Privacy Policy.

We collect only the data we need to run our website, evaluate applications, deliver client engagements and meet our legal obligations. The categories below cover everything we record.

• Account information. Name, email address, phone number, password hash, and role (candidate, client, administrator) when you register on the ElvixIT portal.
• Resumes and application data. Education history, work experience, skills, portfolio links, expected compensation, location preferences, cover letters and any other content you submit when applying for a job or internship.
• Contact messages. The content of forms you submit through the contact, sales or support channels, including the email address and any attachments you choose to share.
• Client engagement data. Business contact details, billing information, and any project material you share with our delivery teams under a signed statement of work.
• Analytics and technical data. IP address (truncated where feasible), user agent, referrer, pages viewed, approximate region, and timestamps. We use a privacy-preserving analytics setup; we do not load third-party advertising trackers.

We do not knowingly collect data from anyone under the age of eighteen. Internship applicants must confirm they are of legal working age in their jurisdiction.

Each category above maps to one or more specific purposes. We do not sell personal data, and we do not use it for purposes that are materially different from those described here without first obtaining consent.

• Operating the website, the careers portal and the intern management system, including account authentication and session management.
• Reviewing applications, conducting interviews, extending offers, and onboarding successful candidates and interns.
• Responding to enquiries, scoping engagements, issuing proposals and invoices, and providing contracted services.
• Maintaining security, preventing fraud and abuse, and diagnosing outages or quality issues.
• Producing aggregated, non-identifying statistics about our services, hiring funnel and program outcomes.
• Complying with applicable law, including tax, employment and grievance redressal obligations.

We rely on the following legal bases under the DPDP Act, 2023 and, where applicable, comparable frameworks such as the GDPR.

• Consent. When you create an account, submit an application, or send us a message, you provide free, specific and informed consent for the processing described in this policy. Consent can be withdrawn at any time by writing to the contact address below.
• Contractual necessity. We process client and supplier data to perform contracts you have signed with us or to take pre-contract steps at your request.
• Legitimate uses. Limited processing for security, fraud prevention, internal record-keeping and the establishment, exercise or defence of legal claims.
• Legal obligation. Retention of invoices, tax records and statutory employment data for the periods required by Indian law.

Data is hosted on infrastructure operated by Amazon Web Services in the Mumbai (ap-south-1) region, with operational tooling on Hostinger and a small number of vetted SaaS subprocessors. Where a subprocessor stores data outside India, we ensure equivalent contractual protections through standard data processing terms.

Backups are encrypted and held in the same region. Access to production systems is restricted to a small group of engineers under documented access controls.

We keep personal data only for as long as it serves the purpose for which it was collected, with the following defaults.

• Resumes and application records. Kept for up to eighteen months from the date of last activity, unless you ask us to delete them earlier or you accept an offer and the data becomes part of an employment or internship record.
• Contact messages. Kept for up to twenty-four months, after which they are deleted unless they have become part of an active engagement.
• Account records. Kept for as long as the account remains active. Dormant accounts are archived after thirty-six months of inactivity and deleted on request.
• Financial and tax records. Retained for the period required by Indian law, currently eight years from the close of the relevant financial year.
• Analytics. Aggregated and non-identifying after fourteen months.

You can request deletion at any time through the channels listed in section ten, subject to overriding legal retention obligations.

We share personal data only when one of the following conditions is met.

• Service providers. A small number of infrastructure and operational providers (such as our cloud host, our email delivery provider and our analytics provider) process data on our behalf under written instructions and confidentiality obligations.
• Clients and partners. For candidates being considered for a client engagement, we share relevant application material only after obtaining your explicit consent for that specific opportunity.
• Legal obligation. We may disclose data when compelled by a valid order from a competent authority, or where disclosure is necessary to protect life, safety, or our legal rights.
• Corporate transactions. In the event of a merger, acquisition or restructuring, data may be transferred to the successor entity under equivalent protections, and you will be notified before any material change in handling.

We do not sell, rent or trade personal data, and we do not allow our subprocessors to use it for their own purposes.

You have the following rights with respect to your personal data. We respond to verified requests within thirty days, or sooner where required by law.

• Right to access. A summary of the personal data we hold about you and the purposes for which it is processed.
• Right to correction. Correction of inaccurate or incomplete data, including resume content and contact details.
• Right to erasure. Deletion of personal data, subject to any overriding legal retention obligation. Once deleted, residual data in backups is overwritten during the next scheduled rotation.
• Right to data portability. A machine-readable export of the personal data you have provided to us directly.
• Right to withdraw consent. Withdrawal of any consent you have given, without affecting the lawfulness of processing before the withdrawal.
• Right to grievance redressal. Escalation to our Grievance Officer (see section ten), and to the Data Protection Board of India if your concern is not resolved.

We apply layered controls appropriate to the sensitivity of the data we hold. While no system can be guaranteed against every possible threat, the following measures form our baseline.

• Encryption at rest for all production databases and object storage, using provider-managed keys with periodic rotation.
• TLS 1.2 or higher for all data in transit, with HSTS enforced on public domains.
• Role-based access control with named accounts, mandatory multi-factor authentication for administrative roles, and an audit log of privileged operations.
• Least-privilege defaults for engineering access to production systems, reviewed quarterly.
• Routine vulnerability scanning of our infrastructure and dependencies, and a coordinated disclosure channel for security researchers.
• Documented incident response runbooks, including notification of affected users and the Data Protection Board where required by law.

We use only the cookies and local storage entries needed to make the site work. These include a session cookie for authenticated users, a CSRF protection token, and a preference cookie for accessibility settings. We do not use third-party advertising or cross-site tracking cookies.

Aggregated analytics events are recorded without persistent device identifiers and cannot be used to identify a specific visitor.

For privacy enquiries, data subject requests, or to escalate a concern, please contact our Grievance Officer.

• Email. privacy@elvixit.com
• Postal address. ElvixIT Technologies Private Limited, Hyderabad, Telangana, India.
• Response time. Acknowledged within seventy-two hours, substantive response within thirty days.

If you are not satisfied with our response, you may approach the Data Protection Board of India under the DPDP Act, 2023.

We review this policy at least once a year and whenever there is a material change to our services or to applicable law. The “Last updated” date at the top of the page reflects the most recent revision. Substantive changes will be notified through the website and, where appropriate, by email to active account holders at least fifteen days before they take effect.