TraqCheck IT Services Private Limited (“TraqCheck”, “we”, “our”, or “us”) is committed to protecting your privacy and handling personal data in a transparent, secure, and responsible manner. This document has been approved by our DPO / Legal Counsel.
1. Introduction
TraqCheck IT Services Private Limited (“TraqCheck”, “we”, “our”, or “us”) is committed to protecting your privacy and handling personal data in a transparent, secure, and responsible manner.
This Privacy Policy explains how we collect, use, disclose, retain, and protect personal data when you interact with our websites, products, and services, including:
- TRACE, our background verification platform; and
- NINA, our AI-powered talent sourcing and candidate engagement platform.
This Privacy Policy is intended to comply with applicable privacy and data protection laws, including the General Data Protection Regulation (“GDPR”), the UK GDPR, and the Digital Personal Data Protection Act, 2023 (“DPDPA”) of India, together with other applicable privacy laws.
By accessing our websites or using our services, you are informed of the practices described in this Privacy Policy. This Privacy Policy does not constitute consent to the processing of your personal data; where consent is required, it will be obtained separately in accordance with applicable law.
2. Who We Are
TraqCheck IT Services Private Limited is a technology company providing background verification and AI-powered talent sourcing services to organisations globally.
- Registered Name: TraqCheck IT Services Private Limited
- Registered Address: C-01, Hub And Oak, E-14 LGF, Defence Colony, New Delhi, Delhi, India, 110024
- Data Protection Officer: dpo@traqcheck.com
- EU Representative: Suite 501, 116 Baker Street, London, England, W1U 6TS
3. Our Role in Processing Personal Data
Depending on the service being provided, TraqCheck may act either as a Data Controller or a Data Processor.
TRACE — Background Verification Services
When providing background verification services through TRACE, TraqCheck acts as a Data Processor on behalf of employers, recruiters, staffing agencies, educational institutions, or other customers requesting verification services (“Customers”).
The Customer requesting the verification determines the purposes and scope of the verification and acts as the Data Controller under GDPR or the Data Fiduciary under the DPDPA. TraqCheck processes personal data solely for the purpose of performing the requested verification services and in accordance with the Customer’s documented instructions.
NINA — Talent Sourcing and Candidate Engagement
When operating NINA, TraqCheck acts as a Data Controller. TraqCheck determines the purposes and means of processing personal data for candidate identification, talent sourcing, recruitment outreach, and candidate engagement activities conducted through NINA.
TraqCheck might act as joint controller in certain cases. For further information refer to the Terms of Service for NINA.
4. Categories of Personal Data We Process
Depending on the services provided, we may process the following categories of personal data:
| Category | Data |
|---|---|
| Identity Information | Full name; date of birth; government-issued identification details (passport, national ID, driving licence); photographs and identity document images (for identity verification — transient, not retained beyond the check) |
| Contact Information | Email address; telephone number; residential or mailing address |
| Employment Information | Current and previous employers; employment dates and tenure; job titles and roles; professional experience and achievements |
| Educational Information | Educational qualifications and degrees; academic institutions attended and dates of study; professional certifications and training history |
| Candidate Information (NINA) | Publicly available professional profile information; resumé or curriculum vitae; professional skills and career preferences; candidate communications and conversation records; interview-related information; AI-assisted suitability indicators (post-consent only) |
| Verification Information (TRACE) | Employment verification results; education verification results; identity verification results; professional licence and credential verification results; criminal record verification results, where legally permitted and appropriately consented to; credit and financial history, where applicable to the role and appropriately consented to |
| Consent, Compliance and Technical Records | Consent records (timestamp, IP address, consent version, preferences); withdrawal and opt-out records; data subject rights request records; IP address; browser type and device information; log files and website usage data; cookie identifiers |
5. How We Collect Personal Data
We may collect personal data:
- Directly from you, when you submit information through our platforms or communicate with us;
- From our Customers, who provide candidate details when initiating a background verification check through TRACE;
- From previous employers, educational institutions, professional licensing bodies, and government authorities, for the purpose of conducting verification checks;
- From publicly available professional sources, such as professional networking platforms, professional databases, and publicly accessible professional profiles, where permitted by applicable law;
- Through our websites and platforms, including through cookies and similar technologies; and
- Through service providers acting on our behalf.
