RCHILLI PRIVACY POLICY
For any questions about our privacy policy or your personal data, please contact us at team@rchilli.com
SECT. 1 - GENERAL INFORMATION
RChilli Inc., an entity organized and existing under the laws of California, USA, with registered office at 2603 Camino Ramon, Ste 272, San Ramon, CA 94583 (hereinafter “RChilli”, “us”, “we” or “our”), knows how important privacy is to its customers (hereinafter “you” or “your”), and strives to be clear about how personal data is collected, used and disclosed.
This privacy policy (hereinafter the “Privacy Policy”) provides an overview of our privacy practices and tells you how we process personal data on behalf of our clients (“Data Controllers”) in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
As a data processor, we process personal data solely on instructions of our clients and per the Data Processing Agreement (DPA).
RChilli Inc. acts as a “Data Processor”. We process personal information on behalf of our clients, who are data controllers responsible for collecting, storing, and using the data.
DEFINITIONS:
“Data Controller” means the entity (in most cases, an organization, but sometimes a person) that directs the reason why Personal Data is processed in the first place. It is the entity that first receives and is responsible for personal data.
“Processor” means the entity (again a person or organization, etc.) that does the processing or analysis of Personal Data on behalf of the Data Controller.
“Private Generative AI” means AI models and systems developed, owned, and controlled by our company or trusted partners.
“Public Generative AI” means AI models and systems provided by third-party vendors or publicly accessible platforms (e.g., OpenAI, Google AI).
“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
We invite you to read this Privacy Policy carefully to understand our considerations and practices regarding processing your Personal Data. If you do not agree to the practices described in this Privacy Policy, you should not access the Site and/or use our Services.
SECT. 2 - PRINCIPLES OF THE PROCESSING
We are committed to fully complying with data processing requirements worldwide. This includes but is not limited to the European Regulation no. 2016/679 (General Data Protection Regulation; hereinafter, the “GDPR”), in case our processing activities involve data subjects that are either physically located in or citizens of, the European Union or Switzerland.
Therefore, we have configured our Site and Services so that the use of Personal Data is kept to the minimum necessary. We have also adopted safeguards and technical and organizational measures to protect the rights of data subjects and to ensure that, by default, only Personal Data which are necessary for each specific purpose of the data are being processed.
SECT. 3 - PERSONAL DATA WE PROCESS
When you access the Site and use our Services, we may collect the following Personal Data:
3.1. Information provided by our clients (Data Controllers), who, through various means (e.g., e-mail, website contact form, sign-on through our Services, etc.), voluntarily provide us with Personal Data and/or other information containing Personal Data. In particular, the said Personal Data include:
3.1.a. Contact and Account Data, such as your login details (username and password), name, complete address, e-mail, and financial and payment information.
3.1.b. Resume Data, such as third-party Personal Data contained in resumes that are processed through our Services.
3.1.c. Technical and Server details, such as server details, your company IP address, credentials, etc.
We will process the above Personal Data per the applicable law (including, where applicable, the GDPR) and on the assumption that they refer to you or to third parties who have authorized you to provide them according to an appropriate legal basis which legitimizes the processing at stake. In this case, unless you accepted a specific data processing agreement with us, you act as an independent data controller, taking on all relevant obligations and responsibilities according to the applicable law (including, where applicable, the GDPR). In this regard, you shall indemnify and hold us harmless from and against all damages, losses, and expenses of any kind (including reasonable legal fees and costs) that arise from any claim made by any third party whose Personal Data have been processed in breach of the applicable law as regards to your obligations as an independent data controller.
3.2. Information on service use and your device. We log your visits and use of our Services, such as your interaction with the content thereof, your user status (active/inactive), your last session, etc. Furthermore, we also get information about your IP address, proxy server, operating system, web browser and add-ons, device identifier, and features, number of sessions, language, and location. To such purpose, we use log-ins, cookies, device information and internet protocol (“IP”) addresses to identify you and log your use.
3.3. We use cookies and similar technologies (e.g., web beacons, pixels, ad tags, and device identifiers) to recognize you and/or your device(s). Cookies are small text files that can be used by websites to make a user’s experience more efficient. In particular, according to GDPR, we can store cookies on your device if they are strictly necessary for the operation of the Site. For all other types of cookies, we need your permission. The Site uses different types of cookies and some cookies are placed by third-party services that appear on our pages. You can at any time change or withdraw your consent from the Cookie Declaration on the Site. For a detailed list of the cookies that we use on our Site, please check our cookie declaration via the following link: https://www.rchilli.com/cookie-policy
SECT. 4 - PURPOSES AND LEGAL BASIS OF THE PROCESSING
4.1. Personal Data above will be processed by us for the purposes and legal basis specified below:
Personal Data involved | Purposes | Legal basis |
Contact and Account Data | To provide you with the Services that you requested from us. | This processing is necessary for the performance of our mutual contractual obligations with the data controller. |
Resume Data | To process resumes and extract data from given resumes. | This processing is necessary for the actual execution of our contract, carried out as per our contractual obligations with the data controller. |
Technical and Server details | To provide you with the Services that you requested from us. | This processing is based on a legitimate interest pursued by us and/or does not involve Personal Data (in case the relevant data are anonymized). |
Cookies | To provide you with a session of your panel and other relevant information. | This processing is necessary for the performance of our online panel, to show information relevant to your account. |
4.2. Voluntary nature of the processing. Providing Personal Data for the above-mentioned purposes is voluntary and not mandatory. However, any refusal to provide any of such data may not allow us to establish and/or continue a contractual relationship with you, or to fulfill your requests, or to comply with legal obligations to which we are subject.
