visitor@atulsehrawat.ai:~$
/privacy
privacy_policy :: public_document
last_updated :: 2026-06-02
controller :: atul sehrawat (sole data fiduciary / controller)
jurisdiction :: india (operator); applicable laws include DPDP Act 2023, GDPR / UK GDPR for EU/UK visitors
contact :: atul@atulsehrawat.ai
document
scope
This site is a professional portfolio and operator-style shell for Atul Sehrawat. It exists to present professional background, selected work, and optional interactive portfolio features. The site is operated as a sole-controller / sole-data-fiduciary deployment. There is no marketing, advertising, profiling, or sale of personal data.
section
data_we_may_process
- web request metadata (IP address, user-agent, request path, timestamps)
- short-lived OAuth state and PKCE verifier cookies (10 minutes, namespaced per provider)
- a short-lived verification flow cookie carrying a pending verifyId (30 minutes)
- if you choose to sign in with LinkedIn: a signed session cookie carrying your LinkedIn-issued subject ID, display name, email address, and profile picture URL (cookie lifetime: 7 days)
- if you start the identity verification flow (/verify): your first name, last name, and email address; a one-time email verification code (hashed in storage, plaintext is never persisted); an audit log of verification events (initiated, code attempts, decision)
- a Cloudflare Turnstile bot-check token exchanged with your browser during /verify (an opaque, short-lived token that Cloudflare uses to score the likelihood you are a real human; not linked to your account)
- the audience parameter ("recruiter" / "founder" / "cto") you submit to /brief
- the job-description text (max 4 KB) you submit to /jd, and — if you choose the URL mode of /jd/analyze — the URL you submit; the server fetches that URL once and resolves the hostname via public DNS before fetching, refusing private / loopback / link-local destinations
- correspondence you voluntarily send outside the shell (e.g., email)
section
lawful_basis
- web logs + session cookies + OAuth cookies: legitimate interests (operating and securing the service) under GDPR Art. 6(1)(f); legitimate uses under DPDP Act 2023 §7(a) where applicable
- LinkedIn sign-in + allowlist comparison: explicit consent under GDPR Art. 6(1)(a) / DPDP Act §6 (you initiate sign-in)
- /brief and /jd content generation: explicit consent (you submit the prompt)
- correspondence you send: contract / pre-contract steps at your request under GDPR Art. 6(1)(b)
section
service_providers
- Google Cloud Run (hosting)
- Resend (email delivery for one-time verification codes, https://resend.com/legal/dpa)
- MongoDB Atlas (storage of pending verifications, hashed verification codes, audit log, and rate-limit counters, asia-south1 / Mumbai)
- Google Cloud Vertex AI Gemini (AI briefings, role-match generation, and grounded role-context lookups for /jd, asia-south1 / Mumbai)
- Cloudflare, Inc. (Turnstile anti-bot challenge served during /verify only; processes a short-lived browser token and high-level browser signals; see https://www.cloudflare.com/turnstile-privacy-policy/ — the Turnstile Privacy Addendum is incorporated by reference into this policy as required for the invisible Turnstile widget mode)

Cross-border transfers: provider regions may sit outside the EU/UK and India. Transfers rely on the providers' published terms and, for EU/UK visitors, Standard Contractual Clauses where applicable. A transfer-impact assessment is maintained off-site by the controller.

AI provider note: the production deployment uses Vertex AI Gemini under Google Cloud terms which do not permit training on submitted inputs or outputs. Visitors may opt out of AI features by not using /brief or /jd. Submitted prompts are not stored by this service beyond the request lifecycle.
section
retention
- request logs (Cloud Run): 30 days, then auto-deleted
- OAuth state / PKCE cookies: 10 minutes
- signed session cookie: 7 days from issuance, then auto-expired
- AI provider logs: governed by the provider's retention; see the provider's data-processing terms
- correspondence: retained while a professional conversation is active; deleted on request
section
your_rights
You have the following rights, exercisable by emailing the privacy_contact below:
- access and correction (GDPR Art. 15-16; DPDP Act 2023 §11-§12)
- erasure (GDPR Art. 17; DPDP Act §12)
- withdrawal of consent (GDPR Art. 7(3); DPDP Act §6(4)) by signing out or asking the controller to delete the LinkedIn-derived session data
- restriction and objection (GDPR Art. 18, 21)
- portability (GDPR Art. 20) for data held by the controller
- complaint to the supervisory authority (your local Data Protection Authority for EU/UK; the Indian Data Protection Board for India)

Responses target 30 days from a valid request.
section
automated_processing
The /brief and /jd commands generate text using an AI model on inputs you submit. These outputs are not used to make decisions about you, are not stored beyond the request lifecycle on this service, and are clearly labelled as AI-generated. The /verify identity-verification flow uses a Cloudflare Turnstile bot-check at the front door and an email one-time-code exchange to confirm you control the address you submitted. Both checks are mechanical — no AI model is used to score whether you are who you say you are. If the email-OTP exchange succeeds, the verified session is granted directly. There is therefore no solely-automated decision producing legal or similarly significant effects under GDPR Art. 22.
section
breach_response
The controller maintains a procedure to assess and notify personal-data breaches:
- DPDP Act §8(6) and Rule 7: notify the Indian Data Protection Board and affected principals without delay (target 72 hours)
- GDPR Art. 33-34: notify the supervisory authority within 72 hours; notify affected data subjects without undue delay where high risk
- Notifications to affected visitors will be sent to the email address on the latest LinkedIn-issued session, where available
section
contact
privacy_contact :: atul@atulsehrawat.ai
navigation :: /home :: /terms