Privacy Policy

This policy explains what data Assessing AI collects, why we collect it, and how we handle it.

1. Who We Are

Assessing AI is an AI-powered assessment platform that lets organizations create, distribute, and analyze quizzes and assessments. When this policy says "Assessing AI", "we", "our", or "us", it refers to the Assessing AI service accessible at assessing.ai and any associated subdomains. When we say "you", we mean anyone who visits our website or uses our platform — whether as an assessment creator (we call you an "account holder") or as someone taking an assessment (we call you a "respondent").

If you have questions about this policy or how we handle your data, you can reach us at [email protected].

2. What Data We Collect

Account holders (people who create assessments)

When you sign up for Assessing AI, we collect:

  • Email address — used for account login, email verification, and transactional notifications
  • Name — displayed in your account and assessments
  • Password — stored as a hashed value; we never store or see your plain text password
  • Team or organization name — if you create a team workspace
  • Billing information — if you subscribe to a paid plan, your payment is processed by Stripe. We store only the last four digits of your card and your billing postal code for display purposes. Your full card details never touch our servers.

Respondents (people taking assessments)

Respondents access assessments via a shared link without needing an account. Depending on how the assessment creator configured the assessment, we may collect:

  • Name and email address — if the assessment requires respondent identification
  • Assessment answers — the responses submitted to each question, including typed text and uploaded files
  • Recorded responses — audio or video recordings if the assessment includes recorded answer questions
  • Timestamps — when the assessment was started and when it was completed
  • Time-per-question data — how long was spent on each question (used for analytics shown to the assessment creator)

Usage data (all visitors)

When you use the platform — whether you have an account or not — we automatically collect:

  • Session identifiers — anonymous identifiers used to track usage limits for anonymous users
  • IP address — used for security, abuse prevention, and approximate geolocation (country level)
  • Browser and device type — to ensure the platform works correctly across different environments
  • Pages visited and actions taken — which parts of the product you use, to help us improve the platform

3. How We Use Your Data

We use the data we collect for the following purposes:

  • Providing the service — your account data is needed to log you in, display your assessments, and show results to you
  • Assessment delivery — respondent data is needed to deliver the assessment experience and store responses so creators can review them
  • Automatic grading — submitted answers are processed by our grading systems, which may use AI models (including OpenAI APIs) to grade typed and recorded responses against a rubric
  • Email communications — we send verification emails when you sign up, notification emails when assessment responses come in (if you have enabled this), and billing receipts
  • Analytics and product improvement — aggregated, non-personally-identifiable usage data helps us understand how the product is being used and where it can be improved
  • Fraud prevention and security — IP addresses and session data help us detect and prevent abuse
  • Legal compliance — we retain certain records as required by applicable law

We do not sell your personal data to third parties. We do not use your data for advertising targeting. We do not share your assessment responses with anyone other than the account holder who created the assessment.

4. Third-Party Services

Running Assessing AI requires us to use some third-party services. Here is what each one receives:

Stripe

Stripe processes subscription payments on our behalf. When you subscribe to a paid plan, you enter your payment details directly into Stripe's secure interface. Stripe receives and stores your card information. We receive confirmation of payment and a subscription status. Stripe's privacy policy applies to how they handle your payment data: stripe.com/privacy.

Email delivery

We use a third-party email delivery service (currently Mailgun or Amazon SES depending on region) to send transactional emails. These providers receive the recipient email address and the email content for the purpose of delivery. They are contractually prohibited from using your data for any other purpose.

OpenAI

When assessments use AI-powered question generation or AI grading features, content is sent to OpenAI's API for processing. This may include the assessment topic, question text, and respondent answers (for grading purposes). OpenAI's API usage policy prohibits them from using API inputs for training their models without opt-in consent. We send only the minimum content necessary for the task.

Cloud infrastructure

Our platform is hosted on cloud infrastructure providers. Data is stored on servers in the European Union and/or United States. We use encrypted connections (HTTPS/TLS) for all data in transit and encrypt sensitive data at rest.

