Privacy Policy

Effective Date: November 1, 2025

Version: 2.1

I. Introduction

This Privacy Policy describes how NetConnect Private Limited (CIN: U32202KA1997PTC021881), operating as Welocity.ai (“Welocity”, “we”, “our”, or “us”), collects, uses, discloses, and protects personal data about individuals who interact with us. It applies to: 


  • Visitors to our websites and platform (welocity.ai and all subdomains, including go.welocity.ai, my.welocity.ai, partner.welocity.ai, de.welocity.ai, m.welocity.ai) 

  • Job candidates who use our AI-powered talent delivery services, including AI video interviews conducted through our Octo platform 

  • Enterprise clients and their authorised users 

  • Prospective customers, event registrants, and recipients of our marketing communications 

  • Vendors, partners, and other third parties whose personal data we process in the course of our business 

Legal Compliance Framework 

We process personal data in accordance with the laws applicable to each data subject’s jurisdiction, including: 

  • The Digital Personal Data Protection Act, 2023 (India) (“DPDPA”) 

  • The EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”) 

  • The UK General Data Protection Regulation and the Data Protection Act 2018 (“UK GDPR”) 

  • The California Consumer Privacy Act and California Privacy Rights Act (“CCPA/CPRA”) and other applicable U.S. state privacy laws 

Our Role: Data Controller 

Welocity acts as the Data Controller (and equivalent role under DPDPA: Data Fiduciary) for all personal data processed through our platform, including candidate data. 


This means Welocity determines the purposes and means of processing. We decide what data to collect, how Octo conducts interviews, how our AI evaluates candidates, how long data is retained, and with which enterprise clients candidates’ information is shared. 


Enterprise clients who receive candidate interview videos through our platform are recipients of personal data (within the meaning of Article 4(9) GDPR). When a client uses the data they receive to make hiring decisions, the client becomes an independent Controller for their own subsequent processing. The client’s use of the data is governed by their own privacy practices and contractual obligations to you, not by this Policy. 

Principles We Follow 

We process personal data in accordance with the principles of lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. 

II. EU Representative 

Where required under Article 27 GDPR, NetConnect Private Limited has appointed an EU Representative to act as the point of contact for EU data subjects and supervisory authorities on matters relating to the processing of EU personal data. 

Our EU Representative is: 

[TO BE APPOINTED — name and full registered address] 

III. Data Protection Officer 

We have designated a Data Protection Officer responsible for overseeing our data protection programme and serving as the point of contact for data subjects and supervisory authorities. 


Email: dpo@welocity.ai 


Postal: NetConnect Private Limited, Attn: Data Protection Officer, Bangalore, Karnataka, India [full address TBD] 

IV. Categories of Personal Data We Collect 

A. Identity and Contact Information 

For candidates: full name, personal email, phone number, postal address (optional), date of birth (where required), nationality (where relevant to visa/work-permit eligibility), photograph (optional). 


For client and prospect users: full name, work email, work phone, job title, company name, LinkedIn profile. 


For Welocity employees: full identity and contact details as per employment records. 

B. Government and Tax Identifiers 

Where required for offer-stage onboarding or statutory compliance: Permanent Account Number (PAN) and similar tax identifiers (India), masked Aadhaar/Virtual ID (only where mandatory under UIDAI rules), passport and national identity document details (for international placements). Government identifiers are collected only at the offer stage — not during candidate sourcing or interviewing. 

C. Professional Information 

Resume/CV files, structured work history, education, certifications, skills (self-reported and AI-derived), salary expectations and current salary (where collection is lawful in your jurisdiction), notice period, language fluency, and other professional attributes you provide or that we infer from your CV and interview responses. 

D. Special Category Data (Article 9 GDPR / Sensitive Personal Data under DPDPA) 

Biometric data. 


When you participate in an Octo AI video interview, we capture an audio recording and a video recording of the session. The audio recording, your voiceprint, and your facial imagery captured in the video constitute biometric data within the meaning of Article 9(1) GDPR and Article 4(14) GDPR (and equivalent provisions under DPDPA and UK GDPR). 


We process biometric data on the lawful basis of your explicit consent, captured separately at the start of the interview through granular unbundled consent toggles (see Section V and Section VI). 


Other special-category data we may process, only where lawful and necessary, includes: 


  • Health and disability information (e.g., reasonable-adjustment requests for interview accessibility) — processed under Article 9(2)(a) explicit consent or Article 9(2)(b) employment-law basis. 


