Privacy Policy

When a Customer registers: name, email address, company name, job title, billing information (processed by our payment provider; we do not store full card details).

When Authorised Users use the Service: name and email address (as provided by the Customer); assessment responses, completion times, and interaction data; proficiency scores and analytics generated by the Service.

Automatically collected: IP address, browser type and version, operating system, and device type. We do not track which pages you visit, how long you spend on them, or where you came from before visiting the Service. Cookies and similar technologies are described in Section 9.

If you contact us: the content of your communications, including support requests and feedback.

We use personal data to: provide, maintain, and improve the Service; generate assessment results and reports; administer Customer accounts and process payments; provide customer support.

We use anonymised and aggregated data (which cannot identify any individual) to produce industry benchmarks, improve our assessment methodology, and publish research. This is a core function of the Service and is described in our Terms of Service.

We may use your email address to send service-related communications (e.g., account notifications, security alerts, billing information). We will only send marketing communications with your prior consent (opt-in), and you can unsubscribe at any time.

We use technical data to protect the Service against fraud, abuse, and security threats, and to comply with applicable legal obligations.

We collect and process personal data in accordance with the six Data Protection Principles of the PDPO. We collect data only for purposes directly related to the Service, inform data subjects of such purposes, and do not use data for purposes beyond those specified without consent.

Where the PDPA applies, we collect and use your personal data with your consent, obtained at the time of your first login to the Service. We process data solely for the purposes stated in this Privacy Policy. You may withdraw your consent at any time via the My Data page; withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Where the GDPR or UK GDPR applies, we rely on the following legal bases: Contract: processing necessary for the performance of our contract with the Customer; Legitimate interests: processing for the purposes of improving the Service, ensuring security, and producing anonymised benchmarks, where such interests are not overridden by the rights and freedoms of the individual; Consent: for marketing communications and non-essential cookies; Legal obligation: where we are required to process data by law.

The following cookies are set when you use the Service:

• Session cookies (set by Clerk, our authentication provider): Required for secure sign-in and session management. These are httpOnly, secure, and expire when your session ends or after a set period of inactivity.
• CSRF token cookie: A security cookie that prevents cross-site request forgery attacks. It is httpOnly and expires with each session.
• Auth success cookie (__auth_success): A temporary cookie (60-second lifetime) used during the login redirect process. It is automatically deleted after use.

We use browser local storage for a single functional purpose: storing a timestamp of the last successful account synchronisation to prevent unnecessary repeat requests. This data is not shared with any third party and does not contain personal information.

We do not use Google Analytics, advertising pixels, social media tracking scripts, or any other third-party tracking technologies. We do not use advertising or tracking cookies for targeted advertising purposes. Your browsing activity on our platform is not shared with advertisers or data brokers.

If you are a data subject under Hong Kong law, you have the right to: request access to your personal data (Data Access Request); request correction of inaccurate personal data (Data Correction Request). To exercise these rights, please contact us at legal@genplify.com. We will respond within 40 days of receiving a valid request.

If you are a data subject in the EEA or UK, you have the right to: access your personal data; rectify inaccurate or incomplete personal data; erase your personal data (right to be forgotten); restrict processing of your personal data; data portability (receive your data in a structured, commonly used, machine-readable format); object to processing based on legitimate interests; not be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects.

To exercise these rights, you can use the self-service options in your account settings (for example, “Delete my account” under Account Actions), or contact us at legal@genplify.com. Self-service deletion requests are processed immediately. We will respond to manual requests within 30 days.

When you delete your account, we also delete records of consents you have given (Article 7), as we no longer process your data on the basis of those consents.

If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority (e.g., the CNIL in France, the ICO in the UK).

If you withdraw consent under Article 7(3), your access to Service features that depend on that consent is immediately restricted, but your data is preserved (not deleted). If you later choose to re-consent to the current version of the applicable terms, your access is automatically restored — no administrator action, no support contact, and no re-onboarding required. Your previously-recorded data, including assessment history and learning progress, resumes intact.

This restoration mechanism applies only where the restriction was caused by your own consent withdrawal. Restrictions initiated by you for other reasons, or by your organisation administrator, follow separate procedures described in our Terms of Service.

If you are located in Singapore or your personal data is processed in connection with a Singapore-based organisation, you have the right to: request access to your personal data; request correction of inaccurate personal data. We will respond within 30 days of receiving a valid request. A reasonable fee may apply for access requests. To exercise these rights, please contact us at legal@genplify.com or via the My Data page. If you believe your personal data has been mishandled, you may lodge a complaint with the Personal Data Protection Commission (PDPC) at www.pdpc.gov.sg.

The Service generates assessment scores using a combination of automated scoring and psychometric analysis. These scores are provided to the Customer for informational purposes. Genplify does not make any employment decisions about Authorised Users. Any decisions based on Assessment Results are made by the Customer, and the Customer is responsible for ensuring compliance with applicable laws regarding automated decision-making.

Genplify uses artificial intelligence to evaluate certain assessment responses. Specifically, we use Anthropic’s Claude AI model to score open-ended written responses against rubric criteria. Five questions per assessment are evaluated this way; all other questions are scored by deterministic algorithms (Item Response Theory).

When an open-ended response is evaluated, only the following is transmitted to the AI provider: the question text, the rubric criteria for that question, and your written response.

No identifying information is transmitted. We do not send your name, email address, user ID, organisation name, or any other identifier to the AI provider. The AI evaluates your response based solely on the rubric, without knowing who wrote it.

AI-generated scores are advisory. They are presented to your organisation’s administrators alongside other information, and administrators make decisions about training, programmes, and assessments based on multiple factors. AI-generated scores do not automatically trigger any decision about you. There is always a human decision-maker between the AI’s score and any consequence.

Under GDPR Article 22 and the EU AI Act (where applicable), you have the right to: be informed when AI processing has been applied to your data; request human review of any score generated by AI; express your point of view on the AI’s evaluation; contest the result of AI processing; and receive an explanation of how your score was generated.

To request review of an AI-generated score, contact us directly at legal@genplify.com. Please include your name and email address, the assessment date or session reference, and the reason for your request.

Reviews are conducted by qualified Genplify staff (not by your organisation’s administrators). Reviews are acknowledged within 5 business days and resolved within 30 days. The outcome may be a revised score, additional context, or no change with explanation.

Under the EU AI Act, this system may be classified as high-risk (Annex III, Category 4(b)) when used to monitor or evaluate employee performance. We maintain technical documentation, human oversight mechanisms, and audit trails as required.