SECT. 5 - DATA STORAGE & RETENTION
We do not store any or other content that is generated during the processing phase and we do not retain any copies.
We do not store or save any personal data. All data is processed in real time and we ensure that no records are kept beyond the required processing period.
Use of Public and Private Generative AI
Our AI-powered services, including generative AI models, are developed to automate, streamline, and improve processes such as resume parsing and data extraction. By leveraging AI, we aim to deliver fast, accurate, and reliable results, empowering organizations to make informed decisions efficiently.
We use both private and public generative AI models to perform services for our clients. The use of these AI models is governed by strict protocols that do not involve the retention or storage of any personal data provided by the client.
- Private AI Models: These models are hosted on secure, private servers and are fully managed by us. Data processed through private AI tools remains within our controlled environment, and no data is shared or stored beyond the processing task.
- Public AI Models: Public AI models, such as those offered by third-party providers, temporarily process data during task execution and are governed by strict safeguards to ensure compliance with data protection standards.
RChilli prioritizes the protection of user data processed by our AI systems. We ensure compliance with all applicable data protection laws and standards, including GDPR, ISO 27001:2022, SOC 2 Type II, HIPAA, and others as applicable. We implement robust data privacy measures, including encryption, anonymization, and access control, to ensure that personal information is securely handled. Additionally, AI outputs are generated in a manner that respects user privacy and consent, with strong safeguards in place to protect sensitive data.
SECT. 6 - WHAT SECURITY MEASURES HAVE BEEN TAKEN FOR YOUR PERSONAL DATA SAFEGUARD?
6.1. We warrant maintaining (and continue to maintain) appropriate and sufficient technical and organizational security measures to protect Personal Data during processing. Please be aware that no security measures are perfect or impenetrable, so we cannot guarantee that unauthorized access, hacking, data loss, or a data breach will never occur. Notwithstanding the preceding, we operate to mitigate the risks associated with processing your Personal Data through several measures. These measures include encryption, secure data transmission, and access control to prevent unauthorized access or alteration to data.
- We employ industry-standard security measures to protect data during processing, e.g., AES encryption, bcrypt hashing, and Secure Sockets Layer (SSL).
- We process only Personal Data that is essential to carry out our services and legal obligations. However, as we do not store data, the risk of data retention is minimized.
- We use company-wide restriction methods to restrict access to the foundation of our processes, systems, and structure, to ensure that only those with authorization and/or a relevant purpose have access to Personal Data, and always with their private keys.
- We ensure that the third-party service providers to whom we may transfer your Personal Data put in place an adequate level of protection when carrying out their processing activities.
Sharing & Selling of Personal Information
We do not sell personal data. The term sell is commonly understood. Under certain Data Protection Laws, a “sale” is defined to include disclosures of personal data to a third party for monetary or valuable consideration. Under the GDPR, the concept of "selling" personal data is prohibited, and we ensure that your personal data is only used for the purposes stated in this Privacy Policy or as otherwise explicitly agreed upon.
We do not share your personal data with any third parties for any purposes, including marketing or advertising.
SECT. 7 - WHO ARE THE RECIPIENTS OF YOUR PERSONAL DATA?
We share your Personal Data with the following third parties, to the extent necessary to provide you with the Services and, in any case, in consistency with the purposes and legal basis of proceeding mentioned in this Privacy Policy:
7.1. Our affiliates, partners and employees. We may share Personal Data with any subsidiary, holding company, associated company, affiliate of, or companies controlled by, or under common control with, RChilli (including their employees and partners), to whom it is reasonably necessary or desirable for us to process your Personal Data for the purposes described in this Privacy Policy.
7.2. Third-party service providers or consultants. We engage certain trusted third parties to perform functions and provide services to us, including hosting and maintenance, e-mail, web analytics, database storage and management, operations, customer relationships, and advertising operations. We also require these third parties to maintain the confidentiality and security of the Personal Data they process on our behalf.
