Privacy Policy

Last Updated: May 25, 2026

Overview

This Privacy Policy explains how RaterX Technologies Limited ("Rater-X," "we," "us," or "our") collect, use, disclose, and protect personal information in connection with our business, including when you visit our website at raterx.ai, create an account, use our dashboard, complete assessments, communicate with us, or otherwise interact with our services (collectively, the "Services").

We take privacy seriously. This document tells you exactly what data we collect, why we collect it, who we share it with, and what rights you have over it. We've written it to be as clear as possible, not just as a legal formality.

This Privacy Policy applies to personal information we process in connection with the Services, including information relating to website visitors, applicants, talent, raters, dashboard users, and certain client-facing operational interactions.

Note on Client Data: In some cases, raters or related personnel may perform work on third party client platforms or in environments governed by separate client agreements, confidentiality obligations, or data processing terms. This Privacy Policy does not govern personal information processed solely on behalf of a client under such separate arrangements. Those situations are governed by the applicable client agreement or data processing arrangement.

Table of Contents

1. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our Services, practices, technology, operational needs, or applicable law. When we do, we will post the updated version on raterx.ai and update the &qout;Last Updated&qout; date at the top of this page. Where required by applicable law, we may also provide additional notice of material changes.

We will maintain this Privacy Policy to reflect our current privacy practices. We encourage you to review this page periodically, and we will indicate the latest update date at the top of the policy.

2. Personal Information We Collect

We collect personal information in three ways: directly from you, automatically when you use the Services, and through the vendors and infrastructure providers we rely on to operate the platform.

A. Information You Provide Directly

When you register for an account, complete your profile, upload documents, or interact with us, we may collect:

  • Full name
  • Email address
  • Account credentials (passwords are stored in hashed form only)
  • Country and languages
  • LinkedIn URL
  • Primary vertical or area of specialization
  • Experience summary
  • Profile image
  • CV or resume uploads
  • Any other information you choose to provide through the Services

B. Account, Authentication, and Profile Information

To create and maintain your account and authenticate your access, we collect:

  • Full name and email address
  • Password credentials (hashed)
  • OTP (one-time password) verification information
  • Profile details added after registration

We currently use email and password-based authentication with OTP verification via Resend. We do not use third-party single sign-on providers such as Google, LinkedIn, or GitHub at this time.

C. Assessment Information

When you complete forms, evaluations, or onboarding assessments, we collect:

  • Your responses to assessment questions
  • Qualification results and verification status
  • Proficiency tier assignments
  • Associated assessment records and metadata

Assessment forms may be hosted through Tally and pushed to our database via configured webhooks.

D. Files and Uploads

We collect files and documents you upload to the Services, including CVs and resumes. These are uploaded through the platform and stored in AWS S3.

E. Communications

We collect information contained in communications we send or receive in connection with the Services, including:

  • OTP verification and welcome emails
  • Platform notifications and administrative communications
  • Support-related messages
  • Emails handled via Zoho Mail and Resend

F. Information Collected Automatically

When you access or use the Services, we may automatically collect:

  • IP address
  • User agent, browser type, and device information
  • Timestamps and endpoints accessed
  • Session-related activity
  • Login and verification events
  • Administrative audit activity (e.g., updates to verification status)

This information is used for platform security, troubleshooting, fraud prevention, performance monitoring, and internal administration.

G. Administrative Audit Logs

We maintain audit logs to track certain actions taken by authorized administrators, including modifications to talent verification status and related administrative actions.

H. Information Processed by Service Providers

We use third-party providers to help operate the Services. Personal information may be processed by or through:

  • AWS - hosting, storage, infrastructure, and database services
  • Cloudflare - DNS, CDN, web application firewall, and bot protection
  • Resend - transactional email delivery
  • Zoho Mail - professional team communication
  • Tally - assessment form processing

3. How We Use Personal Information

We use personal information for a variety of operational and business purposes, including to provide, operate, maintain, secure, and improve the Services.

