Privacy Policy

Last updated: April 7, 2026

About RTIdx

RTIdx (Risk & Threat Index) is a community-driven platform that analyses risk signals associated with recruitment-related communications and code repositories.

Report Submissions

When you submit a report through the platform, we collect:

  • Conversation text — the pasted or typed description of the interaction you are reporting. Reporter personal information (name, email, handles) is automatically redacted before storage.
  • URLs — profile links (e.g. LinkedIn, GitHub) and repository links you provide as evidence.
  • Red-flag indicators — optional checkboxes you select (e.g. "pressured to run code", "no formal contract").
  • Reporter identity — your authenticated user ID is linked to the report. Your name and email are never displayed publicly.

Legal basis: Legitimate interest in fraud prevention and protection of the recruitment community (GDPR Art. 6(1)(f)). We conduct a Legitimate Interest Assessment (LIA) and balance the interests of the reporting community against the rights of data subjects.

Data About Reported Persons (Data Subjects)

When a report is submitted, data about the person being reported may be processed. This can include:

  • Name or alias used in the reported conversation
  • Claimed employer or organisation
  • Platform profile URL (publicly redacted to platform name only; full URL visible only to authorised analysts)
  • Repository URL (publicly redacted to domain only; full URL visible only to authorised analysts)

Legal basis: Legitimate interest in anti-fraud intelligence (GDPR Art. 6(1)(f)). We apply data minimisation: public case pages do not display full URLs, personal profile links, or definitive labels about individuals. Risk assessments are expressed as signal-based indicators, not conclusive statements.

We do not make fully automated decisions with legal or similarly significant effect about any individual. All risk signals are generated by automated analysis, but any consequential action (public disclosure of identity, partner notification, or account restriction) requires human review by a trained analyst.

Automated Processing & AI Analysis

Submitted reports are processed by automated systems that generate risk signals:

  • Rule engine — pattern matching against known threat indicators in conversations and code repositories.
  • AI verification — large language models (OpenAI, Google Gemini) verify whether detected code patterns are genuinely suspicious or benign in context.
  • AI narrative summary — a language model generates a plain-language summary of the risk signals detected. Summaries use hedged language ("evidence suggests", "indicators point to") and never make definitive accusations.

These AI services process sanitised data (reporter PII is redacted before transmission). Processing may involve transfers to servers outside the EU/EEA (see International Transfers below).

Your Rights as a Data Subject

Under the GDPR and applicable national law, you have the following rights:

  • Right of access (Art. 15) — request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — request correction of inaccurate data.
  • Right to erasure (Art. 17) — request deletion of your data, subject to legal retention obligations.
  • Right to restriction (Art. 18) — request that we limit processing of your data while a dispute is resolved.
  • Right to object (Art. 21) — object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Right not to be subject to automated decisions (Art. 22) — we do not make fully automated decisions with legal or similarly significant effect.

If you are the subject of a report and believe you have been incorrectly identified, you can use the Appeal / Dispute function on the relevant case page, or contact us directly.

Appeal & Dispute Process

Every case page includes an Appeal / Dispute link. If you believe a risk assessment is inaccurate, you can:

  • Submit an appeal explaining why the assessment is incorrect
  • Request temporary restriction of public display while the appeal is reviewed
  • Have your appeal reviewed by a human analyst, who will examine the evidence and update or retract the assessment

All appeal decisions are logged in an audit trail for accountability.

Data Retention

  • Active cases — retained for the duration of the risk assessment lifecycle. Cases resolved as "no risk signals detected" are retained for up to 12 months, then anonymised or deleted.
  • High-risk cases — retained indefinitely to protect the community, unless erasure is required following a successful appeal or legal obligation.
  • Appeal records — retained for 24 months after resolution for accountability.
  • Reporter accounts — you may delete your account at any time. Your reports persist as anonymised records (reporter identity is removed).

International Transfers

Risk signal analysis may involve transmitting sanitised (reporter PII redacted) data to AI model providers:

  • Google Gemini API — for generating case narrative summaries
  • OpenAI API — for verifying code-level findings in repositories

These providers process data under their respective data processing agreements and may transfer data outside the EU/EEA. We rely on Standard Contractual Clauses (SCCs) or adequacy decisions where applicable. No raw reporter personal data is transmitted to these services.

Data Sharing

We do not sell, rent, or share your data with third parties for marketing purposes. Analysis results are returned only to you. When you submit a report, the submitted data becomes part of the RTIdx threat intelligence database to help protect other users.

Security

We implement technical and organisational measures including: encrypted storage, role-based access control for analysts, signed temporary URLs for evidence files, submit-time PII redaction, and tiered visibility controls that limit what public viewers can see versus authorised analysts.

Contact

For privacy concerns, data subject access requests, or data deletion requests, contact us at privacy@rtidx.com.

You also have the right to lodge a complaint with your national data protection authority. In Poland, this is the President of the Office for Personal Data Protection (UODO).