Privacy Policy
How Protu Technology Limited collects, uses, stores, and protects your personal data when you use our platform and services.
Introduction
This Privacy Policy explains how Protu Technology Limited (“Protu”, “we”, “us”, “our”) collects, uses, stores, and protects personal data when you use our platform and services.
Protu is a behavioural intelligence platform that helps organisations understand how their teams work together. We’ve built privacy and security into our platform from day one, and this policy explains exactly how we handle data.
This policy covers:
- Workspace users (company owners, admins, hiring managers)
- Employees invited by their employer
- Candidates applying for roles
Contact us:
- Privacy support, questions or additional documentation: privacy@protu.io
- General support or business enquiries: support@protu.io
Definitions
| Term | Definition |
|---|---|
| Platform | The Protu web application and related services |
| Workspace | A company’s account on Protu |
| User | Anyone who accesses the Platform |
| Customer | A company that subscribes to Protu |
| Employee | An individual invited by their employer to complete an assessment |
| Candidate | An individual invited by a company to complete an assessment for hiring purposes |
| Assessment | The Protu behavioural assessment process |
| Insights | The behavioural profile generated from an assessment |
| Personal Data | Information that identifies or can identify an individual |
| Controller | The entity that determines the purposes and means of processing personal data |
| Processor | The entity that processes personal data on behalf of a Controller |
Our Role: Controller vs. Processor
Protu acts in different capacities depending on the data:
When Protu is the Controller
We are the Controller for:
- Account registration and workspace data
- Billing and payment information
- Platform usage and analytics
- Communications with us (support, marketing)
- Our own employee data
When Protu is the Processor
We are the Processor for:
- Assessment data uploaded or generated by Customers
- Employee and candidate personal data
- Team and role configurations
- Behavioural insights generated for Customers
What this means for you as a Customer: You remain the Controller for your employees’ and candidates’ assessment data. You decide how their data is used within your organisation. Protu processes this data on your behalf, according to your instructions and this policy. We provide tools to help you meet your own data protection obligations.
What We Collect
Account Data
| Category | Specific Data Points | How We Use It |
|---|---|---|
| Identity & Access | Name, email address | To grant and manage your access to the Protu platform |
| Workspace Setup | Company name, size, industry | To properly configure your Protu workspace and environment |
| Permissions & Role | Job title, assigned permissions | To control access levels and enforce security policies |
| Security & Authentication | Login history, active session details | To maintain account security and verify user authenticity |
Assessment Data
| Data Type | Description/Examples | Use Case |
|---|---|---|
| Assessment Responses | The specific answers provided to assessment questions | Used to generate and derive meaningful insights |
| Assessment Status | Details on progress and completion, including relevant timestamps | Used to track progress through the assessment |
| Behavioural Markers | Identified markers, sub-markers, and resulting user profiles | Essential for providing the core service |
How we handle assessment responses:
- Responses are stored securely and used to generate behavioural insights
- Companies see insights (the behavioural profile), not individual answers
- Responses may be used in anonymised form for model improvement (you can opt out; see Section 6)
- Our support team may access responses to investigate reported issues
Usage Data
| Category | Data Examples | How We Use It |
|---|---|---|
| Service Activity | Pages viewed, features utilised | Improving the service and user experience |
| Technical Details | Browser type, device information, IP address | Maintaining security and troubleshooting technical issues |
| Platform Performance | Loading times, error reports | Ensuring the reliability and stability of our platform |
Payment Data
We collect the following payment-related data:
- Billing Contact: Used for invoice delivery, this includes your name and email address
- Payment Method: Processed via Stripe (details below) to facilitate transactions
- Transaction History: Maintained for billing records, including copies of invoices and receipts
We never store full credit card details. All payments are processed by Stripe. See: Stripe’s Privacy Policy.
