🎮 THE HACKING GAMES IS CREATING A GENERATION OF ETHICAL HACKERS TO MAKE THE WORLD SAFER​ 🔒

HAPTAI Privacy Policy: Candidates

[
January 1, 2026
]

‍Effective Date: January 2026

Introduction

At HAPTAI, we help you unlock your cyber security potential using gaming insights. We treat your data with respect and transparency.

For 16-17 Year Olds: We have designed this Privacy Notice to be clear. Because there are no social features or messaging on this platform, your data is isolated and private by default.

1. Who We Are & How to Contact Us

THG Ventures Limited (trading as The Hacking Games) (“we”, “us”, “our”, “THG”) is the Data Controller and owns the HAPTAI platform at https://haptai.thehackinggames.com/ (“HAPTAI”).

2. Where We Get Your Data

We typically collect data from you directly when you sign up to our platform. However, we may also receive your name and email address from:

  • Recruiting Partners: If you applied for a job outside our platform, the Recruiter may have shared your contact details with us so we could invite you to build a profile.
    ‍
  • Outreach Partners: If an organisation you belong to shares a sign-up link with you.

3. What We Collect, Why, and Our Lawful Basis

Under UK data protection law, we must have a valid legal reason (a “lawful basis”) to process your information. 

What we are doing (The Purpose)

Account Administration
Purpose: Account Administration
Data we use: Email, username, password.
Lawful basis: Contractual Necessity
What this means in plain English: We need this to verify who you are and let you log in.

Aptitude Assessment
Purpose: Aptitude Assessment
Data we use: Game choices, strategy answers, LLM interview transcript, project files/GitHub data, CV data, TryHackMe data.
Lawful basis: Consent
What this means in plain English: You choose to participate in the games and chats to generate your profile.

Support & Communication
Purpose: Support & Communication
Data we use: Name, email, and support message content.
Lawful basis: Contractual Necessity
What this means in plain English: To help you if you have a technical problem or a question.

Transactional Updates
Purpose: Transactional Updates
Data we use: Email address.
Lawful basis: Contractual Necessity
What this means in plain English: To send essential emails, like password resets or “Report Ready” alerts.

Technical Maintenance‍
Purpose: Technical Maintenance
Data we use: IP address, device type, and usage logs.
Lawful basis: Legitimate Interests
What this means in plain English: To find and fix bugs so the platform stays secure and works well.

Matching & Recruitment
Purpose: Matching & Recruitment
Data we use: Your persona match, aptitude match and skills match scores.
Lawful basis: Consent
What this means in plain English: To show your profile to hiring companies when you’ve opted in.

What happens if you don’t provide your data?

You are not under a legal obligation to provide us with data. However, certain information is a contractual requirement:

  • Email: Without this, we cannot create an account or send your report.
    ‍
  • Assessment Inputs: If you don't complete the games or questions, we cannot generate your Aptitude Report.
    ‍

Optional Data: You do not have to provide diversity data (like gender). Skipping this will not affect your scores or experience.

4. Who We Share Your Information With

We do not sell your data. We work with different types of partners to help you find career opportunities. Our legal relationship with them depends on how you use the platform: 

A. If a Recruiter invited you (Joint Controllers)
If a Recruiter (the companies hiring for roles) shared your name/email with us to invite you to the platform, we and that Recruiter act as Joint Controllers. The Recruiter cannot see your raw answers, uploaded documents, or the internal logic we use and HAPTAI uses its own private technology to analyse your skills. However, because we work together to manage your onboarding and the final Aptitude Report is created to help a Recruiter find the right person, we’ll be Joint Controllers of that report.

B. If you joined independently (Sole Controller)
If you signed up independently or via a link from one of our Outreach Partners, THG is the Sole Controller of your data. No Recruiter has any access to your data or your report unless you choose to share it later. ‍

C. When an Aptitude Report is shared for a Job (Independent Controllers)
When a report is shared with a Recruiter - either because you applied for a role or because you agreed to be matched - that Recruiter becomes an Independent Controller of their copy of your Aptitude Report. They are responsible for their own hiring decisions and how they store your data.

D. Outreach Partners (Aggregated Insights only)
If you joined via one of our Outreach Partners (like a professional membership organisation or gaming club), we may share "Aggregated Insights" with them.

- No Personal Data: This means they see high-level trends about their group (e.g., "40% of your members have a 'Strategist' persona").

- Anonymity: They cannot see your name, your specific scores, or whether you individually have joined the platform.

  • E. Our Service Providers (Processors)
    We use trusted technical partners to help us run the platform, such as OpenAI (for AI analysis) and Google Cloud (for secure storage). 
  • F. Professional Advisors, Legal Authorities, and Business Transfers
    We may share your data with other third parties in specific circumstances:
    ‍

- Professional Advisors: Such as our lawyers, auditors, or insurers, when necessary for legal or professional advice.‍

- Legal Authorities: We will share data if we are legally required to do so by the police, a court, or regulators (like the ICO).

- Business Changes: If we sell, transfer, or merge parts of our business, the new owners may use your data in the same way as set out in this Privacy Notice.

5. International Data Transfers

We host your data in europe-west4-a (Eemshaven, Netherlands). However, to provide our AI aptitude analysis, we use OpenAI. This means your data is transferred to and processed in the United States.

To ensure your information remains protected to UK standards, we rely on the following safeguards:

  • The UK Extension to the Data Privacy Framework:
    We confirm that OpenAI is certified under this framework, which is recognised by the UK government as providing "adequate" protection.
    ‍
  • Standard Contractual Clauses/IDTA:
    Where data is transferred outside the UK, we use International Data Transfer Agreements (IDTAs) to ensure your data is protected to UK standards.These are standard legal clauses approved by the UK Information Commissioner’s Office (ICO) that require companies to protect your data.
    ‍
  • No Training:
    Our corporate agreement ensures OpenAI does not use your data to train its models.

