Legal

Privacy policy

Effective June 26, 2026

How Assessly collects, uses, protects, and shares your personal data, and the rights you have under India's Digital Personal Data Protection Act, 2023.

Who we are and what this covers

Assessly Technologies Private Limited ("Assessly", "we", "us", or "our") operates the Assessly platform, our website, web app, and desktop assessment client. We are a company incorporated in India under the Companies Act, 2013 (CIN U58201KA2026PTC222387), with our registered office at CTS No. 2557/2B, Mahatma Phule Road, Shahapur, Belagavi 590003, Karnataka, India.

This Privacy Policy explains what personal data we handle when you use Assessly, why we handle it, who we share it with, and the rights you have. It is written to align with India's data-protection law, the Digital Personal Data Protection Act, 2023 and the rules made under it, together with the Information Technology Act, 2000 and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Two roles run through everything below:

  • When your institution uses Assessly: your college, university, or employer decides which assessments to run and what to collect about you. In the language of the DPDP Act, your institution is the Data Fiduciary and we act as its Data Processor, handling student and assessment data on its documented instructions.
  • When you deal with us directly: as a visitor to our website, someone who contacts our team, or a researcher in our bug bounty program, we are the Data Fiduciary for that data.

If you're a student

Most questions about your assessment records, what is collected, how long it is kept, who can see it, are answered by your institution's own policies, because those are its academic records. We help your institution honour your rights, and you can always reach us too.

The information we collect

We collect the categories below. Not all of them apply to every person, what we hold depends on whether you are a student, an instructor, an administrator, or a visitor.

  • Account & profile data: your name, username, email address, hashed password, role, and the learning tracks or cohorts you belong to.
  • Institution & roster data: the institution you belong to, your enrolment and cohort membership, and the assessments assigned to you. This is provided and controlled by your institution.
  • Assessment & code data: your code submissions, editor and compilation logs, terminal commands, execution-time metrics, written answers, and scores.
  • Voice interview & explanation data: in AI voice interviews and verbal explanations, your microphone audio is streamed for live transcription and evaluation. We store the resulting transcript and scores, not the audio itself.
  • Integrity & proctoring telemetry: when an instructor enables proctoring, we record only what each module needs and nothing more, tab-switch and fullscreen-exit counts (not screenshots), paste events as a length and a one-way hash (never the pasted text), typing-timing summaries (not raw keystrokes), webcam frames captured only when an anomaly is detected (no continuous video), and a numeric speech-likelihood score (audio is never recorded).
  • Pulse chat & direct messages: messages you post in community channels or send as DMs, with the timestamps and read-state needed to keep messaging in sync.
  • Gamification data: XP, streaks, leaderboard standings, achievements, and league divisions.
  • Feedback & surveys: ratings, emoji reactions, difficulty and clarity signals, and any comments you choose to write.
  • Support & communications: messages you send us through the contact form, email, or support, and our replies.
  • Bug bounty payout data: if you earn a reward as a security researcher, your UPI ID, certificate details, and email, collected only to pay you and issue your certificate.
  • Technical & device data: IP address, browser and device type, and basic log data needed to keep sessions secure and debug problems. The desktop assessment client may read limited device signals to enforce single-device exam locks.

We do not ask for, and the platform is not designed to collect, financial-account numbers, government identity numbers, health data, or other sensitive categories beyond what is described here.

How we collect it

  • Directly from you: when you create an account, take an assessment, chat, give feedback, or contact us.
  • From your institution: when it enrols you, assigns assessments, or configures your cohort.
  • Automatically: through cookies, your device, and server logs as you use the platform. See our Cookie Policy.
  • From our subprocessors: the infrastructure and AI providers that operate parts of the service return data to us (for example, a transcript from a speech-to-text provider). See Subprocessors.

Why we use it, and our legal basis

We use personal data only to run, secure, and improve Assessly:

  • To provide the platform, run code, transcribe and evaluate spoken answers, grade work, deliver messages, and render streaks and leaderboards.
  • To generate assessment and integrity reports for your institution.
  • To keep the platform secure, authenticate you, prevent cheating and abuse, and investigate incidents.
  • To support you and respond to your messages.
  • To improve the product, understand which features work, fix bugs, and measure quality, using aggregated or first-party analytics as described in our Cookie Policy.
  • To meet our legal and regulatory obligations, and to process bug bounty rewards.

Our legal basis. Under the DPDP Act, we and our institution partners rely on your consent and on the legitimate uses the Act recognises. Where your institution is the Data Fiduciary, it is responsible for the lawful basis of student processing and we act on its instructions. Where we are the Data Fiduciary, we ask for consent where the law requires it and otherwise rely on the legitimate uses the Act permits, such as providing a service you have asked for and keeping it secure.

AI and your data

Several Assessly features use AI, automated grading, the Ace teaching-and-learning copilot, AI voice interviews, and written-explanation scoring. When you use them, the relevant text or transcript is sent to the AI providers listed on our Subprocessors page so the feature can work.

We don't train models on your data

We do not use your code, transcripts, chat messages, or profile data to train foundational AI models, and our AI providers are contractually restricted from doing so with the data we send them. Your data is used to deliver the feature you asked for, grading, feedback, an interview, and nothing else.

