Privacy Policy

1. Introduction

This Privacy Policy describes how Maatrics ("we", "us", "our", or the "Platform") collects, uses, stores, shares, and protects personal information when you use our AI-powered assessment platform and related services. We are committed to protecting your privacy and handling your personal data responsibly. This policy applies to all users of the Platform, including candidates (applicants), company administrators, and any other individuals who interact with our services.

2. Data Controller and Processor Roles

When Company Administrators use the Platform to assess candidates, the Company Administrator's organization acts as the Data Controller for candidate personal data. Maatrics acts as the Data Processor processing personal data on behalf of the Company Administrator.

For account registration, platform usage data, and direct interactions with Maatrics (e.g., demo requests, support inquiries), Maatrics acts as the Data Controller.

Company Administrators who process personal data through the Platform may enter into a Data Processing Agreement (DPA) with Maatrics to govern the processing of personal data.

3. Information We Collect

3.1 Account Information

We collect identity data (name, gender), contact data (email address), professional data (job title, position, department), authentication credentials (username, hashed password, tokens), and account metadata (account type, company affiliation).

3.2 Biometric Data

For identity verification (KYC) and exam proctoring, we may collect: facial video and photo recordings, face embedding vectors (numerical representations of facial geometry), voice audio recordings, and voice embedding vectors (numerical representations of voice characteristics).

Biometric data is used to verify that the person taking the assessment is the same person who enrolled. During exams, face and voice are continuously compared against enrolled biometric templates. Biometric data is retained for the duration of the assessment period and as specified in the applicable data processing agreement.

3.3 Assessment and Exam Data

This includes conversation transcripts from AI-powered interviews, audio and video recordings, screen recordings, secondary camera recordings of the exam environment, assessment responses, AI-generated performance scores and competency ratings, CEFR language levels, and analysis reports.

3.4 Security and Proctoring Data

During assessments, we may collect: browser action logs (tab switches, fullscreen exits, keyboard shortcuts), face presence and verification data, voice verification results, object detection results (e.g., mobile phones in the environment), AI detection results indicating potential use of AI tools, connection reports, device information (browser, OS, hardware capabilities), and aggregated security scores.

3.5 Meeting Analytics Data

When meeting analytics features are used, we may collect: meeting recordings and transcripts, participant information, AI-generated meeting summaries, calendar data, and encrypted OAuth credentials for calendar integrations (Google Calendar, Microsoft Outlook).

3.6 Development and Training Data

Training progress, AI tutor session transcripts, AI-generated evaluations and comments, and follow-up session data.

3.7 Chat and Communication Data

Messages exchanged between candidates and administrators, AI assistant conversations, and message metadata (timestamps, read receipts).

3.8 Technical and Usage Data

IP addresses, session data, activity logs, error reports, and device fingerprint information for trusted device management.

4. How We Use Your Information

4.1 Service Delivery

Operating the assessment platform, conducting AI-powered interviews, transcribing and scoring conversations, generating proficiency reports and competency evaluations, delivering training content, and facilitating communication between candidates and administrators.

4.2 Identity Verification and Security

Verifying candidate identity through biometric matching, monitoring exam integrity through proctoring features, detecting prohibited objects and unauthorized devices, detecting potential use of AI tools, analyzing browser behavior, and preventing fraud and impersonation.

4.3 Communication

Sending assessment invitations and reminders, delivering authentication notifications, providing platform-related updates, and facilitating in-platform messaging.

4.4 Service Improvement

Analyzing usage patterns, monitoring and resolving technical issues, and improving AI models (subject to applicable agreements and data anonymization).

4.5 Legal and Compliance

Complying with applicable laws and regulations, responding to lawful requests, protecting our rights and safety, and enforcing our Terms of Service.

5. Legal Basis for Processing (GDPR)

Where the GDPR applies, we process personal data based on: Contract Performance (providing assessment services, account management); Legitimate Interest (security monitoring, fraud prevention, service improvement); Consent (biometric data processing, calendar integration, optional features); and Legal Obligation (compliance with applicable laws).

Biometric data constitutes special category data under GDPR Article 9 and is processed based on explicit consent obtained during KYC enrollment.