6. How Our AI Works ("The Human-in-the-Loop")

Our AI tool analyses your "game-play mindset" to determine your skills and aptitudes and suggest your best cyber roles.

  • No Solely Automated Decisions:
    Our AI tool provides a "Decision Support" report. A human recruiter at our partner companies always reviews the report before any hiring decision is made.
    ‍
  • Challenging a Result:
    If you think your report is inaccurate, you have the right to request a human review by emailing: haptai.support@thg-v.com

7. How Long We Keep Your Data

  • Active Profiles: We keep your profile and progress active for as long as you are using the platform.
    ‍
  • The 12-Month Check: If you haven’t logged in for 11 months, we will send you a reminder. We keep your account open by default for 24 months unless you tell us to close it so that you don’t lose your hacking personas, project history, or career progress.
    ‍
  • Closing Your Account: If you no longer want us to keep your profile, you can click the "Close Account" link in our reminder email or delete your account at any time via your Settings. If we don’t hear from you and you remain inactive, we will eventually de-identify your profile.
    ‍
  • Research: We may keep "anonymised" data (where all personal identifiers like your name and email are permanently removed) indefinitely to help improve our cyber-security research and AI accuracy.

8. Your Online Safety 

We have designed this platform to be a private space for your career assessment:

  • No Social Interaction: There is no way for other users to see your profile, message you, or comment on your work. Your journey is private between you and our assessment tool.
    ‍
  • Data Isolation: Recruiters only see your final Aptitude Report. They never see your original project files, chat transcripts, or raw answers.
    ‍
  • Safety by Design: We proactively strip or request the removal of identifiers (like home addresses) to protect your "real world" identity.
    ‍
  • Contact: If you feel any part of the assessment is inappropriate, contact our Support Team immediately.

9. Security: Protecting your Information

We take technical and organisational measures to protect your information:

  • Encryption: Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
    ‍
  • Access Control: Only authorised staff with a specific business need can access the backend of the platform.
    ‍
  • Vendor Due Diligence: We check all third parties (like OpenAI and Google Cloud) to ensure they meet UK security standards.
    ‍
  • Data Isolation: No other user on the platform can see your profile or contact you.

10. Cookies and Tracking Technologies

We use "cookies" - small text files stored on your device - to help our platform work and to understand how you interact with it.

  • Strictly Necessary Cookies: These are essential for you to move around the platform and use its features, such as logging into secure areas. Without these, the assessment games and report generation cannot function. We do not need your consent for these.
    ‍
  • Analytics and Performance Cookies: With your permission (via our cookie banner), we use tools like Google Analytics to collect information about how you use the site. This helps us see if a particular game is too difficult or if a page is loading slowly. All data is aggregated and anonymised.
    ‍
  • How to Control Cookies: You can set your browser to block cookies, but please note that some parts of the platform may stop working if you do.

11. Marketing and Career Updates

We want to support your journey into the cyber security industry, but we will never "nudge" you to stay online longer than you need to.

  • Service Messages: We will send you emails that are necessary for the platform to work (e.g., password resets, account verification, and a notification when your Aptitude Report is ready). You cannot opt out of these as they are part of our service to you.
    ‍
  • Career & Job Alerts: If you give us your permission (by ticking the "opt-in" box at sign-up), we will send you emails about new job opportunities from our partners that match your "Cyber Persona."
    ‍
  • Platform News: Occasionally, we may send you information about new upskilling challenges or events.
    ‍
  • Your Right to Stop: You have the right to opt out of marketing at any time. Every marketing email we send includes a clear "Unsubscribe" link. You can also update your preferences in your Profile Settings.
    ‍
  • Third Parties: We never share your contact details with third-party companies so they can market their own products to you.

12. Your Legal Rights

You have the following rights under UK data protection law. You can ask us to:

  • Access: Send you a copy of all data we hold about you.
    ‍
  • Rectify: Fix any mistakes in your data.
    ‍
  • Erase: Delete your account and all associated data.
    ‍
  • Restrict/Object: Stop using your data for certain things.
    ‍
  • Portability: Transfer your data to another service.
    ‍
  • Withdraw Consent: Stop our processing at any time, where you previously gave us your consent.
    ‍

To exercise these rights, or if you have a complaint, please contact us at haptai.support@thg-v.com and let us have enough information to identify you. We may need to ask for extra information from you to help us identify you before we can process your request. We may also ask you to clarify the scope of your request. 

We will try to respond to all legitimate requests within one month. Occasionally, it may take us longer than a month if your request is particularly complex. In this case, we’ll notify you and keep you updated. 

You also have the right to contact your supervisory authority. In the UK, this is the Information Commissioner’s Office (www.ico.org.uk).

13. Your Duty to Inform Us of Changes

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data (such as your email address) changes during your relationship with us. You can update your details at any time through your Profile Settings.

14. Changes to this Privacy Notice

We keep our Privacy Notice under regular review. If we make significant changes to how we handle your data, we will notify you by:

  • Sending an email to the address associated with your account; and/or
    ‍
  • Placing a prominent notice on our platform login page.


This version was last updated in January 2026. Historical versions can be obtained by contacting us.

‍

Heading 1

Heading 2

Heading 3

Heading 4

Heading 5
Heading 6

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.

Block quote

Ordered list

  1. Item 1
  2. Item 2
    • ‍
  3. Item 3

Unordered list

  • Item A
  • Item B
  • Item C

Text link

Bold text

Emphasis

Superscript

Subscript

KEEP IT MOVING