Privacy & Data Protection

Privacy Policy

This document describes how Provsy ("we", "our") collects, processes, and protects personal and educational data within the assessment platform. We commit to proportional collection, transparent processing, and security by design.

Updated: Sep 20, 2025 | Version 1.0 | Scope: Institutional Users

Privacy Commitments

Foundational promises that govern how your data is treated throughout its lifecycle.

Encryption

Transit + at-rest encryption by default.

No Data Sale

We never monetize educational content.

Transparent Use

Processing strictly mapped to documented purposes.

User Control

Structured processes for access & deletion requests.

Incident Notice

Timely notification of material security events.

Scoped Collection

Data minimization & purpose limitation.

Information We Collect

We collect only the data required to operate, secure, and improve the platform.

Account

Name, email, institution, and role.

Uploaded Content

Study materials and assessment artifacts you provide.

Generated Content

Assessment items, marking schemes, metadata produced by the system.

Usage Metrics

Feature interactions, event timestamps, performance telemetry.

Technical

IP address, device/browser fingerprint (truncated hash), and OS family for security posture.

How We Use Information

Processing purposes map directly to service delivery, reliability, and compliance goals.

Service Operation

Authenticate users, render workspaces, process generation tasks.

Quality & Validation

Improve item accuracy via aggregated non-personal performance signals.

Support & Communication

Send incident, security, and material change notices.

Security Monitoring

Detect anomalous access or abuse patterns.

Information Sharing

We do not sell personal or educational content. Limited sharing occurs under controlled processors and legal obligations.

Institution Workspace

Content visible to authorized peers within your institution context.

Sub‑Processors

Infrastructure, monitoring, and email delivery vendors under DPA terms.

Legal

Regulatory, court, or lawful requests, after validation and subject to minimal-disclosure principles.

No Sale

We categorically do not sell personal data or educational materials.

Data Security

Layered controls reduce likelihood and impact of unauthorized access.

Encryption

TLS 1.2+ in transit; AES‑256 or provider-managed equivalents at rest.

Access Control

Principle of least privilege with quarterly entitlement reviews.

Segmentation

Logical separation of tenant data with enforced access boundaries.

Monitoring

Continuous logging, anomaly detection, and automated alert triage.

Testing

Periodic penetration tests and dependency vulnerability scanning.

Incident Response

Documented runbooks; user notification on material impact.

Your Rights

Subject to applicable law, you maintain control over personal information.

Access

Request a structured export of personal data.

Rectification

Correct inaccurate profile information.

Deletion

Request erasure; core logs may persist for security & audit obligations.

Portability

Receive machine-readable exports where technically feasible.

Restriction/Objection

Limit or object to specific processing where grounds exist.

Data Retention

Retention windows balance pedagogical continuity with minimization principles.

Active Use

Data retained while subscription or institutional engagement is active.

Assessment Artifacts

Typically retained through academic year + 1 term for reference.

Backups

Encrypted backups rotate on a rolling schedule (≤ 35 days).

Legal Holds

Extended retention when required for legal or compliance inquiries.

Anonymized Analytics

Aggregated metrics may be stored indefinitely without identifiers.

Data Lifecycle

Structured phases ensure consistent handling, traceability, and timely disposal. Each stage applies least-privilege access, logged operations, and integrity checks.

  1. Ingestion

    User uploads / API input; validation & malware scanning.

  2. Processing

    Generation, tagging, validation pipelines execute in ephemeral workers.

  3. Storage

    Versioned content + metadata stored in multi-AZ encrypted stores.

  4. Access

    Role & institution-scoped policy enforcement on retrieval.

  5. Retention

    Scheduled review vs. retention matrix; unnecessary data flagged.

  6. Deletion

    Soft window, then cryptographic erasure from active + backup media.

Exercising Your Rights

Submit requests from the account email to support@provsy.com. We verify identity before fulfilling requests and respond within applicable statutory windows.

1. Submit

Email request specifying right(s) invoked.

2. Verify

We confirm requester identity & authorization.

3. Respond

Fulfilment or reasoned denial with guidance.

Privacy Queries

For questions, clarifications, or rights requests, contact us using the channels below. Please avoid including sensitive credentials in initial messages.

Support / Rights Requests

support@provsy.com

General Enquiries

info@provsy.com

Policy Updates

We may amend this policy to reflect platform evolution or regulatory changes. Material changes trigger user notification (email + in‑app) and updated version metadata above.

Historic versions available upon request.