6. How We Use Personal Data
We process personal data to:
- Provide and operate our TRACE and NINA services;
- Conduct background verification activities on behalf of our Customers;
- Verify information provided by individuals;
- Facilitate recruitment and candidate engagement activities;
- Respond to enquiries and data subject rights requests;
- Maintain platform security and prevent fraud;
- Comply with legal and regulatory obligations;
- Maintain records for audit and compliance purposes; and
- Improve and develop our products and services.
7. TRACE — Background Verification Services
TRACE enables organisations to conduct employment, education, identity, professional credential, criminal record, and other background verification checks.
When providing TRACE services, TraqCheck acts solely as a Data Processor and processes personal data only on behalf of and under the instructions of the Customer requesting the verification.
Consent for Verification
Background verification activities conducted through TRACE are performed only after appropriate consent has been obtained from the individual undergoing verification. Consent may be obtained:
- By the Customer prior to initiating the verification request; or
- Directly by TraqCheck at the commencement of the verification process through TRACE’s candidate consent interface.
TraqCheck maintains immutable records of all consents obtained, including the timestamp, IP address, consent version, and the specific checks consented to by the individual.
Criminal Record and Sensitive Data Checks
Where background verification includes criminal record data, biometric data, or financial history, TraqCheck processes such data only where:
- The individual has given explicit consent to the specific sensitive data check;
- The Customer has confirmed that applicable law authorises such processing for the specific role and jurisdiction; and
- The purpose is proportionate to the privacy impact on the individual.
Criminal record data is deleted within six months of delivery of the verification report, regardless of any other retention period. Identity document images are deleted upon completion of the identity verification check.
Purpose of Processing
TRACE processes personal data solely for:
- Identity, employment, educational, professional credential, and criminal record verification;
- Generation of verification reports for Customers;
- Fraud prevention and compliance purposes.
TraqCheck does not use personal data processed through TRACE for marketing, advertising, profiling, or any purpose unrelated to the verification services requested by the Customer.
Data Subject Requests — TRACE
Where personal data is processed through TRACE, TraqCheck acts as a Data Processor. Individuals whose data is processed through TRACE should ordinarily direct data rights requests to the Customer (employer or organisation) that initiated the background check, as that organisation is the Data Controller.
TraqCheck will assist the relevant Customer in responding to such requests in accordance with applicable law. Where an individual contacts TraqCheck directly, we will acknowledge the request and coordinate with the relevant Customer to facilitate resolution. TraqCheck will not allow any data rights request to go unanswered — if a Customer is unresponsive, TraqCheck will advise the individual directly of their options.
8. NINA — Talent Sourcing and Candidate Engagement
NINA helps organisations identify and connect with qualified candidates for employment opportunities. When operating NINA, TraqCheck acts as a Data Controller.
How We Identify Candidates
To identify potential candidates, NINA reviews publicly available professional information where an individual’s qualifications, skills, experience, or professional background appears to align with a specific employment opportunity. This may include information made publicly available by individuals through professional networking platforms, professional websites, portfolios, publications, or similar professional sources.
Under the Digital Personal Data Protection Act 2023 (DPDPA), Section 3(b)(A), personal data that has been made publicly available by the Data Principal themselves is exempt from the provisions of the DPDPA. Where your professional profile data was published by you on professional platforms, this exemption applies to TraqCheck’s initial identification of your profile for recruitment purposes.