A. To Provide the Services

  • Create and maintain user accounts
  • Authenticate users and enable secure dashboard access
  • Process registration and profile setup
  • Receive, process, and store uploaded files
  • Process assessment submissions and qualification workflows
  • Communicate with users about their use of the Services

B. To Operate, Maintain, and Improve the Services

  • Support system functionality and monitor performance
  • Identify and fix bugs, errors, and technical issues
  • Protect against abuse, unauthorized access, spam, bots, or malicious activity
  • Review platform usage and maintain internal quality controls

C. To Communicate With You

  • Send OTP verification and welcome emails
  • Send notifications related to your account or assessments
  • Respond to inquiries and support requests
  • Send important operational notices

D. To Administer Talent and Assessment Workflows

  • Review talent profiles and evaluate submitted information
  • Process and store assessment records
  • Assign verification status and proficiency tiers
  • Support internal review and operational decision-making
  • Maintain historical qualification and performance records

E. To Maintain Security, Logs, and Audit Trails

  • Monitor login and request activity
  • Preserve administrative audit trails
  • Detect and investigate suspicious or unauthorized activity
  • Protect the Services, our business, our users, and our infrastructure

F. To Comply With Legal Obligations and Protect Rights

  • Comply with applicable law, regulation, or lawful process
  • Enforce our terms, policies, and agreements
  • Protect our rights, systems, users, personnel, and property
  • Prevent fraud, abuse, or security incidents

4. Automated Decision-Making

Some decisions about your account, like your initial verification status, may be made automatically based on your assessment score. But a human can review and change those decisions. We may use automated processes in limited parts of our workflow.

We may use automated processes in limited parts of our workflow. For example, the initial verification status and proficiency tier assigned to a user may be determined automatically based on that user's Tally assessment score.

These automated outcomes are not necessarily final. Authorized administrators may review and override such decisions through the admin console where appropriate.

5. How We Disclose Personal Information

We may share personal information with third parties for business and operational purposes, including to provide the Services, maintain security, comply with law, or support our infrastructure and workflows.

A. Service Providers and Infrastructure Vendors

We may disclose personal information to third-party service providers that assist with hosting, storage, email delivery, security, form processing, and related support, including:

  • Amazon Web Services (AWS)
  • Cloudflare
  • Resend
  • Zoho Mail
  • Tally

These providers may process personal information on our behalf or in connection with services they provide to us.

B. Authorized Administrators

Authorized Rater-X administrators may access talent profile information, assessment results, verification status, and related platform data for operational, review, support, and administrative purposes.

C. Clients and Project Operations

We do not currently provide clients with direct access to user or talent profiles. Talent profile data is currently accessible only to authorized Rater-X administrators.

Clients may have access to project-related operational information, such as project progress, where relevant to the services we provide them.

D. Legal, Compliance, and Protection Purposes

We may access, preserve, and disclose personal information where we believe in good faith that doing so is necessary or appropriate to:

  • Comply with applicable law, regulation, subpoena, court order, or lawful request
  • Protect our rights, property, systems, or users
  • Investigate or prevent fraud, abuse, unauthorized access, or security incidents
  • Enforce our agreements, policies, or terms

E. Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, or similar transaction, personal information may be disclosed or transferred as part of that transaction, subject to applicable law.

6. Cookies and Similar Technologies

We don't use advertising or tracking cookies. We only use cookies that are strictly necessary to keep the platform running securely.

We do not currently use advertising or analytics cookies such as Google Analytics, Meta Pixel, or similar behavioral tracking technologies.

The Services may use strictly necessary session and security cookies required for authentication, secure session management, and platform protection. These may include the following:

  • __cf_bm is set by Cloudflare and is used to detect and mitigate automated bot traffic, helping to protect the platform from abuse and unauthorized access.
  • _cfuvidis used by Cloudflare's web application firewall to distinguish between individual users who share the same IP address, ensuring that security rules are applied accurately without incorrectly blocking legitimate users.
  • cf_clearance is set by Cloudflare when a user successfully completes a security challenge. It stores proof of that completion, so the user is not repeatedly prompted during the same browsing session.

