Privacy Policy

1Introduction & scope

This Privacy Policy ("Policy") explains how HIPI Pte. Ltd. ("HIPI", "we", "us", or "our") collects, uses, discloses, and protects personal data when you visit hipi.com, create an account, or use our AI co-worker platform and related services (together, the "Service"). Our recruiting co-worker, "Angela", is live today; additional co-workers are released over time and are covered by this Policy as they launch.

We handle personal data in accordance with the Singapore Personal Data Protection Act 2012 ("PDPA") and have regard to the PDPC's Advisory Guidelines, including those on the use of personal data in AI recommendation and decision systems. Where our customers operate in other jurisdictions, additional terms may apply under our agreements with them.

2Our role: controller vs. intermediary

The PDPA distinguishes between an organisation that determines the purposes of processing and a data intermediary that processes data on another organisation's behalf. Our role depends on the data:

If you are a candidate and want to exercise your rights, the fastest route is usually the employer you applied to. We will support them, and you can also contact us directly (see section 11).

3Personal data we collect

3.1 Account data

• Name, work email, company name, and role.
• A password stored only as a salted, hashed value (scrypt) — we never store it in plain text.
• Account settings, autonomy preferences, and audit metadata.

3.2 Candidate data (processed for our customers)

• Contact details (name, phone number, email) provided by the candidate or the customer's job board / ATS.
• Application content: availability, eligibility, certifications, and answers to screening questions.
• Screening outputs: scores, ranking rationales, and pipeline status.

3.3 Conversation data

• Messages exchanged with Angela over SMS or chat.
• AI-disclosure and consent records, and any request to speak with a human.

3.4 Technical & usage data

• Log data (IP address, timestamps, request metadata), device and browser information.
• Cookies and similar technologies (see section 7).

We do not seek special-category data (such as race, religion, or health) and instruct the model not to score protected attributes. Please do not submit such data unless strictly necessary and lawful.

4How and why we use data

We use personal data to:

• Provide the Service — AI screening, candidate messaging, scheduling, and shortlisting on behalf of our customers.
• Maintain audit trails, consent and AI-disclosure records, and fairness/bias reporting.
• Authenticate users, secure accounts, and prevent fraud or abuse.
• Operate, troubleshoot, analyse, and improve the Service.
• Communicate with you about your account, security, and material changes to the Service.
• Comply with legal obligations and enforce our agreements.

Under the PDPA we rely on consent (including deemed consent where appropriate), the legitimate interests exception, and other lawful bases such as the performance of a contract. Our customers are responsible for establishing the lawful basis for candidate data they bring to the platform.

5AI processing, disclosure & human oversight

The Service uses AI to assist recruiters. We design it for transparency and human control:

• Disclosure. Angela states she is an AI on first contact with a candidate.
• Consent first. Consent is captured before AI-driven screening begins.
• A human, always. Candidates can ask for a human at any time, and a human approves every shortlist.
• Explainability. Every score and action is recorded with a written rationale in an append-only audit log.
• No solely-automated rejections. Final hiring decisions rest with the customer's people, not the model.

This reflects the spirit of Singapore's Model AI Governance Framework and TAFEP's fair-employment guidelines.

6Disclosure & sub-processors

We disclose personal data only as needed to run the Service:

• Sub-processors / service providers — for example messaging (SMS), calendar, cloud hosting, and large-language-model providers, strictly to deliver the Service under contractual confidentiality and security obligations.
• Your organisation — recruiters and authorised users within your workspace.
• Legal & safety — where required by law, regulation, legal process, or to protect rights, safety, and the integrity of the Service.
• Business transfers — in connection with a merger, acquisition, or asset sale, subject to this Policy.

We do not sell personal data and we do not use candidate data to train third-party foundation models.

7Cookies & analytics

We use strictly-necessary cookies to keep you signed in (a signed, httpOnly session cookie) and remember your theme preference. We may use privacy-respecting analytics to understand aggregate usage and improve the Service. You can control cookies through your browser; disabling strictly-necessary cookies may break sign-in.

8International transfers

We primarily process data in or for Singapore. Where personal data is transferred outside Singapore (for example to a cloud or model provider), we take steps required by the PDPA's Transfer Limitation Obligation to ensure a comparable standard of protection, such as contractual safeguards with the recipient.

9Retention & redaction

We retain personal data only for as long as necessary for the purposes in this Policy, to meet our customers' configured retention settings, or as required by law. When data is no longer needed, we delete or anonymise it.

Customers can configure retention windows, and candidates or customers may request redaction or deletion of candidate data, subject to legal and audit-retention requirements. Audit-trail metadata may be retained in a minimised form to evidence fair-hiring compliance.

10How we protect data

We apply technical and organisational measures appropriate to the risk, including:

• Encryption of data in transit (TLS).
• Salted, hashed credentials (scrypt) and signed session cookies.
• Role-based access controls and tenant isolation between customers.
• Webhook signature verification, request idempotency, and rate limiting.
• An append-only audit log of automated actions.

No method of transmission or storage is completely secure. While we work hard to protect your data, we cannot guarantee absolute security. If we become aware of a data breach that meets the PDPA notification threshold, we will notify the PDPC and affected individuals as required.

11Your rights & choices

Subject to the PDPA and other applicable law, you may:

• Access the personal data we hold about you and information on how it has been used.
• Correct inaccurate or incomplete personal data.
• Withdraw consent to our processing (this may limit your ability to use the Service).

To make a request, email our Data Protection Officer at dpo@hipi.com. We will verify your identity and respond within the timeframes required by law. If you are a candidate, we may direct your request to the relevant employer where they are the controlling organisation.

12Children

The Service is intended for use by employers and adult job candidates. It is not directed at children, and we do not knowingly collect personal data from anyone below the minimum legal working age without appropriate consent. If you believe we have collected such data, contact us and we will take appropriate steps.

13Third-party links

Our website and the Service may link to third-party sites and services (for example, job boards, calendars, or messaging apps). We are not responsible for their privacy practices. Review their policies before providing personal data.

14Changes to this Policy

We may update this Policy from time to time. Material changes will be posted here with a revised "last updated" date and, where appropriate, notified to account holders. Continued use of the Service after changes take effect constitutes acceptance of the updated Policy.

15Contact us

For privacy questions or to reach our Data Protection Officer:

• Email: dpo@hipi.com · General: hello@hipi.com
• Entity: HIPI Pte. Ltd., Singapore
• Or use our contact page.

If you are not satisfied with our response, you may lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore.

This document is provided for general information and transparency. It is not legal advice. HIPI Pte. Ltd. operates the Service from Singapore; please consult your own advisers about how these terms apply to you.