Privacy Policy

Last Updated: February 10, 2026

Version 1.0

1. Introduction

Ten10 ("we", "us", or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our assessment platform (the "Service").

This policy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data Controller

Ten10 is the data controller responsible for your personal data. We determine the purposes and means of processing your personal information.

3. Data We Collect

We collect the following categories of personal data:

3.1 Account Information

  • Email address (required)
  • Full name (optional)
  • Password (encrypted)
  • Account creation date

3.2 Assessment Data

  • Assessment responses and answers
  • Time spent on questions
  • Assessment scores and results
  • Code submissions (for coding assessments)
  • Test execution logs

3.3 Proctoring Data

  • Tab switching events
  • Time away from assessment
  • Browser and device information

3.4 Technical Data

  • IP address
  • Browser type and version
  • Device information
  • Session data

4. Purpose of Processing

We process your personal data for the following purposes:

  • Assessment Delivery: To provide and administer technical assessments
  • Performance Evaluation: To evaluate your responses and generate results
  • Integrity Monitoring: To ensure assessment integrity and prevent cheating
  • Communication: To send assessment invitations, reminders, and results
  • Service Improvement: To analyse and improve our platform
  • Legal Compliance: To comply with legal obligations

6. Data Retention

We retain your personal data for as long as necessary to fulfill the purposes outlined in this policy:

  • Assessment Data: 12 months after completion (unless you consent to extended retention)
  • Account Data: Until account deletion is requested
  • Audit Logs: Minimum 3 years for compliance purposes
  • Consent Records: 7 years for legal compliance

You can request earlier deletion of your data by exercising your right to erasure (see Section 7).

7. Your Rights Under GDPR

You have the following rights regarding your personal data:

Right to Access (Article 15)

You can request a copy of all personal data we hold about you. Use our Privacy Dashboard to export your data.

Right to Rectification (Article 16)

You can update incorrect or incomplete personal data through your profile settings.

Right to Erasure (Article 17)

You can request deletion of your account and all associated data. This includes a 30-day cooling-off period.

Right to Restrict Processing (Article 18)

You can withdraw consent for optional processing activities (e.g., marketing, proctoring).

Right to Data Portability (Article 20)

You can download your data in a structured, machine-readable format (JSON, CSV, or PDF).

Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes.

To exercise any of these rights, visit your Privacy Dashboard or contact us directly.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption of data in transit (HTTPS/TLS)
  • Encryption of data at rest (database encryption)
  • Password hashing using bcrypt (12 rounds)
  • Secure session management with httpOnly cookies
  • Regular security audits and updates
  • Access controls and role-based permissions
  • Rate limiting to prevent abuse

9. Data Sharing and Third Parties

We do not sell your personal data. We may share your data with:

  • Service Providers: AWS (hosting), Google (email services) - all with appropriate data processing agreements
  • Employers/Recruiters: Assessment results may be shared with the organization that invited you (with your knowledge)
  • Legal Authorities: When required by law or to protect our legal rights

Data Location: All data is stored in UK/EU AWS regions. We do not transfer data outside the UK/EU.

10. Cookies and Tracking

We use cookies to provide and secure our service. All cookies we use are "strictly necessary" for the platform to function and are exempt from consent requirements under GDPR Article 5(3) and the ePrivacy Directive.

10.1 Essential Cookies We Use

admin_session

Purpose: Maintains your admin login session

Duration: 8 hours

Type: Essential (authentication)

Data Stored: Encrypted user ID and session timestamp

candidate_session

Purpose: Maintains your candidate login session

Duration: 2 hours

Type: Essential (authentication)

Data Stored: Encrypted user ID and session timestamp

mfa_pending_user / mfa_pending_admin

Purpose: Temporary storage during two-factor authentication

Duration: 5 minutes

Type: Essential (security)

Data Stored: User ID pending MFA verification

mfa_return_url

Purpose: Remembers where to redirect after MFA verification

Duration: 5 minutes

Type: Essential (user experience)

Data Stored: URL path

mfa_setup_secret

Purpose: Temporary storage during MFA setup process

Duration: 10 minutes

Type: Essential (security)

Data Stored: Encrypted TOTP secret for verification

10.2 Cookie Security

All our cookies are configured with security best practices:

  • HttpOnly: Cookies cannot be accessed by JavaScript (prevents XSS attacks)
  • Secure: Cookies are only sent over HTTPS in production
  • SameSite: Set to "Lax" to prevent CSRF attacks while allowing normal navigation
  • Encrypted: Session data is base64-encoded before storage
  • Time-limited: All cookies expire automatically

10.3 Third-Party Cookies

We do not use any third-party cookies for:

  • Analytics or tracking (no Google Analytics, Facebook Pixel, etc.)
  • Advertising or marketing
  • Social media integration
  • Behavioural profiling

10.4 Managing Cookies

You can manage cookies through your browser settings. However, please note:

⚠️ Important: Blocking or deleting our cookies will prevent you from logging in and using the assessment platform, as they are essential for the service to function.

10.5 Future Changes

If we introduce non-essential cookies in the future (such as analytics), we will:

  • Update this policy and notify you
  • Implement a cookie consent banner
  • Provide granular control over cookie preferences
  • Only use such cookies after obtaining your explicit consent

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will:

  • Update the "Last Updated" date at the top of this policy
  • Notify you via email if you have an account
  • Request renewed consent if required by law

Continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

Ten10

Email: contact@ten10.com

Privacy Dashboard: /privacy

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues.

© 2026 Ten10. All rights reserved.

This policy is compliant with UK GDPR and the Data Protection Act 2018