5. Cookies and Tracking

We use cookies and similar local storage mechanisms to keep you logged in, remember your preferences, and provide a consistent experience. We do not use third-party advertising cookies. We do not use tracking pixels or behavioral advertising systems.

The specific cookies we use:

  • Session cookie — keeps you authenticated during a browsing session. Expires when you close your browser or after 30 days if you choose "remember me".
  • CSRF token — a security cookie that protects against cross-site request forgery attacks. Required for the platform to function.
  • Anonymous session ID — a cookie used to track usage limits for non-authenticated visitors (for example, how many assessments they have started). This does not identify you personally.

You can disable cookies in your browser settings, but doing so will prevent you from logging in or using the platform in a meaningful way.

6. Data Retention

We retain your data for as long as your account is active and for a reasonable period afterward to allow account recovery. Specifically:

  • Account data — retained for the life of your account and deleted within 90 days of account deletion
  • Assessment data and respondent responses — retained for the life of the account that created them. When an account is deleted, assessment data is scheduled for deletion within 90 days.
  • Recorded answers (audio/video files) — retained for 12 months from submission, or until the account holder deletes them, whichever comes first
  • Billing records — retained for 7 years as required by financial regulations
  • Usage logs — anonymized and retained for 12 months for security and fraud analysis purposes

If you want your data deleted before these periods expire, see the Your Rights section below.

7. Data Security

We take data security seriously. Our measures include:

  • All connections to the platform use HTTPS/TLS encryption
  • Passwords are hashed using bcrypt before storage — we cannot recover or read your password
  • Database access is restricted to the application layer — no direct public access
  • Uploaded files (including recorded responses) are stored with access controls that prevent unauthorized retrieval
  • We apply the principle of least privilege to internal system access
  • Stripe handles all payment card data — our servers never receive or store raw card numbers

No system is perfectly secure, and we cannot guarantee absolute security. If we become aware of a data breach that affects your personal data, we will notify you as required by applicable law.

8. Your Rights (Including GDPR Rights for EU Users)

Depending on where you are located, you may have certain rights regarding your personal data. Users in the European Union and European Economic Area have rights under the GDPR. Similar rights exist under UK data protection law, California's CCPA, and other regulations. We honor these rights for all users regardless of location.

Your rights include:

  • Right of access — you can request a copy of the personal data we hold about you
  • Right to rectification — you can ask us to correct inaccurate data
  • Right to erasure — you can ask us to delete your personal data ("the right to be forgotten")
  • Right to restriction of processing — you can ask us to limit how we use your data in certain circumstances
  • Right to data portability — you can ask for your data in a machine-readable format
  • Right to object — you can object to certain types of processing, including direct marketing (we do not do this, but the right exists)
  • Right to withdraw consent — where processing is based on consent, you can withdraw it at any time

To exercise any of these rights, email us at [email protected] with "Data Request" in the subject line. We will respond within 30 days. We may ask you to verify your identity before processing the request.

If you are an EU resident and believe we have not addressed your concerns adequately, you have the right to lodge a complaint with your local data protection authority.

9. Children's Privacy

Assessing AI is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If a child under 13 is taking an assessment through our platform — for example, a teacher using Assessing AI for a classroom — the assessment creator bears responsibility for obtaining any required parental consents in accordance with applicable law. If you believe we have inadvertently collected data from a child under 13 without proper consent, please contact us at [email protected] and we will delete the data promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time as the platform evolves. If we make material changes — ones that significantly affect how we collect or use your data — we will notify you by email (if you have an account) or by displaying a notice on the platform. Continued use of the platform after changes are posted constitutes acceptance of the updated policy.

11. Contact

For privacy-related questions, data requests, or concerns, contact us at:

Email: [email protected]

We aim to respond to all privacy inquiries within 5 business days and to complete data requests within 30 days.