Under the EU and UK GDPR, this limited processing is undertaken on the basis of TraqCheck’s legitimate interests in facilitating recruitment and connecting qualified professionals with relevant opportunities (Article 6(1)(f)). At this stage, NINA performs only basic criteria matching — identifying whether a publicly available profile appears relevant to a role. No AI scoring, no profiling, and no automated decision-making occurs before we contact you. The decision to contact a candidate is made by a human recruiter (the Customer’s HR team).
First Outreach — Notice and Consent Request
Where a candidate’s profile appears relevant to a role, NINA sends an introductory communication that simultaneously:
- Provides notice under GDPR Article 14 and DPDPA Section 5 — explaining who we are, where we obtained your information, why we are contacting you, how long we will retain your data if you do not respond, and how to exercise your rights; and
- Requests your consent to proceed with further recruitment-related processing, including sharing your profile with the hiring organisation.
This outreach email is TraqCheck’s first active use of your personal data. If you do not respond, your data is deleted within 30 days of the outreach email.
Consent-Based Processing
No further recruitment-related processing through NINA is undertaken unless the individual provides consent by responding positively to the first outreach email. Following consent, TraqCheck may process personal data for:
- Candidate engagement and recruitment communications;
- AI-assisted conversational screening (post-consent only);
- Opportunity matching and suitability assessment;
- Sharing your profile with the Customer’s hiring team if you are shortlisted; and
- Interview coordination and talent pool participation.
Withdrawal of Consent
Individuals may withdraw consent at any time by clicking the opt-out link in any NINA communication, or by contacting us at dpo@traqcheck.com. Upon withdrawal, TraqCheck will cease all recruitment-related processing through NINA except to maintain suppression records to prevent further contact and comply with legal obligations. Withdrawal does not affect the lawfulness of processing conducted before withdrawal.
DPDPA — Indian Candidates
For candidates who are Indian citizens or residents, the first NINA outreach email constitutes the required notice under DPDPA Section 5 and requests consent under DPDPA Section 6. For Indian candidates, consent is the primary lawful basis for all NINA processing beyond initial identification from publicly available data. Clicking ‘Yes’ in the outreach email constitutes your free, specific, informed, and unambiguous consent under DPDPA Section 6.
9. Legal Bases for Processing
TraqCheck relies on the following legal bases for processing personal data, depending on the nature of the processing activity and applicable law:
| Processing Activity | Product | GDPR Basis | DPDPA Basis |
|---|---|---|---|
| BGV processing on Customer instruction | TRACE | Art. 6(1)(b) Contract; Art. 6(1)(c) Legal obligation | Legitimate use (employment) |
| Candidate consent capture | TRACE | Art. 6(1)(a) Consent | Consent |
| Criminal record / biometric data | TRACE | Art. 9(2)(a) Explicit consent; Art. 10 authorisation | Explicit consent |
| Identifying candidates from public data | NINA | Art. 6(1)(f) Legitimate interests | Public data exemption; Legitimate use |
| First outreach email | NINA | Art. 6(1)(f) Legitimate interests | Notice obligation; Consent request |
| Further recruitment processing | NINA | Art. 6(1)(a) Consent | Consent |
| Maintaining suppression lists | Both | Art. 6(1)(c) Legal obligation; Art. 6(1)(f) LI | Withdrawal honoured |
| Compliance and audit records | Both | Art. 6(1)(c) Legal obligation; Art. 5(2) Accountability | Data Processor obligations |
11. International Data Transfers
All personal data processed by TraqCheck is stored within our primary cloud infrastructure. Where personal data is transferred internationally, such transfers are conducted using one or more of the following safeguards: (a) an adequacy decision by the European Commission or UK Secretary of State (Article 45 GDPR); (b) Standard Contractual Clauses approved by the European Commission (Article 46(2)(c) GDPR); (c) other appropriate safeguards under Article 46 GDPR; or (d) in compliance with conditions notified by the Central Government under DPDPA Section 16(1). A copy of the relevant transfer safeguards may be obtained by contacting our Data Protection Officer. Regardless of where the data is processed or stored, appropriate technical safeguards are implemented, including encryption at rest using AES-256 and encryption in transit using TLS 1.3 or higher.
12. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, in accordance with the following retention schedule:
| Data Category | Retention Period | Notes |
|---|---|---|
| TRACE — BGV report and standard verification data | Per Statement of Work (default: 12 months from report delivery) | Shorter or longer periods may be agreed with the Customer in the applicable SOW |
| TRACE — Criminal record data | Maximum 6 months from report delivery | Hard limit regardless of SOW; earlier deletion required by applicable law takes precedence |
| TRACE — Identity document images | Deleted on completion of identity check | Not retained beyond the verification |
| NINA — No response to outreach email | 30 days from date of outreach email | Automatic deletion; suppression list updated |
| NINA — Candidate engaged but not shortlisted | 6 months from last interaction | Automatic deletion |
| NINA — Candidate shortlisted; profile shared with Customer | 12 months from date of sharing | Customer notified to delete their copy |
| Consent and opt-out records (all products) | 7 years from date of consent or withdrawal | Retained for regulatory compliance and audit |
| Audit logs | 3 years | Rolling deletion |
| Data subject rights request records | 3 years from closure of request | Limitation period for regulatory action |
13. Your Privacy Rights
Subject to applicable law, individuals may have the following rights in relation to their personal data:
Rights under GDPR (EU and UK individuals)
- Right to be informed — to receive clear information about how your personal data is processed;
- Right of access — to obtain a copy of your personal data;
- Right to rectification — to have inaccurate or incomplete data corrected;
- Right to erasure — to request deletion of your personal data in certain circumstances;
- Right to restriction — to request that processing is paused while a dispute is resolved;
- Right to data portability — to receive your data in a machine-readable format where applicable;
- Right to object — to object to processing based on legitimate interests or for direct marketing;
- Right not to be subject to solely automated decisions — see Section 15; and
- Right to complain to a supervisory authority — ICO (UK): ico.org.uk | your national EU Data Protection Authority.
Rights under DPDPA 2023 (Indian individuals)
- Right to information about personal data being processed (Section 11(1)(a));
- Right to access a summary of personal data and processing activities (Section 11(1)(b));
- Right to correction of inaccurate or incomplete personal data (Section 12);
- Right to erasure of personal data where the purpose is fulfilled or consent is withdrawn (Section 13);
- Right to withdraw consent at any time (Section 6(4));
- Right to nominate another individual to exercise rights on your behalf (Section 14); and
- Right to grievance redressal and to approach the Data Protection Board of India if unresolved (Sections 13(6), 27).
14. Data Subject Requests and Grievances
TRACE
Where personal data is processed through TRACE, TraqCheck acts as a Data Processor. Individuals should ordinarily direct requests relating to access, correction, deletion, or other privacy rights to the employer or organisation that initiated the background verification, as that organisation is the Data Controller / Data Fiduciary.
TraqCheck will assist the relevant Customer in responding to such requests in accordance with applicable law. Where an individual contacts TraqCheck directly, we will acknowledge the request promptly and coordinate with the relevant Customer. If a Customer is unresponsive, TraqCheck will notify the individual and advise them of their right to approach the relevant supervisory authority.
NINA
Where personal data is processed through NINA, TraqCheck acts as a Data Controller. Individuals may exercise their privacy rights directly with TraqCheck using the contact details in Section 20. We will respond to all requests within 30 days (or such shorter period as required by applicable law).
15. Automated Decision-Making
TRACE
TRACE uses automated processes and third-party verification APIs to conduct verification checks. However, the verification report delivered to the Customer represents an aggregation of verified information; it does not make an employment recommendation. All employment decisions based on the TRACE report are made by the Customer’s human HR team. No adverse employment decision may be made based solely on automated outputs from TRACE without human review.
NINA
NINA uses AI to conduct conversational screening of candidates who have consented to further engagement. This AI-assisted process generates suitability indicators that are used to assist, not replace, the Customer’s human hiring decision. No AI-generated assessment is used to automatically exclude or include a candidate without human review by the Customer.
