1. About This Policy

This Privacy Policy explains how TreadOS World Private Limited ("OnePixel," "we," "us," or "our") collects, uses, shares, and protects personal information.

We operate both as:

• Data Controller - when we collect and process information for our own purposes (e.g., our website visitors, marketing contacts, customer admin accounts).
• Data Processor - when we process candidate or end-user data on behalf of our customers, in connection with our hiring intelligence layer embedded on their career pages, ATS, or websites.

2. Scope of Services

OnePixel provides a one-line embed that activates an intelligent hiring layer on career pages, ATS, or other websites.

When a candidate visits a customer's page with our embed, we may:

• Engage them in real-time via chat or interface
• Screen for fit and role matches (including automated rejection or filtering if configured by customer)
• Collect and process application data, documents, interview availability, and optional audio/video
• Pass qualified leads to the customer's ATS or scheduling system

3. Contact Information

4. Information We Collect

A. When Acting as Controller (Our Own Data Collection)

We collect:

• Contact Data - name, email, phone, company, role, etc.
• Account Data - login credentials for customer admin accounts.
• Marketing Data - newsletter signups, preferences, and engagement with our campaigns.
• Technical Data - IP address, device/browser type, operating system, pages visited, time on page, referring/exit URLs, cookies, and similar identifiers.

B. When Acting as Processor (Candidate & End-User Data)

When embedded on a customer's site, we process on their behalf:

• Application Data - name, email, phone, location, work history, education, CV/resume, LinkedIn profile, skills, certifications.
• Screening Data - answers to qualifying questions, AI screening scores, matching results.
• Scheduling Data - availability, interview booking details, time zone.
• Communications - chat transcripts, candidate questions, employer responses.
• Audio/Video Data (Biometric) - candidate voiceprints and facial geometry from recorded interviews or media submissions.
• ATS Integration Data - candidate IDs, role IDs, job details, hiring stage updates.
• Widget Analytics - interaction logs with our embedded script (clicks, opens, dwell time).

5. Special Category & Sensitive Data

We do not require special category data (race, ethnicity, health, union membership, etc.) for use of our service.

If customers request such fields (e.g., voluntary diversity data), they must:

• Obtain explicit consent from the candidate before collection;
• Ensure lawful basis under GDPR/DPDPA;
• Configure retention and deletion rules accordingly.

6. Automated Decision-Making & Profiling

Our system may perform automated profiling and decision-making when configured by the customer, including:

• Matching candidates to roles
• Filtering/rejecting candidates without human review
• Prioritizing candidates for outreach

Candidate Rights:

Where required by law, candidates can request human review, contest decisions, and obtain an explanation of the logic involved.

7. How We Use Information

Controller Use Cases

• Provide, secure, and improve our services
• Respond to inquiries and support requests
• Send service updates, marketing, and educational content (with opt-out)
• Analyze site usage for improvements

Processor Use Cases (on Customer Instructions)

• Deliver the hiring intelligence functions configured by the customer
• Store and forward candidate data to customer systems (ATS, CRM, calendar)
• Provide analytics to the customer on widget performance and candidate funnel

8. Legal Bases

We process personal data under these bases:

• Contractual Necessity - to provide our services to customers
• Legitimate Interests - securing systems, preventing fraud, improving services
• Consent - for optional data (e.g., marketing, diversity data, certain cookies)
• Legal Obligation - to comply with applicable laws or respond to lawful requests

9. Data Retention

• Controller Data - kept as long as necessary for the purposes collected or as required by law.
• Processor (Candidate) Data - retained only for the duration and purposes defined in the customer contract; maximum retention aligned to applicable law (e.g., 12 months EU default unless customer specifies shorter).
• Audio/video and biometric data is purged per customer contract terms, and no later than 30 days after contract termination unless legally required to retain.

10. Data Sharing

We may share data with:

• Customers - candidates' prospective employers or their agents (when acting as processor).
• Service Providers & Sub-Processors - cloud hosting (AWS), analytics, AI processing (OpenAI, Google), ATS integration providers, email/SMS delivery vendors.
• Legal/Regulatory Authorities - where required by law or to protect rights/safety.
• Business Transfers - in case of merger, acquisition, or sale of assets.

Sub-Processor List: We maintain and update a public list of sub-processors with location and purpose at: [Insert Link].

11. International Data Transfers

Candidate and customer data may be stored in multiple AWS data centers globally, including in the US, EU, and Asia.

When transferring personal data outside the originating jurisdiction, we use:

• Standard Contractual Clauses (SCCs) for EU/UK transfers;
• Data Privacy Framework (DPF) where applicable;
• Other adequacy mechanisms recognized under DPDPA and relevant laws.

12. Cookies & Tracking

• On our own website, we use cookies for analytics, personalization, and marketing (with consent where required).
• Our embedded widget may track candidate interactions for service performance analytics; customers are responsible for disclosing and obtaining any required consents on their own sites.

13. Security

We implement technical and organizational measures including:

• Encryption at rest and in transit
• Access control & authentication
• Audit logging
• Regular security testing and monitoring

Breach notifications are provided to customers and regulators within legally mandated timelines.

14. Candidate & User Rights

Depending on jurisdiction, rights may include:

• Access, correction, deletion
• Portability
• Restriction or objection to processing
• Withdrawal of consent
• Contesting automated decisions

Requests regarding candidate data processed on behalf of a customer will be forwarded to that customer.

15. Children's Privacy

Our services are not intended for individuals under 18. If such data is discovered, it will be deleted.

16. Customer Responsibilities

Customers embedding OnePixel on their sites must:

• Provide a lawful privacy notice to candidates;
• Obtain all required consents (e.g., cookies, diversity data);
• Configure our system in compliance with applicable employment and privacy laws;
• Handle candidate rights requests related to their recruitment process.

17. Changes to This Policy

We may update this policy and will post revisions with a new "Last Updated" date. Material changes will be communicated through our site or customer admin channels.

18. Contact

For any questions or rights requests: