Privacy & Data Protection

Privacy Policy

This document describes how Provsy ("we", "our") collects, processes, and protects personal and educational data within the assessment platform. We commit to proportional collection, transparent processing, and security by design.

Updated: Nov 4, 2025 | Version 1.0 | Scope: Institutional Users

Privacy Commitments

Foundational promises that govern how your data is treated throughout its lifecycle.

Encryption

TLS 1.2+ in transit; provider-managed encryption at rest.

No Data Sale

We never monetize educational content.

Transparent Use

Processing strictly mapped to documented purposes.

User Control

Structured processes for access & deletion requests.

Incident Notice

Timely notification of material security events.

Scoped Collection

Data minimization & purpose limitation.

Information We Collect

We collect only the data required to operate, secure, and improve the platform.

Account

Name, email, institution, and role.

Uploaded Content

Study materials and assessment artifacts you provide.

Generated Content

Assessment items, marking schemes, metadata produced by the system.

Usage Metrics

Feature interactions, event timestamps, performance telemetry.

Technical

IP, device/browser fingerprint (hash truncated), OS family for security posture.

How We Use Information

Processing purposes map directly to service delivery, reliability, and compliance goals.

Service Operation

Authenticate users, render workspaces, process generation tasks.

Quality & Validation

Improve item accuracy via aggregated non-personal performance signals.

Support & Communication

Send incident, security, and material change notices.

Security Monitoring

Detect anomalous access or abuse patterns.

Information Sharing

We do not sell personal or educational content. Limited sharing occurs under controlled processors and legal obligations.

Institution Workspace

Content visible to authorized peers within your institution context.

Sub‑Processors

Infrastructure, monitoring, and email delivery vendors under DPA terms.

Legal

Regulatory, court, or lawful requests after validation and minimal disclosure principles.

No Sale

We categorically do not sell personal data or educational materials.

Data Security

Layered controls reduce likelihood and impact of unauthorized access.

Encryption

TLS 1.2+ in transit; provider-managed encryption at rest.

Access Control

Principle of least privilege with quarterly entitlement reviews.

Segmentation

Logical separation of tenant data with enforced access boundaries.

Monitoring

Continuous logging, anomaly detection, and automated alert triage.

Testing

Periodic penetration tests and dependency vulnerability scanning.

Incident Response

Documented runbooks; user notification on material impact.

Your Rights

Subject to applicable law, you maintain control over personal information.

Access

Request a structured export of personal data.

Rectification

Correct inaccurate profile information.

Deletion

Request erasure; core logs may persist for security & audit obligations.

Portability

Receive machine-readable exports where technically feasible.

Restriction/Objection

Limit or object to specific processing where grounds exist.

Data Retention

Retention windows balance pedagogical continuity with minimization principles.

Active Use

Data retained while institutional engagement is active.

Assessment Artifacts

Retained indefinitely unless the creator requests removal.

Backups

Encrypted backups rotate on a rolling schedule (≤ 35 days).

Legal Holds

Extended retention when required for legal or compliance inquiries.

Anonymized Analytics

Aggregated metrics may be stored indefinitely without identifiers.

Data Lifecycle

Structured phases ensure consistent handling, traceability, and timely disposal. Each stage applies least-privilege access, logged operations, and integrity checks.

  1. Ingestion

    User uploads / API input; basic validation and content checks.

  2. Processing

    Generation, tagging, validation pipelines execute in ephemeral workers.

  3. Storage

    Versioned content and metadata stored in encrypted cloud (S3) and server storage.

  4. Access

    Role & institution-scoped policy enforcement on retrieval.

  5. Retention

    Data retained per defined policies and reviewed periodically.

  6. Deletion

    Soft deletion window, followed by permanent removal from active and backup storage.

Exercising Your Rights

Submit requests from the account email to support@provsy.com. We verify identity before fulfilling a request and respond within applicable statutory windows.

1. Submit

Email request specifying right(s) invoked.

2. Verify

We confirm requester identity & authorization.

3. Respond

Fulfilment or reasoned denial with guidance.

Privacy Queries

For questions, clarifications, or rights requests, contact us using the channels below. Please avoid including sensitive credentials in initial messages.

Support / Rights Requests

support@provsy.com

General Enquiries

info@provsy.com

Policy Updates

We may amend this policy to reflect platform evolution or regulatory changes. Material changes trigger user notification (email + in‑app) and updated version metadata above.

Historic versions available upon request.