HR & recruitment

You hold CVs for thousands of candidates who never consented to being stored

Recruitment firms have the highest pre-existing DPDPA risk of any Indian SMB sector. CV databases without consent. Client company sharing without DPAs. BGV data handling without documented consent. Privigo fixes it — start free, live in 48 hours.

  • CV consent at collection
  • Client DPAs
  • 12-month re-consent rule

Compliance gaps

Your four compliance gaps

Most HR firms and recruitment agencies have all four — often without realising the exposure until an enterprise client asks during a procurement audit.

  • 1 · CVs without consent

    Years of CVs collected via email, job portals, and walk-ins — with no per-purpose consent, no retention policy, and no proof of what notice was shown.

  • 2 · Sharing without DPAs

    When you forward a candidate's CV to a hiring company, you are sharing personal data. Without a written Data Processing Agreement, neither party has defensible evidence.

  • 3 · BGV handling

    Background verification data — address, employment history, criminal checks — requires documented consent and restricted access. Most firms treat BGV as "part of the process" without a separate lawful basis.

  • 4 · No retention policy

    Non-selected candidates' CVs sit in your ATS indefinitely. DPDPA's storage limitation principle requires defined deletion timelines — not "we might need it someday."

Enterprise pressure

Why your enterprise clients will require your badge

Large corporate HR teams and enterprise staffing buyers are starting to include DPDPA compliance evidence in vendor due diligence — the same way GDPR vendor questionnaires became standard in 2018–2020.

The 12-month rule

Inactive candidate data must be re-consented or deleted

Candidate data that has been inactive for 12 months must be re-consented or deleted under DPDPA's storage limitation expectations. Most firms have no system for this. Privigo automates the flag.

  • AI flags inactive records — candidates with no activity for 12 months trigger a re-consent or deletion workflow automatically.
  • Per-purpose consent at application — not a generic "I agree to terms" line buried in the job form.
  • Client sharing agreements — template DPA workflows for each hiring company that receives CVs from your firm.
  • Privigo Guardrails — recruitment firms use WhatsApp for candidate communication including salary discussions; Guardrails scans every message for PII before it reaches an LLM.

Empower · Operations

Rights request queue with status and assignment: access, correction, erasure, and withdrawal requests — tracked with SLA-friendly status.

How Privigo helps

Start free. Scale when enterprise clients ask.

Start free with DPDPA-compliant job application forms, cookie consent, and an AI privacy policy. Get DPDPA Ready in 7 days with a verifiable badge. Move to DPDPA Compliant when you need client DPAs, ATS integrations, and full audit trails across your candidate database.

Next step

Diagnose your firm's gaps — then start free

Gap Analysis includes HR-specific questions about CV consent, client sharing, and retention. One setup call and your digital presence can be live in 48 hours.