Legal & Compliance

Privacy Policy

How InteleScreen collects, uses, protects, and manages personal data across all its services and platforms.

Effective Date: 1 July 2025 Last Updated: June 2026 Version 1.2

Contents

  1. About This Policy
  2. Who We Are
  3. Scope & Applicable Law
  4. Data We Collect
  5. How We Use Your Data
  6. Legal Basis for Processing
  7. Data Sharing & Disclosure
  8. Cross-Border Data Transfers
  9. Data Retention
  10. Security & Safeguards
  11. Your Rights
  12. Cookies & Tracking
  13. Children’s Privacy
  14. Vendor & Employee Data
  15. Breach Notification
  16. Jurisdiction-Specific Rights
  17. Changes to This Policy
  18. Contact & Grievances
1

About This Policy

This Privacy Policy (“Policy”) describes how Five Diamond Screening India Pvt Ltd (trading as InteleScreen) (“InteleScreen,” “we,” “our,” or “us”) collects, processes, stores, shares, and protects personal data in connection with the use of our website at intelescreen.com, our background verification platform accessible at hub.intelescreen.com, our interview fraud detection platform Spectra accessible at spectra.intelescreen.com, and any related services, applications, or communications (collectively, the “Services”).

This Policy applies to all individuals whose personal data we process, including:

  • Visitors to our website
  • Clients (companies that engage our Services)
  • Candidates and subjects of background verification
  • Interview participants whose sessions are assessed through Spectra
  • Our employees, contractors, and vendors
  • Representatives of partner organisations

By accessing or using our Services, you acknowledge that you have read and understood this Policy. If you do not agree with any part of this Policy, you should not use our Services.

This Policy should be read alongside any supplementary consent forms, service agreements, or data processing agreements (DPAs) entered into with us. In the event of any conflict, the applicable DPA or service agreement will take precedence.

2

Who We Are

Five Diamond Screening India Pvt Ltd, operating under the registered trademark InteleScreen, is a background verification and workforce integrity company incorporated under the Companies Act, 2013, with its registered office at 12th Floor, Summit B, Brigade Metropolis, Whitefield Road, Mahadevpura, Bengaluru, Karnataka 560048, India. We operate as:

  • Data Fiduciary under the Digital Personal Data Protection Act, 2023 (India) with respect to data collected from website visitors, clients, and candidates directly engaging with our platforms.
  • Data Processor under the DPDP Act and GDPR when processing personal data on behalf of our client organisations pursuant to a data processing agreement.
  • Consumer Reporting Agency (CRA) or equivalent, when providing employment background screening reports to clients in jurisdictions where such a classification applies, including under the US Fair Credit Reporting Act (FCRA).

Our Data Protection Officer (DPO) is responsible for overseeing compliance with applicable data protection laws. Contact details are provided in Section 18.

3

Scope & Applicable Law

Our Services operate across multiple jurisdictions. We comply with all applicable data protection and privacy laws, including but not limited to:

🇮🇳

India

Digital Personal Data Protection Act, 2023 (DPDP Act) and DPDP Rules, 2025; IT Act, 2000 and SPDI Rules, 2011

🇪🇺

European Union & UK

General Data Protection Regulation (GDPR); UK GDPR and Data Protection Act, 2018

🇺🇸

United States

Fair Credit Reporting Act (FCRA); applicable state privacy laws including CCPA/CPRA

🇸🇬

Singapore

Personal Data Protection Act, 2012 (PDPA) as amended in 2020; PDPC Advisory Guidelines

🇵🇭

Philippines

Data Privacy Act, 2012 (Republic Act No. 10173) and NPC Implementing Rules

🌏

Other Jurisdictions

Applicable national data protection laws where we operate or where our clients are located

Where data protection laws of multiple jurisdictions apply, we apply the standard most protective of the individual’s rights, except where local law expressly requires otherwise.

4

Data We Collect

We collect different categories of personal data depending on your relationship with us.

4.1 Website Visitors

  • Name, email address, phone number, and company name (when submitted via contact or inquiry forms)
  • IP address, browser type, device information, and pages visited (via analytics tools)
  • Cookie identifiers and session data (see Section 12)
  • Any information voluntarily submitted in free-text fields

4.2 Clients and Authorised Representatives

  • Business contact details (name, designation, email, phone)
  • Company registration details and authorised signatory information
  • Billing and invoicing information (excluding payment card data, which is processed by third-party payment processors)
  • Login credentials for hub.intelescreen.com (stored in hashed form)
  • Communication records and support tickets

4.3 Candidates and Verification Subjects

This is the most sensitive category of data we handle. We process this data solely on behalf of and upon instruction from our client organisations.

  • Identity data: Full name, date of birth, government-issued identification numbers (Aadhaar, PAN, passport, driving licence, national ID), nationality
  • Contact data: Residential address (current and historical), mobile number, personal email address
  • Employment data: Employment history, job titles, dates of employment, reasons for leaving, salary information (where consented)
  • Educational data: Degrees, certificates, institutions, years of attendance, roll numbers
  • Criminal and court records: Criminal record information, court filings, police verification outcomes (where legally permissible and consented)
  • Financial data: Credit history and CIBIL/credit bureau reports (only for BFSI roles or where specifically consented)
  • Reference data: Feedback from professional references
  • Biometric/media data (Spectra): Video recordings, facial recognition data, audio, and behavioural analytics captured during interview sessions assessed through our Spectra platform

Biometric data and criminal record information are sensitive personal data categories. We process these only with explicit, documented consent and where legally permissible in the applicable jurisdiction.

4.4 Employees and Contractors

  • HR records including personal details, bank account information (for payroll), tax identification numbers, emergency contact information, and performance records
  • Background check data pertaining to our own hiring processes
  • Access logs and system usage records for security and audit purposes

4.5 Vendors and Partners

  • Business contact details of authorised representatives
  • Bank account and GST/tax registration details for payments and compliance
  • Contractual documents and communication records

4.6 Data We Do Not Collect

We do not intentionally collect data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or genetic data, except where such data is incidentally disclosed in publicly available records reviewed during a background check. Where such data is encountered, it is not used as a basis for any recommendation or decision.

5

How We Use Your Data

Purpose Data Used Legal Basis
Providing background verification services to clients Candidate identity, employment, education, criminal, and financial data Contract; Consent; Legitimate Interest
Interview integrity analysis via Spectra Video, audio, biometric, and behavioural data Explicit Consent; Contract
Client account management and service delivery Client contact and billing data Contract; Legitimate Interest
Website operation and security IP address, cookies, device data Legitimate Interest; Consent
Responding to enquiries and sales conversations Name, email, company, phone Consent; Legitimate Interest
Legal and regulatory compliance All categories as required Legal Obligation
Internal analytics and service improvement Aggregated, anonymised usage data Legitimate Interest
Fraud prevention and platform security Login records, access logs, behavioural signals Legitimate Interest; Legal Obligation
Employee payroll, HR management, and onboarding Employee personal and financial data Contract; Legal Obligation
Vendor management and procurement Vendor contact and payment data Contract; Legal Obligation

We do not use personal data for automated decision-making that produces legal or similarly significant effects without human oversight, except where explicitly disclosed and consented to. Spectra’s outputs are presented as analytical indicators to assist human reviewers, not as autonomous hiring decisions.

6

Legal Basis for Processing

We process personal data only where we have a valid legal basis to do so. Our primary legal bases are:

  • Consent: Where the data subject has given free, specific, informed, and unambiguous consent. Consent may be withdrawn at any time. Withdrawal does not affect the lawfulness of prior processing.
  • Contract: Where processing is necessary for the performance of a contract with the data subject or to take steps at their request prior to entering a contract.
  • Legal Obligation: Where processing is necessary to comply with a legal or regulatory requirement applicable to us.
  • Legitimate Interest: Where processing is necessary for our legitimate business interests or those of a third party, except where such interests are overridden by the fundamental rights and interests of the data subject.
  • Vital Interests: In rare cases where processing is necessary to protect someone’s life or physical integrity.

Under the DPDP Act, 2023, we rely primarily on consent and specified legitimate uses as defined under Sections 4 and 7 of the Act. We do not rely on “legitimate interest” as an independent legal basis under Indian law unless it falls within a recognised legitimate use category under the Act.

7

Data Sharing & Disclosure

We do not sell, rent, or trade personal data. We share personal data only in the following circumstances:

7.1 With Our Clients

Verification reports are shared exclusively with the authorised client who initiated the check on behalf of their candidate. Reports are not shared with any other party without explicit consent or legal compulsion.

7.2 With Sub-Processors and Technology Partners

We engage vetted third-party service providers who assist us in delivering our Services, including cloud hosting providers, database infrastructure, communication platforms, and identity verification partners. All sub-processors are bound by written data processing agreements requiring them to maintain standards of protection no less protective than this Policy.

A current list of our material sub-processors is available on request.

7.3 With Verification Sources

To conduct verification checks, we disclose limited personal data to the relevant sources, including former employers, educational institutions, professional licensing bodies, court record repositories, police verification authorities, and credit bureaus. This disclosure is limited to what is strictly necessary to complete the specific check.

7.4 Legal and Regulatory Disclosure

We may disclose personal data where required by law, court order, regulatory directive, or where we have a good-faith belief that disclosure is necessary to protect our legal rights, protect the safety of any person, or respond to a government request. We will notify affected individuals of such disclosures where permitted by law.

7.5 Corporate Transactions

In the event of a merger, acquisition, restructuring, or sale of assets, personal data may be transferred to the relevant successor entity, subject to the same level of data protection obligations. Affected individuals will be notified where required by applicable law.

We do not share verification report data with the subject’s current employer, family members, or any unauthorised third party. Verification reports are confidential documents belonging to the instructing client and the subject of verification.

8

Cross-Border Data Transfers

Our Services are delivered across 25+ countries. Personal data may be transferred to, stored in, or processed in countries other than the country in which it was originally collected, including India, Singapore, the United States, the United Kingdom, and the Philippines.

Where personal data is transferred across borders, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) or equivalent contractual protections approved under applicable law
  • Adequacy assessments of the destination jurisdiction’s data protection framework
  • Binding data processing agreements with recipients requiring protection standards equivalent to those in the originating jurisdiction
  • Compliance with the DPDP Act’s cross-border transfer provisions and any restrictions notified by the Central Government of India
  • Compliance with Singapore PDPA’s transfer limitation obligations
  • Compliance with GDPR Chapter V for transfers of EU/UK personal data

Verification data collected in India relating to Indian residents is stored primarily on servers located within India unless otherwise required for a specific check and disclosed to the client.

9

Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required or permitted by applicable law.

Data Category Retention Period Basis
Verification reports and underlying data 7 years from report date (or as specified in client agreement) Legal obligation; contractual requirement; dispute resolution
Candidate consent records 7 years from date of consent Legal obligation; audit trail
Spectra session recordings 90 days from session date, unless client specifies longer period in their DPA Contractual; legitimate interest
Client account data Duration of contract + 7 years Legal obligation; contractual
Website enquiry data 3 years from last contact Legitimate interest
Employee records Duration of employment + 8 years (or as required by Indian labour law) Legal obligation
Vendor records Duration of contract + 7 years Legal obligation; contractual
Security and access logs 1 year Legitimate interest; security

Upon expiry of the applicable retention period, personal data is securely deleted, anonymised, or destroyed in accordance with our data disposal procedures. Where data is held by sub-processors, we contractually require equivalent disposal.

10

Security & Safeguards

We implement technical, organisational, and administrative measures to protect personal data against unauthorised access, disclosure, alteration, loss, or destruction. These include:

Technical Measures

  • End-to-end encryption for data in transit (TLS 1.2 and above) and encryption at rest for sensitive data stores
  • Role-based access controls ensuring personnel access only the data necessary for their specific function
  • Multi-factor authentication for all platform access
  • Regular vulnerability assessments and penetration testing
  • Secure deletion protocols for data disposal
  • Firewall protection, intrusion detection, and anomaly monitoring

Organisational Measures

  • Mandatory data protection training for all employees with access to personal data
  • Confidentiality obligations in all employment and vendor contracts
  • Documented data handling procedures and internal privacy policies
  • Background verification of employees in sensitive roles
  • Regular internal audits of data handling practices
  • Designated DPO responsible for oversight and compliance

No method of transmission over the internet or electronic storage is completely secure. While we apply industry-leading safeguards, we cannot guarantee absolute security. We commit to responding to any confirmed breach promptly and transparently in accordance with Section 15.

