Privacy policy

Effective Date: July 29, 2025

At DokimAI ("we," "our," or "us"), we are committed to protecting the privacy and security of the personal data of our users. This Privacy Policy explains how we collect, use, disclose, and protect personal data when you use our SaaS platform and services (collectively, the "Services").

This Privacy Policy is designed to comply with the General Data Protection Regulation (GDPR) (EU) 2016/679 and other applicable data protection laws.

1. Who is Responsible for Your Data?

For the purposes of the GDPR, the data controller is:

DokimAI

24 Aghmashenebeli Avenue.

Kutaisi, 4600, Georgia

Email: [email protected]

If you are a B2B user, your organization (the “Client”) acts as a separate data controller for the personal data of the individuals taking assessments through your account. In such cases, DokimAI acts as a data processor on behalf of the Client. Our obligations as a data processor are further detailed in a separate Data Processing Addendum (DPA) that we enter into with our B2B Clients.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • Data Subject: The identified or identifiable natural person to whom personal data relates.
  • Services: Our SaaS platform, website, and all related testing and assessment services.

3. What Personal Data Do We Collect and Why?

We collect different types of personal data depending on how you interact with our Services.

a) For B2C Users (You are the Data Subject; DokimAI is the Controller):

  • Account Data:
    • Data Collected: Name, email address, password (encrypted), country of residence.
    • Purpose: To create and manage your account, provide access to the Services, communicate with you about your account, and ensure security.
    • Legal Basis: Performance of a contract (Terms of Service).
  • Assessment Data:
    • Data Collected: Responses to test questions, assessment results, performance metrics on tests (e.g., time taken, accuracy). Depending on the nature of the test, this may include data that could be considered sensitive (e.g., related to cognitive abilities, personality traits).
    • Purpose: To generate accurate psychometric test results, provide you with personalized assessment reports, and enable your self-assessment.
    • Legal Basis: Explicit consent (for sensitive data where required) and performance of a contract (to provide the assessment service you requested). We obtain your explicit consent before you begin any assessment that might involve sensitive data.
  • Usage Data:
    • Data Collected: IP address, browser type, operating system, pages visited, time spent on pages, referral source, device identifiers.
    • Purpose: To analyze and improve the performance and usability of our Services, troubleshoot technical issues, and ensure security.
    • Legal Basis: Legitimate interests (improving our Services, ensuring security).
  • Communication Data:
    • Data Collected: Content of your communications with us (e.g., support inquiries, feedback).
    • Purpose: To respond to your inquiries, provide customer support, and improve our services.
    • Legal Basis: Performance of a contract (customer support), Legitimate interests (improving customer service).
b) For B2B Users (Client is Controller, We are Processor Relationship):

When a B2B Client uses our Services to assess their employees, candidates, or other individuals, the Client is the Data Controller, and DokimAI acts as a Data Processor. In this scenario:

  • Client Account & Administrative Data:
    • Data Collected: Business name, contact person name, email, phone number, billing information.
    • Purpose: To manage the Client’s account, provide administrative support, process payments, and communicate about the service.
    • Legal Basis: Performance of a contract (with the B2B Client).
  • Assessment Data (of Individuals Assessed by Client):
    • Data Collected: As instructed by the Client, this may include names, email addresses, and assessment results (responses, scores, reports) of individuals taking tests facilitated by the Client. We process this data strictly on the Client’s instructions.
    • Purpose: To generate and deliver assessment results and reports to the B2B Client, as per our contractual obligations with the Client.
    • Legal Basis: For us as a Processor, our legal basis is the contract with the Controller (our B2B Client). The Client is responsible for establishing the legal basis for processing the personal data of their data subjects (e.g., consent, legitimate interests, performance of a contract, legal obligation).
  • Usage Data:
    • Data Collected: As described above for B2C users, related to the Client’s administrative use of the platform.
    • Purpose: To analyze and improve the performance and usability of our Services for B2B Clients.
    • Legal Basis: Legitimate interests.

c) For All Users (Aggregated & Anonymized Data):

  • Data Collected: We may aggregate and anonymize personal data (e.g., assessment results from many users, usage patterns) in a way that it can no longer be identified with an individual.
  • Purpose: For research, analysis, product development, to improve our AI models, and for marketing our services (e.g., demonstrating the efficacy of our tests).
  • Legal Basis: Legitimate interests (improving our services, developing our AI, market research). This data is no longer considered “personal data” under GDPR.

4. How We Use Artificial Intelligence (AI)

Our Services utilize AI to generate psychometric tests and analyze responses.

  • The AI processes your (or the assessed individual’s) responses to generate scores, insights, and reports.
  • We use anonymized and aggregated data to train and improve our AI models, ensuring the ongoing accuracy and breadth of our test generation capabilities. This process is designed to protect your privacy because individual data is stripped of identifying information before it is used for training.

