Effective Date: June 7, 2026 • hire.alvora.ai
This Data Compliance Policy outlines how Alvora LLC ("Alvora AI") meets its obligations under applicable data protection laws, including GDPR (European Union), CCPA (California), PIPL (China), and general US data protection standards. This document is intended for enterprise clients, partners, and users who require compliance documentation.
1. Applicable Regulations
- GDPR (General Data Protection Regulation) — European Union and EEA users
- CCPA (California Consumer Privacy Act) — California residents
- PIPL (Personal Information Protection Law) — China residents
- COPPA (Children's Online Privacy Protection Act) — users under 13
- HIPAA — not applicable (Alvora AI does not process health data)
- SOC 2 — not yet certified; planned for enterprise tier
2. Data Controller and Processor
Alvora LLC acts as the Data Controller for all personal data collected through the Platform. Third-party services (Supabase, AWS) act as Data Processors under our instruction. We maintain data processing agreements with all sub-processors.
3. Legal Basis for Processing (GDPR)
For users in the EU/EEA, we process personal data under the following legal bases:
- Contract performance: processing necessary to deliver the Platform services you signed up for
- Legitimate interests: processing for fraud prevention, security, and Platform improvement
- Consent: processing of video interview behavioral data (eye tracking), where we obtain explicit consent before the session begins
- Legal obligation: processing required to comply with applicable laws
4. CCPA Rights (California Residents)
California residents have the following rights under CCPA:
- Right to Know: request disclosure of personal information collected, used, or shared in the past 12 months
- Right to Delete: request deletion of personal information we hold about you
- Right to Opt-Out: we do not sell personal information — this right is satisfied by default
- Right to Non-Discrimination: exercising CCPA rights will not affect your access to the Platform
To submit a CCPA request, email lakshya@alvora.ai with the subject line "CCPA Request". We will respond within 45 days.
5. PIPL Compliance (China Users)
For users accessing the Platform from mainland China or Hong Kong SAR, we observe the following under China's Personal Information Protection Law:
- We collect only the minimum personal information necessary to provide the service
- We do not transfer personal information of Chinese residents to third parties without a lawful basis
- Data processed by AWS Bedrock is transmitted to US servers — users in China are informed of this cross-border transfer and consent is obtained at signup
- Chinese users have the right to access, correct, delete, and transfer their personal data by contacting lakshya@alvora.ai
- We do not engage in automated decision-making that produces significant legal effects without human review
Note: Alvora AI is currently a US-based platform. Enterprise clients requiring full PIPL compliance with China-local data residency should contact us to discuss custom deployment options.
6. Data Minimization
We collect only the data necessary to deliver the Platform's services. Specifically:
- Eye tracking: gaze direction signals are captured and scored locally in the browser. Raw video is never uploaded or stored on our servers.
- Resumes: stored only as plain text. We do not store uploaded PDF files after text extraction.
- Video transcripts: stored for 12 months then permanently deleted.
- Passwords: hashed with bcrypt. Plain text passwords are never stored or logged.
7. Sub-Processor List
The following sub-processors may process personal data on our behalf:
- Supabase Inc. — database and authentication. Data location: United States. Purpose: storing user accounts, resumes, job data, screening responses, interview scores.
- Amazon Web Services (AWS) — cloud infrastructure and AI. Data location: United States (us-east-2). Purpose: AI processing of resume text, job descriptions, and interview transcripts via AWS Bedrock (Amazon Nova model).
- Google (MediaPipe) — eye tracking library. Data location: processed locally in user's browser only. No data is sent to Google.
8. Data Breach Response
In the event of a personal data breach, Alvora LLC will:
- Contain the breach and assess its scope within 24 hours of discovery
- Notify affected users within 72 hours if the breach poses a risk to their rights or freedoms (GDPR requirement)
- Notify relevant supervisory authorities where required by law
- Document the breach, its effects, and remedial actions taken
- Implement measures to prevent recurrence
9. Data Subject Request Handling
We handle data subject requests as follows:
- Requests received at: lakshya@alvora.ai
- Verification: we verify identity before processing any access or deletion request
- Response time: within 30 days (GDPR), within 45 days (CCPA)
- No charge for requests, unless manifestly unfounded or excessive
10. AI and Automated Decision-Making
The Platform uses AI to generate candidate evaluation scores. We comply with the following principles:
- Transparency: users are informed that AI tools are used in evaluation
- Human oversight: all AI scores are presented as inputs to recruiter decision-making, not final verdicts
- Right to contest: applicants may contact the recruiter or Alvora AI to contest an AI evaluation
- No high-risk AI: the Platform is not used for law enforcement, credit scoring, health assessment, or other high-risk AI applications as defined under the EU AI Act
Alvora AI is monitoring the EU AI Act implementation timeline and will update compliance documentation as requirements are finalized.
11. Retention Schedule
Personal data is retained for the following periods:
- Account data (email, role, password hash): until account deletion
- Resume text: until user updates or deletes it
- Screening question responses: 24 months from submission
- Video interview transcripts and scores: 12 months from interview date
- Eye tracking behavioral data: 12 months from interview date
- Job postings: until recruiter deletes them
- Technical logs (IP, browser): 90 days
12. Enterprise and Custom Compliance
Enterprise clients requiring custom data residency (including China-local hosting), BAA agreements, SOC 2 reports, or custom DPA (Data Processing Agreements) should contact lakshya@alvora.ai to discuss options.
13. Contact and Data Protection Inquiries
Data compliance officer: Lakshya Pandey, Founder
Contact: lakshya@alvora.ai
Alvora LLC, Delaware, United States
Last reviewed: June 7, 2026