These cookies are necessary to operate and secure the Services. They are not optional advertising or analytics cookies.

If you disable necessary cookies in your browser, some parts of the Services may not function properly.

7. Logging, Monitoring, and Security Records

To operate and secure the Services, we maintain system and operational logs that may include:

  • IP address and user agent
  • Timestamp and endpoint accessed
  • Login-related activity
  • Administrative actions recorded in the admin audit log

Operational logs are stored in AWS CloudWatch. Administrative audit information may also be stored in our database.

We use these records to maintain platform security, investigate issues, support operations, detect abuse, and maintain internal accountability.

8. International Transfers of Personal Information

Our servers are primarily in the United States. Some of our vendors process data in other countries too. We take steps to make sure those transfers are handled responsibly.

Rater-X uses vendors and technical infrastructure that may process personal information outside your country of residence. Our primary infrastructure, including RDS, S3, and Elastic Beanstalk instances, is hosted in AWS us-east-1 (N. Virginia, United States).

Certain service providers may also process information in other jurisdictions:

  • Tally stores assessment-related responses on infrastructure located in Belgium
  • Resend may process transactional email-related data in the United States
  • Other infrastructure and support providers may process information in the United States or the European Union

By using the Services, you understand that your personal information may be transferred to, stored in, and processed in countries other than your own, which may have data protection laws different from those in your jurisdiction. Where applicable, we rely on contractual, technical, and organizational measures intended to support appropriate data handling by our vendors and service providers.

9. Retention of Personal Information

We retain personal information for different periods depending on the nature of the information and the purposes for which it is processed.

A. Account and Profile Information

We generally retain account and profile information for as long as the account remains active. After account closure, such information may be deleted approximately 30 days later, unless retention is required for operational, legal, security, or related purposes.

B. Assessment Data

Assessment data may be retained on an ongoing basis for historical performance tracking, qualification history, internal review, fraud prevention, operational continuity, and related business purposes.

At present, assessment data processed through Tally does not expire automatically under the current plan and remains available unless manually deleted. Assessment data stored in our own systems may also be retained unless manually removed in accordance with our operational practices.

C. Logs and Backups

Operational logs stored in AWS CloudWatch are generally retained for approximately 90 days. Database snapshots and backups are generally retained for approximately 30 days.

D. Files and Uploads

CVs, resumes, and other uploaded files may be retained in connection with the associated account and related workflows unless deleted following account closure, a valid deletion request, or internal operational action.

Manual Deletion

Where deletion is requested and verified, deletion may be carried out manually by authorized personnel, including deletion from our database and AWS S3 where appropriate. In some cases, residual copies may remain temporarily in backups until the relevant backup cycle expires.

10. Your Privacy Choices and Rights

Depending on where you live, you may have rights to access, correct, or delete your personal information. Here's how to exercise them.

Depending on applicable law and your jurisdiction, you may have certain rights regarding your personal information, which may include rights to request access, correction, deletion, or additional information about how your data is processed.

A. Access, Correction, and Deletion

You may contact us to request access to, correction of, or deletion of certain personal information we hold about you.

At present:

  • Users may edit certain profile fields in the platform, including profile image, LinkedIn URL, and experience summary
  • Users cannot currently self-delete their accounts through the dashboard
  • Account deletion requests must be submitted to us directly at [email protected]

B. Identity Verification

To protect your privacy and security, we may take steps to verify your identity before acting on a request, for example, by sending a confirmation link to the email address associated with your account.

C. Response Timing

Our target turnaround for valid privacy-related requests is generally 30 days, subject to applicable law and operational requirements.

D. How to Submit a Request

Privacy requests may be submitted to: [email protected]

11. Supplemental Notice - Nigeria (NDPA)

This section applies to individuals in Nigeria and, where applicable, Nigerian data subjects whose personal information is processed by Rater-X.

ater-X Technologies Limited is incorporated in Nigeria and is subject to applicable Nigerian data protection laws, including the Nigeria Data Protection Act 2023 ("NDPA") and applicable regulatory guidance issued by the Nigeria Data Protection Commission ("NDPC").

