Praxy

Legal

Praxy Privacy Policy

Last updated 2026-06-24

This is the privacy policy of Praxel Ventures Private Limited, describing our real, current data practices in plain language. It is not legal advice.

Praxy is an AI career coach delivered over WhatsApp and phone calls. It helps with resume review, interview preparation, salary negotiation, and job-search strategy. This policy explains what we collect, why, who we share it with, how long we keep it, and the choices and rights you have. Please read it alongside our Terms of Service.

We aim for plain language. "Personal data" (or "personal information") means information that identifies you or relates to you. "We," "us," and "Praxy" mean the operator below. "You" means the person using Praxy.

1. Who we are (controller)

Praxy is operated by Praxel Ventures Private Limited (trading as Praxel / Praxy), based in India, registered at 11112, DSR Parkway, Mt. Carmel Church Besides, Carmelram, Bangalore, Bangalore South, Karnataka, India, 560035. We are the controller (under DPDP, the Data Fiduciary) of the personal data described here — meaning we decide why and how it is processed.

  • General privacy contact / Grievance Officer: Ashwin Prasad, CEO, build@praxel.in.
  • We serve users globally, including in the EEA, the UK, the US, India, and Canada. Region-specific rights are in the Regional Addenda at the end.

We have not appointed a Data Protection Officer or an EU/UK Article 27 representative at launch. Given that we process resumes (which can include special-category data) at scale, we are assessing whether these appointments are required and will update this policy and notify the relevant authority if we appoint them. EEA/UK users can reach us directly at build@praxel.in.

2. What data we collect

We collect the following, depending on how you use Praxy:

  • Identity & account: your phone number (the primary identifier), name, email, timezone, and language preference. Authentication uses a self-managed login token.
  • Career profile: current and target role, years of experience, skills, education, work history, location/country, goals, strengths, gaps, and company-stage preferences.
  • Resume data: resume files you upload (by web, mobile, or as a WhatsApp PDF), the text extracted from them, and structured/tailored resume versions you generate (including any public share link you choose to create).
  • WhatsApp messages & media: the text, voice notes, PDFs, images, and button/list replies you send us, plus the messages we send you. Imported group-feedback files may incidentally contain other people's names or numbers.
  • Phone-call audio, recordings & transcripts: when you use voice coaching or interview practice over a phone or voice call, we record the audio, transcribe it, and generate summaries and action items. WhatsApp voice notes are transcribed to text.
  • Verification codes: one-time passcodes sent over WhatsApp and the phone-to-account mapping used to verify you.
  • Job & application activity: jobs you save, apply to, or interact with; AI-generated cover letters, outreach drafts, gap analyses, and interview briefs; and screening answers for any exclusive roles you apply to.
  • Assessments: mock-interview scores and feedback, and skill ratings.
  • Embeddings: mathematical representations (vectors) of your profile and content used for search and matching.
  • Usage, engagement & analytics: product events, notification/delivery logs, email and engagement preferences, referral codes, and the marketing source that brought you to us.
  • Billing: subscription tier and status, and a customer ID held by our payment provider. We do not store full card numbers.
  • Device/push: mobile push tokens and basic device details, if you use the app.

Sensitive data. Resumes and conversations can reveal sensitive details — for example ethnicity or nationality cues, religious-organisation employers, trade-union roles, health or disability disclosures, or photos. You can redact or withhold these before sharing. Where required by law (see addenda), we rely on your explicit consent to process such content, and we minimise what we send to AI providers.

3. Why we use it, and our legal bases

We use your data to provide the coaching you ask for, operate and secure the service, communicate with you, and improve Praxy. Where the law (GDPR/UK GDPR) requires a legal basis, we rely on:

  • Performance of a contract — to deliver the core service you signed up for (processing your resume, messages, and calls to generate coaching).
  • Consent — for optional things such as marketing messages, non-essential analytics, processing sensitive resume content where required, and any use of your data to improve or train models. You can withdraw consent at any time; withdrawal does not affect processing already carried out.
  • Legitimate interests — for security, fraud prevention, abuse limits, and service improvement that is genuinely necessary and balanced against your rights.
  • Legal obligation — to comply with applicable law (e.g. tax, responding to lawful requests).

We process only what is necessary, and if we ever want to use your data for a materially new purpose, we will tell you first.

4. AI processing & sub-processors

Praxy is AI-powered. To generate coaching we send relevant parts of your content (minimised where we can) to third-party AI and infrastructure providers acting as our processors under contract. We use categories of providers so this stays accurate as vendors change. We may update our sub-processors; a current list is available on request at build@praxel.in.

  • Large-language-model (LLM) providers for generating advice and text — accessed via an LLM gateway/routing layer and including direct providers for real-time voice. Key examples: OpenRouter (and underlying inference providers), Google (Gemini), and OpenAI (for embeddings only).
  • Voice providers for speech-to-text, text-to-speech, call infrastructure, and recording. Key examples: LiveKit, Deepgram, Smallest.ai, ElevenLabs, Fish Audio, and a SIP telephony carrier (Vobiz).
  • Messaging & email — Meta / WhatsApp Cloud API (messaging, media, calling, OTP), Resend (email), and a social-inbox integration (Unipile).
  • Cloud hosting & storage — our application host (Railway), S3-compatible object storage (currently Cloudflare R2), and a managed database and cache.
  • Analytics & error monitoring — PostHog (product analytics and LLM observability; your phone number is used as the identifier) and Sentry (error tracking).
  • Payments — Dodo Payments (subscriptions).
  • Mobile push — Expo.
  • Job/market data sources — services used to fetch public job and market data (e.g. Apify, Adzuna, Findwork, YouTube Data API). These mainly process search context rather than your private profile, though some features (for example finding referral contacts) may use details you provide, such as a LinkedIn profile, to run a search.

We instruct these providers, by contract, to use your data only to provide their service to us and not for their own purposes (including training their own models) without a contractual carve-out. If any provider were to reuse your data for its own purposes, we would treat that as a sharing event subject to your consent and applicable law.

5. How we share your data

We do not sell your personal data for money. We share it:

  • with the processors above, to run the service;
  • with people you choose to share with (e.g. anyone you give a resume share link to);
  • where required by law, legal process, or to protect rights and safety; and
  • in a business transfer (merger, acquisition, or asset sale), subject to this policy.

6. International transfers

We are based in India and use providers in the US and elsewhere, so your data is transferred internationally. Where you are in a region with transfer rules (EEA, UK, and others), we rely on the relevant safeguard for each provider — an adequacy decision where one exists (e.g. the EU-US / UK-US Data Privacy Framework for certified vendors), or Standard Contractual Clauses (SCCs) / the UK IDTA or Addendum where it does not, together with a transfer assessment. You can request a copy of the safeguard used for a given transfer at build@praxel.in. We keep a fallback in place in case any adequacy decision changes.

7. How long we keep it, and deletion

We keep personal data only as long as needed for the purposes above, then delete or anonymise it.

  • Account deletion is available and irreversible. Deleting your account triggers a full cascade delete of your conversations and messages, resumes, interviews, goals, voice identities, skill ratings, preferences, profile, and account record, and purges your uploaded files from object storage. We also instruct our processors to delete your data.
  • Short-lived items (one-time passcodes, file access links, caches, login tokens) expire automatically on built-in timers.
  • Call recordings, transcripts, and conversation history are retained until you delete your account unless a shorter period is set. We are introducing a defined time-bound retention schedule for these; in the meantime, you can ask us to delete specific recordings or conversations at any time.

We may retain limited records where the law requires it (e.g. billing), and then delete them.

8. Security

We take reasonable technical and organisational measures, including: transport encryption and time-limited (presigned) links for stored files; signature verification on incoming webhooks; access tokens stored as hashes; segregated tokens for integrations; phone numbers redacted in logs; rate limiting and abuse caps; path-traversal hardening; and disabling debug auth bypass in production. No system is perfectly secure, and you share data with us at your own risk; if a breach occurs, we will notify the relevant authority and affected users as required by law.

