Privacy Policy

Last updated: February 2026

1. Who We Are

Data Processor: LOVEUAD LTD (Company Number: 16838046), registered in England and Wales.

Data Controller: The organisation (employer or assessment provider) that created your assessment. They determine why and how your data is processed.

2. What Data We Collect

Category	Data	Purpose
Identity	Name, email address	Account creation, authentication
Assessment	Written responses, code/document submissions	Performance evaluation
Voice	Voice recordings and transcriptions (if enabled)	Voice-based assessment steps
Visual	Webcam snapshots (if enabled)	Proctoring / identity verification
Behavioural	Timing data, tab switches, paste attempts	Anti-cheat monitoring
Technical	IP address, browser type	Security, troubleshooting

3. Legal Basis for Processing

Legitimate interest (GDPR Article 6(1)(f)) — The administering organisation has a legitimate interest in assessing candidates' professional abilities.
Consent (GDPR Article 6(1)(a)) — Explicit consent is obtained before camera monitoring or voice recording.
Contractual necessity (GDPR Article 6(1)(b)) — Processing is necessary for the assessment engagement between the candidate and the administering organisation.

4. How We Use Your Data

To run your assessment and generate AI-powered evaluations
To provide scores and feedback to the administering organisation
To detect and prevent cheating
To maintain audit trails for fairness and accountability
To improve the platform (aggregated, anonymised data only)

5. AI Processing

Your responses are processed by Google Gemini AI models to generate evaluations. This constitutes automated decision-making under GDPR Article 22. The administering organisation is responsible for ensuring a human reviews AI-generated scores before making consequential decisions.

6. Data Sharing

Recipient	Purpose	Safeguards
Administering organisation	Receives your scores, responses, audit data	Data controller obligations
Google Cloud (Gemini API)	AI processing of responses	Standard Contractual Clauses, EU-US DPF
Cloud hosting provider	Database and application hosting	EU region available, encryption at rest

We do not sell your data. We do not share data with advertisers.

7. Data Retention

Assessment data is retained for a period configured by the administering organisation (default: 12 months). After this period, data is automatically deleted. You may request earlier deletion — see Section 8.

8. Your Rights (GDPR)

Under the UK GDPR and Data Protection Act 2018, you have the right to:

Access — Request a copy of all data we hold about you
Rectification — Request correction of inaccurate data
Erasure — Request deletion of your data ("right to be forgotten")
Portability — Receive your data in a machine-readable format (ZIP)
Objection — Object to processing based on legitimate interest
Restrict processing — Request limitation of how your data is used
Withdraw consent — For camera/voice recording at any time

How to exercise your rights

Contact your administering organisation (the data controller) directly. Alternatively, email us at [email protected] and we will forward your request to the appropriate controller.

9. International Transfers

Your data may be processed outside the UK/EEA when sent to Google's AI APIs. These transfers are protected by Standard Contractual Clauses and/or adequacy decisions. EU-region hosting is available upon request by the administering organisation.

10. Security

We implement appropriate technical and organisational measures including encryption in transit (TLS) and at rest, access controls, regular security reviews, and secure cloud infrastructure.

11. Cookies

We use functional session cookies only. These are necessary for the platform to work (login, assessment state). We do not use tracking cookies, analytics cookies, or advertising cookies.

12. Children

writendraw is designed for professional assessment of adults. We do not knowingly collect data from anyone under 16. If you believe we have collected data from a child, contact us immediately.

13. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (GDPR Article 33) and inform affected individuals without undue delay (GDPR Article 34).

14. Complaints

If you are unhappy with how your data is handled, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, SK9 5AF
ico.org.uk/make-a-complaint

15. Contact

LOVEUAD LTD
Email: