At Zerotonin, we are dedicated to safeguarding your privacy. This Privacy Policy is an integral part of the
Zerotonin Terms of Service (ToS) and applies to all registered users, including both candidates and
recruiters. We may collect information, including but not limited to your personal details, when you register
and use our services. If you do not agree with our Privacy Policy, we recommend that you discontinue use of
our services immediately. Your acceptance of this Privacy Policy shall be deemed as your explicit consent for
us to use your personal data in the manner stated in this policy.
This policy may be modified or revised from time to time and you are requested to revisit this page periodically.
Our Details
- Data Fiduciary: Zerotonin Innovations Private Limited
- Registered Address: Building No. XII/290, Kalappuravechamukalel, Ettumanur, Kottayam, Kerala, India
- Grievance / Support: support@zerotonin.com
- General Enquiries: director@zerotonin.com
Personal Data Collected
We categorise data as Mandatory (necessary for account creation and platform use),
Optional (intended to improve profiles or user experience), and
Files/Documents. Only personal data is listed here; non-personal technical data is not
separately enumerated.
If you are a Doctor / Medical Professional (Candidate)
Mandatory Information
- Basic Identity: Full Name, Phone Number, Email Address
- Preferred Job Specialization
- Preferred Job Location
- Gender
- Date of Birth
- Employment History: Hospital/Clinic Name, Department, Designation/Role, Start Date, End Date (or "Currently employed" status)
- Education & Qualifications: Status (Completed/Ongoing), Highest Qualification, Degree/Title, Country, Institution, Year of Completion
- Medical Council Registration: Registration Year, Medical Council (e.g., Medical Council of India / General Medical Council), Registration Number
- Job Preferences & Relocation: Preferred Work Locations (Countries, States, Districts)
Optional Information
- Clinical Skills, Research / Thesis (Title and Year of Submission)
- Publications (Journal Title, Publication Title, Category, URL)
- Presentations (Type, Level, Conference/Event Title, Year)
- Achievements: Prizes, Awards, Ranks
- Management & Leadership Experience
- Teaching Experience
Files Required & Generated
- Certificates: Verification documents classified as REGISTRATION, DEGREE, or OTHER (file metadata: original name, MIME type, size)
- Dynamic Resumes: CVs generated in PDF format upon request; downloads are protected by strict
no-store cache-control headers
- Profile Photo
If you are a Recruiter (Hospital / Clinic)
We collect only the minimum personal data of your authorised user(s) for registration: Full Name, Work Email,
Mobile Number, Designation, and Profile Photo.
Purpose of Processing Personal Data
We process personal data only for the following purposes:
- Creating and managing user accounts
- Verifying user identity and contact information (Two-Factor Authentication via SMS OTPs)
- Enabling job discovery, applications, and recruitment communication
- Displaying professional profiles to relevant, verified users
- Sending essential service communications (login, security, application-related notifications)
- Maintaining platform security and preventing misuse
- Building reputable Employer Profiles visible to the medical community (for hospitals)
- Internal admin vetting and approval of healthcare organisations
Recruiter-visible data (name, contact details) is shared with recruiters only when a Doctor applies for a
role or opts to be discoverable. If you are a registered user of a recruiter, your personal data will not be
shared with candidates unless approved by you.
Data Sharing
We do not sell user data. Data is shared only to facilitate the functioning of the platform.
Between Platform Users
When a Doctor applies for a role or opts to be discoverable, their professional personal data (profile
details, qualifications, experience, and contact details) becomes visible to the relevant verified recruiter.
With Third-Party Service Providers
We transmit the minimum data necessary for each provider to perform their function:
- AWS SES (Amazon Simple Email Service): Receives email addresses to deliver OTPs, password reset links, and platform notifications.
- MSG91: Receives Indian mobile numbers to dispatch SMS OTP messages for phone verification.
- AWS S3: Secure cloud storage for document uploads (logos, verification PDFs, registration certificates).
- MongoDB: Primary database service where all structured platform data securely resides.
Safety and Security Measures
- Robust Password Protection: All passwords are hashed using the bcrypt algorithm with secure salts. Passwords are never stored in plaintext.
- Data Integrity & Transport: Authentication relies on time-bound, stateless JSON Web Tokens (JWT) tied to the user's granular role permissions.
- Secure OTP Policies: OTPs are randomly generated and securely hashed. They are protected against brute-force attempts by a 10-minute expiry, a 60-second cooldown, and a maximum of 5 failed attempts before temporary lockout.
- Strict File Upload Boundaries: Only .png, .jpg, and .pdf files are accepted (strict MIME-type allowlists), with a maximum 10 MB size limit.
- Audit Logging & Tracing: Critical security actions (login attempts, password resets, token generation) are persistently logged with actor details and IPs.
- Fail-Closed Architecture: Security tokens and hashes are intentionally stripped from all client-facing API payloads.
Data Retention
Personal data is retained only for as long as:
- The user account remains active, or
- The data is required for recruitment-related services, or
- Retention is required by applicable law
Users may request deletion or correction of their personal data, subject to legal obligations. See our Deletion Policy for full details on how account deletion and data anonymisation work.
Your Rights
Depending on applicable law, you may have the right to:
- Access your personal data
- Correct inaccurate or incomplete personal data
- Request deletion of your personal data
- Withdraw consent where applicable
- Raise grievances regarding personal data processing
Requests can be directed to support@zerotonin.com. Please note that we may not be able to
provide our services if you opt for deletion of your personal data or withdraw your consent.
Last updated: May 19, 2026. We may update this policy from time to time. Continued use of the platform
indicates acceptance of the updated policy.