Privacy Policy

    Last updated: 3 July 2026

    This Privacy Policy explains how Datakaru OÜ, a private limited company registered in Estonia (registry code: 17103247, registered address: Väike-Patarei 1/4, Tallinn, Estonia) ("Datakaru", "we", "us", or "our"), collects, uses, and protects personal data in connection with the Datakaru platform, websites, and related services (together, the "Service").

    We are committed to processing personal data in accordance with applicable data protection laws, including the EU General Data Protection Regulation ("GDPR").

    This Policy applies to:

    • Visitors — anyone who browses our websites;
    • Customers and Authorised Users — organisations that register for the Service and the individuals (such as hiring managers, recruiters, and reviewers) who use it on their behalf; and
    • Candidates — individuals invited by a Customer to complete an assessment through the Service.

    If you have any questions, contact us at [email protected].

    1. Our role: controller or processor

    Our role under data protection law depends on the type of data:

    • Datakaru as controller. We act as the controller for personal data relating to website visitors, account registration, Authorised Users, billing, communications with us, and our own operation, security, and improvement of the Service. This Policy describes that processing.
    • Datakaru as processor. When a Customer invites Candidates and processes their personal data through the Service (including assessment content, submissions, and results), the Customer is the controller and Datakaru acts as the Customer's processor. That processing is governed by our Data Processing Agreement ("DPA") with the Customer. Section 8 of this Policy explains, for transparency, how Candidate data is handled within the Service.

    If you are a Candidate, the organisation that invited you to complete an assessment is primarily responsible for how your personal data is used in its hiring process. Please refer to that organisation's own privacy notice for information about its recruitment practices. For requests concerning your data in the Service, you may contact the organisation that invited you, or contact us and we will assist or refer your request to them.

    2. Personal data we collect

    2.1 Website visitors

    When you visit our websites, we collect:

    • Usage and device data — pages viewed, interactions (such as clicks on links and buttons), approximate location derived from IP address, browser and device type, referral source, and similar analytics data collected via cookies and similar technologies (see Section 5).
    • Contact data — if you contact us by email, we receive your email address, name, and the content of your message.

    2.2 Customers and Authorised Users

    When an account is created or the Service is used, we collect:

    • Account data — name, email address, organisation name, role within the account, and password (stored only in securely hashed form; we never store your password in plain text).
    • Billing data — subscription plan, billing history, and usage relevant to billing (such as candidate volumes). Payment card details are collected and processed directly by our payment processor; we do not store full card numbers.
    • Usage data — how you use the Service, such as features used, actions taken, sign-in times, and product analytics events (see Section 5), used to operate, secure, and improve the Service.
    • Communications — support requests, emails, and feedback you send us.
    • Transactional email data — we send service emails (such as account verification, password resets, invitations, assessment notifications, and subscription notices) that necessarily contain personal data such as names and email addresses.

    2.3 Candidates

    When a Customer invites you to complete an assessment, the following data is processed in the Service on the Customer's behalf:

    • Identification and contact data — your name and email address, as provided by the Customer, used to deliver the assessment invitation.
    • Assessment data — the code, queries, answers, and other material you submit; time taken; and assessment results and scores (including AI-assisted scores, see Section 6).
    • Assessment-integrity data — to help Customers protect the fairness of assessments, the assessment environment records certain in-assessment activity, such as copy-and-paste events and a log of actions taken within the assessment editor during the assessment session (see Section 7).
    • Technical data — standard technical information such as IP address, browser type, and session information needed to deliver the assessment securely.

    We do not ask Candidates for, and Customers should not request through the Service, any special categories of personal data (such as health data or data revealing racial or ethnic origin) except as strictly necessary and lawful for the assessment concerned.

    3. Purposes and legal bases

    Where we act as controller, we process personal data for the following purposes and on the following legal bases:

    PurposeLegal basis (GDPR)
    Providing the Service: accounts, authentication, core featuresPerformance of a contract (Art. 6(1)(b))
    Billing, subscriptions, and payment administrationPerformance of a contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) for tax and accounting records
    Transactional and service communicationsPerformance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) in keeping users informed about the Service
    Security, fraud prevention, and abuse detectionLegitimate interests (Art. 6(1)(f)) in protecting the Service, our users, and Candidates
    Product analytics and improving the ServiceLegitimate interests (Art. 6(1)(f)) in understanding and improving how the Service is used; consent (Art. 6(1)(a)) where required for non-essential cookies and similar technologies
    Website analyticsConsent (Art. 6(1)(a)) where required; otherwise legitimate interests (Art. 6(1)(f))
    Responding to enquiries and support requestsLegitimate interests (Art. 6(1)(f)); performance of a contract (Art. 6(1)(b))
    Compliance with legal obligations and legal claimsLegal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)) in establishing, exercising, or defending legal claims

    Where we act as processor for Candidate data, we process it only on the Customer's documented instructions and as set out in the DPA; the Customer is responsible for having a lawful basis for that processing.

    4. Automated decision-making

    The Service can generate automated scores, summaries, and suggestions for Candidate submissions using AI-based tools (see Section 6). These outputs are a decision-support aid only. Datakaru does not make hiring decisions about Candidates, and the Service is designed so that Customers review results and remain responsible for all evaluation and hiring decisions. Customers are contractually required not to rely on automated scoring as the sole basis for a hiring decision.

    5. Cookies, analytics, and similar technologies

    We use cookies and similar technologies (such as local storage and analytics scripts) on our websites and in the Service.

