Privacy Policy

1. Introduction

Petal Apps ("we," "us," "our") is committed to protecting your privacy and safeguarding your personal information. ApplyMantra (applymantra.com) is developed and operated by the Petal Apps team. This Privacy Policy applies to ApplyMantra and all related services, applications, and tools provided by us.

This Policy is published in compliance with the Information Technology Act, 2000 (IT Act), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the Digital Personal Data Protection Act, 2023 (DPDP Act), and the Consumer Protection (E-Commerce) Rules, 2020.

2. Information We Collect

We collect information in three ways: information you provide directly, information collected automatically, and information from third parties.

2.1 Information You Provide Directly

• Account Information: Name, email address, phone number, password (stored in hashed form), and profile photo.
• Resume & Career Data: Resume files (PDF/DOCX), work history, educational qualifications, skills, certifications, and career preferences.
• Job Application Data: Jobs you apply to, application statuses, notes, and communications tracked within the platform.
• Payment Information: Billing address and payment method details (processed and stored by our PCI-DSS-compliant payment gateway; we do not store full card numbers).
• Communications: Emails, support tickets, feedback, and survey responses submitted to us.
• Preferences: Job search preferences, notification settings, and onboarding information.

2.2 Information Collected Automatically

• Usage Data: Pages visited, features used, search queries, click patterns, and time spent on the platform.
• Device & Technical Data: IP address, browser type and version, operating system, device identifiers, and referring URLs.
• Cookies & Tracking: Session cookies, persistent cookies, and similar tracking technologies (see Section 6).
• Log Data: Server logs recording user interactions, errors, and access times.

2.3 Information from Third Parties

• Social Login: If you sign in via Google or another OAuth provider, we receive basic profile information (name, email, profile picture) as permitted by you.
• Job Boards: Job listing metadata from third-party job boards we aggregate (this does not include your personal data).

3. How We Use Your Information

We use your personal information for the following purposes:

• Service Delivery: Creating and managing your account, providing AI resume tailoring, job matching, application tracking, and interview preparation features.
• Personalisation: Customising your job feed, recommendations, and platform experience based on your profile and preferences.
• Payments: Processing subscription payments, managing billing, and preventing fraud.
• Communications: Sending transactional emails (account verification, payment receipts), service updates, and (with your consent) marketing communications.
• Platform Improvement: Analysing usage patterns to improve features, fix bugs, and develop new services.
• Security & Compliance: Detecting and preventing fraud, abuse, and security incidents; complying with legal obligations.
• Legal Obligations: Responding to lawful government or regulatory requests.

We will not use your personal data for any purpose beyond those described above without obtaining your prior consent.

4. Information Sharing & Disclosure

We do not sell your personal information. We share it only in the following limited circumstances:

4.1 Service Providers

We share data with trusted third-party service providers who assist us in operating the platform, subject to strict data processing agreements:

• Cloud Infrastructure: Amazon Web Services (AWS) — hosting and data storage.
• Payment Processors: PCI-DSS-compliant payment gateways for subscription billing.
• Analytics: Aggregated, anonymised analytics services.
• AI Providers: Large language model providers used for resume tailoring (data is processed under confidentiality agreements).
• Email Services: Transactional email delivery providers.

4.2 Legal Requirements

We may disclose your personal data to government authorities, law enforcement, or regulatory bodies if required by applicable law, court order, or legal process, or to protect the rights, property, or safety of Petal Apps, our users, or the public.

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity, provided that entity agrees to honour this Privacy Policy.

4.4 With Your Consent

We may share your information with third parties in any other circumstance with your explicit prior consent.

5. Sensitive Personal Data (SPDI Rules 2011)

The Information Technology (SPDI) Rules, 2011 classify certain categories of information as Sensitive Personal Data or Information (SPDI). On ApplyMantra, the following may constitute SPDI:

• Financial information (payment details processed via our payment gateway).
• Health or medical information (if disclosed in your resume or profile).
• Biometric data (not currently collected by ApplyMantra).

We collect SPDI only with your prior consent, only for specified purposes, and only to the extent necessary. You may withdraw consent for collection of SPDI at any time by contacting us at privacy@applymantra.com. Withdrawal of consent may limit your ability to use certain features.

We do not transfer SPDI to any body corporate or person located in any country that does not ensure a similar level of data protection as India, without your prior consent.

6. Cookies & Tracking Technologies

We use cookies and similar technologies (such as local storage and session storage) to operate the platform, remember your preferences, and understand usage patterns.

