Privacy Policy

1. Data Controller

Assessory operates under German and EU data protection law. We are the data controller for the personal data we collect through our platform.

2. Legal Basis for Processing

Under GDPR Article 6, we process your personal data based on the following legal grounds:

• Contract Performance (Art. 6(1)(b)): To provide our assessment platform services
• Legitimate Interest (Art. 6(1)(f)): For service improvement, security, and communication
• Consent (Art. 6(1)(a)): For marketing communications (where applicable)
• Legal Obligation (Art. 6(1)(c)): For tax, accounting, and regulatory compliance

3. Data We Collect

3.1 Account and Organization Data

• Name, email address, profile information
• Organization details (company name, address, VAT number)
• Account preferences and settings
• Billing and subscription information

3.2 Assessment and Candidate Data

• Assessment content, files, and configurations
• Candidate email addresses and names (when provided)
• Submitted assessment files and responses
• Timing data and completion status

3.3 Technical Data

• IP addresses, browser information, device identifiers
• Usage analytics and platform interaction data
• Session information and access logs
• Cookie data (with your consent)

4. How We Use Your Data

• Service Delivery: Create assessments, manage candidates, process submissions
• Account Management: User authentication, billing, support
• Communication: Service updates, security notifications, support responses
• Platform Security: Fraud prevention, abuse detection, system security
• Service Improvement: Analytics, feature development, performance optimization
• Legal Compliance: Tax obligations, regulatory requirements, legal processes

5. Data Sharing and Third Parties

We only share your data when necessary and in compliance with GDPR:

5.1 Service Providers (GDPR Art. 28)

• Hosting: Cloud infrastructure providers (EU-based or with adequate safeguards)
• Email Services: Transactional email providers (Resend)
• Payment Processing: Stripe (for billing and subscriptions)
• File Storage: Secure file storage services

5.2 Legal Requirements

We may disclose data when required by German or EU law, court orders, or to protect our legal rights and safety.

5.3 International Transfers

When we transfer data outside the EU, we ensure adequate protection through Standard Contractual Clauses or other approved mechanisms under GDPR Chapter V.

6. Your Rights Under GDPR

As a data subject, you have the following rights:

• Access (Art. 15): Request a copy of your personal data
• Rectification (Art. 16): Correct inaccurate or incomplete data
• Erasure (Art. 17): Request deletion of your data (“right to be forgotten”)
• Restriction (Art. 18): Limit how we process your data
• Portability (Art. 20): Receive your data in a machine-readable format
• Objection (Art. 21): Object to processing based on legitimate interests
• Withdraw Consent: Revoke consent for consent-based processing

7. Data Retention

We retain personal data only as long as necessary for the purposes outlined in this policy:

• Account Data: Until account deletion plus legal retention periods
• Assessment Data: As long as needed for the assessment purpose, or as requested by the organization
• Billing Data: 10 years for German tax compliance requirements
• Analytics Data: Aggregated and anonymized after 26 months
• Support Data: 3 years for service improvement and legal protection

8. Data Security

We implement appropriate technical and organizational measures to protect your data:

• Encryption in transit (TLS) and at rest
• Access controls and authentication
• Regular security audits and updates
• Employee training on data protection
• Incident response procedures
• Regular backups with encryption

9. Cookies and Tracking

We use cookies and similar technologies in compliance with the ePrivacy Directive:

• Essential Cookies: Required for platform functionality (no consent needed)
• Analytics Cookies: To understand platform usage (with consent)
• Preference Cookies: To remember your settings and preferences

You can manage cookie preferences through your browser settings or our cookie banner.

10. Data Processing for Organizations

When you use Assessory to process candidate data:

• You remain the data controller for candidate data
• Assessory acts as a data processor under your instructions
• You must have a lawful basis to collect and process candidate data
• You're responsible for providing privacy notices to candidates
• Data Processing Agreement available upon request

11. Children's Privacy

Our service is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware of such collection, we will delete the data promptly.

12. Changes to This Policy

We may update this privacy policy to reflect changes in our practices or legal requirements. We will notify you of significant changes via email or platform notification at least 30 days before they take effect.

13. Supervisory Authority

You have the right to lodge a complaint with the relevant data protection supervisory authority:

14. Contact Information

For any questions about this privacy policy or to exercise your rights: