Privacy Policy

We take your privacy seriously.

DesignLoop is built on the principle that your data exists to serve you — not to profile, sell, or monetise you beyond the service you signed up for.

Effective March 1, 2026

01

Overview

This Privacy Policy describes how ThyncLabs Private Limited ("ThyncLabs", "we", "us", or "our") collects, uses, stores, and protects information in connection with DesignLoop, our system design interview platform available at designloop.thynclabs.com and its associated subdomains (the "Service").

By accessing or using the Service, you acknowledge that you have read and understood this policy. If you do not agree, please discontinue use of the Service immediately.

Our Commitment

We do not sell your personal data to third parties. We do not use your interview recordings or session transcripts to train AI models without explicit, opt-in consent. You can delete your account and all associated data at any time.

02

Data We Collect

Account Information

  • Name and email address provided at registration
  • Authentication tokens and session identifiers
  • Plan and subscription tier
  • Role (engineer, recruiter, admin) and seniority level if provided

Usage & Interaction Data

  • Interview session metadata: problem ID, start/end timestamps, seniority level, score
  • Whiteboard diagram data (SVG/JSON) generated during practice sessions
  • Voice transcripts from AI-conducted interviews (stored encrypted, retained for 90 days by default)
  • Evaluation rubric scores and AI-generated feedback
  • Problem bookmarks, favorites, and progress indicators
  • Discussion forum posts and comments

Technical & Diagnostic Data

  • IP address and approximate geographic region
  • Browser type, version, and operating system
  • Referring URL and navigation path
  • API request logs (retained for 30 days)
  • Error reports and crash diagnostics

Payment Data

Payments are processed by Razorpay. DesignLoop does not store raw card numbers, CVV, or full bank account details. We retain Razorpay order IDs, payment IDs, and subscription status for billing and compliance purposes.

Enterprise / Recruiter Data

  • Company name, team size, and billing contact
  • Candidate invitation records (email addresses, invite status)
  • Session evaluation reports shared with hiring managers
  • Contract terms and quota utilisation data

03

How We Use Data

We use collected data solely for the following purposes:

  • Providing, operating, and improving the Service
  • Generating AI evaluation feedback and scoring for your practice sessions
  • Processing payments and managing subscription state
  • Sending transactional emails (account activation, payment receipts, session summaries)
  • Detecting and preventing fraud, abuse, and security incidents
  • Complying with applicable legal obligations
  • Aggregated, anonymised product analytics to understand feature usage (no individual profiling)

What We Never Do

We do not use your personal data for behavioural advertising, cross-site tracking, or selling audience segments. We do not share identifiable usage data with recruitment agencies, job boards, or background check providers.

04

Sharing & Disclosure

Sub-processors

We share data with the following categories of trusted sub-processors under contractual data-processing agreements:

  • Cloud infrastructure (compute, storage, database) — data remains within the primary region
  • Razorpay — payment processing (PCI-DSS Level 1 certified)
  • Transactional email delivery provider
  • AI model inference provider — session transcripts are processed under a strict data-processing agreement that prohibits training on customer data

Legal Disclosure

We may disclose your information if required by law, court order, or governmental authority, or where we believe disclosure is necessary to protect the rights, property, or safety of ThyncLabs, our users, or the public.

Business Transfers

In the event of a merger, acquisition, or asset sale, user data may be transferred. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.

05

Data Retention

  • Account data: retained for the lifetime of your account, deleted within 30 days of account deletion request
  • Voice transcripts: 90 days from session date (configurable to 30 days on Pro plans)
  • Whiteboard diagrams: retained until you delete the session or your account
  • Evaluation reports: retained for 12 months; enterprise customers may request extended retention
  • Payment records: 7 years for tax and financial compliance
  • API & server logs: 30 days rolling window
  • Anonymised aggregate analytics: indefinitely (no personal identifiers retained)

06

Security Measures

We implement administrative, technical, and physical safeguards designed to protect your personal data against unauthorised access, alteration, disclosure, or destruction. Key controls include:

  • TLS 1.2+ encryption for all data in transit
  • AES-256 encryption for sensitive data at rest
  • Role-based access controls with least-privilege enforcement
  • Secrets managed via environment-isolated vaults — never in source code
  • Automated vulnerability scanning and dependency patching
  • Annual penetration testing by independent third-party assessors

Despite these measures, no system is 100% secure. If you believe your account has been compromised, contact us immediately at support@thynclabs.com.

07

Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Under GDPR (EEA / UK residents)

  • Right of access — obtain a copy of the personal data we hold about you
  • Right to rectification — correct inaccurate or incomplete data
  • Right to erasure ("right to be forgotten") — request deletion of your data
  • Right to restrict processing — limit how we use your data in certain circumstances
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interests
  • Right to withdraw consent — withdraw consent at any time where processing is consent-based

Under CCPA (California residents)

  • Right to know what personal information is collected, used, shared, or sold
  • Right to delete personal information we have collected
  • Right to opt out of the sale of personal information (we do not sell personal information)
  • Right to non-discrimination for exercising your privacy rights

How to Exercise Your Rights

Email support@thynclabs.com with your request. We will respond within 30 days (GDPR) or 45 days (CCPA) of receiving a verifiable request. Identity verification may be required.

08

Cookies & Tracking

DesignLoop uses a minimal set of first-party cookies:

  • auth_token — stores your session JWT; HttpOnly, Secure, SameSite=Strict; expires per session or 30 days with "remember me"
  • csrf_token — CSRF protection for state-mutating requests
  • __theme — remembers your UI theme preference (localStorage, not a cookie)

We do not use third-party advertising cookies, Facebook Pixel, Google Analytics, or any cross-site tracking technology. Analytics are first-party and aggregated only.

09

International Transfers

DesignLoop is operated from India. If you access the Service from the European Economic Area, United Kingdom, or other regions with data protection laws, please be aware that your data may be transferred to and processed in India or other countries.

Where required by applicable law, we ensure appropriate safeguards are in place for such transfers, including Standard Contractual Clauses approved by the European Commission.

10

Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected such data, we will take immediate steps to delete it. If you believe a child has provided us with personal data, please contact us at support@thynclabs.com.

11

Policy Changes

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email (if you have an account) and by posting a prominent notice on the Service at least 14 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

The version history of this document is maintained and available on request.

12

Contact Us

For privacy-related inquiries, data subject requests, or to report a concern:

  • Email: support@thynclabs.com
  • Data Protection contact: ThyncLabs Private Limited, Privacy Team
  • Response SLA: 5 business days for general inquiries, 30 days for formal data subject requests

For urgent security-related privacy concerns (e.g. suspected data breach), email support@thynclabs.com — monitored 24 × 7.

DesignLoop

The system design interview platform — built for engineers who want to go deeper.

By ThyncLabs · © 2026 · Early Access
