Data Policy

1Types of Data We Process

• Customer data: Account information, billing details, and configuration settings for enterprise customers.
• Candidate data: Resumes, interview recordings, AI scores, assessments, and communication history.
• Usage data: Platform interaction logs, feature usage, and performance metrics.
• Integration data: Data received from or sent to connected ATS, HRIS, and other integrated platforms.
• Support data: Correspondence, tickets, and diagnostic information provided during support interactions.

2Data Controller vs. Data Processor

Zealogics acts as a Data Processor on behalf of enterprise customers (Data Controllers) for candidate data. Zealogics acts as Data Controller for account holder and usage data. We process candidate data solely according to the documented instructions of our enterprise customers and in compliance with applicable data protection laws.

3Legal Basis for Processing

• Contract performance: Processing necessary to deliver the ZeaHire service.
• Legitimate interests: Product improvement, security monitoring, and fraud prevention.
• Legal obligation: Compliance with applicable laws and regulatory requirements.
• Consent: Where required, we obtain explicit consent before processing sensitive categories of data.

4Data Residency

Enterprise customers can select their preferred data residency region. Available regions include Southeast Asia (Malaysia), Asia-Pacific (Singapore), Europe (Netherlands), and United States (Virginia). Data is not transferred outside the selected region without explicit customer consent, except where required by law.

5Data Retention and Deletion

• Active account data is retained for the duration of the subscription.
• Candidate data follows the retention schedule configured by the enterprise customer (default: 24 months).
• Upon subscription termination, customer data is exportable for 30 days and then securely deleted within 90 days.
• Backup data is purged on a rolling 30-day cycle.
• Usage logs are retained for 12 months for security and compliance purposes.

6Sub-processors

We use a limited number of trusted sub-processors to deliver our services, including cloud infrastructure providers, email delivery services, and analytics platforms. All sub-processors are bound by data processing agreements requiring equivalent data protection standards. An up-to-date list of sub-processors is available upon request at legal@zealogics.com.

7Candidate Data Rights

• Candidates whose data is processed via ZeaHire have rights under applicable data protection laws.
• Requests to access, correct, or delete candidate data should be directed to the enterprise customer (the Data Controller).
• Zealogics will assist enterprise customers in fulfilling candidate data subject requests upon instruction.
• Candidates may also contact Zealogics directly at privacy@zealogics.com for data-related enquiries.

8AI and Automated Decision Making

ZeaHire uses AI to generate candidate scores and recommendations. These outputs are advisory only and do not constitute automated decisions with legal or significant effects without human review. Candidates have the right to request human review of AI-generated assessments through the enterprise customer.

9Data Security Measures

• AES-256 encryption for data at rest; TLS 1.3 for data in transit.
• Role-based access controls limiting data access to authorised personnel.
• Regular security audits and penetration tests.
• Data Loss Prevention (DLP) policies and monitoring.
• See our Security page for full technical details.

10Data Processing Agreements

Enterprise customers requiring a formal Data Processing Agreement (DPA) in compliance with GDPR Article 28 or equivalent requirements may request one from legal@zealogics.com. Our standard DPA includes Standard Contractual Clauses for international data transfers.