Legal
Effective June 26, 2026
How Assessly collects, uses, protects, and shares your personal data, and the rights you have under India's Digital Personal Data Protection Act, 2023.
Assessly Technologies Private Limited ("Assessly", "we", "us", or "our") operates the Assessly platform, our website, web app, and desktop assessment client. We are a company incorporated in India under the Companies Act, 2013 (CIN U58201KA2026PTC222387), with our registered office at CTS No. 2557/2B, Mahatma Phule Road, Shahapur, Belagavi 590003, Karnataka, India.
This Privacy Policy explains what personal data we handle when you use Assessly, why we handle it, who we share it with, and the rights you have. It is written to align with India's data-protection law, the Digital Personal Data Protection Act, 2023 and the rules made under it, together with the Information Technology Act, 2000 and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
Two roles run through everything below:
If you're a student
Most questions about your assessment records, what is collected, how long it is kept, who can see it, are answered by your institution's own policies, because those are its academic records. We help your institution honour your rights, and you can always reach us too.
We collect the categories below. Not all of them apply to every person, what we hold depends on whether you are a student, an instructor, an administrator, or a visitor.
We do not ask for, and the platform is not designed to collect, financial-account numbers, government identity numbers, health data, or other sensitive categories beyond what is described here.
We use personal data only to run, secure, and improve Assessly:
Our legal basis. Under the DPDP Act, we and our institution partners rely on your consent and on the legitimate uses the Act recognises. Where your institution is the Data Fiduciary, it is responsible for the lawful basis of student processing and we act on its instructions. Where we are the Data Fiduciary, we ask for consent where the law requires it and otherwise rely on the legitimate uses the Act permits, such as providing a service you have asked for and keeping it secure.
Several Assessly features use AI, automated grading, the Ace teaching-and-learning copilot, AI voice interviews, and written-explanation scoring. When you use them, the relevant text or transcript is sent to the AI providers listed on our Subprocessors page so the feature can work.
We don't train models on your data
We do not use your code, transcripts, chat messages, or profile data to train foundational AI models, and our AI providers are contractually restricted from doing so with the data we send them. Your data is used to deliver the feature you asked for, grading, feedback, an interview, and nothing else.
We are not in the business of selling data, and we never sell your personal data. We share it only in these situations:
Assessly's primary database and code-execution pipeline run in India (Mumbai). Some of our subprocessors, particularly the AI, email, and monitoring providers, process limited data on servers outside India, in regions such as the United States and the European Union. Each provider's data region is listed on our Subprocessors page.
The DPDP Act permits transfers of personal data outside India, except to countries specifically restricted by the Central Government. Wherever data leaves India, we keep the transfer limited to what the feature needs and bind each provider by contract to protect it and to use it only to serve you.
We protect personal data with technical and organisational measures appropriate to the risk: TLS 1.3 in transit and AES-256 at rest, passwords hashed with bcrypt and a per-user salt, strict row-level isolation so each institution's data is walled off from every other, and code execution in isolated, unprivileged sandboxes that hold no student records.
We are honest about our stage: Assessly does not yet hold a SOC 2 or ISO 27001 certification, and we don't pretend otherwise. Security review is continuous, and independent researchers test us through our bug bounty program. Our full posture is described on the Security page.
We keep personal data only as long as we need it:
The DPDP Act gives you, as a Data Principal, rights over your personal data. Where Assessly is responsible for your data, we honour these directly. Where your institution controls your records, your enrolment, submissions, scores, and integrity reports, it is the Data Fiduciary, so you exercise these rights with your institution and we assist it.
You can access, export, and delete much of your data yourself from your account settings. For anything else, or if you are a student whose records sit with your institution, write to our Grievance Officer at grievance@assessly.in and we will help, including by routing your request to your institution where it is the Data Fiduciary.
Assessly is built for higher and technical education, and most users are adults. We know some students, first-year students in particular, may be under 18.
The DPDP Act treats anyone under 18 as a child and requires verifiable parental consent before their data is processed. Because students reach Assessly through their institution, your institution is responsible for obtaining any parental consent required for under-18 students before enrolling them, and we process a child's data only on that basis and on the institution's instructions.
We do not use children's data for behavioural tracking beyond what an assessment needs, or for targeted advertising, we don't run advertising at all. If you believe a child's data has reached us without the required consent, contact our Grievance Officer and we will act on it.
We use cookies and similar technologies to keep you signed in, remember your preferences, and, only if you opt in, measure usage. You can change your choices any time. The full detail, including every cookie and its purpose, is in our Cookie Policy.
If you have a question or complaint about how your data is handled, contact our Grievance Officer:
We acknowledge grievances within 24 hours and aim to resolve them within 15 days, in line with Indian law. If you are not satisfied with how we handle your concern, you may escalate it to the Data Protection Board of India once it is operational under the DPDP Act.
We may update this policy as the platform and the law evolve, the DPDP framework itself is still being phased in. When we make a material change, we'll update the effective date above and, where appropriate, tell you. Continuing to use Assessly after a change means you accept the updated policy.