Privacy Policy
Version 1.0 — Effective Date: March 19, 2026 — Last Updated: March 19, 2026
1. Introduction
ClankerRank (“we”, “us”, “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect personal data when you use ClankerRank Hire (“the Platform”). This policy applies to all users including Admins (employers) and Candidates (assessment takers).
We process personal data in compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Lei Geral de Proteção de Dados (LGPD), the Protection of Personal Information Act (POPIA), the Personal Information Protection and Electronic Documents Act (PIPEDA), and the Australian Privacy Principles (APP).
2. Data We Collect
2.1 Admin Data
- Account Information: Email address, display name, company name.
- Authentication Data: Password (hashed with scrypt, never stored in plaintext).
- Consent Records: Timestamps and versions of accepted Terms and Privacy Policy, IP address, and user agent at time of consent.
- Usage Data: Actions taken on the Platform (job creation, invite generation, candidate reviews) logged for audit purposes.
2.2 Candidate Data
- Identity Information: Full name, email address, phone number (optional).
- Professional Information: Resume URL, LinkedIn URL (optional).
- Assessment Data: Code submissions, test results, scores, execution times.
- Proctoring Data: Tab switch events, fullscreen exit events, focus loss events, copy/paste events (when proctoring is enabled by the Admin).
2.3 Technical Data
- IP addresses (for security, rate limiting, and audit logging).
- Browser user agent strings.
- Cookies (httpOnly, secure, sameSite: strict) for session management.
3. How We Protect Your Data
We implement multiple layers of security to protect personal data:
Encryption at Rest
Email addresses in the invite system are encrypted using AES-256-GCM with authenticated encryption, preventing unauthorized access even if the database is compromised.
Password Hashing
All passwords are hashed using the scrypt key derivation function with a unique 16-byte salt per password (N=16384, r=8, p=1, keyLen=64). Passwords are never stored in plaintext or recoverable form.
Data Integrity
HMAC-SHA256 is used for deterministic data hashing, ensuring data integrity and enabling secure lookups without exposing plaintext data.
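A sketch of how the three mechanisms described above (scrypt with the stated parameters, AES-256-GCM for stored email addresses, and an HMAC-SHA256 lookup value) fit together in Node.js. This is an added example, not ClankerRank's code. The key names, the `salt:hash` storage format, the email normalization and the use of the lookup value as GCM associated data are all assumptions.

```javascript
const crypto = require('crypto');

// Constructed sample keys; real keys would come from a secrets manager.
const ENC_KEY = crypto.randomBytes(32);   // AES-256 key
const INDEX_KEY = crypto.randomBytes(32); // separate HMAC key for lookups
const SCRYPT = { N: 16384, r: 8, p: 1 };  // parameters stated in the policy

// Password hashing: unique 16-byte salt, 64-byte derived key.
function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  const dk = crypto.scryptSync(password, salt, 64, SCRYPT);
  return `${salt.toString('hex')}:${dk.toString('hex')}`; // assumed format
}

function verifyPassword(password, stored) {
  const [saltHex, dkHex] = stored.split(':');
  const expected = Buffer.from(dkHex, 'hex');
  const salt = Buffer.from(saltHex, 'hex');
  const actual = crypto.scryptSync(password, salt, expected.length, SCRYPT);
  return crypto.timingSafeEqual(actual, expected); // constant-time compare
}

// Deterministic lookup value: the same email always yields the same HMAC,
// so a row can be found without storing or decrypting the plaintext.
function emailIndex(email) {
  const normalized = email.trim().toLowerCase(); // assumed normalization
  return crypto.createHmac('sha256', INDEX_KEY).update(normalized).digest('hex');
}

// AES-256-GCM with a fresh 96-bit nonce per record. The lookup value is
// bound as associated data so ciphertexts cannot be swapped between rows.
function encryptEmail(email) {
  const iv = crypto.randomBytes(12);
  const index = emailIndex(email);
  const cipher = crypto.createCipheriv('aes-256-gcm', ENC_KEY, iv);
  cipher.setAAD(Buffer.from(index));
  const ct = Buffer.concat([cipher.update(email, 'utf8'), cipher.final()]);
  return { index, iv, ct, tag: cipher.getAuthTag() };
}

function decryptEmail({ index, iv, ct, tag }) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', ENC_KEY, iv);
  decipher.setAAD(Buffer.from(index));
  decipher.setAuthTag(tag);
  // final() throws if the ciphertext, tag or associated data was modified.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}
```

The random nonce makes two encryptions of the same address differ, which is why the deterministic HMAC value is what gets indexed for lookups.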
Transport Security
All data in transit is encrypted via TLS 1.2+. Authentication cookies use httpOnly, secure, and sameSite: strict flags to prevent XSS and CSRF attacks.
Access Controls
Row-Level Security (RLS) policies restrict database access. API routes verify JWT tokens with HMAC-SHA256 signatures. Rate limiting prevents brute-force attacks.
Audit Logging
All significant actions are recorded in an immutable audit log with actor identification, timestamps, IP addresses, and action metadata for compliance and forensic purposes.
4. Legal Basis for Processing (GDPR Article 6)
- Consent (Art. 6(1)(a)): We process data based on your explicit consent, obtained at account creation. You may withdraw consent at any time.
- Contractual Necessity (Art. 6(1)(b)): Processing necessary for the performance of our service agreement.
- Legitimate Interest (Art. 6(1)(f)): Security monitoring, fraud prevention, and platform improvement.
- Legal Obligation (Art. 6(1)(c)): Where required by applicable law (e.g., tax records, regulatory reporting).
5. Your Rights
Depending on your jurisdiction, you have the following rights:
| Right | GDPR | CCPA | LGPD | POPIA | PIPEDA |
|---|---|---|---|---|---|
| Access your data | Yes | Yes | Yes | Yes | Yes |
| Rectify inaccurate data | Yes | Yes | Yes | Yes | Yes |
| Delete your data | Yes | Yes | Yes | Yes | Yes |
| Data portability | Yes | Yes | Yes | - | - |
| Restrict processing | Yes | - | Yes | Yes | Yes |
| Object to processing | Yes | - | Yes | Yes | Yes |
| Withdraw consent | Yes | Yes | Yes | Yes | Yes |
| Non-discrimination | - | Yes | - | - | - |
To exercise any of these rights, contact us at privacy@clankerrank.xyz. We will respond within 30 days (or sooner if required by your local law).
6. Data Retention
- Admin accounts: Data is retained for the duration of the account plus 30 days after deletion request.
- Candidate assessment data: Retained for 12 months after the assessment, unless the Admin or Candidate requests earlier deletion.
- Consent records: Retained for 5 years as required for compliance audit trails.
- Audit logs: Retained for 3 years for security and compliance purposes.
- Invite tokens: Expired/used tokens are retained for 90 days, then permanently deleted.
7. Data Sharing & Third Parties
We do not sell your personal data. We may share data with:
- Infrastructure Providers: Supabase (database hosting, PostgreSQL), Vercel (application hosting). These providers are contractually bound to protect your data and process it only on our instructions.
- Legal Requirements: We may disclose data if required by law, court order, or governmental request.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred. You will be notified of any such change.
8. International Data Transfers
Your data may be processed in countries outside your own. When we transfer data internationally, we ensure adequate protection through: (a) adequacy decisions by relevant authorities; (b) Standard Contractual Clauses (SCCs) approved by the European Commission; or (c) other legally recognized transfer mechanisms. For transfers from the EU/EEA, we rely on SCCs as our primary transfer mechanism.
9. Cookies & Tracking
ClankerRank Hire uses only essential cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| hire_admin_token | Admin session authentication | 7 days |
We do not use analytics cookies, advertising cookies, or any third-party tracking technologies on ClankerRank Hire.
10. Data Breach Notification
In the event of a personal data breach, we will: (a) notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Article 33); (b) notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms; and (c) document the breach, its effects, and remedial actions taken.
11. Children's Privacy
ClankerRank Hire is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a minor, we will take immediate steps to delete it.
12. California Residents (CCPA / CPRA)
If you are a California resident, you have additional rights under the CCPA and CPRA:
- Right to know what personal information is collected, used, shared, or sold.
- Right to delete personal information held by us.
- Right to opt-out of the sale of personal information. We do not sell personal information.
- Right to non-discrimination for exercising your privacy rights.
- Right to correct inaccurate personal information.
- Right to limit use of sensitive personal information.
To submit a verifiable consumer request, email privacy@clankerrank.xyz.
13. EU/EEA Residents (GDPR)
Our Data Protection Officer can be reached at dpo@clankerrank.xyz. You have the right to lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated. A list of EU supervisory authorities is available at the European Data Protection Board website.
14. Brazilian Residents (LGPD)
In accordance with the Lei Geral de Proteção de Dados, you may exercise your rights through our Data Protection Officer. We appoint a local representative as required. You may file complaints with the Autoridade Nacional de Proteção de Dados (ANPD).
15. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email or through the Platform at least 30 days before taking effect. The “Last Updated” date at the top reflects the most recent revision.
16. Contact Us
General Privacy Inquiries: privacy@clankerrank.xyz
Data Protection Officer: dpo@clankerrank.xyz
Data Subject Access Requests: privacy@clankerrank.xyz with subject line “DSAR”