Privacy Policy

B. Account, Authentication, and Profile Information

To create and maintain your account and authenticate your access, we collect:

• Full name and email address
• Password credentials (hashed)
• OTP (one-time password) verification information
• Profile details added after registration

C. Assessment Information

When you complete forms, evaluations, or onboarding assessments, we collect:

• Your responses to assessment questions
• Qualification results and verification status
• Proficiency tier assignments
• Assessment records and metadata

Assessment forms may be hosted through Tally and pushed to our database via configured webhooks.

D. Files and Uploads

We collect files and documents you upload to the Services, including CVs and resumes. These are uploaded through the platform and stored in AWS S3.

E. Communications

We collect information contained in communications we send or receive in connection with the Services, including:

• OTP verification and welcome emails
• Platform notifications and administrative communications
• Support-related messages
• Emails handled via Zoho Mail and Resend

F. Information Collected Automatically

When you access or use the Services, we may automatically collect:

• IP address
• User agent, browser type, and device information
• Timestamps and endpoints accessed
• Session-related activity
• Login and verification events
• Administrative audit activity (e.g., updates to verification status)

This information is used for platform security, troubleshooting, fraud prevention, performance monitoring, and internal administration.

G. Administrative Audit Logs

We maintain audit logs to track certain actions taken by authorized administrators, including modifications to talent verification status and related administrative actions.

H. Information Processed by Service Providers

We use third-party providers to help operate the Services. Personal information may be processed by or through:

• AWS - hosting, storage, infrastructure, and database services
• Cloudflare - DNS, CDN, web application firewall, and bot protection
• Resend - transactional email delivery
• Zoho Mail - professional team communication
• Tally - assessment form processing

B. To Operate, Maintain, and Improve the Services

• Support system functionality and monitor performance
• Identify and fix bugs, errors, and technical issues
• Protect against abuse, unauthorized access, spam, bots, or malicious activity
• Review platform usage and maintain internal quality controls

C. To Communicate With You

• Send OTP verification and welcome emails
• Send notifications related to your account or assessments
• Respond to inquiries and support requests
• Send important operational notices

D. To Administer Talent and Assessment Workflows

• Review talent profiles and evaluate submitted information
• Process and store assessment records
• Assign verification status and proficiency tiers
• Support internal review and operational decision-making
• Maintain historical qualification and performance records

E. To Maintain Security, Logs, and Audit Trails

• Monitor login and request activity
• Preserve administrative audit trails
• Detect and investigate suspicious or unauthorized activity
• Protect the Services, our business, our users, and our infrastructure

F. To Comply With Legal Obligations and Protect Rights

• Comply with applicable law, regulation, or lawful process
• Enforce our terms, policies, and agreements
• Protect our rights, systems, users, personnel, and property
• Prevent fraud, abuse, or security incidents

B. Authorized Administrators

Authorized Rater-X administrators may access talent profile information, assessment results, verification status, and related platform data for operational, review, support, and administrative purposes.

C. Clients and Project Operations

We do not currently provide clients with direct access to user or talent profiles. Talent profile data is currently accessible only to authorized Rater-X administrators. Clients may have access to project-related operational information, such as project progress, where relevant to the services we provide them.

D. Legal, Compliance, and Protection Purposes

We may access, preserve, and disclose personal information where we believe in good faith that doing so is necessary or appropriate to:

• Comply with applicable law, regulation, subpoena, court order, or lawful request
• Protect our rights, property, systems, or users
• Investigate or prevent fraud, abuse, unauthorized access, or security incidents
• Enforce our agreements, policies, or terms

E. Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, or similar transaction, personal information may be disclosed or transferred as part of that transaction, subject to applicable law.

B. Assessment Data

Assessment data may be retained on an ongoing basis for historical performance tracking, qualification history, internal review, fraud prevention, operational continuity, and related business purposes. At present, assessment data processed through Tally does not expire automatically under the current plan and remains available unless manually deleted. Assessment data stored in our own systems may also be retained unless manually removed in accordance with our operational practices.

C. Logs and Backups

Operational logs stored in AWS CloudWatch are generally retained for approximately 90 days. Database snapshots and backups are generally retained for approximately 30 days.

D. Files and Uploads

CVs, resumes, and other uploaded files may be retained in connection with the associated account and related workflows unless deleted following account closure, a valid deletion request, or internal operational action.

Manual Deletion

Where deletion is requested and verified, deletion may be carried out manually by authorized personnel, including deletion from our database and AWS S3 where appropriate. In some cases, residual copies may remain temporarily in backups until the relevant backup cycle expires.

B. Identity Verification

To protect your privacy and security, we may take steps to verify your identity before acting on a request, for example, by sending a confirmation link to the email address associated with your account.

C. Response Timing

Our target turnaround for valid privacy-related requests is generally 30 days, subject to applicable law and operational requirements.

