As a leading provider of assessment systems, the privacy and security of individuals whose personal data we process is critical to us. This Global Privacy Notice ("notice") explains how we manage and protect your personal data ("data") when you:
visit our website (a Visitor),
use our assessment platform services as a representative of a school to which we provide services (a School User), or
use our services as a student or parent of a school which uses our services (a Service User).
If you are a Service User, for the majority of personal data we process about you, we act as a processor on behalf of your school (the controller) and process data only as directed by them. We recommend reviewing your school’s privacy notice to understand how your school manages your personal data.
This notice tells you who we are, what data we collect, how we use it, with whom we share it, and your rights. To learn more about our approach to EU privacy compliance, see Appendix A – GDPR Information below.
1. Who are we?
AssessPrep ("AssessPrep", "we", "us") is part of Codeyug Web Services Pvt. Ltd. AssessPrep is the next-generation assessment platform for leading international schools. Founded in 2016, we serve schools in 37 countries, providing a platform for all their assessment needs. We are responsible for managing your data in connection with our services.
Details of how to contact us can be found in Section 8 – Who should you contact with questions?
2. What data do we collect about you?
We use different types of data for purposes connected with the management of our website and the delivery of our assessment platform services. If you are a ManageBac school, certain information is synced to AssessPrep during setup.
Visitor
We may collect and process the following information to provide and improve our website and to communicate with you:
(i) We will collect and process the information you provide to us if you register for a demonstration, trial account, blog or webinar, which includes your name, email address, phone number, school name, information regarding the curriculums your school offers, details about your position at the school (e.g., subjects you teach or tenure), and other information collected to provide the website or services. We will also process your name and email address to send you email messages about our newsletters, product updates and other marketing materials. We will only send you such email messages as permitted under applicable law and in line with your marketing preferences, which you can update at any time as described below.
(ii) We will collect information through cookies, including analytics information about your use of our website and information about your device, internet connection, browser, location, page and search terms used, etc. Learn more about how we use cookies and similar technologies in our cookies policy.
(iii) Information in any job application which you submit to us. We will collect and process any personal data you provide in your CV / resume and cover letter.
(iv) Responses to surveys you choose to take.
(v) Your e‑mail address for electronic marketing (e.g., newsletters and updates), where you have consented.
(vi) Details of your interactions with us when you contact us via our online customer support, telephone, or e‑mail.
School users
(i) Information necessary to provide our services to your school (e.g., but not limited to, name, school affiliation, role and permissions within the platform, work contact details), details about your position at the school (e.g., subjects you teach or how long you have worked at the school) and e-mail address used during our registration process in order to communicate with you in relation to the provision of learning platform services to your school.
(ii) If your school uses ManageBac, information may be synced to AssessPrep during setup as directed by your school.
Service users (students and parents)
We may collect and process the following information:
(i) Information captured in your student account, provided by you or your parents, including your name, e‑mail address, nationality, date and place of birth, gender, language, national ID, and parents’ names and contact details. We may use this information to conduct statistical analyses for our own reporting.
(ii) Survey responses or feedback we request in relation to future product developments and educational plans.
(iii) Details of your interactions with us when you contact us via our online customer support, telephone, or e‑mail.
Special category data: We do not process special category data (e.g., information on race or ethnicity) for our own purposes. Your school may request such information and instruct us to process it on their behalf; we do not use it for any other purpose.
3. For what purposes do we use data about you, and on what legal basis?
Throughout your use of our website and/or our provision of services to you or a school, we use data about you for various purposes.
The purposes for which we use data about you, with corresponding legal basis for use, are set out below:
Visitors

School users

Service users

In some instances, we may use personal data in ways not described above. Where this is the case, we will provide a supplemental privacy notice explaining such use and, where required, seek your consent. You should read any supplemental notice together with this notice.
4. Who do we share your data with, and for what purposes?
We may share data about you as follows:
(i) Service providers: With trusted third‑party providers (e.g., IT hosting, customer support) who process data on our behalf under contract and subject to appropriate safeguards.
(ii) Legal and regulatory: With regulators, government departments, law enforcement, or other officials where required or permitted by law, or in response to a lawful request.
(iii) Safety and security: Where we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity.
(iv) Corporate transactions: In the context of organizational restructuring (e.g., merger, acquisition, or sale of assets), subject to applicable law.
If you would like to learn more about the parties with which we share data, please contact us using the details in Section 8.
5. How do we protect your data?
We implement appropriate technical and organizational measures to protect personal data from unauthorized disclosure, use, alteration, or destruction. Our standard protocols include:
(i) Application security: Traffic encryption, strongly hashed passwords, safeguards against vulnerabilities such as cross‑site scripting, SQL injection, phishing, and others.
(ii) Network security: Firewalls and systems to detect suspicious behavior and to stop malicious attempts to gain access or to compromise service resilience (e.g., DDoS attacks).
