PRIVACY POLICY

Last updated: January 2026

1. Introduction

Welcome to Assessely ("we", "our", or "us"), a service provided by ASSESSELY LTD. We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, disclose, and safeguard your information when you use our platform.

This policy applies to information we collect:

  • On our website (assessely.com)
  • Through our platform and services
  • In email, text, and other electronic communications
  • When you interact with our advertising and applications on third-party websites and services

Please read this policy carefully to understand our practices regarding your personal data and how we will treat it. By using our services, you acknowledge that you have read and understood this Privacy Policy.


2. Important Information and Who We Are

2.1 Data Controller

ASSESSELY LTD is the data controller and responsible for your personal data. We are registered in the United Kingdom with company registration number 15771523.

2.2 Contact Details

If you have any questions about this privacy policy or our data practices, please contact us at:
Email: [email protected]

2.3 Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this privacy policy. You can contact our DPO at:
Email: [email protected]

2.4 Changes to the Privacy Policy

We may update this privacy policy from time to time. The updated version will be indicated by an updated "Last Updated" date and the updated version will be effective as soon as it is accessible. We will notify you of any significant changes to this privacy policy by sending a notice to the primary email address associated with your account or by placing a prominent notice on our website.


3. The Data We Collect About You

We collect several different types of personal data for various purposes to provide and improve our service to you. Personal data means any information about an individual from which that person can be identified.

3.1 Identity and Contact Data

  • Full name
  • Email address
  • Phone number (if provided)
  • Job title
  • Company name

3.2 Assessment and Platform Data

  • Assessment results and scores
  • Answers to assessment questions
  • Performance metrics
  • Reference check responses
  • Employee survey responses
  • Exit interview responses

3.3 Technical Data

  • Device information (type, operating system, browser type)
  • IP address
  • Time zone
  • Device fingerprint data (for fraud prevention)

3.4 Usage Data

  • Platform usage patterns
  • Features accessed
  • Time spent on platform
  • Login history (including IP address and browser information)

3.5 Data We Do Not Collect

  • Payment card details (these are processed directly by our payment processor, Stripe, and we do not have access to your full card number)
  • Special categories of personal data (such as details about your race, ethnicity, religious beliefs, sexual orientation, political opinions, trade union membership, health information, genetic or biometric data) unless you voluntarily provide this in free-text responses

4. How We Collect Your Personal Data

We use different methods to collect data from and about you including through:

4.1 Direct Interactions

You may provide us with your personal data when you:

  • Create an account
  • Complete assessments
  • Participate in reference checks
  • Complete employee surveys or exit interviews
  • Fill in forms
  • Correspond with us by post, phone, email, or otherwise

4.2 Automated Technologies

As you interact with our platform, we may automatically collect Technical Data about your equipment, browsing actions, and patterns. We collect this personal data by using cookies, device fingerprinting, and other similar technologies. Please see our Cookie Policy for further details.

4.3 Third Parties

We may receive personal data about you from various third parties such as:

  • Your employer or potential employer who has invited you to take an assessment or participate in a reference check
  • Referees who provide reference information about you
  • Technical data from analytics providers and search information providers


6. How We Use Your Personal Data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

6.1 Provision of Services

  • To register you as a new user (Contract Performance)
  • To provide and maintain our platform (Contract Performance)
  • To manage your account and provide you with customer support (Contract Performance)
  • To deliver assessment results to you or your authorised recipients (Contract Performance)
  • To facilitate reference checks and deliver reference reports (Contract Performance)
  • To deliver employee survey and exit interview results (Contract Performance)

6.2 AI-Powered Features

We use artificial intelligence to power certain features of our platform, including generating customised assessments based on job requirements and analysing assessment responses. When you use these features, your data (such as job descriptions, assessment content, and responses) may be processed by our AI service providers. See Section 7 for details about these providers and their locations.

6.3 Legitimate Interests

  • To improve our platform, products, services, marketing, and user experience
  • To protect the security and integrity of our platform
  • To detect, prevent, or otherwise address fraud, security, or technical issues
  • To analyse usage patterns and trends

6.4 Compliance with Legal Obligations

  • To respond to legal requests and prevent harm
  • To comply with applicable laws and regulations
  • To maintain appropriate business records

6.5 With Your Consent

  • To send you marketing communications about our products and services
  • For any other purpose with your consent

7. Data Sharing and Disclosures

We may share your personal data with the following categories of recipients:

7.1 Service Providers

We share your information with service providers who perform services on our behalf. These include:

Hosting and Infrastructure:

  • Railway (application hosting) - Singapore
  • MongoDB (database storage) - Sydney, Australia
  • AWS S3 (file storage) - Sydney, Australia
  • Cloudinary (image hosting)

AI Processing:

  • Google AI (AI-powered assessment generation and analysis) - United States
  • Anthropic (AI fallback processing) - United States

Important: When you use AI-powered features, your data (including assessment content and job descriptions) is sent to these providers for processing. This data is transferred to and processed in the United States.

Communications:

  • Resend (email delivery) - United States

Payments:

  • Stripe (payment processing) - United States / Global. Stripe is PCI-DSS compliant. We do not store your payment card details on our servers.

Analytics and Security:

  • PostHog (platform analytics)
  • Cloudflare Turnstile (bot protection) - Global
  • FingerprintJS (fraud prevention)

All our third-party service providers are required to take appropriate security measures to protect your personal data. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

7.2 Employers and Clients

If you are taking an assessment at the request of an employer or potential employer, we will share your assessment results and relevant data with them based on contractual necessity. If you are providing a reference for a candidate, we will share your reference responses with the requesting employer. If you are completing an employee survey or exit interview, we will share your responses with your employer (responses may be anonymised or identifiable depending on the survey configuration).