Before we contact you, NINA performs only basic criteria matching against your publicly available professional profile, equivalent to a keyword search. No profiling, scoring, or automated decision with significant effects occurs before the first outreach email is sent.
Under GDPR Article 22, you have the right not to be subject to a decision based solely on automated processing that significantly affects you. To request human review of any AI-generated assessment, contact dpo@traqcheck.com with the subject line ‘Human Review Request’.
16. Security of Personal Data
TraqCheck maintains appropriate technical and organisational measures designed to protect personal data against unauthorised access, disclosure, alteration, loss, misuse, or destruction. These measures include:
- Encryption of personal data at rest (AES-256) and in transit (TLS 1.3+);
- Role-based access controls and least-privilege principles;
- Multi-factor authentication for all administrative and client-facing accounts;
- Immutable audit logging of all data access and processing events;
- Annual third-party penetration testing;
- Continuous vulnerability management and patch processes;
- Vendor due diligence and sub-processor security requirements;
- Employee confidentiality obligations and annual data protection training; and
- Documented incident response and breach notification procedures.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, TraqCheck will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (as required under GDPR Article 33), and will notify the Data Protection Board of India in the prescribed manner and timeframe under DPDPA Section 8(6). Where required, TraqCheck will notify affected individuals without undue delay.
18. Children’s Privacy
TraqCheck’s services are intended for professional and employment-related purposes and are not directed toward children. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that personal data relating to a child has been collected inadvertently, we will take appropriate steps to delete such information without undue delay.
19. EU and UK Representatives
Where TraqCheck is not established in the EU or UK but offers services to individuals in those jurisdictions, TraqCheck has appointed the following representatives in accordance with GDPR Article 27 and UK GDPR Article 27:
- EU Representative (Article 27 GDPR): Jaibir Nihal Singh, Suite 501, 116 Baker Street, London, England, W1U 6TS
- UK Representative (Article 27 UK GDPR): Jaibir Nihal Singh, Suite 501, 116 Baker Street, London, England, W1U 6TS
20. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or raise a concern regarding the processing of your personal data, please contact us:
Data Protection Officer
- Email: dpo@traqcheck.com
- Subject Line: Please use ‘Privacy Enquiry’, ‘DSAR’, or ‘Human Review Request’ as appropriate
- Postal Address: TraqCheck IT Services Private Limited, C-01, Hub And Oak, E-14 LGF, Defence Colony, New Delhi, Delhi, India, 110024
Data Subject Rights Request
- DSAR Form: https://backend.traqcheck.com/homepage/gdpr
- Response Time: 30 days (extendable to 90 days for complex requests under GDPR)
Supervisory Authorities
If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with the relevant supervisory authority:
- United Kingdom: Information Commissioner’s Office (ICO) — ico.org.uk | 0303 123 1113
- European Union: Your national Data Protection Authority — edpb.europa.eu
- India: Data Protection Board of India — to be constituted under the DPDPA 2023
21. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our services, legal obligations, technology, or privacy practices. Material changes will be communicated to affected individuals through appropriate channels (for example, by email to candidates actively engaged through NINA, or by prominent notice on our website) before the changes take effect.
The latest version of this Privacy Policy is always available at traqcheck.com/privacy. The version number and effective date at the top of this document indicate when it was last updated. We encourage you to review this Privacy Policy periodically.
22. Version History
| Version | Log | Approved By | Date |
|---|---|---|---|
| 1.0 | Initial policy created | Legal / DPO | February 2026 |
| 2.0 | Current version — full GDPR, UK GDPR and DPDPA compliance update; EU/UK representatives added; primary storage disclosed; retention schedule added; legal basis table added; Art. 22 automated decision-making section added | DPO / Legal Counsel | July 2026 |
This document shall be reviewed annually and whenever significant changes occur in TraqCheck’s processing activities, applicable law, or regulatory guidance.
