Privacy Policy

From customers. Account details (name, work email, company), billing information, and the configuration of any assessments you create.

From candidates. Name and contact email (provided by the inviting company), plus the full record of the assessment session: prompts, AI responses, code edits, test runs, terminal output, and timestamps.

From everyone. Standard server logs (IP address, user-agent, request timing) and cookies necessary for the product to function. We do not use third-party advertising cookies.

• To operate the assessment platform and generate candidate reports.
• To send transactional emails (account, billing, assessment invites, report delivery).
• To improve our scoring models — only on aggregated, de-identified data and only when the customer has opted in.
• To prevent fraud and abuse.
• To comply with legal obligations and respond to lawful requests.

For people in the EEA or UK, we rely on the following legal bases: contract performance (to provide the service to customers), consent (where you opt in to optional features such as model improvement), and legitimate interests (security, fraud prevention).

We do not sell personal data. We share data with:

• The inviting company — candidate reports are shared with the company that invited the candidate.
• Sub-processors we rely on to run the service — cloud hosting, email delivery, error monitoring, and analytics. All sub-processors are bound by data-processing agreements.
• Authorities, when required by law and when we have a valid legal request.

Production data is hosted in the United States and, for EU customers, in the EU (Frankfurt). Assessment sessions are retained for the duration of the customer's subscription plus 12 months, then deleted. Candidates can request earlier deletion at any time.

Data is encrypted in transit (TLS 1.3) and at rest (AES-256). See our Security page for our infrastructure, access-control, and incident-response practices.

Depending on where you live, you may have the right to access, correct, delete, port, or restrict our processing of your personal data, and to object to processing or withdraw consent. Candidate-specific rights are detailed in our Candidate Rights page. EU and UK residents — see our GDPR page for additional rights and our DPO contact.

Quala is not intended for anyone under 16. We do not knowingly collect data from children.

When we make material changes to this policy we will email account owners and update the effective date above. Continued use of Quala after a change means you accept the revised policy.

Privacy questions or rights requests: privacy@quala.dev.