PRIVACY POLICY

Date of last update: March 5, 2026

VERSION FOR CANDIDATES

This Privacy Policy sets out the rules for processing your personal data in connection with using the Heroify platform. Our goal is to objectively assess your skills, cognitive abilities, and fit for specific professional challenges.

1. Who manages your data?

In the competency assessment process, your data is processed by two entities:

Data Controller: The entity (company/employer) that invited you to complete the assessment. This entity decides for what purpose your skills are assessed (e.g. recruitment, promotion, training planning). The information obligation towards you - pursuant to Article 13 or 14 GDPR - rests with the Controller and should be provided to you directly by that company, e.g. in the process invitation.

Processor (Heroify): Heroify sp. z o.o., with its registered office in Warsaw, ul. Padewska 23/7, 00-777 Warsaw, NIP: 5213930518, provides technology and processes data on behalf of the Controller, acting solely in accordance with the Controller's instructions. Heroify does not make employment decisions and does not use candidates' data for other recruitment purposes without their consent.

Independent Controller (Heroify): For maintaining your individual user profile, where you collect the history of all your results, Heroify acts as an independent data controller. Legal basis: Heroify's legitimate interest (Article 6(1)(f) GDPR).

Contact for data protection matters: gdpr@heroify.co

2. Scope and purpose of data processing

We collect data necessary for a reliable assessment of your professional potential:

Access data
Your first and last name, email address, and phone number. The phone number is used solely to send an SMS code that enables secure login and confirmation of your data - it replaces a traditional password and increases access security for the test.

Assessment results
We record your responses in tests and open-ended questions.

Fairness mechanisms (Anti-cheating)
To ensure objectivity and equal opportunity for all assessed individuals, the system monitors specified activities during the test session to detect unfair practices. For this purpose, we process the following categories of technical and behavioral data:

  • IP address,
  • device type and browser information,
  • time spent on individual questions,
  • test session start and end time,
  • system events recorded in the browser window during the test session.

Detailed monitoring mechanisms are not publicly disclosed so as not to enable circumvention. Monitoring takes place exclusively during an active test session.

Fairness Policy
Before starting the test, you will be asked to accept the Fairness Policy, which sets out rules for independent task completion (prohibition on using AI tools, prohibition on third-party assistance). Acceptance is a condition for participating in the assessment.

Feedback
Based on your results, we generate a report that helps you understand your strengths and areas for development.

4. Automated decision-making and profiling

The Heroify platform generates results and reports based on responses given in assessments. These results constitute support for the decision-making process only - final decisions concerning employment, promotion, or other uses of results are always made by the data Controller (employer or entity organizing the assessment).

Heroify does not make any automated decisions that produce legal effects concerning you or similarly significantly affect you within the meaning of Article 22 GDPR.

5. Data recipients

Your data may be transferred to the following categories of recipients:

  • Controller (employer or entity organizing the assessment) - as the entity commissioning the assessment,
  • Technical service providers (hosting, IT infrastructure, SMS services) - acting solely on our behalf, based on data processing agreements,
  • Providers of analytics and security tools,
  • Public authorities - only where required by law.

We do not sell your personal data to third parties.

6. Transfers of data outside the EEA

Your personal data is stored on servers located in the European Union. When using tools from providers outside the EEA, we apply appropriate safeguards, in particular Standard Contractual Clauses approved by the European Commission (Article 46(2)(c) GDPR), ensuring an adequate level of data protection.

7. Access to results

As a user, you have access to a dedicated panel where you can see the history of all your assessments completed on the Heroify platform. This allows you to track your own development regardless of the organization that commissioned the assessment and constitutes implementation of your right of access to data and your right to data portability.

8. Cookies and system logs

The Heroify platform uses cookies and records session logs only to the extent necessary for proper service operation, security, and analytics purposes. This data is processed on the basis of Heroify's legitimate interest (Article 6(1)(f) GDPR).

9. Data retention period

The retention period depends on the processing purpose:

  • Data related to the assessment (including results) - for the period resulting from the agreement with the Controller or until the recruitment purpose is fulfilled, but no longer than 24 months after completion of the process, unless the Controller decides otherwise or legal provisions require another period.
  • User profile (result history) - until account deletion or for one year from the last activity.
  • Data processed to ensure test fairness - for the period necessary to resolve potential disputes regarding results, no longer than until expiry of the limitation period for claims.
  • Data processed on the basis of a legal obligation - for periods required by law.

10. Your rights

Under GDPR, you have the right to:

  • Access your data and obtain a copy of it (Article 15 GDPR),
  • Rectify or supplement data (Article 16 GDPR),
  • Erase data - in specified cases (Article 17 GDPR),
  • Restrict processing (Article 18 GDPR),
  • Data portability - in relation to data processed on the basis of a contract or consent (Article 20 GDPR),
  • Object to processing based on legitimate interest, including profiling and activity monitoring as part of fairness mechanisms - which may result in invalidation of assessment results (Article 21 GDPR),
  • Lodge a complaint with the supervisory authority - President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl).

Note: For data where the controller is the company inviting you to the assessment, your requests should be addressed directly to that company. Heroify will redirect requests to the Controller if they are sent to us.

11. Contact

For matters concerning your personal data on the Heroify platform, contact us:

Email: gdpr@heroify.co
Address: Heroify sp. z o.o., ul. Padewska 23/7, 00-777 Warsaw