Privacy Policy — Velocode Assess
Last updated: May 19, 2026
1. Overview
Velocode Assess is the B2B technical-assessment product operated by Velocode AI (“Velocode”, “we”, “us”), based in New York, NY. This policy explains how we handle data when a hiring team (the “Customer”) uses Velocode Assess to evaluate candidates. It covers both the Customer's own data and the candidate data that flows through the platform under our role as a data processor.
For the candidate-facing product (velocode.ai/practice and related routes), see our general privacy policy.
2. Information we collect
2.1 Customer account information
When a hiring team signs up for Velocode Assess, we collect the company name, work email addresses of users on the account, authentication tokens, and dashboard activity (assessments created, candidates invited, reports viewed). We use this data to run the product and to bill the account.
2.2 Candidate data
When a Customer invites a candidate to take an assessment, we collect, on the Customer's behalf:
- The candidate's name and email address as supplied by the Customer
- The candidate's assessment submissions (code, written answers, attached files)
- Anti-cheat telemetry — keystroke timing, paste events, tab switches, time-per-section, session duration
- Generated outputs — automated scoring, dimension breakdowns, and comparisons to the golden answer
Candidate data is collected and processed under the Customer's instructions. Candidates interact with assessments branded by the Customer; they never see Velocode marketing and we never contact them directly.
2.3 Payment information
Payments are processed by Stripe. We never see or store full credit card numbers. We retain the Customer's Stripe customer ID, subscription status, and invoice history.
2.4 Technical data
We collect standard server logs (IP address, browser type, request path) and aggregated, anonymised traffic analytics via Vercel. These are used for operational debugging and capacity planning.
3. How we use this information
- Provide the Velocode Assess platform to Customers
- Score candidate submissions and surface results to the inviting Customer
- Send transactional emails (invitations, assessment completion notifications, billing) via Resend
- Detect fraud, abuse, and unauthorised access
- Improve scoring accuracy and platform reliability
- Comply with legal obligations
We do not sell candidate or Customer data. We do not use candidate data to train AI models or to market other products to candidates. We do not contact candidates outside of the assessment they were invited to take.
4. Our role as a data processor
For candidate data, the Customer is the data controller and Velocode is a data processor acting under the Customer's instructions. The Customer is responsible for obtaining the legal basis to invite the candidate (e.g. recruiting consent or legitimate interest), for the scope of data they ask us to collect, and for responding to candidate data-subject requests directed at them.
If a candidate contacts Velocode directly with a data-subject request, we will direct them back to the Customer that administered their assessment and, where appropriate, notify the Customer.
5. Third-party services
We use the following sub-processors to operate Velocode Assess:
- Clerk (clerk.com) — Customer authentication
- Supabase (supabase.com) — Database and object storage (US-East)
- Vercel (vercel.com) — Hosting and infrastructure
- Stripe (stripe.com) — Payment processing
- Anthropic (anthropic.com) — AI scoring and golden-answer generation
- OpenAI (openai.com) — Embeddings and golden-answer tournament
- Resend (resend.com) — Transactional email
- E2B (e2b.dev) — Sandboxed code execution for candidate submissions
Candidate code submitted for evaluation runs inside isolated E2B sandboxes with no outbound network access and is destroyed after execution. AI scoring providers receive submission text and golden-answer context only; they do not receive candidate identity unless the candidate has included it in their own written response.
6. Storage, encryption, and residency
All Customer and candidate data is encrypted at rest (Supabase + AWS, US-East region) and in transit (TLS 1.3). Access to production data is restricted to a limited set of Velocode personnel under audit logging.
EU data residency is available on Enterprise contracts on request. Other regional residency arrangements are also handled via Enterprise contracts.
7. Data retention
- Candidate submissions and anti-cheat telemetry: retained for 90 days by default. Configurable down to 30 days on Enterprise. After the retention window, submissions are deleted and only an aggregate score record is preserved.
- Customer account data: retained while the account is active. On account deletion, personal information is deleted within 30 days, except where retention is required by law (e.g. billing records under tax law).
- Aggregated, anonymised analytics: may be retained indefinitely for platform improvement.
8. Confidentiality and candidate experience
- We do not sell candidate data to any third party.
- Candidates never receive marketing email from Velocode.
- Candidates see the Customer's branding on their assessment; the Velocode name appears only as a small footer credit.
- Customer hiring pipelines are not shared, benchmarked across companies, or surfaced to any other Customer.
9. Customer rights
Customers can, at any time:
- Access the data we hold about their account
- Export candidate submission data via the dashboard
- Request early deletion of specific assessments or candidate records
- Terminate the account and have associated data deleted within 30 days
To exercise these rights, email sanjna@velocode.ai from a verified account-admin address.
10. Security incidents
In the event of a security incident materially affecting Customer or candidate data, we will notify the affected Customer's primary contact without undue delay and provide the information required for the Customer to meet its own breach-notification obligations.
11. Changes to this policy
We may update this policy. Material changes will be communicated to active Customers by email and reflected in the “Last updated” date above.
12. Contact
Questions about this policy, requests for a Data Processing Addendum, or other privacy enquiries:
sanjna@velocode.ai
Velocode AI, New York, NY