Privacy Policy - Candidates/Participants
Last updated: May 28, 2026
PRIVACY POLICY
VERSION FOR CANDIDATES/PARTICIPANTS
This Privacy Policy sets out the rules for processing your personal data in connection with the use of the Heroify platform. Our goal is to objectively assess your skills, cognitive abilities, and suitability for specific professional challenges.
1. Who manages your data?
As part of the competency assessment process, your data is processed by two entities performing different roles:
Data Controller (Heroify Client):
The entity (company/employer) that invited you to complete the assessment. This entity decides for what purpose your skills are being assessed (e.g., recruitment, promotion, training planning). The obligation to provide you with information pursuant to Articles 13 or 14 of the GDPR rests with the Controller and should be communicated to you directly by that company, for example in the invitation to the process.
Data Processor (Heroify):
Heroify sp. z o.o., with its registered office in Warsaw, ul. Padewska 23/7, 00-777 Warsaw, VAT ID: 5213930518, provides the technology and processes data on behalf of the Controller, acting solely in accordance with its instructions. Heroify does not make employment decisions and does not use candidates’ data for other recruitment purposes without their consent.
Independent Controller (Heroify) – for selected categories of data:
With regard to certain categories of data, Heroify acts as an independent data controller (Article 4(7) GDPR). This applies to:
- Your individual user profile, where you collect the history of all your results;
- Phone number – used for SMS code authentication and assessment integrity mechanisms;
- Behavioral and technical data (anti-cheating) – described in Section 2 below.
The legal basis for this processing is Heroify’s legitimate interest (Article 6(1)(f) GDPR), consisting in ensuring the reliability and security of the assessment process for all platform users.
Contact regarding data protection matters: gdpr@heroify.co
2. Scope and purpose of data processing
We collect data necessary for a reliable assessment of your professional potential:
Identification and contact data
First name, last name, and email address – necessary to create a test session and provide you with your results. Heroify processes this data on behalf of the Controller (the company that invited you).
Phone number
In recruitment processes, providing a phone number is required. This number is used to verify your identity via SMS code and ensure the integrity of the assessment process.
In employee assessment processes, the Controller (your employer) may disable the requirement to provide a phone number in the platform configuration. If the Controller has disabled this requirement, we will not ask you to provide your number.
Heroify processes the phone number as an independent data controller based on legitimate interest (Article 6(1)(f) GDPR).
Assessment results
We record your responses in tests and open-ended questions. Heroify processes this data on behalf of the Controller.
Integrity mechanisms (anti-cheating)
To ensure objectivity and equal opportunities for all assessed individuals, the system monitors certain activities during the test session in order to detect unfair practices. For this purpose, we process the following categories of technical and behavioral data:
- IP address,
- Device type and browser information,
- Time spent on individual questions,
- Start and end time of the test session,
- System events recorded in the browser window during the test session.
Detailed monitoring mechanisms are not publicly disclosed in order to prevent circumvention. Monitoring takes place only during an active test session. Heroify processes this data as an independent controller based on legitimate interest (Article 6(1)(f) GDPR).
Fairness Policy
Before starting the test, you will be asked to accept the Fairness Policy, which sets out the rules for completing tasks independently (prohibition on using AI tools, prohibition on assistance from third parties). Acceptance is a condition for participating in the assessment.
Feedback
Based on your results, we generate a report to help you understand your strengths and areas for development.
3. Legal basis
We process your data on the basis of:
- Legitimate interest of the Controller and Heroify (Article 6(1)(f) GDPR) – objective verification of professional competencies, ensuring process fairness, platform security, and integrity mechanisms (including SMS authentication and anti-cheating, for which Heroify acts as an independent controller).
- Necessity for the performance of a contract or taking steps prior to entering into a contract (Article 6(1)(b) GDPR) – in the case of participation in a recruitment process. Providing data is voluntary; however, it is necessary to participate in the assessment process – failure to provide the data prevents participation in the test.
- Compliance with a legal obligation (Article 6(1)(c) GDPR) – to the extent required by law.
4. Automated decision-making and profiling
The Heroify platform generates results and reports based on the answers provided in assessments. These results serve solely as support for the decision-making process – final decisions regarding employment, promotion, or other use of the results are always made by the Data Controller (employer or entity organizing the assessment).
Heroify does not make any automated decisions producing legal effects concerning you or similarly significantly affecting you within the meaning of Article 22 GDPR.
5. Data recipients
Your data may be shared with the following categories of recipients:
- The Controller (employer or entity organizing the assessment) – as the entity commissioning the assessment,
- Technical service providers (hosting, IT infrastructure, SMS services) – acting solely on our behalf under data processing agreements,
- Providers of analytical and security tools,
- Public authorities – only where required by law.
We do not sell your personal data to third parties.
6. Transfers of data outside the EEA
Your personal data is stored on servers located within the European Union. If we use tools provided by suppliers outside the EEA, we apply appropriate safeguards in accordance with Article 46 GDPR, in particular Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the supplier’s registration under the EU-US Data Privacy Framework (DPF). In this way, we ensure an adequate level of data protection.
7. Access to results
As a user, you have access to a dedicated panel where you can view the history of all your assessments completed on the Heroify platform. This allows you to track your own development independently of the organization that commissioned the assessment and constitutes the implementation of your right of access to data and right to data portability.
9. Data retention period
The retention period depends on the purpose of processing:
- Data related to the assessment (including results) – for the period resulting from the agreement with the Controller or until the recruitment purpose has been fulfilled, but no longer than 24 months after the end of the process, unless the Controller decides otherwise or legal provisions require a different period.
- User profile (history of results) – until the account is deleted or for one year after the last activity.
- Data processed to ensure test integrity (including phone number and anti-cheating data) – for the period necessary to resolve potential disputes regarding results, no longer than until the expiration of the limitation period for claims.
- Data processed on the basis of a legal obligation – for the periods required by law.
10. Your rights
Under the GDPR, you have the right to:
- Access your data and obtain a copy thereof (Article 15 GDPR),
- Rectify or complete your data (Article 16 GDPR),
- Erase your data – in specific cases (Article 17 GDPR),
- Restrict processing (Article 18 GDPR),
- Data portability – with regard to data processed on the basis of a contract or consent (Article 20 GDPR),
- Object to processing based on legitimate interest, including profiling and activity monitoring within integrity mechanisms – which may result in invalidation of the assessment results (Article 21 GDPR),
- Lodge a complaint with the supervisory authority – the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl).
Please note: With regard to data for which the company inviting you to the assessment is the controller, your requests should be sent directly to that company. Heroify will forward requests to the Controller if they are sent to us. With regard to data for which Heroify acts as an independent controller (user profile, phone number, anti-cheating data), requests should be sent directly to us at gdpr@heroify.co.
11. Contact
For matters relating to your personal data on the Heroify platform, please contact us:
Email: gdpr@heroify.co
Address: Heroify sp. z o.o., ul. Padewska 23/7, 00-777 Warsaw