D. How to Submit a Request

Privacy requests may be submitted to: [email protected]

Lawful Basis for Processing

Under the NDPA, we process your personal information on the following lawful bases:

• Consent - where you have freely given, specific, informed, and unambiguous consent to the processing of your personal data for one or more specific purposes (e.g., receiving marketing communications)
• Contract - where processing is necessary to perform a contract to which you are a party or to take steps at your request before entering a contract (e.g., creating and operating your account)
• Legitimate Interest - where processing is necessary for our legitimate interests, provided those interests are not overridden by your fundamental rights and freedoms
• Legal Obligation - where processing is necessary to comply with a legal obligation to which we are subject under Nigerian law

Your Rights Under the NDPA

As a Nigerian resident or Nigerian citizen, you have the following rights regarding your personal data:

• Right of Access - to request confirmation of whether we process your personal data and obtain a copy of it
• Right to Rectification - to request correction of inaccurate or incomplete personal data
• Right to Erasure - to request deletion of your personal data in certain circumstances
• Right to Restriction - to request that we limit the processing of your personal data in certain circumstances
• Right to Object - to object to processing based on legitimate interest
• Right to Data Portability- to receive your personal data in a structured, commonly used format and transmit it to another controller where technically feasible
• Right to Withdraw Consent- where processing is based on consent, to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days of a valid request.

Data Protection Officer

We are in the process of formalizing our data governance structure in accordance with NDPA requirements. For data protection inquiries, please contact us at [email protected].

Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the NDPC and, where required, affected data subjects in accordance with applicable timelines under the NDPA.

Lawful Basis for Processing

We rely on the following lawful bases under Article 6 of the GDPR:

• Consent (Art. 6(1)(a)) - for processing activities where you have provided explicit consent
• Performance of a Contract (Art. 6(1)(b)) - where processing is necessary to perform a contract with you or take pre-contractual steps at your request
• Legitimate Interests (Art. 6(1)(f)) - where processing is necessary for our legitimate business interests, including platform security, fraud prevention, and service improvement, provided those interests are not overridden by your rights and interests
• Legal Obligation (Art. 6(1)(c)) - where we are required to process data to comply with applicable law

Your Rights Under the GDPR

EEA and UK residents have the following rights:

• Right of Access (Art. 15) - to obtain confirmation that we process your personal data and receive a copy of it
• Right to Rectification (Art. 16) - to have inaccurate personal data corrected and incomplete data completed
• Right to Erasure ("Right to be Forgotten") (Art. 17) - to request deletion of your personal data in certain circumstances
• Right to Restriction of Processing (Art. 18) - to request that we restrict processing of your personal data in certain circumstances
• Right to Data Portability (Art. 20) - to receive your personal data in a structured, machine-readable format and transmit it to another controller
• Right to Object (Art. 21) - to object to processing based on legitimate interests or for direct marketing purposes
• Rights Related to Automated Decision-Making (Art. 22) - to not be subject to a decision based solely on automated processing that produces significant legal effects, except where permitted by law. See Section 4 of this Privacy Policy for details on our use of automated processes

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (extendable by a further two months where necessary, with notice).

International Transfers

Where we transfer personal data from the EEA or UK to countries that do not provide an equivalent level of data protection, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) or other mechanisms recognized under the GDPR. For more detail, see Section 8 of this Privacy Policy.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority in your EU member state of habitual residence, place of work, or where an alleged infringement occurred. In the UK, the relevant authority is the Information Commissioner's Office (ICO).

Personal Information Collected

For a full description of the categories of personal information we collect, the purposes for which we collect it, and the categories of third parties with whom we share it, please refer to Sections 2 and 5 of this Privacy Policy.

The categories of personal information we collect include identifiers (such as name and email address), professional and employment-related information, and internet or other electronic network activity information (such as IP address and usage data).

Sale or Sharing of Personal Information

Rater-X does not sell your personal information. Rater-X does not share your personal information for cross-context behavioral advertising purposes.

Your Rights Under the CCPA/CPRA

California residents have the following rights:

• Right to Know - to request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the purposes for collection, and the categories of third parties to whom we share it
• Right to Delete - to request deletion of personal information we have collected from you, subject to certain exceptions
• Right to Correct - to request correction of inaccurate personal information we maintain about you
• Right to Opt Out of Sale or Sharing - to opt out of the sale of your personal information or its sharing for cross-context behavioral advertising (note: we do not currently engage in these activities)
• Right to Limit Use of Sensitive Personal Information - to direct us to limit our use and disclosure of sensitive personal information to purposes permitted by the CCPA/CPRA
• Right to Non-Discrimination - we will not discriminate against you for exercising any of your CCPA/CPRA rights

How to Submit a Request

To submit a rights request, contact us at [email protected]. We may need to verify your identity before processing your request. We will respond within 45 days of receipt of a verifiable consumer request, with a possible extension of a further 45 days where necessary.

Authorized Agents

California residents may designate an authorized agent to submit a rights request on their behalf. We may require verification of the agent's authorization and verification of your identity before processing such a request.