When we share information

We are not in the business of selling data, and we never sell your personal data. We share it only in these situations:

  • With your institution: your scores, submissions, and integrity reports are part of its academic records and are visible to authorised instructors and administrators.
  • With our subprocessors: the infrastructure and AI providers that run the service, each limited to the minimum data needed for its job. The full list is public on our Subprocessors page.
  • For legal reasons: where we are required to by Indian law, by a binding order of a court or authority, or to protect the rights and safety of users and the public.
  • In a business transfer: if Assessly is involved in a merger, acquisition, or sale of assets, data may transfer as part of that transaction, subject to this policy.

Where your data is processed

Assessly's primary database and code-execution pipeline run in India (Mumbai). Some of our subprocessors, particularly the AI, email, and monitoring providers, process limited data on servers outside India, in regions such as the United States and the European Union. Each provider's data region is listed on our Subprocessors page.

The DPDP Act permits transfers of personal data outside India, except to countries specifically restricted by the Central Government. Wherever data leaves India, we keep the transfer limited to what the feature needs and bind each provider by contract to protect it and to use it only to serve you.

How we protect it

We protect personal data with technical and organisational measures appropriate to the risk: TLS 1.3 in transit and AES-256 at rest, passwords hashed with bcrypt and a per-user salt, strict row-level isolation so each institution's data is walled off from every other, and code execution in isolated, unprivileged sandboxes that hold no student records.

We are honest about our stage: Assessly does not yet hold a SOC 2 or ISO 27001 certification, and we don't pretend otherwise. Security review is continuous, and independent researchers test us through our bug bounty program. Our full posture is described on the Security page.

How long we keep it

We keep personal data only as long as we need it:

  • Account data: for as long as your account is active. If you delete your account, we remove or anonymise your personal profile data within a reasonable period, except where we must keep some of it to meet a legal obligation.
  • Institutional records: submissions, scores, and integrity evidence are your institution's academic records. How long they are kept is governed by your institution's agreement with us and its own policies, because it is the Data Fiduciary for them.
  • Proctoring evidence: retained for the assessment and the period your institution needs to resolve any academic-integrity review, then deleted on the same schedule as the assessment.
  • Logs and security data: kept for a limited period for security, debugging, and abuse prevention.
  • Bug bounty payout records: kept as long as tax and accounting law require.

Your rights as a Data Principal

The DPDP Act gives you, as a Data Principal, rights over your personal data. Where Assessly is responsible for your data, we honour these directly. Where your institution controls your records, your enrolment, submissions, scores, and integrity reports, it is the Data Fiduciary, so you exercise these rights with your institution and we assist it.

  • Access a summary of the personal data we hold about you and how we process it.
  • Correct, complete, or update inaccurate or incomplete data.
  • Erase your personal data where it is no longer needed for the purpose it was collected, though some records are kept where the law or your institution's academic record-keeping requires it.
  • Withdraw consent for anything you consented to, at any time and as easily as you gave it. Processing that is necessary to run an assessment or deliver the service continues, and withdrawing won't undo what has already been done.
  • Nominate someone to exercise these data-protection rights for you if you die or can't act yourself. This only lets them make the kinds of requests above, it does not transfer your account, your submissions, or your results to anyone.
  • Grievance redressal: raise a concern and have it addressed (see below).

You can access, export, and delete much of your data yourself from your account settings. For anything else, or if you are a student whose records sit with your institution, write to our Grievance Officer at grievance@assessly.in and we will help, including by routing your request to your institution where it is the Data Fiduciary.

Children and students under 18

Assessly is built for higher and technical education, and most users are adults. We know some students, first-year students in particular, may be under 18.

The DPDP Act treats anyone under 18 as a child and requires verifiable parental consent before their data is processed. Because students reach Assessly through their institution, your institution is responsible for obtaining any parental consent required for under-18 students before enrolling them, and we process a child's data only on that basis and on the institution's instructions.

We do not use children's data for behavioural tracking beyond what an assessment needs, or for targeted advertising, we don't run advertising at all. If you believe a child's data has reached us without the required consent, contact our Grievance Officer and we will act on it.

Cookies and tracking

We use cookies and similar technologies to keep you signed in, remember your preferences, and, only if you opt in, measure usage. You can change your choices any time. The full detail, including every cookie and its purpose, is in our Cookie Policy.

Grievances and how to reach us

If you have a question or complaint about how your data is handled, contact our Grievance Officer:

  • Grievance Officer, Assessly Technologies Private Limited
  • Email: grievance@assessly.in
  • Registered office: CTS No. 2557/2B, Mahatma Phule Road, Shahapur, Belagavi 590003, Karnataka, India

We acknowledge grievances within 24 hours and aim to resolve them within 15 days, in line with Indian law. If you are not satisfied with how we handle your concern, you may escalate it to the Data Protection Board of India once it is operational under the DPDP Act.

Changes to this policy

We may update this policy as the platform and the law evolve, the DPDP framework itself is still being phased in. When we make a material change, we'll update the effective date above and, where appropriate, tell you. Continuing to use Assessly after a change means you accept the updated policy.