Sign In Get Started
HomePrivacy Policy

Privacy Policy

How we collect, use, protect and respect your personal data — globally

Last updated: 06 April 2026  |  Version 1.1.0
Contents
Introduction and Scope Who We Are Information We Collect How We Use Your Information Sensitive Personal Data Legal Basis for Processing Data Sharing and Disclosure Data Retention Your Rights by Jurisdiction International Data Transfers Security Measures Cookies Children Changes to This Policy Contact and Grievance Redressal

1. Introduction and Scope

AscentPassport (operated by AscentPassport Technologies Pvt Ltd, referred to as "we", "us", or "our") is a verified career identity platform. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you use our platform at ascentpassport.com.

This policy applies to all users regardless of location and is designed to comply with the following frameworks:

  • India: Digital Personal Data Protection Act 2025 (DPDP Act)
  • European Union: General Data Protection Regulation (GDPR)
  • United Kingdom: UK GDPR and Data Protection Act 2018
  • United States: California Consumer Privacy Act (CCPA / CPRA) and Fair Credit Reporting Act (FCRA) where applicable
  • Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Australia: Privacy Act 1988 and Australian Privacy Principles (APPs)
  • UAE: Federal Decree-Law No. 45 of 2021 on Personal Data Protection
  • Saudi Arabia: Personal Data Protection Law (PDPL)

Where local law provides stronger protections than this policy, local law prevails.

2. Who We Are

AscentPassport Technologies Pvt Ltd is the Data Controller (and Data Fiduciary under DPDP) for all personal data processed on the platform. Employers who access candidate verification reports act as independent Data Controllers for their own hiring decisions.

Our registered address is: AscentPassport Technologies Pvt Ltd, Ahmedabad, Gujarat 380015, India.

Our Data Protection Officer and Grievance Officer can be reached at privacy@ascentpassport.com.

3. Information We Collect

We collect the following categories of personal data:

  • Account Information: Full name, email address, phone number, password (hashed, never stored in plain text), account role (employee or employer).
  • Identity Information: Date of birth, PAN number (India), Social Security Number or National ID (international users), passport number, government-issued ID type and number. All of these are encrypted at rest using industry-standard field-level encryption with regional keys.
  • Employment Information: Employer names, job titles, employment dates, salary ranges (optional), Provident Fund account numbers, HR contact details provided for verification outreach.
  • Verification Data: Documents uploaded for verification, AI agent analysis outputs, derogatory report flags, AP Score, audit logs of verification events.
  • Employer Data: Company name, CIN or registration number, industry, company size, designation of the HR contact.
  • Usage Data: IP address, browser type, operating system, pages visited, time on platform, referring URL, session identifiers.
  • Consent Records: Type of consent given, exact text shown at time of consent, timestamp, IP address, and browser user agent — retained as an immutable audit trail.
  • Communications: Emails and notifications sent through the platform including OTP codes, verification alerts, and employer outreach logs.

We do not collect biometric data, financial account numbers, or health information.

4. How We Use Your Information

We use your personal data for the following purposes:

  • To create and maintain your Ascent Passport ID (APID) as a verified career identity.
  • To run AI-powered verification agents on your employment history and calculate your AP Score.
  • To conduct HR outreach to past employers on your behalf for employment verification, strictly with your prior knowledge.
  • To enable employers who have purchased credits to verify candidate APIDsand view authorised profile sections.
  • To prevent fraud, detect duplicate accounts, and maintain platform integrity.
  • To send transactional communications including OTP codes, verification updates, and account notices.
  • To comply with legal obligations including responses to lawful government requests.
  • To maintain immutable audit logs for regulatory accountability.
  • To improve platform performance and user experience using aggregated, anonymised analytics.

We do not use your personal data for advertising, behavioural profiling for third parties, or any purpose not described in this policy without obtaining fresh consent.

5. Sensitive Personal Data

The following categories of data receive heightened protection on our platform:

  • PAN numbers (India): Encrypted at rest using Fernet symmetric encryption with India-specific encryption keys. Never transmitted to employers. Used solely to ensure each APID is linked to one unique individual and to prevent duplicate accounts. Retained for 2 years after account closure under DPDP requirements.
  • Social Security Numbers and National IDs (international): Encrypted at rest using region-specific encryption keys. Never shared with employers. Used solely for identity uniqueness verification. Retained for 7 years for US users under FCRA requirements, 2–3 years for other jurisdictions.
  • Passport numbers: Encrypted at rest. Used solely for identity verification. Retained for 3 years.
  • Date of birth: Encrypted at rest. Used for identity verification only.

