Privacy Policy

1 Information We Collect

Account Information

When you register for a DoYouPrompt account, we collect:

• Name: Your first and last name, used to identify you in assessments and reports.
• Email address: Used for account verification, authentication, and essential communications.
• Locale preference: Your preferred language setting for the Platform interface.
• Password: Stored as a secure, one-way cryptographic hash. We never store or have access to your plain-text password.

Assessment Data

During assessments, we collect detailed interaction data to enable accurate behavioral scoring:

• Prompts and responses: The text of every prompt you submit and every AI response generated during the assessment.
• Interaction traces: Detailed behavioral data including keystroke timing patterns, prompt editing sequences, branching decisions, and iteration strategies.
• Timing data: Time spent on each task, time between actions, and overall assessment duration.
• Scores and reports: Computed scores, rubric evaluations, and generated assessment reports.

Technical Data

We automatically collect certain technical information when you use the Platform:

• Browser information: Browser type, version, and capabilities.
• IP address: Used for security purposes, anti-cheating analysis, and approximate geolocation.
• Device type: Device category (desktop, tablet, mobile) and screen resolution.

Cookies

We use session cookies only for authentication and maintaining your session state. We do not use tracking cookies, analytics cookies, or advertising cookies. See Section 6 for details.

2 How We Use Your Data

We process your data for the following specific purposes:

• Deliver and score assessments: Your prompts, interaction traces, and timing data are analyzed by our scoring engine to evaluate prompt engineering competency and generate detailed reports.
• Generate reports for linked recruiters: When you are explicitly connected to a recruiter through an invitation link, your assessment report is made available to that recruiter. This only occurs when a clear recruiter-candidate relationship exists.
• Improve the platform: We use anonymized, aggregated assessment data to improve scoring accuracy, refine rubrics, develop new assessment tracks, and enhance the overall assessment experience.
• Anti-cheating analysis: Interaction traces and behavioral patterns are analyzed to detect potential integrity violations, ensuring fair assessment conditions for all candidates.
• Essential communications: We send verification emails, password reset links, assessment completion notifications, and report availability notifications. We do not send marketing emails without your explicit consent.

3 Who Sees Your Data

Self-Registered Users

If you register on your own (without a recruiter invitation), your assessment data and reports are entirely private. No one else can see your results unless you explicitly choose to share them.

Recruiter-Invited Candidates

If you were invited by a recruiter, the recruiter who invited you can view:

• Your assessment scores and overall performance summary
• Your detailed assessment report, including dimension breakdowns
• Comparison data relative to other candidates they have invited

Recruiters can only see data for candidates they have personally invited. They cannot access data for candidates linked to other recruiters or self-registered users.

DoYouPrompt Team

Our team may access your data for the following limited purposes:

• Platform operation, maintenance, and troubleshooting
• Customer support (when you contact us with an issue)
• Security incident investigation
• Scoring accuracy verification and calibration

Third Parties

We may share anonymized, aggregated statistical data (e.g., "average scores across 10,000 assessments") in research publications or public reports. This data cannot be used to identify any individual.

4 Data Storage & Security

We take the security of your data seriously and implement multiple layers of protection:

• Secure servers: All data is stored on secure, professionally managed servers with industry-standard physical and logical access controls.
• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security). We enforce HTTPS across the entire Platform.
• Password security: Passwords are hashed using strong, one-way cryptographic algorithms. We never store plain-text passwords.
• Access controls: Internal access to user data is restricted on a need-to-know basis. All data access is logged and audited.
• Audit logging: We maintain comprehensive audit logs of administrative actions and data access events.
• Regular security reviews: We conduct periodic security assessments and promptly address any identified vulnerabilities.

While we implement robust security measures, no system is completely immune to security threats. In the unlikely event of a data breach, we will notify affected users and relevant authorities in accordance with applicable laws.

5 Your Rights

You have the following rights regarding your personal data:

• Right of access: You can request a copy of the personal data we hold about you. You can view much of this data directly through your account settings and assessment history.
• Right to correction: You can update your account information at any time through your profile settings. For corrections to assessment data, please contact us.
• Right to deletion: You can request deletion of your account and associated personal data. We will process deletion requests within thirty (30) days.
• Right to data portability: You can request an export of your personal data in a structured, commonly used, machine-readable format.
• Right to withdraw consent: Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

GDPR Compliance for EU Users

If you are located in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR):

• Right to restriction: You can request restriction of processing of your personal data in certain circumstances.
• Right to object: You can object to processing of your personal data for certain purposes, including profiling.
• Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority.

To exercise any of these rights, please contact us through the contact page or email our Data Protection Officer at dpo@doyouprompt.com.

6 Cookies

Our cookie usage is minimal and limited to what is essential for the Platform to function:

• Session cookie: A single session cookie is used to maintain your authenticated session after login. This cookie is essential for the Platform to function and does not require separate consent under ePrivacy regulations.
• CSRF token: A security token stored in your session to protect against cross-site request forgery attacks.

We do not use:

• Analytics cookies (no Google Analytics, no Mixpanel, etc.)
• Advertising or retargeting cookies
• Third-party tracking cookies
• Social media cookies

Because we only use strictly necessary cookies, no cookie consent banner is required. Our session cookie is deleted when you close your browser or when your session expires.

7 Data Retention

We retain your data according to the following schedule:

• Active accounts: Your account data (name, email, preferences) is retained for as long as your account remains active. You can delete your account at any time.
• Deleted accounts: When you delete your account, personal data (name, email, profile information) is permanently removed within thirty (30) days. During this period, data may be retained in backups but is not accessible.
• Assessment traces: Interaction traces and detailed behavioral data are retained for two (2) years from the date of assessment completion. This retention period is necessary for scoring calibration, recalibration research, and dispute resolution.
• Anonymized data: Anonymized, aggregated statistical data derived from assessments may be retained indefinitely for research and platform improvement purposes. This data cannot be linked back to any individual.

8 Children's Privacy

DoYouPrompt is designed for professional skill assessment and is intended for users who are at least 16 years of age. We do not knowingly collect personal information from children under 16.

If we become aware that we have collected personal data from a child under the age of 16, we will take immediate steps to delete that information. If you believe that we may have collected data from a child under 16, please contact us immediately at dpo@doyouprompt.com.

9 Changes to Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

• Minor changes: For non-material updates (e.g., clarifications, formatting changes), we will update the "Last Updated" date at the bottom of this page.
• Material changes: For changes that materially affect how we collect, use, or share your personal data, we will provide prominent notice via email to the address associated with your account at least fourteen (14) days before the changes take effect.

Your continued use of the Platform after the effective date of an updated Privacy Policy constitutes your acceptance of the changes. If you do not agree with the updated policy, you should discontinue use of the Platform and may request account deletion.

10 Contact

If you have questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how your data is being handled, please contact us:

• Contact page: doyouprompt.com/contact
• General privacy inquiries: hello@doyouprompt.com
• Data Protection Officer: dpo@doyouprompt.com

We aim to respond to all privacy-related inquiries within five (5) business days. For data access, correction, or deletion requests, we will complete processing within thirty (30) days.