9. Your rights and how to use them

Subject to your region and to legal limits, you can:

  • Access a copy of your data and a summary of how we process it;
  • Correct inaccurate or incomplete data;
  • Delete your data (including by deleting your account);
  • Port your data in a structured, machine-readable form;
  • Object to or restrict certain processing;
  • Withdraw consent at any time (including opting out of marketing); and
  • Complain to your data-protection authority.

To exercise any right, contact build@praxel.in or message us on WhatsApp. We respond within the time the law requires (generally within one month under GDPR/UK GDPR; see addenda for other timelines) and free of charge in normal cases. We may verify your identity proportionately. For WhatsApp messages, you can reply STOP to opt out and HELP for help; for voice calls you can opt out of calls and of recording.

10. Automated processing — advice is informational

Praxy uses AI to generate coaching, and uses profiling — for example, matching you to jobs and, where you apply to an exclusive or confidential role, generating a fit score and screening summary. This guidance is informational only and not binding: for your own coaching, you stay in control and decide what to do; for any role you apply to, a fit score or screening summary is used only to assist a human reviewer and does not by itself accept or reject you. Praxy does not make a solely-automated decision that produces legal or similarly significant effects about you. Because of this, automated-decision restrictions generally do not apply; if we ever introduced a solely-automated decision of that kind, we would add the safeguards the law requires (including, where applicable, your explicit consent and a route to human review) and tell you first. AI output can be wrong or incomplete — verify anything important before acting on it.

11. Children (18+)

Praxy is for adults. You must be 18 or older to use it. We do not knowingly collect data from anyone under 18; if we learn we have, we delete it. Where the law requires verifiable parental/guardian consent for minors, we do not currently offer Praxy to minors, so that flow does not apply.

12. Cookies & website analytics

Our marketing website uses only minimal first-party cookies/storage needed to run the site (for example, remembering interface state); it does not currently run third-party advertising or tracking pixels. In the app and product, we use product analytics (PostHog) and error monitoring (Sentry). Where required, we ask for consent for non-essential analytics and honour browser opt-out signals such as Global Privacy Control. If we add advertising or cross-context tracking technologies, we will update this section and provide the related opt-outs. You can manage cookies in your browser.

13. Contact & grievances

For any privacy question, request, or complaint, contact our Grievance Officer / privacy contact Ashwin Prasad, CEO at build@praxel.in. We aim to acknowledge promptly and resolve within the time the law requires. You may also complain to your local data-protection authority (see addenda).

14. Changes to this policy

We may update this policy as our practices or the law change. We will revise the "last updated" date and, for material changes, give you clearer notice. Using Praxy after an update means you accept the updated policy.

This policy is governed by the laws of India (default India), without prejudice to mandatory rights you have under your local law.

Regional Addenda

These add to (and, where they conflict, prevail over) the main policy for users in the regions named.

A. EEA & UK (GDPR / UK GDPR)

  • Roles & contacts. We are the controller. Contact: build@praxel.in. We have not appointed a DPO or an Article 27 EU/UK representative at launch and are assessing whether either is required; we will name them here and notify the relevant authority if appointed.
  • Legal bases are listed in Section 3 (contract; consent; legitimate interests; legal obligation). Where we rely on legitimate interests, they are security, fraud prevention, and service improvement.
  • Special-category data in resumes/conversations is processed on the basis of your explicit consent (Art. 9(2)(a)); you can redact or withhold it, and withdraw consent at any time.
  • Recipients / categories are in Sections 4-5 (LLM providers, voice providers, messaging/email, hosting/storage, analytics, payments).
  • Transfers outside the EEA/UK rely on an adequacy decision (incl. the EU-US / UK-US Data Privacy Framework for certified vendors) or SCCs / the UK IDTA or Addendum, plus a transfer assessment. Copies available on request.
  • Your rights (Arts. 15-22, 7(3)): access, rectification, erasure, restriction, objection, portability, and withdrawal of consent — exercise via build@praxel.in, normally answered within one month.
  • Automated decisions (Art. 22): see Section 10 — advice is non-binding and any fit score or screening summary only assists a human reviewer, so there is no solely-automated decision with legal or similarly significant effect and Art. 22 restrictions generally do not apply. We have carried out (or are carrying out) a DPIA covering large-scale processing, AI, and profiling.
  • Providing data is necessary to use the service; without it we cannot provide coaching. Optional items (marketing, model-improvement) are consent-based and not required.
  • Complaints: you may complain to your EEA lead supervisory authority or, in the UK, to the Information Commissioner's Office (ICO).

