
GDPR

How HireRank approaches the General Data Protection Regulation.

Last updated — March 2026

What is GDPR?

The General Data Protection Regulation (GDPR) is a data privacy law enacted by the European Union, in effect since May 25, 2018. It is considered one of the world's most comprehensive data protection frameworks.

GDPR protects the following rights for individuals located in the EU and EEA, whatever their nationality:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure (“right to be forgotten”)
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Rights in relation to automated decision-making and profiling

Does GDPR apply to HireRank?

Yes. HireRank is a developer portfolio and talent platform open to users from the EU. I (Shivam Singh) built and run it as an individual developer based in India. GDPR still applies under Article 3(2) (territorial scope): a controller established outside the EU is covered when it offers services to people in the EU or monitors their behaviour, regardless of where the controller itself sits.

There is no legal entity, no company structure. It is just me, and I take this seriously because I think it matters — not because a legal team told me to.

Where is HireRank data stored?

All personal data is stored within the European Union:

  • Database: Neon PostgreSQL, eu-central-1 (Frankfurt, Germany)
  • File storage: Cloudflare R2, EU jurisdiction (profile images, CV PDFs)
  • Caching: Upstash Redis, EU region

For users outside the EU, your data is still stored in the EU — HireRank operates a single-region architecture for simplicity and compliance.

AI Processing and GDPR

HireRank uses AI for two features: Magic Import and ATS Optimization. Both are strictly opt-in. You will be asked for explicit, informed consent before either feature runs — there is no pre-ticked box, no buried agreement in terms of service. You can also withdraw consent at any time from Account Settings → Privacy & AI.

AI text processing currently uses Google Gemini. An EU-hosted alternative (Mistral AI) may be activated as a fallback if the primary provider experiences disruption. Neither provider uses data sent through its API for model training.

How HireRank honors GDPR obligations

As the data controller, I have implemented:

Explicit, informed consent before AI processing

No pre-ticked checkboxes anywhere. The consent modal names the AI provider, explains what data is sent, and confirms no model training occurs. Consent can be withdrawn at any time.

Age verification gate (18+) before onboarding

GDPR Art. 8 sets the age of digital consent at 16 (member states may lower it to 13); India's DPDP Act Section 9 treats anyone under 18 as a child and requires verifiable parental consent for them. HireRank applies the stricter threshold of 18 to everyone. This is a hard block during onboarding: not a warning, not a soft prompt. The checkbox is not pre-ticked.

Hard delete on account deletion

When you delete your account, your data is gone — not archived, not marked inactive, not sitting in a backup queue. The database cascade removes portfolios, sessions, uploaded files (purged from R2 storage), and all associated records. The only exceptions are an anonymized audit log entry (your ID is hashed, not readable) and a 30-day abuse prevention record (hashed email only, no other data).

Cryptographic anonymization of audit logs on deletion

The consent audit log survives account deletion for legal compliance reasons — but the moment your account is deleted, your user ID in that log is replaced with a one-way SHA-256 hash. I cannot reverse it. The record becomes an anonymous timestamp.
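The deletion path described in the two sections above (cascade delete, files purged, consent log kept with a hashed ID, 30-day hashed-email abuse record), as an added example that is not HireRank's code. It uses SQLite in memory in place of Postgres (ON DELETE CASCADE behaves the same way) and a plain list in place of R2; table names, column names and the secret are assumptions. One caveat a practitioner would want: a plain SHA-256 of a small integer user ID can be recomputed by anyone holding a copy of the table, because the ID space is tiny. The example therefore keys the hash with a secret kept outside the database, the same idea the page describes for IP addresses; the server can still re-link the row while it holds the secret, so strictly this is pseudonymization until the secret is destroyed.

```python
"""Hard delete with a database cascade, keeping only a pseudonymized consent
audit row and a hashed-email abuse record. Added example, not HireRank's code."""
import hashlib
import hmac
import secrets
import sqlite3
from typing import Dict, List

# Hypothetical server-side secret; in production it lives in a secret manager,
# never in the database, so a dumped table cannot be re-linked to user IDs.
PSEUDONYM_SECRET = secrets.token_bytes(32)

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL);
CREATE TABLE portfolios (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    cv_object_key TEXT);
CREATE TABLE sessions (
    token TEXT PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE);
-- Deliberately no foreign key: this table must outlive the user row, and a
-- FK would either block the delete or cascade the rows away.
CREATE TABLE consent_audit (
    id INTEGER PRIMARY KEY,
    subject TEXT NOT NULL,   -- user id while the account exists, pseudonym after
    event TEXT NOT NULL,
    consent_version INTEGER NOT NULL,
    at TEXT NOT NULL);
CREATE TABLE abuse_records (email_hash TEXT PRIMARY KEY, expires_at TEXT NOT NULL);
"""


def pseudonym(value: str, purpose: str) -> str:
    """HMAC-SHA256 of value, domain-separated by purpose so the audit pseudonym
    and the abuse-record hash of the same person cannot be joined."""
    msg = purpose.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(PSEUDONYM_SECRET, msg, hashlib.sha256).hexdigest()


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FK actions otherwise
    db.executescript(SCHEMA)
    return db


def seed(db: sqlite3.Connection) -> List[str]:
    """Constructed sample data: two users with portfolios, sessions and consent
    events. Returns the simulated object-storage contents."""
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(42, "Ada@Example.org"), (43, "bob@example.org")])
    db.executemany("INSERT INTO portfolios VALUES (?, ?, ?)",
                   [(1, 42, "cv/42-main.pdf"), (2, 42, "cv/42-alt.pdf"), (3, 43, "cv/43.pdf")])
    db.executemany("INSERT INTO sessions VALUES (?, ?)",
                   [("s-42-a", 42), ("s-42-b", 42), ("s-43", 43)])
    db.executemany(
        "INSERT INTO consent_audit (subject, event, consent_version, at) VALUES (?, ?, ?, ?)",
        [("42", "ai_consent_granted", 3, "2026-03-01T10:00:00Z"),
         ("42", "ai_consent_withdrawn", 3, "2026-03-05T09:30:00Z"),
         ("43", "ai_consent_granted", 3, "2026-03-02T12:00:00Z")])
    return ["cv/42-main.pdf", "cv/42-alt.pdf", "cv/43.pdf"]


def delete_account(db: sqlite3.Connection, user_id: int, storage: List[str]) -> Dict[str, int]:
    row = db.execute("SELECT email FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None:
        raise LookupError(f"no such user {user_id}")
    keys = [k for (k,) in db.execute(
        "SELECT cv_object_key FROM portfolios WHERE user_id = ? AND cv_object_key IS NOT NULL",
        (user_id,))]
    # Purge files first: if this fails, the rows (and their keys) still exist
    # and the deletion can be retried instead of leaving orphaned objects.
    for key in keys:
        storage.remove(key)
    with db:  # one transaction: pseudonymize, record abuse hash, cascade-delete
        cur = db.execute("UPDATE consent_audit SET subject = ? WHERE subject = ?",
                         (pseudonym(str(user_id), "audit-subject"), str(user_id)))
        db.execute("INSERT OR REPLACE INTO abuse_records VALUES (?, datetime('now', '+30 days'))",
                   (pseudonym(row[0].strip().lower(), "abuse-email"),))
        db.execute("DELETE FROM users WHERE id = ?", (user_id,))
    return {"purged_objects": len(keys), "audit_rows_pseudonymized": cur.rowcount}


def remaining(db: sqlite3.Connection, user_id: int) -> Dict[str, int]:
    """What is still tied to a readable user id after deletion, for verification."""
    def q(sql: str, *args) -> int:
        return db.execute(sql, args).fetchone()[0]
    return {
        "users": q("SELECT count(*) FROM users WHERE id = ?", user_id),
        "portfolios": q("SELECT count(*) FROM portfolios WHERE user_id = ?", user_id),
        "sessions": q("SELECT count(*) FROM sessions WHERE user_id = ?", user_id),
        "audit_readable": q("SELECT count(*) FROM consent_audit WHERE subject = ?", str(user_id)),
        "audit_total": q("SELECT count(*) FROM consent_audit"),
        "abuse_records": q("SELECT count(*) FROM abuse_records"),
    }
```

Two design points worth noting: the consent table has no foreign key to `users`, because a FK would either refuse the delete or cascade the rows away, and the object purge runs before the database transaction so that a storage failure leaves the keys in place for a retry rather than orphaning files nobody can find.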

Cookieless analytics

No cookie banner is needed because there are genuinely no tracking cookies. Product analytics use PostHog EU Cloud (Frankfurt) in cookieless mode: no cookies, no localStorage, no persistent identifier stored on your device. For authenticated users, usage events are linked to an internal account identifier (not your email or name) for product improvement; those events are pseudonymous rather than anonymous, since the identifier can be tied back to the account on the server.

Private file access via signed URLs

Uploaded CV PDFs are never publicly accessible. Every access goes through a server-generated link that expires in one hour and is bound to your authenticated session, so a copied link does not work for anyone else.
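Signing and checking such a link, as an added example that is not HireRank's code. It assumes an HMAC-SHA256 signing key held on the server, an object key such as `cv/7f3a.pdf`, and a URL shape of `/files/<key>?exp=<unix-seconds>&sig=<hex>`; the session identifier is taken from the caller's authenticated request, never from the URL. Object storage is not contacted; only the signing and verification logic is shown.

```python
"""Expiring, session-bound links for private files. Added example, not
HireRank's code; key, URL layout and object keys are assumptions."""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

SIGNING_KEY = secrets.token_bytes(32)  # hypothetical; from a secret manager in production
LINK_TTL_SECONDS = 3600                # one hour


def _signature(file_key: str, session_id: str, expires: int) -> str:
    # Newline-delimited canonical message: every field is covered, and the
    # delimiter stops "ab"+"c" from colliding with "a"+"bc".
    msg = f"{file_key}\n{session_id}\n{expires}".encode("utf-8")
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_file_url(file_key: str, session_id: str, now: Optional[int] = None) -> str:
    """Server-side: mint a link for the file that only this session can use."""
    now = int(time.time()) if now is None else now
    expires = now + LINK_TTL_SECONDS
    query = urlencode({"exp": expires, "sig": _signature(file_key, session_id, expires)})
    return f"/files/{quote(file_key, safe='/')}?{query}"


def verify_file_url(url: str, session_id: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Server-side, on request: returns (True, file_key) or (False, reason).
    session_id comes from the authenticated request, so a leaked link is
    useless to anyone who does not also hold that session."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    if not parts.path.startswith("/files/"):
        return False, "not-a-file-url"
    file_key = unquote(parts.path[len("/files/"):])
    params = parse_qs(parts.query)
    try:
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False, "malformed"
    # Authenticate first, then trust the expiry: an edited exp or key fails here.
    expected = _signature(file_key, session_id, expires)
    if not hmac.compare_digest(expected.encode("ascii"), sig.encode("utf-8")):
        return False, "bad-signature"
    if now > expires:
        return False, "expired"
    return True, file_key


if __name__ == "__main__":
    link = sign_file_url("cv/7f3a.pdf", "sess-A")
    print(link)
    print(verify_file_url(link, "sess-A"))   # (True, 'cv/7f3a.pdf')
    print(verify_file_url(link, "sess-B"))   # (False, 'bad-signature')
```

Keeping the session out of the URL is the point: the signature is over the session ID, so the server recomputes it from the cookie it already trusts, and a link pasted into another browser fails verification instead of leaking the file.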

IP address hashing

Raw IP addresses are never written to the database. Any value derived from an IP address is a SHA-256 hash computed with a server-side secret mixed in first, so the digest cannot be recomputed by anyone who does not hold that secret.
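Why the secret matters, as an added example that is not HireRank's code: the whole IPv4 space is only 2^32 values, so an unkeyed SHA-256 of an address is recoverable from a dumped table by hashing every guess, while a keyed hash is not recoverable without the secret. The example assumes HMAC-SHA256 with a secret kept outside the database, hex output, and the constructed sample addresses shown; it also shows that the server itself can still re-link a pseudonym, which is what makes it usable for abuse throttling.

```python
"""Keyed IP hashing and an enumeration attack on the unkeyed form.
Added example, not HireRank's code; secret and addresses are constructed."""
import hashlib
import hmac
import ipaddress
import secrets
from typing import Callable, Dict, Iterable, List, Optional

IP_SECRET = secrets.token_bytes(32)  # hypothetical; from a secret manager in production


def normalize_ip(ip: str) -> str:
    """Canonical text form so "2001:DB8::1" and "2001:db8:0:0::1" hash alike;
    raises ValueError on garbage instead of hashing it."""
    return str(ipaddress.ip_address(ip.strip()))


def hash_ip(ip: str, secret: bytes = IP_SECRET) -> str:
    """HMAC-SHA256 over the normalised address with a server-side secret."""
    return hmac.new(secret, b"ip\x00" + normalize_ip(ip).encode("ascii"), hashlib.sha256).hexdigest()


def unkeyed_hash_ip(ip: str) -> str:
    """Plain SHA-256, shown only to demonstrate why it is not enough."""
    return hashlib.sha256(normalize_ip(ip).encode("ascii")).hexdigest()


def candidate_ips(cidr: str) -> List[str]:
    """Every host address in a prefix, as an attacker's guess list."""
    return [str(h) for h in ipaddress.ip_network(cidr).hosts()]


def recover_ip(digest: str, candidates: Iterable[str],
               hasher: Callable[[str], str]) -> Optional[str]:
    """What someone holding a dumped table does: hash each guess and compare.
    Scaled to all of IPv4 this is minutes of work against plain SHA-256."""
    for guess in candidates:
        if hmac.compare_digest(hasher(guess), digest):
            return guess
    return None


def count_hit(counts: Dict[str, int], ip: str, limit: int) -> bool:
    """Abuse throttling keyed by the pseudonym only; the raw address is never stored.
    Returns False once the address exceeds `limit` hits."""
    key = hash_ip(ip)
    counts[key] = counts.get(key, 0) + 1
    return counts[key] <= limit


if __name__ == "__main__":
    guesses = candidate_ips("203.0.113.0/24")
    print(recover_ip(unkeyed_hash_ip("203.0.113.7"), guesses, unkeyed_hash_ip))  # 203.0.113.7
    print(recover_ip(hash_ip("203.0.113.7"), guesses, unkeyed_hash_ip))          # None
```

The `count_hit` path is the legitimate use of the same digest: because the server holds the secret it can bucket repeated requests from one address, while a copy of the table without the secret gives an attacker nothing to enumerate against.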

Data export on demand

Account Settings → “Export My Data” generates a full JSON export of everything HireRank holds about you. Available once per 30 days.

Consent version tracking

If the AI processing policy changes materially, the consent version number is bumped. Any user whose stored consent version doesn't match the current one will be shown the consent modal again before their next AI operation.

Embedding privacy (planned)

When the Talent Directory launches, embeddings will be 768-dimensional vectors generated from name, headline, skills, and job titles only, with no contact information and no CV content. A vector is not a readable form of the text, but embeddings should not be treated as irreversible (embedding-inversion research shows parts of the input can be recovered), so the restriction to those fields is the real safeguard. The embedding will be set to null when you explicitly opt out of the Talent Directory, or when your account is deleted. Withdrawing AI consent alone will not remove your directory listing; these will be separate decisions.

Sub-Processors

All third-party processors that handle personal data on behalf of HireRank have Data Processing Agreements (DPAs) in place. US-based processors operate under Standard Contractual Clauses (SCCs).

View the full sub-processor list in the Privacy Policy.

User Rights — How to Exercise Them

Right                   How to exercise
Access / Portability    Account Settings → “Export My Data”
Erasure                 Account Settings → “Delete Account”
Rectification           Edit directly in the HireRank editor
Withdraw AI consent     Account Settings → Privacy & AI
All other rights        Email [email protected]

I respond to all requests within 30 days.

DPDP Act 2023 (India)

HireRank also complies with India's Digital Personal Data Protection Act 2023. Key measures:

  • Age verification (18+) required — DPDP Act Section 9
  • Explicit consent before data processing
  • Right to erasure honored via hard delete
  • No pre-ticked consent boxes anywhere in the product

EU Representative

As a non-EU individual processing EU personal data, I am required to appoint an EU Representative under GDPR Article 27. I will appoint a representative via GDPR-Rep.eu before actively marketing HireRank to EU users. For data subject requests in the interim, contact [email protected].

Contact

Privacy questions or data subject requests:

Email: [email protected] — I respond within 30 days.

Built by: Shivam Singh — terra01.dev