Privacy Policy

Last updated: January 2026

DPDP Act, 2023 Compliance

This policy is drafted in compliance with the Digital Personal Data Protection (DPDP) Act, 2023 and the Information Technology Act, 2000.

2. Privacy Policy

2.1 Data Collection & Categories

QualScore collects the following categories of data:

  • Personal Data: Name, Email, Phone, Date of Birth (DOB), Gender, Employment History
  • Sensitive Personal Data:
    • Biometric data (facial recognition for proctoring)
    • Financial information (for payments)
    • Health data (if voluntarily disclosed for accommodations)
    • Background Verification results
  • Behavioral Data:
    • Audio/Video recordings of interviews
    • Keystroke patterns during coding tests
    • Psychometric responses

2.2 Purpose of Processing & Legal Basis

We process data based on Consent and Legitimate Uses defined under Section 4 of the DPDP Act, 2023, specifically for:

  • Conducting skill and behavioral evaluations
  • Identity verification and fraud prevention (Proctoring)
  • Generating employment suitability reports for Employers
  • Training AI models (using anonymized, non-PII data only)

2.3 Data Sharing & Disclosure

Data may be shared with:

Employers (Multiple Subscribers)

Candidate reports and profile data may be shared with multiple employer subscribers to QualScore's platform for commercial purposes. Candidates grant explicit consent for such multi-employer sharing, including for candidate discovery and unsolicited interview opportunities. Anonymized profiles may be shown to employers, with full contact details shared upon mutual interest or application.

Third-Party BGV Vendors

Personal information (including name, contact details, identification documents, educational credentials, employment history) is shared with independent Background Verification vendors and related parties (previous employers, educational institutions, reference contacts, court databases, credit information companies) to conduct verification checks. Candidates explicitly consent to this third-party data sharing. QualScore is not liable for data security practices or actions of these independent third-party vendors.

Cloud & Infrastructure Providers

  • Cloud hosts (AWS/Azure/GCP within India)
  • CDN providers
  • Payment Gateways for service delivery purposes

Legal Authorities

When required by a court order or government agency under relevant statutes.

DATA SALE PROHIBITION:

QualScore does NOT sell, rent, or trade personal data to marketing agencies or third-party data brokers.

2.4 Data Retention & Erasure

  • Evaluation Data: Retained for 24 months to facilitate re-hiring or audit, then anonymized.
  • BGV Data: Retained as per statutory limitation periods (typically 3-5 years).
  • Deletion Rights: Users may request data deletion via support@qualscore.co. Deletion is subject to data necessary for legal compliance or defense of claims.

2.5 Candidate Right to Withdraw Consent

Candidates retain the right to withdraw consent for data processing at any time by notifying QualScore in writing to support@qualscore.co. However, Candidates acknowledge that:

CONSEQUENCES OF WITHDRAWAL:

  • Process Termination: Withdrawal of consent will result in immediate cessation of the evaluation process, and no reports or scores will be generated.
  • No Refunds: Withdrawal after service initiation does not entitle the Candidate to any refund of fees paid.
  • Data Retention Exceptions: QualScore may retain minimal data necessary for:
    • Compliance with legal obligations (e.g., GST records, audit trails)
    • Defense of legal claims or disputes
    • Fraud prevention and security purposes
    Such retained data will be the minimum necessary and stored securely.
  • Employer Notification: If the Candidate has already applied to Employers, QualScore may notify them that the candidate has withdrawn consent, but will not share further evaluation data.

2.6 Data Breach Notification & Response

In compliance with the DPDP Act, 2023 and global data protection standards, QualScore has implemented a comprehensive data breach response protocol.

A. Data Breach Definition

A "Data Breach" includes unauthorized access, acquisition, use, disclosure, modification, or destruction of personal data that compromises the security, confidentiality, or integrity of such data.

B. Notification Timeline

DPDP ACT COMPLIANCE - 72 HOUR NOTIFICATION:

In the event of a data breach affecting personal data, QualScore will:

  • Report to Data Protection Board: Notify the Data Protection Board of India within 72 hours of becoming aware of the breach (as required by DPDP Act, 2023)
  • Notify Affected Users: If the breach poses a high risk to user rights, affected individuals will be notified via email within 72 hours of discovery
  • Public Disclosure: For large-scale breaches affecting 10,000+ users, a public notice will be posted on the Platform homepage

C. Breach Notification Contents

User notifications will include:

  • Nature and scope of the breach (what data was compromised)
  • Approximate date and time of the breach
  • Types of personal data affected (e.g., names, emails, assessment data)
  • Potential consequences and risks to users
  • Measures taken by QualScore to contain and mitigate the breach
  • Recommended actions for users (e.g., password change, credit monitoring)
  • Contact details for further inquiries: support@qualscore.co

D. Breach Response Measures

Upon detecting a breach, QualScore will:

  • Immediately isolate affected systems to prevent further unauthorized access
  • Conduct forensic investigation to determine scope, cause, and entry point
  • Reset credentials and access tokens for affected accounts
  • Implement additional security controls to prevent recurrence
  • Engage external cybersecurity experts if necessary
  • Cooperate with law enforcement if criminal activity is suspected

E. Limitation of Liability for Breaches

BREACH LIABILITY LIMITATION:

While QualScore employs industry-standard security measures, no system is 100% secure. In the event of a data breach:

  • Maximum Liability: QualScore's total liability for any breach-related claims shall not exceed the fees paid by the affected user in the 12 months preceding the breach, or ₹10,000, whichever is lower
  • Excluded Damages: QualScore is NOT liable for indirect, consequential, emotional distress, or punitive damages resulting from a breach
  • Third-Party Breaches: QualScore is NOT liable for breaches occurring at third-party vendors (BGV agencies, payment gateways, cloud providers), though we will assist in coordination
  • User Negligence: No liability if breach results from user's own actions (e.g., sharing passwords, clicking phishing links, using public Wi-Fi without VPN)

F. User Responsibilities Post-Breach

Upon receiving a breach notification, users should:

  • Immediately change their QualScore password and any other accounts using the same password
  • Enable Two-Factor Authentication (2FA) if not already enabled
  • Monitor bank statements and credit reports for suspicious activity
  • Be vigilant against phishing attempts claiming to be from QualScore
  • Report any suspicious activity to support@qualscore.co

Data Protection Rights

Under the DPDP Act, 2023, you have the following rights:

  • Right to access your personal data
  • Right to correct inaccurate data
  • Right to erasure (subject to legal retention requirements)
  • Right to withdraw consent
  • Right to data portability
  • Right to nominate (designate someone to exercise rights on your behalf)

To exercise these rights, contact us at:

support@qualscore.co