7.3. Third parties required by laws or authorities. We may disclose your Personal Data to a third party if: (i) we believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process, or governmental request (including to meet national security or law enforcement requirements), or (ii) to protect ourselves, our customers, or the public from harm or illegal activities. If we are required by law to disclose any of your Personal Data, then we will use reasonable efforts to provide you with notice of that disclosure requirement, unless we are prohibited from doing so by statute, subpoena, or court or administrative order. Further, we object to requests that we do not believe were issued properly.
7.4. Third Parties recipients of anonymized, de-identified, and aggregated data. We may transform your Personal Data in such a manner (i.e., through anonymization, de-identification, and aggregation) that these data can no longer be attributed to you. Such anonymized, de-identified or aggregated data will be shared with third parties for various purposes, including for business or marketing purposes or to assist third parties in understanding our users’ interests, habits, and usage patterns for certain programs, content, services, and functionalities of our Site.
SECT. 8 - WHERE YOUR PERSONAL DATA MAY BE TRANSFERRED
8.1. We are based in the United States of America, India, and other global locations, and your Personal Data may be further transferred to, and stored at, any of our affiliates, partners, or service providers mentioned in the previous Sect. 7. In any case, when we transfer or disclose your Personal Data, we will ensure that the data transfer agreement entered into with the respective third party includes the “Standard Contractual Clauses for data transfers between EU and non-EU countries” adopted by the European Commission.
8.2. In addition to the safeguards mentioned in previous Sect. 8.1, RChilli also has in place further measures in compliance with the “EU-U.S. and Swiss-U.S. Privacy Shield Frameworks” as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data transferred from the European Union and/or Switzerland to the United States. In particular, RChilli has certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles.
SECT. 9 - YOUR RIGHTS
9.1. Right of access. You are always entitled to receive confirmation as to whether your Personal Data are being processed or not and, where that is the case, access and receive a copy of such Personal Data in an intelligible form. Furthermore, you are also entitled to receive information concerning: the purposes of the processing; the categories of Personal Data concerned; the recipients (or categories thereof) to whom the Personal Data have been or will be disclosed; where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from us rectification or erasure of personal data or restriction of processing of your Personal Data or to object to such processing; the right to complain with a supervisory authority; the source of the Personal Data; the existence of automated decision-making; where Personal Data are transferred to a third country or to an international organization, the appropriate safeguards relating to the transfer.
9.2. Right to withdraw consent. You are always entitled to withdraw, at any time, your consent to the processing of your Personal Data, both on legitimate grounds (even though they are relevant to the purpose of the collection) and if the processing is carried out for direct marketing purposes. The preceding will not affect the lawfulness of your Personal Data processing based on consent before the withdrawal.
9.3. Right to rectification, erasure, and restriction. You are always entitled to obtain from us, without undue delay: the rectification or integration of your Personal Data that are inaccurate or incomplete; the erasure of your Personal Data that have been processed unlawfully or whose retention is unnecessary for the Purposes; the restriction of processing, in case you challenge either the accuracy of your Personal data or the lawfulness of the processing, or in case we no longer need the Personal Data for the Purposes, but they are required by you for the establishment, exercise or defense of a legal claim.
9.4. Specific rights for European or Swiss data subjects. If you are a Swiss citizen or a citizen of any Country in the European Union to whom GDPR applies, you will be afforded also the following rights:
9.4.a. Right to data portability. You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format, as well as the right to transmit those data to another controller without hindrance from us, where technically feasible.
9.4.b. Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects. We may in some cases use automated decision-making if it is authorized by legislation, if you have provided explicit consent, or if it is necessary for the performance of a contract. You can always request a manual decision-making process instead, express your opinion, or contest a decision based solely on automated processing, including profiling, if such a decision would produce legal effects or otherwise similarly significantly affect you.
9.4.c. Right to complain. If you have a complaint about our use of your information, we would prefer you to contact us directly in the first instance so that we can address your complaint. However, you have the right to complain to the Supervisory Authority located in your place of residence.
9.5. Contacts. Requests to exercise the rights above must be sent by e-mail to team@rchilli.com or by post to RChilli Inc., 2603 Camino Ramon, Ste 272, San Ramon, CA 94583, United States of America. Any access request is always completed within one month; however, where the retrieval or provision of information is particularly complex or is subject to a valid delay, the period may be extended by two further months. If this is the case, we will write to the individual within one month and keep him/her informed of the delay and the reasons thereof.
SECT. 10 - AMENDMENTS TO THIS POLICY
We reserve the right to amend or to update its content, whether in whole or in part, also following changes in the legal and regulatory obligations regarding data protection. We will inform you of such amendments and updates through their publication on our website (on the privacy policy page at https://www.rchilli.com/privacy-policy) as soon as they are adopted, and they will be binding from the moment of publication. Therefore, we invite you to visit this page of our website regularly, to be aware of the most recent and updated version thereof, so that you are always updated on the processing activities that we carry out.