6. Data Sharing and Disclosure

6.1 Company Administrators

Assessment scores, proficiency ratings, conversation transcripts and recordings, security and proctoring results, AI-generated reports, and training progress are shared with the Company Administrators who engaged our services.

6.2 Third-Party Service Providers

We engage third-party providers for: AI and language model processing, speech-to-text and text-to-speech services, cloud storage (AWS S3), meeting platform integrations (Microsoft Teams, Zoom, Google Meet), email delivery, and error monitoring. These providers may be located in various jurisdictions including the United States.

Biometric processing (face detection, voice analysis, object detection) is performed on self-hosted GPU infrastructure and is not shared with external cloud services.

6.3 ATS Integrations

When configured by Company Administrators, assessment results and candidate data may be shared with connected Applicant Tracking Systems via webhook notifications.

6.4 Legal Requirements

We may disclose personal data when required by law, regulation, or legal process, or to protect the rights, property, or safety of Maatrics, our users, or the public.

7. International Data Transfers

Personal data may be transferred to and processed in countries other than the country in which it was collected. For transfers from the EEA, UK, or Switzerland, we implement appropriate safeguards including Standard Contractual Clauses (SCCs), adequacy decisions, and other legally recognized transfer mechanisms.

8. Data Security

We implement appropriate technical measures including encryption of data in transit (TLS/HTTPS) and at rest, password hashing, token-based authentication, secure API endpoints, and rate limiting. Organizational measures include role-based access control, audit logging, read-only database access for analytics, and incident response procedures.

In the event of a personal data breach, we will notify affected parties and supervisory authorities within the timeframes mandated by applicable law.

9. Data Retention

Account data is retained for the duration of the active account plus a reasonable period after termination. Assessment data, recordings, and transcripts are retained as specified in agreements with Company Administrators. Biometric data is retained for the assessment period plus a reasonable period. Technical logs follow a rolling retention policy.

When data is deleted, it may initially be soft-deleted before permanent deletion occurs. Data required for legal compliance or dispute resolution may be retained beyond standard periods. Company Administrators may request data deletion upon subscription termination.

10. Your Rights

Under GDPR

You have the right to: access your personal data, rectify inaccurate data, request erasure ("right to be forgotten"), restrict processing, data portability, object to processing, withdraw consent, and not be subject to solely automated decisions producing legal effects.

Under CCPA/CPRA

California residents have the right to know, delete, correct, opt out of sale/sharing, and limit use of sensitive personal information. Maatrics does not sell personal information.

Biometric Data Rights

In jurisdictions with biometric privacy laws, we obtain informed consent before collection, do not sell biometric data, protect it with reasonable security measures, and destroy it when the purpose for collection is satisfied.

Exercising Your Rights

Candidates should contact the Company Administrator who invited them to the assessment. Direct users may contact us at [email protected]. We respond within the timeframe required by applicable law.

11. Automated Decision-Making and Profiling

The Platform uses automated processing, including AI-based profiling, to score competencies, evaluate language skills, detect security violations, and generate reports. AI-generated scores are intended as decision-support tools presented to Company Administrators for human review.

Company Administrators are responsible for making final hiring or evaluation decisions. Candidates have the right to request human review of automated decisions that significantly affect them.

12. Cookies and Tracking Technologies

We use essential session cookies for maintaining your authenticated session (HttpOnly, SameSite=Lax, 120-minute lifetime). API authentication uses Bearer tokens stored in local storage.

We do not use third-party advertising or marketing tracking cookies. We do not engage in cross-site tracking or behavioral advertising.

13. Children's Privacy

The Platform is not intended for individuals under 18. We do not knowingly collect personal information from children. If we become aware of such collection without appropriate consent, we will delete that information.

14. Changes to This Privacy Policy

We may update this policy to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated with at least 30 days' notice. Your continued use of the Platform after changes take effect constitutes acknowledgment of the updated policy.

15. Contact Information

For questions regarding this Privacy Policy or our data practices, please contact us at:

If you are located in the EEA, you have the right to lodge a complaint with your local data protection supervisory authority.