B. United States — California (CCPA / CPRA)

We provide this for transparency. CCPA/CPRA applies to a business only above set thresholds; we may be under those thresholds at launch but build to be CCPA-ready.

  • Notice at collection. We collect these categories: identifiers (name, email, phone); customer records; protected-classification characteristics (only if present in your resume/inputs); commercial information; internet/network activity; audio/visual information (call recordings, voice); professional/employment information (resumes, job history); and inferences. Some inputs may contain sensitive personal information (e.g. precise content of messages, or data revealing race/ethnicity, religion, union membership, or health). Purposes are in Sections 2-3. Retention is in Section 7.
  • Do Not Sell or Share / Limit SPI. We do not sell personal information for money. If any third-party advertising pixel is active, that may count as "sharing," and we will provide a working "Do Not Sell or Share My Personal Information" link and honour the Global Privacy Control. We use sensitive information only to provide the service you requested; if we ever use it to infer characteristics beyond that, we will offer a "Limit the Use of My Sensitive Personal Information" choice.
  • Your rights: to know/access, delete, correct, opt out of sale/sharing, limit SPI, data portability, and non-discrimination. Submit requests to build@praxel.in (and via WhatsApp). We acknowledge within 10 business days and respond within 45 calendar days (extendable).
  • Messaging/calling: you opt in before we message or call you on WhatsApp; you can opt out by replying STOP (or the marketing opt-out button). Where we record calls, we disclose recording and obtain consent at the start, and you can decline recording.

C. India (DPDP Act 2023 + IT Act / SPDI Rules)

  • We are a Data Fiduciary. Before/at collection we give a standalone, plain-language notice of the data and purposes, with easy ways to withdraw consent, exercise rights, and complain.
  • Consent is free, specific, informed, and unambiguous, and withdrawal is as easy as giving it. On withdrawal or when the purpose ends, we (and our processors) stop processing and erase, unless the law requires retention.
  • Your rights: access a summary of your data and processing; correction, completion, updating, and erasure; grievance redressal; and nomination of another person to exercise your rights on death or incapacity.
  • Sensitive/financial data is handled under the IT Act / SPDI Rules with appropriate security and consent.
  • Security & breach. We maintain reasonable security safeguards. If a personal-data breach occurs, we will notify the Data Protection Board of India and affected users without undue delay, as required under the DPDP Act and its Rules (and report to CERT-In where applicable).
  • Grievance Officer: Ashwin Prasad, CEO, build@praxel.in. We respond within the period prescribed under the DPDP Act and, in any case, within one month as required under the SPDI Rules. You may escalate to the Data Protection Board of India.
  • We do not knowingly process children's (under-18) data and do not perform tracking or targeted advertising to children.

D. Canada (PIPEDA)

  • We obtain meaningful consent for collecting, using, and disclosing your personal data, and limit collection to what is needed for the purposes in this policy.
  • You may access your personal data and request correction; contact build@praxel.in.
  • We use contracted processors (including in the US and elsewhere) and remain accountable for your data with them; international transfers use comparable safeguards (Section 6).
  • You may complain to us first and then to the Office of the Privacy Commissioner of Canada (OPC).