1. Introduction
Welcome to Assessly ("we," "our," or "us"). We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services (collectively, the "Service").
This policy applies to all users of our platform, including companies that create assessments, candidates who complete assessments, and visitors to our website. Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the Service.
2. Information We Collect
2.1 Information You Provide to Us
We collect information that you voluntarily provide to us when you:
- Register for an account: Full name, email address, company name, job title, and password
- Complete an assessment: Name, email address, phone number (optional), resume/CV, cover letter, and any other information you choose to provide in your responses
- Submit assessment responses: Text responses, multiple-choice selections, numerical data, video recordings, audio recordings, code submissions, and file uploads
- Contact us: Name, email address, phone number, and the content of your message
- Subscribe to our newsletter: Email address and communication preferences
 
2.2 Information Automatically Collected
When you access the Service, we automatically collect certain information about your device and usage:
- Device Information: IP address, browser type and version, operating system, device type, screen resolution
- Usage Data: Pages visited, time spent on pages, links clicked, assessment progress, session duration
- Location Data: Approximate geographic location based on IP address
- Cookies and Tracking Technologies: We use cookies, web beacons, and similar technologies (see Section 10)
 
2.3 Information from Third Parties
We may receive information about you from third-party services:
- Google OAuth: If you sign up using Google, we receive your name, email address, and profile picture
- OpenAI: AI-generated evaluation scores and feedback based on your assessment responses
 
3. How We Use Your Information
We use the information we collect for various purposes, including:
- Provide and maintain the Service: Process your account registration, enable assessment creation and completion, store and display your data
- AI-powered evaluation: Analyze your assessment responses using OpenAI gpt-5-mini to generate scores, feedback, and insights
- Share with assessment creators: Transmit your responses and AI-generated insights to the company that created the assessment
- Send notifications: Email confirmations of assessment submissions, results notifications, account updates, and security alerts
- Improve our Service: Analyze usage patterns, identify bugs, develop new features, and enhance user experience
- Security and fraud prevention: Detect and prevent unauthorized access, abuse, and fraudulent activity
- Legal compliance: Comply with applicable laws, regulations, and legal processes
- Marketing and communications: Send you product updates, newsletters, and promotional materials (with your consent)
 
4. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data based on the following legal grounds:
- Contract Performance: Processing is necessary to provide the Service you requested
- Consent: You have given explicit consent for specific processing activities (e.g., marketing emails)
- Legitimate Interests: Processing is necessary for our legitimate business interests (e.g., improving the Service, security)
- Legal Obligation: Processing is required to comply with applicable laws and regulations
 
5. Data Sharing and Disclosure
5.1 With Assessment Creators
When you complete an assessment, your responses, personal information, and AI-generated insights are shared with the company that created the assessment. This is the primary purpose of the Service and is necessary to fulfill the assessment process.
5.2 With Third-Party Service Providers
We share your information with trusted third-party service providers who assist us in operating the Service:
- Supabase: Database hosting, authentication, and file storage
- OpenAI: AI-powered evaluation of assessment responses using gpt-5-mini
- Resend: Transactional email delivery
- Hosting and Infrastructure: Cloud hosting, content delivery networks, and server infrastructure
 
These providers are contractually obligated to use your information only for the purposes we specify and to maintain appropriate security measures.
5.3 Legal Requirements and Protection
We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas). We may also disclose your information to:
- Comply with legal obligations
- Protect and defend our rights or property
- Prevent or investigate possible wrongdoing in connection with the Service
- Protect the personal safety of users or the public
- Protect against legal liability
 
5.4 Business Transfers
If we are involved in a merger, acquisition, or asset sale, your personal information may be transferred. We will provide notice before your information is transferred and becomes subject to a different privacy policy.
6. International Data Transfers
Your information may be transferred to and maintained on computers located outside of your state, province, country, or other governmental jurisdiction where data protection laws may differ from those in your jurisdiction.
If you are located in the EEA or UK and your data is transferred to countries outside these regions, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses approved by the European Commission
- Data Processing Agreements with third-party providers
- Adequacy decisions recognizing equivalent data protection standards
 
