EEA/UK and Similar Rights

Depending on your location and applicable law, you may have rights such as:

• Access: Obtain confirmation and a copy of your personal data.
• Correction: Request correction of inaccurate or incomplete information.
• Deletion: Request deletion where legal grounds apply.
• Restriction/Object: Ask us to limit or stop certain processing.
• Portability: Request export in a structured format where applicable.
• Complaint: Lodge a complaint with your local supervisory authority.

7.2 U.S. State Privacy Rights

Residents of certain U.S. states may have rights to know, access, delete, and correct personal data, and to appeal denied requests, subject to statutory exceptions.

7.3 Exercising Rights

To submit a verified privacy request, contact [email protected]. We may request information needed to verify your identity and authority before processing requests.

8. Data Retention and Deletion

8.1 Retention Principles

• We retain personal data only as long as needed for service delivery, legitimate business purposes, and legal obligations.
• Account and workspace records are typically retained while accounts remain active and for a limited period afterward.
• Interview media and transcripts may be retained until deleted by the relevant company workspace owner, unless legal obligations require longer retention.
• Security, audit, and billing records may be retained for compliance, fraud prevention, and dispute resolution periods.

8.2 Deletion Requests

On valid request and where no legal exception applies, we will delete or anonymize personal data within a reasonable period.

• Some records may be preserved when required by law, contract, or legitimate legal defense.
• Backups are rotated and may persist temporarily before secure overwrite/deletion.
• If data is controlled by an employer workspace, candidates may also need to contact that employer directly.

9. International Data Transfers

Jobnest may process data in multiple countries where we or our subprocessors operate.

When legally required, we implement transfer safeguards (such as contractual protections) to protect personal data transferred across borders.

• Vendor due diligence and contractual data protection commitments.
• Transfer mechanisms required by applicable privacy laws.
• Technical and organizational controls tailored to transfer risk.

10. Cookies and Similar Technologies

We use cookies, local storage, and similar tools for authentication, security, session management, language preferences, and product analytics.

• Essential technologies required for sign-in and secure platform operation.
• Preference technologies used to remember language and user settings.
• Operational analytics used to improve reliability and user experience.

You can control cookies through browser settings, but disabling required cookies may limit platform functionality.

11. Children's Data

The Services are not directed to children under the age required to consent in their jurisdiction. If you believe a child submitted personal data without authorization, contact us so we can take appropriate action.

12. Security Incident Response

We maintain incident response procedures designed to detect, contain, investigate, and remediate security incidents.

• Triage and containment of suspected incidents.
• Forensic analysis and remediation planning.
• Notification to affected parties and regulators where required by law.
• Post-incident controls improvement and documentation.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect legal, technical, or operational changes.

• We will update the "Last updated" date when changes are published.
• For material changes, we may provide additional notice through email or in-product messaging.
• Continued use of the Services after the effective date means the updated policy applies.

If you do not agree with the updated policy, you should stop using the Services and contact us regarding data handling options.

14. Contact and Data Protection Requests

For privacy inquiries, rights requests, or legal notices, contact:

15. Electronic Signatures and Signed Records

Jobnest provides an electronic-signature service that lets companies prepare documents, invite signers, and apply a cryptographic seal. Electronic records and signatures created through this service are governed by the U.S. Electronic Signatures in Global and National Commerce Act (ESIGN) and the Uniform Electronic Transactions Act (UETA). For business-to-business use in the United Arab Emirates, they are governed by UAE Federal Decree-Law No. 46 of 2021 on Electronic Transactions and Trust Services (advanced electronic signature tier). Where a signer is located in Türkiye, KVKK continues to apply to their personal data.

15.1 Information processed when you sign

To make a signed document legally reliable, we record evidence of who signed, that they intended to sign, and that they agreed to transact electronically. When you open and sign a document we may process:

• Your name and the email address and/or phone number the sending company used to invite you.
• One-time verification codes used to confirm your identity, and the times they were requested and verified.
• Your typed (adopted) signature and initials, rendered to an image — we do not collect handwritten or biometric signatures.
• Your affirmative consent to use electronic records and signatures, the exact disclosure text shown to you, and the time you accepted it.
• Technical metadata captured for the tamper-evident audit trail: IP address, browser/user-agent, and server timestamps for each step (invited, opened, consented, signed).

15.2 Retention of completed signed records

A completed, sealed document is a legal record. To preserve its evidentiary value, we retain the sealed PDF, its certificate of completion, and its audit trail, and we mirror them to a separate, write-once (WORM / object-lock) archive that cannot be altered or deleted.

• We keep these records on the lawful basis of business recordkeeping and the establishment, exercise, or defense of legal claims — a signed agreement must remain provable for as long as it could be relied upon.
• A company may "delete" a document from its workspace; this removes it from the workspace views (a soft delete) but does not purge the sealed record from the immutable archive.
• Non-completed envelopes (drafts, declined, expired, or voided) are not archived this way and may be removed.
• Signers receive a copy of the completed document by email and may download it. A public verification page lets anyone holding the document's verification link confirm its status, signatory display names, and signed dates without exposing email, phone, IP, or other personal contact details.

15.3 Some documents may require a handwritten signature

Electronic signatures are valid for the great majority of commercial and HR documents, but the law reserves certain categories for handwritten ("wet ink") execution. Jobnest shows a non-binding advisory in the product and never blocks you from sending a document; you should confirm requirements with your own counsel. Categories that commonly require wet ink include:

• United States (ESIGN §103): wills, codicils, and testamentary trusts; matters governed by family law such as adoption and divorce; most court orders and official court documents; and certain statutory notices (for example, utility cut-off, default, eviction or foreclosure, and health- or life-insurance cancellation notices).
• United Arab Emirates / DIFC / ADGM: powers of attorney, wills, and the sale or long-term lease (over ten years) of real property, among other instruments reserved by law.
• Türkiye: instruments that the applicable law requires to be executed before a notary or in a prescribed form.

This list is provided for general guidance only, is not legal advice, and does not prevent you from sending any document electronically.