HAPTAI Privacy Policy

HAPTAI x Data Protection Impact Assessment(DPIA)

1. Project Overview

Project/Tool Name: HAPTAI

HAPTAI is a behavioural profiling tool to match gaming/cyber aptitudes to roles using public and voluntarily supplied data.

Key Stakeholders: [Product Owner, DPO, CTO,Legal, etc.]

Start Date: 6 November 2025

Expected Go-Live Date: 17 November 2025

2. Purpose of the Processing

Why is personal data being collected?
Match user-submitted gaming/cyber aptitudes to roles.
The platform uses voluntarily supplied, non-sensitive behavioural data(e.g. gaming preferences) to generate self-view aptitude insights visible only to the user, unless they choose to share them

Lawful Basis for Processing (tick as appropriate):

Consent (users opt-in)
Consent is collected at onboarding via an explicit checkbox with layered privacy summary and full policy link.
Age confirmation: Users must confirm they are 18 or older, or that they have parental/guardian consent if under 18.

Intended Benefits:

●     For Users:

○     Identify and showcase gaming/cyber aptitude to potential employers in a secure, standards-aligned way.

●     For THG/Employers:

○     Surface unconventional talent faster and link aptitude scoring to employability signals, reducing hiring friction.

3. Description of Personal Data Involved

Name, email, gamer handle.

●     Optional CV/LinkedIn-type info.

●     Basic gaming challenge scores (no sensitive data).

No special category or sensitive data (health, ethnicity, political opinions, etc.) is processed or inferred

4. Data Flow Mapping

CollectionMethods:

●     Collected via platform interface → encrypted storage (AWS EU).

○     No sensitive/special category data.

○     Retention: 12 months inactivity.

StorageLocation:

●     WS EU (Ireland) region only. Data encrypted at rest (AES-256) and in transit (TLS 1.2+).

TransferMechanisms:

●     No international transfers outside EEA at MVP.

○     If support tools (e.g., email notifications or analytics) later involve non-EU services, they will be covered by SCCs(Standard Contractual Clauses).

RetentionPeriod:
Auto-deletion after 12 months inactivity.

5. Risk Assessment

●     Unauthorised access → encryption + strong password policy (MFA planned in next phase).

●     Profiling accuracy → human oversight.

●     Data breach → AWS controls + incident response.

Given the non-sensitive data and full user control, overall risk is classified as Low. Review cycle: annual or on any feature that introduces data sharing.

6. Data Subject Rights

●     Access, deletion, correction, opt-out (via platform commands/support email).

Method:
Users can exercise rights via in-platform controls or by contacting haptai.support@thg-v.com. Data requests are processed within 30 days.

As profiling results are generated algorithmically but not used for decision-making, there is no significant effect on individuals under GDPR Article 22

7. Security Measures

Technical and organizational measures in place:

●     Encrypted data, RBAC, audit logs.

8. Consultation & Sign-Off

DPO (or acting role), CTO, Product Owner –single sign-page.

9. Final Assessment

Given the limited personal data collected(gamer handles and CV-like profiles), risks to individuals are low. We will review our handling of personal data quarterly and whenever we introduce new features. Data access is restricted to authorised administrators. We will monitor for any data breaches or complaints, and adapt our approach if risks change or regulatory guidance evolves.”

10. Sign-Off

Reviewed and approved: We have considered and documented the data protection risks associated with this soft launch. Residual risks are low and acceptable for this phase. This DPIA will be updated as the platform scales or features change.”

                 •                Name: Adam Cox

                 •                Role/Title:  CFO

                 •                Date: 6 November 2025

‍