    5.1 Categories we use

    • Strictly necessary — required for the Service to function: authentication and session management, security, load balancing, and remembering essential settings. These do not require consent.
    • Analytics (websites) — our marketing website uses a web analytics service to measure page views and interactions (such as clicks on sign-up buttons, pricing views, and FAQ opens) so we can understand how visitors use the site and improve it.
    • Product analytics (application) — the application uses a product analytics service to understand how the Service is used (such as features used and actions taken). For signed-in Customer users, analytics may be linked to your account identity. Analytics data for the application is processed on servers located in the EU.
    • Session replay (application) — for signed-in Customer (administrative) users, we may record how the interface is used during a session (such as navigation, clicks, and interface interactions) to diagnose usability problems and improve the product. Sensitive inputs are handled in accordance with the tool's masking capabilities. Session replay is not used on Candidates during assessments; Candidate assessment activity is covered by Section 7 instead.

    5.2 Managing cookies

    Where consent is required for non-essential cookies or similar technologies, we will request it before they are set, and you can withdraw consent at any time. You can also control or delete cookies through your browser settings; blocking strictly necessary cookies may prevent parts of the Service from working.

    6. AI-assisted scoring

    To provide automated scoring, relevant parts of an assessment — such as the task description, instructions, and the Candidate's submitted code, queries, and outputs — are shared with a third-party AI model provider for analysis. We share only what is needed to score the submission; the scoring input is the assessment content itself, not the Candidate's contact details. AI-assisted scoring is performed on behalf of the Customer as part of the Service, and its outputs are returned to the Customer for human review (see Section 4).

    7. Assessment-integrity monitoring (Candidates)

    To help Customers run fair assessments, the assessment environment includes integrity measures. During an assessment session, the Service may record:

    • copy-and-paste events within the assessment environment; and
    • a log of actions taken within the assessment editor during the session.

    This monitoring operates only within the assessment environment during the assessment — it does not access your device, files, camera, or other applications. Integrity signals are made available to the Customer as a decision-support aid; they may produce false positives and are intended to be interpreted by a human reviewer.

    8. How we share personal data

    We do not sell personal data. We share personal data only as follows:

    • Service providers (sub-processors) — we use carefully selected third-party providers to operate the Service, limited to what is necessary for their function. These fall into the following categories:
      • hosting and infrastructure providers;
      • database and storage providers;
      • payment processors;
      • email delivery providers;
      • web and product analytics providers;
      • AI model providers (for automated scoring, see Section 6); and
      • application performance and error-monitoring providers.

      A current list of the sub-processors that process Candidate and Customer data is maintained under our DPA and is available on request at [email protected].

    • Within the Customer's account — assessment data and results are visible to the Customer's Authorised Users in accordance with the Customer's account settings.
    • Legal and safety — we may disclose personal data where required by law, to comply with legal process, or to protect the rights, safety, or property of Datakaru, our users, Candidates, or others.
    • Business transfers — if we are involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction, subject to appropriate confidentiality protections and this Policy.

    9. International transfers

    We are based in the European Union, and we aim to process personal data within the European Economic Area (EEA) where practicable. Some of our service providers may process personal data outside the EEA. Where personal data is transferred outside the EEA, we rely on appropriate safeguards under the GDPR, such as European Commission adequacy decisions or Standard Contractual Clauses, together with additional measures where appropriate. You may contact us at [email protected] for more information about the safeguards we use.

    10. Data retention

    We retain personal data only for as long as necessary for the purposes described in this Policy, and in particular:

    • Account and usage data — for the duration of the Customer's account and for a reasonable period afterwards, to handle post-termination matters and comply with legal obligations.
    • Candidate data — for as long as instructed by the Customer under the DPA. Customers can delete Candidate data through the Service, and Candidate data is deleted or returned in accordance with the DPA when the Customer's account ends.
    • Billing and accounting records — for the periods required by applicable tax and accounting law.
    • Communications and support records — for as long as needed to handle the matter and for a reasonable period afterwards.

    When personal data is no longer needed, we delete it or irreversibly anonymise it. We may retain aggregated and de-identified data that does not identify any individual.

    11. Security

    We apply appropriate technical and organisational measures to protect personal data, including encryption of data in transit, secure password hashing, access controls, and isolation of the environments in which Candidate code is executed. No system is completely secure; if we become aware of a personal data breach affecting you, we will act in accordance with applicable law, including notifying affected parties and supervisory authorities where required.

    12. Your rights

    Where the GDPR applies, you have the right to:

    • access the personal data we hold about you;
    • rectify inaccurate or incomplete personal data;
    • erase your personal data in certain circumstances;
    • restrict or object to processing in certain circumstances, including processing based on legitimate interests;
    • data portability — receive certain data in a structured, commonly used, machine-readable format;
    • withdraw consent at any time, where processing is based on consent (this does not affect processing before withdrawal); and
    • lodge a complaint with a supervisory authority — in Estonia, the Data Protection Inspectorate (Andmekaitse Inspektsioon, www.aki.ee) — or with the supervisory authority of your habitual residence or place of work.

    To exercise your rights, contact us at [email protected]. We may need to verify your identity before acting on a request.

    Candidates: where your request concerns data processed on behalf of the organisation that invited you (such as your submission or results), that organisation is the controller and is responsible for responding. We will assist and will forward your request to them where appropriate.

    13. Children

    The Service is intended for business use and for Candidates taking part in professional recruitment. It is not directed at children, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

    14. Changes to this Policy

    We may update this Privacy Policy from time to time. If we make material changes, we will provide reasonable notice (for example, by email or through the Service) before they take effect. The "Last updated" date at the top of this Policy shows when it was last revised.

    15. Contact us

    Datakaru OÜ
    Väike-Patarei 1/4
    Tallinn, Estonia, European Union
    Email: [email protected]