11

Your Rights

Depending on your jurisdiction and the legal basis for our processing of your data, you may have the following rights:

  • Right to Access: Request a copy of the personal data we hold about you.
  • Right to Correction: Request that inaccurate or incomplete data be corrected or updated.
  • Right to Erasure: Request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, or where you withdraw consent (subject to our legal obligations to retain certain data).
  • Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Right to Data Portability: Request a copy of your personal data in a structured, machine-readable format (where applicable under GDPR or equivalent).
  • Right to Object: Object to processing based on legitimate interest or for direct marketing purposes.
  • Right to Restrict Processing: Request that we limit the processing of your data in certain circumstances.
  • Right to Grievance Redressal: Lodge a complaint with us or with the applicable supervisory authority (see Section 18).
  • Right to Nominate: Under the DPDP Act, you may nominate another individual to exercise your rights in the event of your death or incapacity.

To exercise any of these rights, submit a written request to info@intelescreen.com. We will respond within 30 days or such shorter period as may be required by applicable law. We may need to verify your identity before processing your request.

Where we process personal data as a Data Processor on behalf of a client, rights requests relating to that data must be directed to the client (the Data Fiduciary or Controller), not to us. We will, however, assist clients in responding to valid data subject requests as required by our contractual obligations.

12

Cookies & Tracking

Our website uses cookies and similar tracking technologies to enhance your experience and understand how our website is used.

Types of Cookies We Use

  • Strictly Necessary Cookies: Required for the website to function. These cannot be disabled.
  • Analytical/Performance Cookies: Help us understand how visitors interact with our website (e.g., page views, traffic sources). Data is collected in aggregated, anonymised form.
  • Functionality Cookies: Remember your preferences to personalise your experience.
  • Marketing Cookies: Track visits and actions to measure the effectiveness of our communications. These are only activated with your consent.

You may configure your cookie preferences at any time through your browser settings or via our cookie consent tool. Disabling certain cookies may affect the functionality of our website.

We do not use cookies to track individuals across third-party websites for advertising profiling without explicit consent.

13

Children’s Privacy

Our Services are not directed at and are not intended to be used by individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a child under 18 without verified parental or guardian consent, we will take immediate steps to delete such data.

Under the DPDP Act, 2023, we are required to obtain verifiable parental or guardian consent before processing the personal data of a child. We apply this requirement across all our operations.

If you believe a minor’s data has been submitted to us without appropriate consent, please contact us immediately at info@intelescreen.com.

14

Vendor & Employee Data

14.1 Employees and Contractors

We process the personal data of our employees and contractors for purposes including recruitment, onboarding, payroll, performance management, access control, and regulatory compliance. Such processing is governed by our internal Employee Data Privacy Notice, provided separately at the time of engagement. Key principles include:

  • Data collected is proportionate to the requirements of the employment relationship
  • Employees have the right to access, correct, and request deletion of their personal data (subject to legal retention obligations)
  • Employee monitoring (including system usage and access logs) is conducted strictly for security and audit purposes, with appropriate notice
  • Personal data is not shared with third parties except where required for payroll processing, statutory compliance, or background checks

14.2 Vendors and Third-Party Suppliers

We process contact and transactional data of vendor representatives for the purposes of contract management, procurement, invoicing, and compliance. We require all vendors who process personal data on our behalf or under our instruction to:

  • Enter into a written Data Processing Agreement with us
  • Maintain security standards no less protective than those described in this Policy
  • Notify us immediately upon discovering any actual or suspected data breach affecting our data
  • Not sub-process personal data without our prior written authorisation
  • Delete or return all personal data upon termination of the vendor relationship
15

Data Breach Notification

In the event of a personal data breach, we will:

  • Contain the breach and investigate its scope and impact as a matter of urgency
  • Notify the applicable supervisory authority (including the Data Protection Board of India under the DPDP Act, and where applicable, EU/UK supervisory authorities) within the timeframes prescribed by law, which under GDPR is 72 hours and under the DPDP Rules is as prescribed by the Data Protection Board
  • Notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms or where required by applicable law
  • Notify our affected clients within 24 hours of confirming a breach involving their data, as required under our contractual obligations
  • Maintain an internal breach register documenting all breaches, actions taken, and outcomes

If you become aware of or suspect a data security incident involving our systems or data, please report it immediately to security@intelescreen.com.