(iii) Organizational security: Access policies, audit logs, and confidentiality agreements.
(iv) Physical security: Preventing unauthorized access to infrastructure processing personal data.
(v) Procedural security: IT management processes to minimize the risk of human error; testing regimes to identify software weaknesses before release; and policies to ensure data is processed only on instruction from our customers.
6. How long will data about you be kept?
Retention periods depend on the purposes for which data was collected, whether you have requested deletion, and any applicable legal obligations (e.g., for regulatory compliance). We will not retain data longer than necessary to fulfill the purposes for which it was collected.
7. What rights do you have over your data?
Depending on your place of residence and applicable law, you may have some or all of the following rights regarding personal data we hold about you:
(i) Access – request access and receive a copy of your data.
(ii) Rectification – request that we correct or update inaccurate or incomplete data.
(iii) Erasure – request deletion of your data in certain circumstances.
(iv) Restriction – request that we restrict processing in certain circumstances.
(v) Objection – object to processing in certain circumstances (including profiling).
(vi) Withdrawal of consent – where processing is based on consent, withdraw that consent at any time.
(vii) Data portability – request a copy of your data in a structured, commonly‑used, machine‑readable format, in certain circumstances.
(viii) Direct marketing opt‑out – opt out of electronic direct marketing, in whole or in part. We will always honor such requests.
(ix) Complaint – lodge a complaint with the supervisory authority in your country (if applicable).
You can exercise these rights, or learn more about them, by contacting us using the details in Section 8. We may need to confirm your identity before acting on your request (e.g., by asking you to provide identification documents).
8. Who should you contact with questions?
If you have any questions or wish to exercise your rights, please contact our Data Protection Officer (DPO):
Abhimanyu Jhajharia
E‑mail: info@assessprep.com
If your country has a supervisory authority, you have a right to contact it with questions or concerns. If we cannot resolve your concerns, you also have the right to seek judicial remedy before a national court.
9. Changes to this notice
We may update this notice (and any supplemental privacy notice) from time to time. Where required by law, we will notify you of material changes.
Last modified: September 4, 2025
Appendix A – General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) was approved by the European Union in April 2016 and has been in effect since May 25, 2018. It is a comprehensive data protection law that updates, extends, and harmonizes data protection legislation across the EU/EEA.
Who is subject to GDPR?
Individuals, organizations, and companies that control or process personal data of individuals in the EU/EEA are subject to GDPR. In broad terms, there are three different actors:
(i) Data subjects (e.g., students, families, school employees)
(ii) Data controllers (e.g., the school)
(iii) Data processors (e.g., systems like AssessPrep)
As a data processor, we do not decide the purpose or lawfulness of the data we process and store. We act on our customers’ instructions. As data controllers, schools remain responsible for documenting and deciding how data enters our systems. GDPR imposes obligations on processors as well; we comply with these requirements for all of our services, including AssessPrep and integration partners.
How is GDPR different from prior data protection laws?
Key areas of difference include increased accountability for companies, greater access to personal data for individuals, and higher penalties for non‑compliance.
GDPR explicitly sets out key rights of data subjects:
(i) Right to be informed
(ii) Right of rectification
(iii) Right of erasure
(iv) Right to restrict processing
(v) Right to data portability
(vi) Right to object
(vii) Right of access
These rights form the framework for interactions between the data subject, controller, and processor. While the controller (school) remains responsible for respecting these rights, the processor (us) may assist in accomplishing these tasks.
Penalties for non‑compliance can be significant. A school found in violation of GDPR may be assessed fines of up to 4% of total annual revenue. The Information Commissioner’s Office (ICO) and other EU supervisory authorities enforce GDPR and possess broad powers to do so.
What kind of data is covered, and what may schools collect?
All personal data concerning an identifiable individual is covered by GDPR. Even if personal data has been encrypted, pseudonymized, or anonymized, it may still fall under GDPR if it can be used to identify an individual.
Examples of personal data that our schools collect and store include:
(i) Names
(ii) Addresses
(iii) E‑mail addresses
(iv) Phone numbers
(v) ID numbers (passport, national ID, SSN)
Lawful bases for processing under GDPR include:
(i) Consent
(ii) Contract
(iii) Legal obligation
(iv) Vital interests
(v) Public task
(vi) Legitimate interests
Most schools rely on legal obligations as educational institutions or on legitimate interests. Most bases require that processing be necessary for the stated purpose.
Is AssessPrep GDPR‑compliant?
We have been GDPR‑compliant since May 25, 2018. We maintain robust organizational and technical security measures. AssessPrep was designed with personal data protection in mind, and we are committed to offering schools, students, and parents a high level of security.
As part of our commitment to GDPR, AssessPrep will:
(i) Ensure organizational and technical security for all services.