  • Information about race, ethnicity, or religious belief — only where you voluntarily disclose it (e.g., in your CV) or where collected for lawful diversity-monitoring purposes with separate consent. 


  • Sign-language video data, in the future, for accessibility-focused interview formats (this feature is not currently active and is in design exploration). 

E. Technical and Behavioural Data 

IP address, browser type, device identifiers, user-agent, referrer URLs, page-view logs, timestamps, geolocation (only where you grant permission), and interactions with the platform. We use cookies and similar technologies on our websites — their use is governed by our Cookie Policy and managed through our cookie consent management platform. 

F. Authentication Data 

Login credentials (passwords are stored only in hashed form by our authentication provider), multi-factor authentication factors, session tokens, and account activity logs. 

G. Communications 

Records of messages, emails, support tickets, and chat transcripts you exchange with our team or our platform. 

H. Financial Data 

For client billing: business contact details and tokenised payment instrument identifiers held by our payment processors. We do not store raw card numbers. 


For employees: salary, bank account, and statutory contribution records, processed through our internal human resources system and our payroll provider. 

I. Consent Metadata 

Where processing depends on your consent, we maintain records of your consent decisions, including timestamps, IP addresses, the version of this Policy and the consent UX shown to you, and any subsequent withdrawal. This allows us to demonstrate compliance with Article 7 GDPR and equivalent provisions. 


We collect only the personal data we need for the specific purposes set out in Section V. We do not collect data we cannot lawfully justify. 

V. Purposes and Legal Basis 

The table below sets out, for each purpose for which we process your personal data, the specific lawful basis on which we rely under Article 6 GDPR (and, for special category data, Article 9). Where DPDPA, UK GDPR, or CCPA/CPRA apply, equivalent bases apply. 

VI. Octo AI Processing and Automated Decision-Making 


How Octo Works 


Octo is our proprietary AI interview platform. When you participate in an Octo interview: 


  • You are presented with an AI-generated interviewer voice (synthesised in 25+ languages by our text-to-speech provider) which asks structured questions relevant to the role or assessment. 


  • Your camera and microphone record your audio and video responses. The audio recording, voiceprint, and facial imagery captured constitute biometric data (see Section IV(D)). 


  • Our AI processes the audio component of your responses to produce a transcript, evaluate language proficiency, assess content relevance to the role, and generate a structured evaluation summary. 


  • Welocity does NOT presently apply computer-vision processing to the video portion of your interview. The video recording is captured and stored for visual review by Welocity recruiters and authorised enterprise client recipients who view the video to make their own evaluation. 


Consent for AI Processing 


At the start of every Octo interview, you are presented with separate, unbundled consent toggles. You must give explicit consent for each of the following before the interview proceeds: 


  • Audio and video recording of the interview session 


  • AI-based analysis of your audio and transcript for evaluation 


  • Disclosure of your interview video to prospective enterprise employer recipients 


You can withdraw any of these consents at any time through your candidate portal at my.welocity.ai or by emailing privacy@welocity.ai. Withdrawal does not affect the lawfulness of processing before withdrawal but stops further processing for the affected purpose. We will then delete or anonymise the affected data subject to limited legal-retention exceptions. 


Automated Decision-Making and Article 22 


Octo’s AI evaluation outputs are used by Welocity recruiters to shortlist candidates and to decide which interviews to share with enterprise client recipients. These evaluations have a real influence on whether you progress in a recruitment process. 


However, decisions that produce legal or similarly significant effects (such as hiring or rejection decisions for a specific role) are not made by Welocity solely on the basis of automated processing. Such decisions are made by human recruiters at Welocity, and ultimately by the enterprise client who is considering you for the role. 


In accordance with Article 22 GDPR, you have the right to: 


  • Obtain meaningful information about the logic of the AI processing applied to you (see below for a high-level explanation) 


  • Express your point of view and contest any Welocity-side decision that was influenced by automated processing 


  • Request human review of any evaluation that affected your candidacy 



To exercise these rights, contact privacy@welocity.ai. 


