DPDP Compliance
Last updated: 19 May 2026
AxelHired (operated by Sharpe Holdings Private Limited, incorporated under the Companies Act, 2013) processes personal data of users in India and is a Data Fiduciary under the Digital Personal Data Protection Act, 2023 (“DPDP Act”). This page summarises how we meet that obligation. For the full data-handling contract, see our Privacy Policy.
1. Lawful basis
We process your personal data on the basis of your explicit, granular consent — collected at signup and re-collected when you grant access to Gmail (for OTP retrieval) or to job portals (for automated apply). You can withdraw any consent at any time from Settings → Privacy.
2. Data minimisation
We collect only what is necessary to apply on your behalf: your résumé, employment history, contact details, work-authorisation in India, and answers to screening questions. We do not collect data unrelated to job applications. We do not collect facial images, biometric data, or health data.
3. Storage location
All personal data is stored on Supabase's Mumbai (ap-south-1) region, on infrastructure operated by Amazon Web Services in India. Browser workers that submit applications run on Hetzner servers in India. No personal data is replicated outside India for our use.
4. Third parties (Data Processors)
We share strictly necessary data with the following Data Processors, each bound by a written contract that mirrors our DPDP obligations:
- Firebase Authentication — to authenticate you. Only your email and UID are stored.
- Supabase — primary database, file storage, real-time sync.
- Razorpay — payment processing. We never store full card numbers.
- OpenAI / Anthropic (via Vercel AI Gateway) — résumé tailoring and screening-question answers. We send only the relevant résumé block and the job description; we do not send your raw résumé file. Zero data retention is enabled at the gateway level.
- WhatsApp Business (Meta) — only the phone number you opt in with. Template messages only; no chat history retained on our side.
We do not sell or rent personal data. We do not use your data to train any model.
5. Your rights
As a Data Principal under the DPDP Act, you have the right to:
- Access — see exactly what we hold about you.
- Correct — fix anything inaccurate.
- Erase — delete your account and all personal data within 30 days.
- Nominate — designate someone to act on your behalf in case of incapacity.
- Grievance redressal — escalate to our Data Protection Officer.
All of these are self-serve from Settings → Privacy. If anything fails, email privacy@axelhired.com.
6. Retention
Active accounts: data retained for as long as your account is open. Closed accounts: PII purged within 30 days of deletion request. Application audit logs (jobs you applied to, when, by whom) are kept for 90 days for security and dispute resolution, then purged.
7. Security
Row-Level Security is enforced on every table containing personal data; no user can read another user's data even through a compromised application server. All data in transit is encrypted with TLS 1.2+. OAuth tokens (Gmail, Google Sign-In) are encrypted at rest. Access by our team is logged and limited to incident response.
8. Children
AxelHired is not directed at users under 18. We do not knowingly collect data of children. If you believe a minor has signed up, contact us and we will delete the account.
9. Breach notification
If a personal-data breach occurs, we will notify the Data Protection Board of India and affected users within 72 hours of confirmation, as required by the DPDP Act.
10. Data Protection Officer
Manan Jain — dpo@axelhired.com
This page is a plain-English summary of how we comply with the DPDP Act, 2023. For the legally binding contract, see the Privacy Policy.