Every read of an encrypted sensitive field is logged to an immutable access log, recording which field was accessed and when. You can view your access log from your Privacy Settings page.

Sensitive data is never included in employer-facing verification reports. Employers receive only the verification outcome, not the underlying identity documents.

6. Legal Basis for Processing

We process your personal data under the following legal bases, which vary by jurisdiction:

  • Consent: Collection of national identity numbers (PAN, SSN, passport), cross-border data transfers, third-party AI processing, and marketing communications. You may withdraw consent at any time from your Privacy Settings without affecting the lawfulness of processing before withdrawal.
  • Contract performance: Processing necessary to create your APID, run verification agents, and deliver the core service you have signed up for.
  • Legitimate interests: Fraud prevention, duplicate account detection, platform security, immutable audit logging, and aggregated analytics. We have assessed that these interests are not overridden by your fundamental rights.
  • Legal obligation: Retaining audit logs for regulatory compliance, responding to lawful government requests, and honouring data subject rights requests within legally mandated timeframes.

For California residents (CCPA): we do not sell or share your personal information as defined under CCPA/CPRA. You have the right to opt out of any future sale or sharing. To exercise this right visit your Privacy Settings page or contact privacy@ascentpassport.com.

For Indian residents (DPDP): we process your data as a Data Fiduciary under the Digital Personal Data Protection Act 2025. Your consent is specific, informed, and unconditional. You may withdraw it at any time.

7. Data Sharing and Disclosure

We do not sell your personal data. We share data only in the following circumstances:

  • With employers you authorise: Employers who have purchased credits may view your verified APID profile section, subject to your visibility settings. They receive verification outcomes only — not your raw identity documents, PAN, SSN, or passport number.
  • With HR contacts for verification outreach: We contact HR representatives at your past employers solely to verify employment dates and roles you have listed. This outreach is conducted on your behalf and with your prior knowledge.
  • With service providers: We use third-party processors for email delivery, AI model inference, and infrastructure hosting. All processors are bound by data processing agreements and are not permitted to use your data for their own purposes.
  • With legal authorities: We disclose data when required by a valid court order, subpoena, or applicable law. We will notify you of such requests where legally permitted to do so.
  • In business transfers: If AscentPassport is acquired or merged, your data may be transferred to the successor entity subject to equivalent privacy protections. We will notify you before such a transfer occurs.

We do not share your data with advertisers, data brokers, or any party for commercial profiling purposes.

8. Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy or as required by law. Our retention schedule is as follows:

  • Employment records and AP Score: Retained for 3 years after account closure (India / EU / UK / CA / AU) or 7 years (US users, under FCRA).
  • PAN numbers and Aadhaar references (India): Retained for 2 years after the purpose of collection is fulfilled, then anonymised.
  • SSNs and national IDs (US): Retained for 7 years as required by FCRA, then anonymised.
  • Passport numbers: Retained for 3 years after account closure, then anonymised.
  • Consent records: Retained for 7 years as an immutable legal audit trail regardless of account closure.
  • Audit logs: Retained for 5–7 years depending on jurisdiction.
  • Session data: Deleted after 30 days.
  • Communication logs: Retained for 2 years.

When a retention period expires, data is anonymised rather than deleted to preserve statistical integrity. Anonymised data cannot be linked back to you. Records under active legal hold are exempt from automated anonymisation.

9. Your Rights by Jurisdiction

You have the following rights over your personal data. The specific rights available to you depend on your jurisdiction. To exercise any right, visit your Privacy Settings page or contact privacy@ascentpassport.com. We will respond within the legally required timeframe for your jurisdiction.

All users (universal rights):

  • Right of access: Request a copy of all personal data we hold about you.
  • Right to correction: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of your data, subject to legal holds and regulatory retention obligations.
  • Right to restrict processing: Request that we limit how we use your data while a dispute is resolved.
  • Right to data portability: Receive your data in a structured, machine-readable format.
  • Right to withdraw consent: Withdraw any consent you have given at any time without affecting the lawfulness of prior processing.