16

Jurisdiction-Specific Rights

16.1 India (DPDP Act, 2023)

As a Data Fiduciary under the DPDP Act, we are required to provide you with a clear privacy notice at or before the point of data collection. You have the right to access information about your data, correct inaccuracies, seek erasure (right to be forgotten), and file complaints with the Data Protection Board of India. You also have the right to nominate a representative to exercise these rights on your behalf.

16.2 European Union and United Kingdom (GDPR / UK GDPR)

If you are located in the EU or UK, you have all rights under Articles 15 to 22 of the GDPR. These include rights of access, rectification, erasure, portability, objection, and restriction. You also have the right to lodge a complaint with your local supervisory authority. Our lawful bases for processing are documented and available on request. Where we rely on legitimate interests, you may request our Legitimate Interests Assessment (LIA).

16.3 United States (FCRA)

Where we act as a Consumer Reporting Agency under the FCRA in connection with employment background screening reports provided to US clients:

  • You have the right to obtain a copy of your consumer report from us upon written request
  • You have the right to dispute the accuracy or completeness of any information in your report. We will conduct a reasonable investigation within 30 days and notify you of the outcome
  • We will provide you with a copy of the FTC’s “A Summary of Your Rights Under the Fair Credit Reporting Act” with any report provided for employment purposes
  • Where a client proposes to take adverse employment action based on a report we have provided, the client is required to notify you and provide a copy of the report and your rights before the action is finalised

16.4 Singapore (PDPA)

Individuals in Singapore have the right to access and correct their personal data held by us. Upon receiving an access request, we will respond within 30 days. We comply with the transfer limitation obligations of the PDPA when transferring personal data out of Singapore. Our Data Protection Officer’s contact details are publicly accessible as required by PDPA.

16.5 Philippines (Data Privacy Act, 2012)

Individuals in the Philippines have rights to be informed, access, rectify, erase, object, data portability, and file complaints with the National Privacy Commission. We register as a personal information controller/processor as required by NPC regulations where applicable.

17

Changes to This Policy

We may update this Policy periodically to reflect changes in our practices, legal requirements, or the Services we offer. When we make material changes, we will:

  • Update the “Last Updated” date at the top of this Policy
  • Where required by law or where changes are material, notify affected individuals by email or via a prominent notice on our website
  • For existing clients, provide reasonable advance notice of changes that affect how we process data under their data processing agreement

We encourage you to review this Policy periodically. Your continued use of our Services after the effective date of any updated Policy constitutes your acknowledgement of the revised terms.

Prior versions of this Policy are available on request by contacting info@intelescreen.com.

18

Contact & Grievance Redressal

For any questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact us through the following channels. We are committed to resolving all grievances promptly and transparently.

Get in Touch

Our Data Protection Officer and Grievance Officer are available to assist with all privacy-related enquiries.

Privacy, Data & General Enquiries info@intelescreen.com
Registered Address

12th Floor, Summit B, Brigade Metropolis, Whitefield Road, Mahadevpura, Bengaluru, Karnataka 560048

Office Phone +91 81970 13120

Regulatory Authorities

If you are not satisfied with our response to your grievance, you may escalate to the relevant supervisory authority in your jurisdiction:

  • India: Data Protection Board of India (once constituted and operational under the DPDP Act)
  • European Union: Your local EU data protection supervisory authority
  • United Kingdom: Information Commissioner’s Office (ICO) at ico.org.uk
  • Singapore: Personal Data Protection Commission (PDPC) at pdpc.gov.sg
  • Philippines: National Privacy Commission (NPC) at privacy.gov.ph
  • United States: Federal Trade Commission (FTC) at ftc.gov for FCRA-related complaints

This Privacy Policy is governed by the laws of India. Any disputes arising under or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts in Bengaluru, Karnataka, India, unless otherwise required by applicable law. This Policy does not create any contractual rights or obligations beyond those established in any applicable service agreement or data processing agreement.

This Policy is provided for informational purposes and reflects our current practices. It should not be construed as legal advice. Clients requiring jurisdiction-specific data processing terms are advised to review our Data Processing Agreement (DPA), available upon request.