You may control cookies through your browser settings. Disabling essential cookies may affect platform functionality. We do not use cookies to track your browsing activity on third-party websites.

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide you with our Services. Specific retention periods:

• Account Data: Retained for the duration of your account, plus 90 days after deletion request.
• Resume & Application Data: Retained for the duration of your account, plus 30 days after deletion.
• Payment Records: Retained for 7 years as required by Indian financial regulations and GST law.
• Server Logs: Retained for up to 180 days for security purposes.
• Support Communications: Retained for 2 years after resolution.

You may request deletion of your personal data at any time (subject to legal obligations that require us to retain certain records). See Section 9 for how to exercise this right.

8. Security Practices

We implement reasonable security practices and procedures as required under the SPDI Rules, 2011, including:

• Encryption of data in transit using industry-standard TLS/SSL.
• Encryption of stored data at rest where supported by our cloud infrastructure providers.
• Secure password hashing using industry-standard algorithms.
• Access controls limiting team member access to personal data on a need-to-know basis.
• Periodic reviews of our security posture and dependencies.
• Reasonable procedures for responding to and notifying users of material data incidents.

Despite these measures, no transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security of your data. In the event of a data breach affecting your rights, we will notify you as required by applicable law.

9. Your Rights

Under applicable Indian law and our commitment to data protection, you have the following rights:

• Right to Access: Request a copy of the personal data we hold about you.
• Right to Correction: Request correction of inaccurate or incomplete personal data.
• Right to Erasure: Request deletion of your personal data, subject to legal retention obligations.
• Right to Withdraw Consent: Withdraw consent for processing of sensitive personal data at any time.
• Right to Grievance Redressal: Lodge a complaint with our Grievance Officer (see Section 13).
• Right to Nominate: Under the DPDP Act, 2023, designate a nominee to exercise your rights in case of death or incapacity.
• Right to Data Portability: Request your data in a structured, machine-readable format (to be implemented in accordance with DPDP Act timelines).

To exercise any of these rights, contact us at privacy@applymantra.com. We will respond within 30 days of receiving your request.

You also have the right to opt out of marketing communications at any time by clicking the "Unsubscribe" link in any email or by contacting our support team.

10. Children's Privacy

ApplyMantra is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have collected personal data from a person under 18 without verified parental consent, we will take immediate steps to delete such information. If you believe we may have such data, please contact us at privacy@applymantra.com.

11. Cross-Border Data Transfers

Your personal data may be stored and processed in India or in other countries where our service providers operate (including the United States for cloud services). Where data is transferred outside India, we ensure that the recipient country or entity provides a level of data protection comparable to that applicable in India, or we obtain your prior consent for such transfer.

Such transfers are governed by appropriate data transfer agreements, including standard contractual clauses, as required under applicable Indian law.

12. Digital Personal Data Protection Act, 2023

The Digital Personal Data Protection Act, 2023 (DPDP Act) represents a significant evolution in India's data protection framework. We are actively preparing for full compliance with the DPDP Act as its provisions come into force.

Our commitments under the DPDP Act include:

• Processing personal data only for specified, lawful purposes with your consent.
• Maintaining accuracy and completeness of your personal data.
• Implementing appropriate technical and organisational security measures.
• Deleting personal data once the purpose for collection is fulfilled or upon withdrawal of consent.
• Designating a contact point for data protection queries (currently our Grievance Officer); we will appoint a Data Protection Officer if and when required for our category of operations under the DPDP Act rules.
• Providing a clear and accessible mechanism for you to exercise your rights under the DPDP Act.

Non-compliance with the DPDP Act may attract penalties of up to ₹250 crore per instance and up to ₹10,000 crore for repeated violations. We take this obligation seriously and are committed to full compliance.

13. Grievance Officer

In accordance with the IT Act, 2000, SPDI Rules, 2011, and the IT (Intermediary Guidelines) Rules, 2021, we have appointed a Grievance Officer for privacy-related concerns:

If you are not satisfied with our response, you may escalate your complaint to the relevant authority under the DPDP Act, 2023 once the Data Protection Board of India is constituted.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email and/or a prominent notice on the platform at least 15 days before the changes take effect. The updated date will be reflected at the top of this page.

We encourage you to review this Policy periodically. Continued use of the platform after changes take effect constitutes acceptance of the revised Policy.

15. Contact Us

For any privacy-related questions, requests, or concerns: