Legal

Privacy Policy

Effective June 26, 2026 · Plain-English summary at the top, full legal text below.

Summary

In plain English: We collect the data you give us to run the service. We encrypt sensitive fields. We don't sell your data. We share it only with the sub-processors needed to operate the service (payment, email, hosting), and you can export or delete everything you've put in.

1. Introduction

This Privacy Policy explains how NexivoHR ATS ("we", "us", "our") collects, uses, discloses, and safeguards information when you use our applicant tracking system, website, and related services (the "Service"). It applies to:

  • Account holders — the businesses and individuals who sign up for and pay for the Service
  • Users — employees of account holders who log in to the Service
  • Visitors — anyone browsing our marketing website
  • Candidates — individuals whose data is stored in an account holder's database

2. Information We Collect

2.1 Account information

When you register, we collect:

  • Your name and email address — to identify you and contact you
  • Your company name — to associate you with your team
  • A password — hashed with bcrypt (cost 12) before storage; we never see the plaintext
  • Your role and job title — to provide the right permissions

2.2 Candidate data you input

NexivoHR is a tool for storing and managing candidate information. The data you input — candidate names, contact details, resumes, notes, interview feedback — belongs to you. We process it on your behalf as a data processor; you remain the data controller.

You're responsible for:

  • Having a lawful basis to process candidate data (consent, legitimate interest, contract)
  • Providing candidates with the required privacy notices in your jurisdiction
  • Honoring candidates' rights (access, deletion, correction) — we provide tools to help

2.3 Payment information

We don't store credit card numbers. Payments are processed by Stripe, PayPal, or Razorpay; we only receive:

  • Your customer identifier (e.g. cus_xxxxx for Stripe)
  • The last 4 digits and brand of the card (Visa, Mastercard, etc.)
  • Whether the charge succeeded or failed

2.4 Usage data

We automatically collect:

  • IP address and approximate location (city-level)
  • Browser type, version, and operating system
  • Pages visited and actions taken inside the Service
  • Timestamps and session duration
  • Referrer URL (which site sent you to us)

We use this to debug issues, prevent fraud, measure adoption, and improve the product.

2.5 Communications

If you email us, fill out a contact form, or chat with support, we keep the records of those exchanges for follow-up and quality assurance.

3. How We Use Information

We use the data described above to:

  • Provide and maintain the Service
  • Authenticate users and prevent unauthorized access
  • Process payments and bill paid plans
  • Send transactional emails (password resets, invoice receipts, account notifications)
  • Send product update announcements (you can opt out anytime)
  • Respond to support requests
  • Detect and prevent fraud, abuse, and security threats
  • Comply with legal obligations (e.g. responding to lawful subpoenas)
  • Improve the product through aggregated, anonymized analytics

We do not sell your data. We do not share candidate data with advertisers or data brokers. Period.

4. Data Security

We take security seriously:

LayerWhat we do
In transitAll data flows over TLS 1.3 with HSTS
At restDatabase disks are AES-256 encrypted by the cloud provider
Sensitive fieldsEmails, phones, resume text are encrypted at the column level with AES-256-GCM; even DB admins can't read them
PasswordsHashed with bcrypt (cost 12) — never stored, logged, or even visible to us
SessionsCryptographically random tokens, HttpOnly + Secure cookies, configurable timeout
API accessBearer tokens scoped per user, rate-limited, revocable from the dashboard
BackupsEncrypted backups, retained 30 days, geo-replicated
Internal accessStrict role-based access controls; engineering access to production is logged and audited
AuditingSOC 2 Type II controls; annual external pentest

5. Data Retention

Active accounts: Data is retained as long as your account is active.

Cancelled accounts: We keep your data for 90 days after cancellation in case you reactivate, then permanently delete it.

You can export all your data anytime from Account → Export Data, or request immediate deletion by emailing privacy@nexivoats.com.

Some data must be retained for legal reasons even after deletion (e.g. payment records for tax compliance — typically 7 years).

6. Your Rights

Depending on your jurisdiction, you have the right to:

  • Access — request a copy of all data we hold about you
  • Correct — have inaccurate data fixed
  • Delete — request permanent removal ("right to be forgotten")
  • Export — receive your data in a structured, machine-readable format (JSON / CSV)
  • Restrict — limit how we process your data
  • Object — opt out of certain processing (e.g. analytics, marketing emails)
  • Withdraw consent — at any time, without affecting prior processing
  • Complain — lodge a complaint with your data protection authority

Email privacy@nexivoats.com to exercise any of these. We respond within 30 days (often much sooner).

7. Cookies & Tracking

We use the minimum cookies necessary to run the Service:

CookiePurposeLifetime
PHPSESSIDKeep you logged inSession (deleted on logout)
nx_csrfCross-site request forgery protectionSession

We do not use:

  • Advertising cookies
  • Third-party trackers (Facebook Pixel, Google Ads, etc.)
  • Cross-site tracking of any kind

We use Cloudflare for DDoS protection, which may set a __cf_bm bot-management cookie. This is essential for security and contains no personal information.

8. Sub-processors

To operate the Service, we share data with these processors. Each is contractually required to protect your data and use it only for the stated purpose.

Sub-processorServiceData sharedLocation
StripeCard paymentsCustomer ID, amount, last 4 of cardUSA
PayPalPayPal paymentsCustomer ID, amountUSA
RazorpayUPI / India paymentsCustomer ID, amountIndia
SendGrid / MailgunTransactional emailRecipient address + email contentUSA
AWS / Google CloudHosting, encrypted DB, file storageAll Service data (encrypted)USA
CloudflareDDoS protection, CDNRequest headers, IPGlobal

9. International Data Transfers

NexivoHR is operated from the United States. If you're outside the US, your data may be transferred to and stored in the US. We rely on:

  • Standard Contractual Clauses (SCCs) for EU/UK transfers
  • Data Processing Agreements (DPAs) with each sub-processor
  • The EU-US Data Privacy Framework where applicable

10. Children's Privacy

The Service is intended for businesses. We do not knowingly collect personal information from anyone under 16. If you believe we have inadvertently collected such information, contact us immediately and we'll delete it.

11. California Rights (CCPA / CPRA)

California residents have the right to:

  • Know what personal information we collect, use, share, or sell
  • Request deletion of personal information
  • Opt-out of the sale or sharing of personal information (we don't sell — but the right still applies)
  • Non-discrimination for exercising rights
  • Limit the use of sensitive personal information

To exercise, email privacy@nexivoats.com with subject "California Rights Request".

12. EU/UK Rights (GDPR)

If you are in the EU, UK, or EEA:

  • The legal basis for processing your data is contract performance (to provide you the Service) and legitimate interest (to improve the product)
  • You can lodge a complaint with your local supervisory authority
  • Our EU representative for GDPR purposes can be reached at dpo@nexivoats.com

13. Changes to This Policy

If we make material changes, we'll notify you by email and post a notice in the dashboard at least 14 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance.

14. Contact Us

Questions about this policy?

See also our Terms of Service and Support Center.