7. Data Security
We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption: Data in transit is encrypted using TLS/SSL; sensitive data at rest is encrypted
- Access Controls: Role-based access controls limit who can view or modify data
- Authentication: Secure password requirements and optional two-factor authentication
- Regular Backups: Automated backups to prevent data loss
- Security Monitoring: Continuous monitoring for unauthorized access attempts
- Secure Development: Security best practices in code development and deployment
 
However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security.
8. Your Privacy Rights
8.1 General Rights (All Users)
Depending on your location, you may have the following rights:
- Right to Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data ("right to be forgotten")
- Right to Restriction: Request that we limit the processing of your data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to our processing of your data for certain purposes
- Right to Withdraw Consent: Withdraw consent where processing is based on consent
 
8.2 GDPR Rights (EEA and UK Users)
If you are located in the EEA or UK, you have additional rights under the General Data Protection Regulation (GDPR):
- Right to lodge a complaint with your local supervisory authority
- Right to object to automated decision-making, including profiling
- Right to be informed about how your data is processed
 
8.3 CCPA Rights (California Users)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):
- Right to Know: Request disclosure of personal information collected, used, or shared
- Right to Delete: Request deletion of personal information we have collected
- Right to Opt-Out: Opt out of the sale of personal information (we do not sell personal information)
- Right to Non-Discrimination: Not be discriminated against for exercising your privacy rights
 
8.4 How to Exercise Your Rights
To exercise any of these rights, please contact us at privacy@assessly.app. We will respond to your request within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.
9. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this privacy policy, unless a longer retention period is required or permitted by law.
- Account Data: Retained for the duration of your account plus 90 days after deletion
- Assessment Responses: Retained according to the company's retention policy, typically 1-3 years from submission
- Video/Audio Recordings: Retained for the same period as assessment responses
- Usage Data: Retained for up to 2 years for analytics purposes
- Backup Data: May be retained for up to 90 days in backup systems
 
After the retention period expires, personal data is securely deleted or anonymized.
10. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to track activity on our Service and store certain information. Cookies are files with a small amount of data that are stored on your device.
Types of Cookies We Use:
- Essential Cookies: Necessary for the Service to function (e.g., authentication, session management)
- Functional Cookies: Remember your preferences and settings
- Analytics Cookies: Help us understand how users interact with the Service
- Performance Cookies: Monitor performance and identify areas for improvement
 
You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.
11. Third-Party Services and Links
Our Service may contain links to third-party websites or services that are not owned or controlled by Assessly. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. We strongly advise you to review the privacy policy of every site you visit.
12. Children's Privacy
Our Service is not intended for use by individuals under the age of 16 ("Children"). We do not knowingly collect personally identifiable information from Children under 16. If you are a parent or guardian and you are aware that your child has provided us with personal data, please contact us. If we become aware that we have collected personal data from Children without verification of parental consent, we will take steps to remove that information from our servers.
13. AI Processing and Automated Decision-Making
We use OpenAI's gpt-5-mini to evaluate assessment responses and generate scores, feedback, and insights. This involves automated processing of your responses. You should be aware that:
- AI-generated evaluations are advisory and should be considered alongside human judgment
- Your responses may be sent to OpenAI's servers for processing
- We do not use your responses to train OpenAI models (OpenAI's API terms prohibit this)
- You have the right to request human review of AI-generated evaluations
- Final hiring or selection decisions should not be based solely on automated processing
 
14. Do Not Track Signals
We do not currently respond to Do Not Track (DNT) signals. However, you can disable cookies in your browser settings to limit tracking.
15. Changes to This Privacy Policy
We may update our privacy policy from time to time. We will notify you of any material changes by:
- Posting the new privacy policy on this page
- Updating the "Last updated" date at the top of this policy
- Sending you an email notification (for significant changes)
- Displaying a prominent notice on our Service
 
You are advised to review this privacy policy periodically for any changes. Changes to this privacy policy are effective when they are posted on this page.
16. Contact Us and Data Protection Officer
If you have any questions about this privacy policy, our data practices, or wish to exercise your privacy rights, please contact us:
Email: privacy@assessly.app
Subject Line: Privacy Inquiry - [Your Request Type]
Response Time: We aim to respond within 30 days
For users in the EEA or UK, you also have the right to lodge a complaint with your local data protection authority if you believe we have not adequately addressed your concerns.