7.3 Business Transfers

If we are involved in a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your personal data.

7.4 Legal Requirements

We may disclose your personal data if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency).

7.5 With Your Consent

We may share your personal data with other parties based on your consent.


8. International Transfers

Your personal data may be transferred to, and processed in, countries other than the country in which you are resident. Based on our current infrastructure, your data may be processed in:

  • Australia (database storage, file storage)
  • Singapore (application hosting)
  • United States (AI processing, email delivery, payments, analytics, bot protection)
  • United Kingdom (business operations)

These countries may have data protection laws that are different from the laws of your country. We have implemented appropriate safeguards to ensure that your personal data will remain protected in accordance with this privacy policy. These include:

  • For transfers to countries with an adequacy decision from the UK or EU: We rely on the adequacy decision
  • For transfers to countries without an adequacy decision: We implement appropriate safeguards such as:
    • Standard Contractual Clauses approved by the European Commission and/or UK authorities
    • Binding Corporate Rules (where applicable)
    • Derogations under Article 49 of the GDPR where necessary

You can request more information about these safeguards by contacting us using the details in Section 2.2.


9. Data Security

We have implemented appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. These measures include:

  • Encryption of data in transit (HTTPS/TLS)
  • Password hashing using industry-standard algorithms
  • Account lockout protection after failed login attempts
  • Multi-factor authentication (MFA) options
  • Regular security assessments of our systems
  • Access controls and authentication procedures
  • Input validation and sanitisation to prevent attacks
  • Security headers and CORS protection

In addition, we limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know. They are subject to a duty of confidentiality and will only process your personal data on our instructions.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.


10. Data Retention

We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider:

  • The amount, nature, and sensitivity of the personal data
  • The potential risk of harm from unauthorised use or disclosure
  • The purposes for which we process your personal data
  • Whether we can achieve those purposes through other means
  • The applicable legal requirements

Our standard retention periods are:

  • Account information: For the duration of your account plus 6 years from account closure
  • Assessment data: For the duration of your account plus 2 years from completion
  • Technical and usage data: 13 months from collection

In some circumstances, we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.


11. Your Legal Rights

11.1 Under UK GDPR and EU GDPR

You have the right to:

  • Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected.
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it.
  • Object to processing of your personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground.
  • Request restriction of processing your personal data. This enables you to ask us to suspend the processing of your personal data in certain scenarios.
  • Request transfer of your personal data to you or to a third party in a structured, commonly used, machine-readable format.
  • Withdraw consent where we rely on consent to process your personal data.
  • Lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work or place of the alleged infringement.

11.2 Under Australian Privacy Principles

Under the Australian Privacy Act, you have the right to:

  • Access your personal information
  • Request correction of your personal information
  • Complain about a breach of the Australian Privacy Principles
  • Opt out of direct marketing communications
  • Remain anonymous or use a pseudonym when dealing with us, where practicable

11.3 How to Exercise Your Rights

If you wish to exercise any of the rights set out above, please contact us using the contact details provided in Section 2.2. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.


12. Cookies and Similar Technologies

Our platform uses cookies and similar tracking technologies to distinguish you from other users. This helps us to provide you with a good experience when you browse our platform and also allows us to improve it.

A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer's hard drive.

We use the following types of cookies:

  • Strictly Necessary Cookies: Required for the operation of our platform
  • Analytical/Performance Cookies: Allow us to recognise and count visitors and see how they move around our platform
  • Functionality Cookies: Used to recognise you when you return to our platform
  • Targeting Cookies: Record your visit to our platform, the pages you have visited and the links you have followed

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this platform may become inaccessible or not function properly.

For detailed information on the cookies we use and the purposes for which we use them, please see our Cookie Policy.


13. Children's Privacy

Our services are not intended for children under the age of 16, and we do not knowingly collect personal data from children under 16. If we learn we have collected or received personal data from a child under 16 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 16, please contact us using the details provided in Section 2.2.


14. Specific Provisions for Australian Users

If you are an Australian user, the following additional provisions apply:

14.1 Overseas Disclosure

We may disclose your personal information to overseas recipients, including to service providers or related entities located outside Australia. These recipients may be located in the United Kingdom, the United States, Singapore, and other countries where our service providers maintain servers or facilities.

When we disclose your personal information overseas, we will take reasonable steps to ensure that overseas recipients do not breach the Australian Privacy Principles in relation to your personal information.

14.2 Notifiable Data Breaches

In the event of a data breach that is likely to result in serious harm to you, we will notify you and the Office of the Australian Information Commissioner (OAIC) in accordance with our obligations under the Notifiable Data Breaches scheme.

14.3 Direct Marketing

We will not use or disclose your personal information for the purpose of direct marketing unless:

  • We collected the information from you
  • You would reasonably expect us to use or disclose the information for direct marketing
  • We provide a simple way for you to opt out of direct marketing
  • You have not already asked us to stop sending you direct marketing

We will always get your consent before using sensitive information for direct marketing.


15. Contact Us

If you have any questions about this privacy policy or our privacy practices, please contact us using the details provided in Section 2.2.

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk), or the Office of the Australian Information Commissioner (OAIC) (www.oaic.gov.au). We would, however, appreciate the chance to deal with your concerns before you approach a data protection authority, so please contact us in the first instance.