Meaningful Information About the Logic Involved 


Octo evaluates candidates on the basis of audio-derived signals from the interview. These signals include: 


  • Language fluency and pronunciation in the language(s) of the interview 


  • Relevance and coherence of spoken responses to the questions asked 


  • Technical accuracy of responses to skill-based questions, where applicable 


  • Communication clarity and structure 


Octo does not process the visual content of your video (e.g., facial expression, gaze, gestures) for evaluation purposes. The video is stored and may be shared with enterprise client recipients for their visual evaluation but is not analysed by our AI. 


Octo orchestrates large-language-model inference provided by a third-party AI inference provider on an inference-only basis. We do not submit your data to any third party for model training. Our AI inference provider may retain API request data for a short period for abuse-monitoring purposes under its standard policies. We are working toward zero-retention configuration with our provider. 


Bias, Fairness, and Accuracy 


We test our AI evaluation outputs for systemic bias across language, demographic, and role-type cohorts on a periodic basis. Methodology and ongoing fairness work are described in our AI Ethics page at welocity.ai/ai-ethics. If you believe an evaluation was inaccurate or unfair, you may request human review (see above). 

VII. Recipients of Personal Data 

A. Enterprise Client Recipients 

Welocity discloses candidate interview videos to enterprise employer recipients who use our platform to identify and evaluate candidates for their open roles. As of the date of this Policy, Welocity has approximately 80 enterprise client recipients across the following sectors and geographies: 


  • Sectors: banking and financial services, insurance, global capability centres (GCC), telecommunications, IT services and consulting, business process services, and selected verticals such as energy and FMCG. 


  • Geographies: India (primary), Europe, United States, Asia-Pacific, and the Middle East. 


Each enterprise client recipient is bound by a Master Services Agreement that includes data-protection clauses establishing purpose limitation (recipient may use received data only for the specific hiring evaluation), no onward transfer without your further consent, confidentiality obligations, and an obligation to return or delete data on termination of the engagement. 

B. Service Provider Categories (Sub-processors) 

We engage service providers across the following categories who process personal data on our documented instructions and under written contracts (Data Processing Agreements) that include Article 28 GDPR obligations: 


  • Cloud infrastructure and data storage (hosted in India and the European Union) 


  • AI inference and large-language-model providers 


  • Text-to-speech and voice generation providers 


  • Authentication and identity management 


  • Email and communications platforms (transactional and marketing) 


  • Customer relationship management 


  • Payment processing (separately for international and India operations) 


  • Contract lifecycle management 


  • Cookie consent and privacy governance 


  • Website and mobile-site hosting 


  • Internal human resources and payroll 


  • Synthetic-media generation for internal training content 


A current list of the specific service providers we use, together with their function and processing location, is maintained internally and made available on request to privacy@welocity.ai. We will respond to such requests within the timeframe set out in Section X. 

C. Other Disclosures 

We may disclose personal data: 


  • To our professional advisers (lawyers, accountants, auditors) under confidentiality obligations 


  • To government authorities or law-enforcement agencies where required by law or in response to lawful legal process 


  • In connection with a corporate transaction (e.g., merger, acquisition, restructuring), in which case the recipient will be bound by terms protecting personal data consistent with this Policy 


  • Where you give us specific consent for the disclosure 

VIII. International Data Transfers 

Welocity operates primarily from India. Our infrastructure for EU candidate data is hosted in the European Union. Where personal data is transferred outside the European Economic Area, the United Kingdom, or other jurisdictions with restrictions on cross-border transfers, we rely on lawful transfer mechanisms including: 


  • The European Commission’s Standard Contractual Clauses (2021) in their applicable modules (C2C, C2P, P2P, P2C) 


  • Adequacy decisions where the destination country is recognised by the European Commission as providing adequate protection 


  • Explicit consent under Article 49(1)(a) where appropriate 


  • Supplementary contractual, technical, and organisational measures, including encryption in transit and at rest, role-based access controls, and contractual restrictions on government access without legal challenge 

Specific Transfers You Should Be Aware Of 

A Transfer Impact Assessment (TIA) covering these transfers, together with the identity of the specific service providers involved, is available on request from privacy@welocity.ai. 

IX. Data Retention 

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. The following retention periods apply to candidate and platform data: 

Upon expiry of the applicable retention period, we securely delete the data or irreversibly anonymise it. Anonymised data may be retained for analytical and product-improvement purposes without time limit. 


Under DPDPA, personal data is also deleted upon withdrawal of consent or when its purpose has been fulfilled, except where retention is required for legal or regulatory obligations. 

X. Your Rights 

Subject to the law that applies to you, you have the following rights:

Under GDPR and UK GDPR 


  • Access — obtain confirmation of whether we process your data, a copy of your data, and information about how we process it. 


  • Rectification — have inaccurate or incomplete data corrected. 


  • Erasure (“right to be forgotten”) — have your data deleted where one of the grounds in Article 17 applies. 


  • Restriction of processing — limit how we process your data in certain circumstances. 


  • Data portability — receive your data in a structured, commonly used, machine-readable format and transmit it to another controller. 


  • Object to processing — in particular for processing based on legitimate interest or for direct marketing. 


  • Rights related to automated decision-making — see Section VI. 


  • Withdraw consent — where processing is based on consent, at any time, without affecting prior lawfulness. 


  • Lodge a complaint with a supervisory authority — you may complain to the data protection authority in your country of residence or workplace. EU candidates may complain to their national supervisory authority; German candidates may complain to the competent Land authority or to the Federal Commissioner for Data Protection and Freedom of Information (BfDI). UK candidates may complain to the Information Commissioner’s Office (ICO). 


Under DPDPA (India) 


  • Right to information about processing 


  • Right to correction and erasure 


  • Right to grievance redressal 


  • Right to nominate — nominate another individual to exercise your rights in the event of your death or incapacity. 


Under CCPA/CPRA (California Residents) 



  • Right to know what personal information is collected 


  • Right to delete personal information 


  • Right to correct inaccurate personal information 


  • Right to opt-out of “sale” or “sharing” of personal information 


  • Right to limit use of sensitive personal information 


  • Right to non-discrimination for exercising privacy rights 


“Do Not Sell or Share” 


Welocity does not sell personal information as defined under CCPA/CPRA. We do not share personal information for monetary or cross-context behavioural advertising purposes. California residents may submit a “Do Not Sell or Share” request at any time by emailing privacy@welocity.ai. 


How to Exercise Your Rights 


Email: privacy@welocity.ai 


Online form: welocity.ai/privacy-requests 


Postal: NetConnect Private Limited, Attn: Privacy Team, Bangalore, India [full address TBD] 


We will respond within the timeframe required by applicable law (typically 30 days under GDPR, extendable by 60 days for complex requests). We may need to verify your identity before processing certain requests. 

XI. Security Measures 

We implement appropriate technical and organisational measures to protect personal data, as required by Article 32 GDPR. These include: 


  • Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256 for databases, server-side encryption for object storage) 


  • Role-based access controls and least-privilege principles for all employee, recruiter, and client access 


  • Multi-factor authentication for privileged accounts 


  • Audit logging of access to candidate records and interview content, retained for 12 months minimum 


  • Network segmentation, vulnerability management, and regular penetration testing 



  • Service-provider due diligence, ongoing monitoring, and contractual data-protection obligations 


  • Employee data-protection training and confidentiality obligations 


  • Information Security Management System certified to ISO/IEC 27001:2013 (NetConnect group-level certification) 


  • Incident response and breach-notification procedures 

XII. Data Breach Notification 

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay, in accordance with Article 34 GDPR. 


Under DPDPA, we will notify the Data Protection Board of India and affected data principals of any personal data breach as required by the Act and applicable rules. 

XIII. Children’s Privacy 

Welocity’s services are intended for adults seeking employment opportunities. We require all platform users to be at least 18 years of age. We do not knowingly collect or process personal data from individuals under the age of 18. If we become aware that we have inadvertently collected personal data from a child under 18, we will promptly delete it. 


Parents or guardians who believe their child has provided personal data to us may contact privacy@welocity.ai for prompt deletion. 

XIV. Changes to This Policy 

We may update this Policy from time to time to reflect changes in our practices, in applicable law, or in the services we offer. Material changes will be communicated to you via email (where we have your email on file) or by prominent notice on our platform at least 15 days before the changes take effect. 


Older versions of this Policy will be archived and available on request for compliance and audit purposes. The current version, with effective date, is always available at welocity.ai/privacy-policy. 

XV. Contact Us 

NetConnect Private Limited (operating Welocity.ai) 

CIN: U32202KA1997PTC021881 

Address: Bangalore, Karnataka, India [full registered address TBD] 


 Privacy queries: privacy@welocity.ai 

Data Protection Officer: dpo@welocity.ai 

Legal queries: legal@welocity.ai 

EU Representative: [TO BE APPOINTED]