(ii) Assist with documentation to demonstrate compliance and keep users informed.
(iii) Provide contract addenda that comply with GDPR requirements for Data Processing Agreements (DPAs).
(iv) Offer support when your users exercise their data subject rights.
I have heard that AssessPrep is not secure enough under GDPR! Is this true?
(i) GDPR does not specify precise security requirements for cloud-based services.
(ii) As a data processor, we have a shared responsibility with our schools (controllers) to provide appropriate organisational and technical security, and be able to demonstrate it.
(iii) GDPR strengthens the liabilities and penalties for companies that are unable to demonstrate those security protocols.
(iv) For over a decade, AssessPrep has successfully protected data from millions of users. We continue to invest in organisational security, network and infrastructure security, and application security to ensure we can offer world-class security beyond standard requirements. We regularly allow third parties to audit our security measures, and we invite customers to perform their own audits.
We continue to invest in organizational, network, infrastructure, and application security. While we avoid publishing sensitive implementation details, our standard protocols include:
(i) Application security: Traffic encryption, strongly hashed passwords, and safeguards against vulnerabilities such as cross‑site scripting, SQL injection, phishing, and others.
(ii) Network security: Firewalls and systems to detect suspicious behavior and to stop malicious attempts to gain access or to compromise service resilience (e.g., DDoS attacks).
(iii) Organizational security: Access policies, audit logs, and confidentiality agreements.
(iv) Physical security: Preventing unauthorized access to infrastructure processing personal data.
(v) Procedural security: IT management processes to minimize human error; testing regimes to identify software weaknesses before release; and policies to ensure data is processed only on customer instruction.
How does AssessPrep obtain personal data about users, and how is it used?
User data enters our platforms in three ways:
(i) Directly by users.
(ii) By representatives authorized by users (e.g., a school technology director uploads data to our platform).
(iii) Via an integration with a third‑party system.
Data typically enters our systems via student information systems independently maintained and controlled by our customer schools. We import data from third‑party systems only under direct instruction from our customers.
We use personal data under our protection only when we receive direct instructions from the customer school. The data stored on our systems belongs to our customers, and only a limited number of AssessPrep staff have access to personal data under strict confidentiality and security. We process personal data independently only if it is vital to the integrity or security of the service, or to analyze or evaluate service quality.
Can users request data deletion under the “right to be forgotten”?
A data deletion request is generally valid only if the lawful basis for the processing is consent, or if the original purpose is no longer valid. We recommend that schools implement clear processes for evaluating such requests. Our DPO can assist with advice in complex cases. If a data subject is granted the right to deletion, AssessPrep will, either through our software or support services, help execute these rights and confirm deletion.
When does AssessPrep delete personal data?
AssessPrep deletes personal data when instructed by our customers, or if the contract between us and the customer is terminated. Procedures around deletion upon termination should be provided in writing or in a Data Processing Agreement. An instruction to delete a user can be performed in‑platform by a customer representative or upon request to our support team. Safeguards are in place to prevent errors leading to irreplaceable loss of data; in many cases customers must manually confirm deletion.
Can a user contact AssessPrep directly to exercise GDPR rights?
Under GDPR, data subject rights are exercised between the data subject and the controller (our customer). Any data subject requests received by AssessPrep will be forwarded to the customer. We will cooperate in good faith with customers to ensure rights can be exercised promptly.
Will AssessPrep notify users if a data breach has occurred?
(i) Depending on the nature of the data breach, our customers might be required to promptly notify both the users affected and the supervising authorities.
(ii) AssessPrep is required to notify its customers when becoming aware of a data breach, and to help them in fulfilling obligations in notifying users.
Do I require a cloud service provider to only host personal data in my country?
(i) One of the GDPR’s primary objectives is the free flow of personal data inside the European Economic Area (EEA), under one common regulation.
(ii) In most cases, restricting vendors in processing data across the EEA would not be permitted under GDPR.
Does AssessPrep process data outside the EEA? Is it allowed to process data outside the EEA?
(i) GDPR does not forbid personal data to flow outside the EEA, but expects that any data processing outside the EEA is done following the same principles.
(ii) Controllers or processors that process data outside the EEA must provide detailed information about the nature of the processing. In some cases, they must also allow customers or users to object to the processing.
(iii) The European Commission has recognized Canada as a jurisdiction with ‘adequate’ data protection.
Does GDPR impact customers outside the EU?
Not legally. GDPR applies to the processing of personal data of individuals in the EU/EEA. However, we generally offer the same services and the same level of personal data security to all customers, regardless of location.
Who do I contact with further questions?
For general questions related to AssessPrep, contact support@assessprep.com.
For GDPR‑specific questions from customers, contact our DPO, Abhimanyu Jhajharia, at info@assessprep.com.
(Please note: communications with our DPO should be in English.)