India (DPDP Act 2025 — additional rights):

  • Right to nominate another person to exercise your data rights on your behalf.
  • Right to grievance redressal — responses within 30 days.

European Union and United Kingdom (GDPR — additional rights):

  • Right to object to processing based on legitimate interests.
  • Right to request human review of any automated decision that significantly affects you.
  • Right to lodge a complaint with your local supervisory authority.

United States — California (CCPA / CPRA — additional rights):

  • Right to opt out of the sale or sharing of personal information (we do not sell — but you may register your preference).
  • Right to limit use of sensitive personal information.
  • Right to non-discrimination for exercising your privacy rights.

United States — FCRA rights (where applicable):

  • Right to a free copy of your consumer report.
  • Right to dispute inaccurate information in any verification report.
  • Right to receive adverse action notices if a hiring decision is made based on your report.

Response timelines: India 30 days | EU/UK 30 days (extendable to 90 for complex requests) | US CCPA 45 days (extendable to 90) | FCRA disputes 30 days | Canada/Australia 30 days.

10. International Data Transfers

AscentPassport's primary servers are located in India. If you are located outside India, your data is transferred to India for processing. We ensure the following safeguards are in place for cross-border transfers:

  • EU / UK users: Transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission and the UK ICO respectively.
  • All other jurisdictions: Transfers are conducted under equivalent contractual safeguards and in accordance with applicable local law.

Cross-border transfer of sensitive personal data (PAN, SSN, passport) only occurs with your explicit consent, which you may withdraw at any time.

11. Security Measures

We implement the following technical and organisational measures to protect your data:

  • Field-level encryption: National identity numbers, passport numbers, and date of birth are encrypted at rest using Fernet symmetric encryption with separate encryption keys per geographic region. This means a breach of one region's data does not compromise another.
  • Blind index search: Encrypted fields are searchable via one-way HMAC hashes, meaning the plain text value is never exposed during search operations.
  • Transport security: All data in transit is protected by TLS 1.2 or higher.
  • Access controls: Role-based access control ensures employees cannot see employer data and employers can only access candidate data they are authorised to view.
  • Immutable audit logs: Every read of a sensitive encrypted field is logged with a timestamp. These logs cannot be deleted.
  • Key management: Encryption keys are stored in environment variables and never committed to source code or version control.
  • Admin security: Django admin is protected by a non-public URL and two-factor authentication.
  • Intrusion detection: Automated blocking of known scanner user agents, malicious path probes, and brute-force attempts via Fail2Ban and Nginx rate limiting.

Despite these measures, no system is 100% secure. In the event of a breach that poses a risk to your rights and freedoms, we will notify you and the relevant regulatory authority within 72 hours of discovery.

12. Cookies

AscentPassport uses the following types of cookies:

  • Strictly necessary cookies: Session cookies required for authentication and security. These cannot be disabled.
  • Analytics cookies: We use Google Analytics (GA4) to understand how users interact with our platform. This data is aggregated and anonymised. You may opt out by enabling "Do Not Track" in your browser or using the Google Analytics opt-out browser add-on.

We do not use advertising cookies, tracking pixels, or third-party remarketing cookies.

13. Children

AscentPassport is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a minor has provided us with their data, please contact privacy@ascentpassport.com and we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and display a notice on the platform. Existing users will be asked to review and re-confirm their consent before continuing to use the platform after a material policy change. The version number and last updated date at the top of this page will always reflect the current version.

15. Contact and Grievance Redressal

For any privacy-related queries, requests, or complaints:

  • Email: privacy@ascentpassport.com
  • Grievance Officer (DPDP): privacy@ascentpassport.com — we will acknowledge within 48 hours and resolve within 30 days.
  • Postal address: AscentPassport Technologies Pvt Ltd, Ahmedabad, Gujarat 380015, India.

If you are an EU or UK resident and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority. If you are a California resident, you may contact the California Privacy Protection Agency.

To exercise your data rights directly, visit your Privacy Settings page where you can submit access, correction, erasure, and portability requests with a legally tracked reference number and deadline.