5. How We Share Your Personal Data

We only share personal data in limited circumstances and with appropriate safeguards:

  • With B2B Clients: If you are an individual taking an assessment through a B2B Client’s account, your assessment data and results will be shared directly with that B2B Client as per their instructions.
  • With Third-Party Service Providers (Processors): We use trusted third-party service providers to help us operate, provide, and improve our Services. These include:
    • Cloud hosting providers (e.g., AWS, Google Cloud)
    • Payment processors (e.g., Stripe, PayPal)
    • Customer support platforms
    • Analytics providers
    • Email communication services

These providers are contractually bound to protect your personal data and use it only for the purposes for which we disclose it to them, and in compliance with GDPR.

  • For Legal Reasons: We may disclose your personal data if required to do so by law or in the good faith belief that such action is necessary to:
    • Comply with a legal obligation (e.g., court order, subpoena).
    • Protect and defend the rights or property of DokimAI.
    • Prevent or investigate possible wrongdoing in connection with the Services.
    • Protect the personal safety of users of the Services or the public.
  • Business Transfers: In connection with a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any such change in ownership or control of your personal data.
  • With Your Consent: We may share your personal data with third parties when we have your explicit consent to do so.

6. International Data Transfers

Our servers and some of our service providers may be located outside of the European Economic Area (EEA). When we transfer personal data outside the EEA, we ensure that appropriate safeguards are in place to protect your data, such as:

  • Standard Contractual Clauses (SCCs): Implementing the European Commission’s approved SCCs.
  • Adequacy Decisions: Relying on countries deemed by the European Commission to provide an adequate level of data protection.
  • Binding Corporate Rules (BCRs): For intra-group transfers (if applicable).

By using our Services, you acknowledge and agree to such transfers.

7. Your Data Protection Rights (GDPR)

Under the GDPR, you have the following rights concerning your personal data:

  • Right to Information (Art. 13 & 14 GDPR): You have the right to be informed about the collection and use of your personal data. This Privacy Policy serves this purpose.
  • Right of Access (Art. 15 GDPR): You have the right to request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16 GDPR): You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
  • Right to Erasure (“Right to be Forgotten”) (Art. 17 GDPR): You have the right to request the deletion of your personal data under certain conditions (e.g., if the data is no longer necessary for the purposes for which it was collected).
  • Right to Restriction of Processing (Art. 18 GDPR): You have the right to request that we restrict the processing of your personal data under certain conditions (e.g., if you contest the accuracy of the data).
  • Right to Data Portability (Art. 20 GDPR): You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
  • Right to Object (Art. 21 GDPR): You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent (Art. 7 GDPR): Where we rely on your consent as the legal basis for processing, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
  • Right to Lodge a Complaint (Art. 77 GDPR): You have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you believe that the processing of your personal data infringes GDPR.


How to Exercise Your Rights:

To exercise any of these rights, please contact us at Info@dokimAI. We will respond to your request within one month. We may require you to verify your identity before fulfilling your request.

Important Note for B2B Assessed Individuals: If you have taken an assessment through a B2B Client’s account, and wish to exercise your data protection rights regarding that assessment data, you should primarily contact the B2B Client (your employer or prospective employer), as they are the Data Controller of that data. We will assist our B2B Clients in fulfilling your requests as per our Data Processing Addendum.

8. Data Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing your personal data, including:

  • Encryption: Data at rest and in transit.
  • Access Controls: Restricting access to personal data to authorized personnel only.
  • Regular Security Audits: To identify and address vulnerabilities.
  • Data Minimization: Collecting only the data necessary for the stated purposes.
  • Pseudonymization/Anonymization: Where appropriate, to reduce identifiability.

While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee its absolute security.

9. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.

  • B2C User Account Data: Retained for as long as your account is active and for a reasonable period thereafter to facilitate reactivation or comply with legal obligations.
  • B2C Assessment Data: Retained for a period consistent with the purpose of providing you with your assessment results and historical access, typically 2-5 years or until you request deletion, unless a longer period is required by law.
  • B2B Client Data: Retained as per the terms of our agreement and Data Processing Addendum with the B2B Client.
  • Aggregated/Anonymized Data: May be retained indefinitely as it no longer constitutes personal data.

When personal data is no longer required, we will securely delete or anonymize it.

10. Children's Privacy

Our Services are not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that we have collected personal data from a child under 18 without parental consent, we will take steps to delete that information promptly.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the new Privacy Policy on our website and/or by other reasonable means (e.g., email notification for significant changes). Your continued use of the Services after the Effective Date of the revised Privacy Policy constitutes your acceptance of the changes.

12. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact our Data Protection Officer (DPO) at:

Data Protection Officer: Paata Sirbiladze

Email: [email protected]