The NDPA establishes the legal framework for the protection of personal data in Nigeria and sets out obligations for data controllers and data processors. The NDPC is the principal regulatory authority responsible for administering and enforcing data protection requirements in Nigeria.

Lawful Basis for Processing

Where Nigerian data protection law applies, we process personal information on one or more lawful bases, including:

  • Consent - where you have given clear permission for a specific processing purpose.
  • Contract - where processing is necessary to provide the Services, create or manage your account, process assessments, or take steps before entering into a contract.
  • Legitimate Interest - where processing is necessary for our operational, security, administrative, fraud prevention, or service improvement purposes, provided those interests are not overridden by your rights and freedoms.
  • Legal Obligation - where processing is necessary for us to comply with applicable law, regulation, lawful request, or legal process.

Your Rights Under Nigerian Data Protection Law

Subject to applicable law, you may have rights in relation to your personal information, including the right to:

  • request access to personal information we hold about you;
  • request correction of inaccurate or incomplete personal information;
  • request deletion of personal information in certain circumstances;
  • request restriction of processing in certain circumstances;
  • object to processing based on legitimate interests;
  • request portability of your personal information where technically feasible and legally applicable;
  • withdraw consent where processing is based on consent, without affecting processing carried out before withdrawal.

To exercise any of these rights, contact us at [email protected]. We may need to verify your identity before acting on your request. We will respond within the timeframe required by applicable law.

Data Protection Governance

Rater-X is developing and maintaining internal data protection practices appropriate to the nature, scope, and risk of our processing activities. These practices may include privacy notices, access controls, data handling procedures, security safeguards, retention practices, breach response processes, and vendor oversight.

Where required by law or regulatory guidance, Rater-X may designate appropriate data protection responsibility internally or work with qualified external advisers, including licensed Data Protection Compliance Organisations, to support compliance with Nigerian data protection requirements. The NDPC's General Application and Implementation Directive addresses areas such as compliance audits, Data Protection Officers, breach notification, DPIAs, cross-border transfers, and controller/processor obligations.

Data Breach Notification

If we become aware of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will assess the incident and take appropriate steps in accordance with applicable Nigerian data protection law. Where required, this may include notifying the NDPC and affected individuals within the applicable legal timeframe.

Cross-Border Processing

Because Rater-X uses service providers and technical infrastructure that may process personal information outside Nigeria, personal information may be transferred to, stored in, or processed in other countries. Where applicable, we rely on appropriate contractual, technical, and organizational safeguards to support lawful and secure cross-border processing.

12. Supplemental Notice - EU and UK (GDPR)

This section applies to individuals located in the European Economic Area (EEA), the European Union (EU), or the United Kingdom (UK).

If you are located in the European Economic Area, the European Union, or the United Kingdom, you may have specific rights under applicable data protection laws. This section explains how those rights may apply to personal information processed by Rater-X.

Data Controller

For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") and the UK GDPR, RaterX is the data controller of personal information collected through the Services.

Lawful Basis for Processing

We rely on the following lawful bases under Article 6 of the GDPR:

  • Consent (Art. 6(1)(a)) - for processing activities where you have provided explicit consent
  • Performance of a Contract (Art. 6(1)(b)) - where processing is necessary to perform a contract with you or take pre-contractual steps at your request
  • Legitimate Interests (Art. 6(1)(f)) - where processing is necessary for our legitimate business interests, including platform security, fraud prevention, and service improvement, provided those interests are not overridden by your rights and interests
  • Legal Obligation (Art. 6(1)(c)) - where we are required to process data to comply with applicable law

Your Rights Under the GDPR

EEA and UK residents have the following rights:

  • Right of Access (Art. 15) - to obtain confirmation that we process your personal data and receive a copy of it
  • Right to Rectification (Art. 16) - to have inaccurate personal data corrected and incomplete data completed
  • Right to Erasure ("Right to be Forgotten") (Art. 17) - to request deletion of your personal data in certain circumstances
  • Right to Restriction of Processing (Art. 18) - to request that we restrict processing of your personal data in certain circumstances
  • Right to Data Portability (Art. 20) - to receive your personal data in a structured, machine-readable format and transmit it to another controller
  • Right to Object (Art. 21) - to object to processing based on legitimate interests or for direct marketing purposes
  • Rights Related to Automated Decision-Making (Art. 22) - to not be subject to a decision based solely on automated processing that produces significant legal effects, except where permitted by law. See Section 4 of this Privacy Policy for details on our use of automated processes

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (extendable by a further two months where necessary, with notice).

International Transfers

Where we transfer personal data from the EEA or UK to countries that do not provide an equivalent level of data protection, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) or other mechanisms recognized under the GDPR. For more detail, see Section 8 of this Privacy Policy.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority in your EU member state of habitual residence, place of work, or where an alleged infringement occurred. In the UK, the relevant authority is the Information Commissioner's Office (ICO).

13. Supplemental Notice - California (CCPA/CPRA)

This section applies only to individuals who are residents of the State of California, to the extent California privacy laws apply to Rater-X.

Rater-X does not sell personal information. Rater-X also does not share personal information for cross-context behavioral advertising.

Where applicable, California residents may have certain rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (&qout;CCPA/CPRA&qout;), including the right to:

  • request access to the personal information we collect about them;
  • request correction of inaccurate personal information;
  • request deletion of personal information, subject to applicable exceptions;
  • request information about the categories of personal information collected, the purposes for collection, and the categories of third parties with whom personal information may be disclosed;
  • opt out of the sale or sharing of personal information, although Rater-X does not currently sell or share personal information for cross-context behavioral advertising; and
  • not be discriminated against for exercising applicable privacy rights.

For details about the personal information we collect, how we use it, and who we disclose it to, please see Sections 2, 3, and 5 of this Privacy Policy.

To submit a privacy-related request, contact us at [email protected]. We may need to verify your identity before processing your request. Where applicable, we will respond within the timeframe required by law.

California residents may also designate an authorized agent to submit a request on their behalf, subject to verification of the agent's authority and the identity of the individual concerned.

14. Security

We use technical and organizational measures designed to protect personal information and maintain the security of the Services. These measures include:

  • HTTPS enforcement across all endpoints via Cloudflare
  • Web application firewall, CDN, and bot protection through Cloudflare
  • Role-based admin access controls
  • OTP-based email verification via Resend
  • Secure password hashing using bcrypt
  • AWS-hosted infrastructure with IAM-based access controls
  • Encryption at rest for uploaded files in S3 using SSE-S3 (AES-256)
  • AWS CloudTrail logging of file access and modification activity
  • Administrative audit logs for account and verification actions

Although we take reasonable measures to protect personal information, no system is completely secure and we cannot guarantee absolute security.

15. Children's Personal Information

The Services are not directed to children. We do not intend for individuals below the applicable minimum age, and in no case under 16 years of age, to create accounts or use the Services.

If we become aware that we have collected personal information from a child in violation of applicable law, we will take steps to delete that information. We may update our registration process over time to include an age confirmation step.

16. Third-Party Services and External Platforms

The Services rely on certain third-party providers for hosting, security, forms, email delivery, and communications. When personal information is processed by those providers in support of our Services, their processing may also be subject to their own privacy terms and data processing practices.

For example, Tally uses infrastructure and subprocessors in connection with assessment processing.

In addition, where raters later perform work on third-party client platforms, the processing of data within those client environments may be governed by separate agreements, confidentiality obligations, or client-specific data processing terms, not this Privacy Policy.

17. Contact Us

If you have questions about this Privacy Policy, our privacy practices, or if you'd like to make a privacy-related request, please contact us at:

Rater-X

Liberty estate

Korea Avenue

Ago Palace Way

Lagos

Nigeria

Email:

[email protected]

Website:

raterx.ai

© 2026 RaterX Technologies Limited. All rights reserved.