Privacy & Data Protection

Your data is protected

criter takes the security and confidentiality of every candidate's data seriously. This page explains exactly what we collect, how we lawfully process it, the technical and organisational measures we use to protect it, and the rights you hold over it.

1. Data Controller

For the purposes of applicable data-protection law, GROW.AI operates the criter platform and acts as the data controller in relation to information collected from candidates and administrators.

For all privacy enquiries, deletion requests, and complaints, contact us at grow-ai@outlook.com.

2. Information we collect

We collect only the information necessary to deliver the assessment service:

  • Account data — name, email address, and a salted scrypt hash of your password. Plain-text passwords are never stored, transmitted in clear, or accessible to any operator.
  • Curriculum vitae — the document you upload. Used to personalise interview questions and to validate self-reported credentials.
  • Identity verification data — a photograph of your government-issued identity document and a short live selfie sequence used solely to confirm the person taking the assessment matches the registered account holder.
  • Assessment recordings — the audio and video of the interview, and a recording of the shared screen, captured strictly during the active assessment window.
  • Integrity signals — browser-level events (e.g., tab visibility changes, focus loss, device fingerprint) that support fair-assessment review.
  • Operational logs — standard server access logs (IP address, timestamp, request path, status code) retained for security monitoring and abuse prevention.

3. Lawful basis for processing

We process the categories above on the following lawful bases:

  • Contract — processing your account data, CV, and assessment results is necessary to deliver the service you requested.
  • Explicit consent — we capture identity-verification photographs and assessment recordings only after you have given informed, specific consent at the start of each session. You may withdraw consent at any time, in which case the recording will not proceed.
  • Legitimate interest — fraud prevention, integrity monitoring, and platform security, balanced against your reasonable expectations.

4. How your data is protected

We apply technical and organisational safeguards in line with recognised industry standards.

Encryption

  • In transit — all traffic between your browser and our servers is protected by TLS 1.2 or above with modern cipher suites and HTTP Strict Transport Security.
  • Credentials — passwords are hashed with scrypt using per-user salts. Even our own engineers cannot recover your password.
  • Session integrity — authentication cookies are HMAC-SHA-256-signed, marked HttpOnly and Secure, and bound to a short, finite expiry.

Access control

  • Candidate data is accessible only to the candidate themselves and to the administrators of the institution that invited the candidate.
  • Operator access to production systems is limited to a small number of authorised engineers, requires SSH key authentication, and is logged.
  • Administrative endpoints are gated behind an authenticated, short-lived signed cookie, never a static API key embedded in client code.

Storage and isolation

  • All assessment data is held on infrastructure operated solely for the criter service. We do not co-locate candidate data with unrelated tenants.
  • The application server is reachable from the public internet only via a hardened reverse proxy on the TLS-terminated port (443). Internal services are not exposed.
  • Backups, where taken, are stored under the same access controls as the primary data.

5. Sub-processors

To deliver the service, we engage carefully vetted external AI sub-processors for tasks such as document parsing, identity verification, the live interview dialogue, and scorecard grading. All such processors operate under contractual commitments that:

  • prohibit the use of submitted data to train any provider model;
  • require the data to be processed only for the purpose for which it was sent;
  • require equivalent or stronger security measures than those we apply ourselves.

We do not sell, rent, or otherwise share your data with advertisers, data brokers, or any party outside our sub-processor list. The list is reviewed before any addition or replacement and the current list is available on request.

6. International transfers

Where data is processed outside the jurisdiction in which it was collected, transfers are made under the contractual safeguards put in place by the receiving processor and are limited to the data strictly required to fulfil the request.

7. Retention

We hold data only as long as necessary for the purposes described above:

  • Assessment records (transcript, scorecard, recording, integrity signals) are retained for the duration of the admissions cycle of the inviting institution and are deleted on request thereafter.
  • Account data is retained while your account is active and removed within 30 days of account closure.
  • Identity-verification images are retained only for as long as is necessary to support a verification challenge and may be deleted on request once the assessment has concluded.
  • Operational logs are rotated and removed under a fixed schedule consistent with security-monitoring needs.

8. Your rights

You have the right to:

  • Access — obtain a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request that we delete your data, subject to overriding legal-retention obligations.
  • Restriction — ask us to limit how we process your data while a query is resolved.
  • Portability — receive your data in a structured, machine-readable format.
  • Withdraw consent — at any time, where processing is based on consent.
  • Complain — to the appropriate data-protection authority in your jurisdiction.

To exercise any of these rights, email grow-ai@outlook.com. We will acknowledge requests within 7 calendar days and substantively respond within 30 days.

9. Breach notification

In the unlikely event of a security incident affecting your personal data, we will notify affected users without undue delay, describe the nature of the incident and the data categories involved, set out the steps we have taken to contain and remediate the issue, and provide guidance on any protective action you may wish to take. Where required by law, we will also notify the relevant supervisory authority within the statutory timeframe.

10. Children

criter is intended for prospective university applicants and is not directed at children under the age of 16. We do not knowingly collect data from individuals below this age. If we become aware that such data has been collected, we will delete it promptly.

11. Changes to this notice

We will update this notice whenever the underlying practices change. The effective date below is updated on every revision. Material changes will be highlighted on the home page and communicated to active users by email.

12. Contact

For any privacy-related question, request, or complaint:

GROW.AI — Data Protection
grow-ai@outlook.com