How We Use Your Data
Delivering the service:
- Legal Basis (GDPR): Contract (Art. 6(1)(b))
- Data Involved: Account, assessment, and usage data
Processing transactions:
- Legal Basis (GDPR): Contract (Art. 6(1)(b))
- Data Involved: Billing and payment information
Sending essential service notifications:
- Legal Basis (GDPR): Contract (Art. 6(1)(b))
- Data Involved: Contact information
Preventing security issues and fraud:
- Legal Basis (GDPR): Legitimate interest (Art. 6(1)(f))
- Data Involved: Technical and usage data
Improving the platform:
- Legal Basis (GDPR): Legitimate interest (Art. 6(1)(f))
- Data Involved: Usage and performance metrics
Meeting statutory and regulatory requirements:
- Legal Basis (GDPR): Legal obligation (Art. 6(1)(c))
- Data Involved: Data as mandated by law
Promotional communications (when permission is given):
- Legal Basis (GDPR): Consent (Art. 6(1)(a))
- Data Involved: Contact information
What We Don’t Do
- We never sell your personal data
- We never use your data for advertising
- We never share insights with third parties for their own purposes
- We never use your assessment data to train AI models without consent
AI and Automated Processing
Protu uses proprietary behavioural models to generate insights from assessment responses. Here’s how it works:
How Insights Are Generated
- Your assessment responses are processed by our behavioural models
- Models are based on 80+ validated psychological and organisational frameworks
- Insights describe workplace behaviour tendencies, not personality traits
- Results are presented as profiles with multiple dimensions, not single scores
No Automated Decisions
Protu provides insights, not decisions. We comply with GDPR Article 22:
- No automated decisions with legal or significant effects
- All hiring decisions are made by humans using insights as one input
- You will never be automatically rejected or ranked by Protu
- Insights inform; humans decide
Human Oversight
- Expert review of model updates before deployment
- Quality assurance on edge cases
- Manual investigation of user-reported inaccuracies
- Regular audits of system outputs
Model Training
- We do not use your individual, identifiable data to train models
- Aggregate, anonymised patterns may inform model improvement
- No demographic data is used in scoring
- No external data scraping
Opt-out: You can opt out of anonymised data being used for model improvement in your workspace settings. This does not affect your access to insights or platform features.
Data Sharing & Sub-Processors
We share personal data only as necessary to provide our services:
Sub-Processors
We use the following third-party providers to help us deliver our services. These sub-processors have access to data for the specific purposes listed and adhere to robust data protection safeguards:
| Provider | Purpose of Processing | Data Location | Data Protection Safeguards |
|---|---|---|---|
| DigitalOcean | Cloud hosting and database infrastructure | EU (Netherlands/Germany) | Data Processing Addendum (DPA), ISO 27001 Certification |
| Mailgun | Sending transactional emails (e.g., password resets, notifications) | EU | Data Processing Addendum (DPA), Standard Contractual Clauses (SCCs) |
| Sentry | Monitoring application performance and logging errors | US | Data Processing Addendum (DPA), Standard Contractual Clauses (SCCs) |
| Stripe | Processing customer payments and managing subscriptions | US | PCI-DSS Compliance, Standard Contractual Clauses (SCCs) |
Other Sharing
We may share data:
- With your employer: They see insights (not raw responses) for their employees and candidates
- With service providers: As listed above, under contract
- For legal compliance: When required by law, court order, or regulatory authority
- In business transfers: If Protu is acquired (with notice to you)
Sub-Processor Changes
We provide 30 days’ notice before adding new sub-processors. Customers may object to changes that materially affect data protection.
Data Processing Agreement
Enterprise customers can request a Data Processing Agreement (DPA) that formalises our obligations as a Processor. Contact support@protu.io to request a DPA.
International Transfers
Your data may be transferred outside the UK/EU. We ensure adequate protection through:
- Standard Contractual Clauses (SCCs): EU-approved contract terms
- Adequacy decisions: Where the destination country has adequate protections
- Additional safeguards: Technical and organisational measures as required
All our sub-processors have appropriate data transfer mechanisms in place.
Data Security
Encryption
Protu ensures robust data protection through multiple layers of encryption:
- Data at Rest: All stored data is secured using AES-256 encryption
- Data in Transit: All connections use TLS 1.3 (HTTPS) for secure transmission
- Backups: Data backups are encrypted using unique, separate encryption keys
Access Controls
- Role-based permissions (Owner, Admin, Employee, Candidate)
- Employees and candidates see only their own data
- Magic links with time-limited access:
  - Candidates: 30 days (for assessment completion)
  - Employees: 72 hours (shorter for ongoing security)
- Two-factor authentication available for workspace users (email-based verification codes)
Session Management
- Sessions expire after 2 hours of inactivity
- Users can log out of all devices
- Session data (tokens, activity) retained for 90 days
- Session management for workspace ‘Owners’
Infrastructure
- Secure cloud hosting (DigitalOcean EU)
- Network isolation and firewall protection
- Automated daily backups with geographic distribution
- Error monitoring via Sentry
- Incident response within 24 hours
Audit Logging
We maintain logs of:
- User logins and logouts
- Authentication events (including failed attempts)
- Administrative actions
- Data access and modification events
Support Access
In limited circumstances, authorised Protu support personnel may access user accounts for troubleshooting purposes. This access:
- Is restricted to trained support staff
- Is logged and auditable
- Is governed by contractual and internal policy controls
- Is used only when necessary to investigate reported issues or provide support
Data viewed during support access is not anonymised, as the purpose is to resolve user-specific issues. We minimise access to what is necessary for the support task.
Breach Notification
In the event of a personal data breach that poses a risk to individuals’ rights:
- We notify affected Customers within 72 hours of becoming aware
- We provide details of the breach, data affected, and remediation steps
- We cooperate with Customers’ own notification obligations to supervisory authorities and individuals
Data Retention
While Your Account is Active
| Data Category | Retention Period |
|---|---|
| Account Information | Retained as long as the account remains active |
| Workspace Data (Assessment data, Behavioural insights, Team configurations) | Retained for the duration that the associated workspace is active |
Individual deletion requests: Employees and candidates can request deletion of their personal data at any time, regardless of whether the workspace remains active. See Section 11 for how to exercise this right.
Specific Retention Periods
| Data Category | Retention Duration |
|---|---|
| Session information | 90 days |
| Email logs | 90 days (Failed deliveries are kept for 1 year) |
| Magic link access tokens | Token expiry period plus an additional 30 days |
| Backup data | Up to 180 days, until the next scheduled backup rotation |
| Recently deleted data | 30 days before being permanently removed |
After Deletion or Account Closure
- Immediate: Access revoked
- 30 days: Data retained for recovery
- After 30 days: Permanent deletion from production
- Up to 180 days: Purged from backup systems
We retain billing records for 7 years as required by UK tax law.
Your Rights (GDPR)
If you’re in the UK, EU/EEA, or your data is processed under GDPR, you have these rights:
| Right | Description |
|---|---|
| Right of Access | You can ask for a copy of the personal data we hold about you |
| Right to Rectification | You have the right to get your personal data corrected if it is inaccurate or incomplete |
| Right to Erasure | You may request the deletion or removal of your personal data |
| Right to Data Portability | You can request to receive your personal data in a structured, commonly used, and machine-readable format |
| Right to Restriction of Processing | You have the right to limit how we process your personal data under certain conditions |
| Right to Object | You can object to the processing of your personal data when it is based on our legitimate interests |
| Right to Withdraw Consent | Where our legal basis for processing is your consent, you can remove that consent at any time |
Automated Decision-Making
Protu does not make automated decisions with legal or significant effects. Our insights inform human decision-makers.
How to Exercise Your Rights
For employees and candidates:
- Contact your employer first, as they are the Controller for your assessment data
- If your employer doesn’t respond within 14 days, or you’re unable to reach them, contact our support team at support@protu.io, and we’ll assist you directly
For workspace users: Contact privacy@protu.io with:
- Your name and email
- Your company name
- What you’re requesting
- Any relevant details
Response Time
We respond within 30 days. Complex requests may take longer, and we will let you know.
Cookies
We use cookies to make Protu work properly:
Essential Cookies
- Session authentication
- Security tokens
- User preferences
These cannot be disabled. They’re required for the platform to function.
Analytics Cookies
- Anonymised usage patterns
- Performance monitoring
- Error tracking (via Sentry)
We use these to improve the platform. They do not identify individuals.
What We Don’t Use
- No third-party advertising cookies
- No cross-site tracking
- No social media pixels
Managing Cookies
To opt out of analytics cookies, contact support@protu.io. Essential cookies cannot be disabled as they’re required for the platform to function.
Children’s Privacy
Protu is not intended for anyone under 16 years of age. We do not knowingly collect personal data from children.
If we discover that a user is under 18, we will:
- Terminate their account
- Delete their personal data
- Notify the relevant Customer
If you believe a child has provided data to us, contact privacy@protu.io.
Changes to This Policy
We may update this Privacy Policy from time to time.
Material Changes
For significant changes affecting your rights:
- Email notification at least 30 days before the change
- Clear explanation of what’s changing
- Prominent notice in the Platform
Non-Material Changes
For minor updates:
- Posted on our website
- Version history updated and time-stamped
By continuing to use Protu after changes take effect, you agree to the updated policy.
Regional Supplements
California (CCPA/CPRA)
If you’re a California resident, you have additional rights:
Categories of personal information we collect:
- Identifiers (name, email, IP address)
- Commercial information (billing records)
- Internet activity (usage data)
- Professional information (job title, company)
- Inferences (behavioural insights)
Your rights:
- Know what personal information we collect
- Delete your personal information
- Opt-out of sale (we don’t sell personal information)
- Non-discrimination for exercising rights
We do not sell personal information. To exercise your rights, contact privacy@protu.io or use the methods in Section 11.
UK and EU/EEA
Supervisory Authority: You have the right to lodge a complaint with your local data protection authority:
UK: Information Commissioner’s Office (ICO)
- Website: https://ico.org.uk
- Helpline: 0303 123 1113
EU: Your local Data Protection Authority
Contact
For privacy-related matters: privacy@protu.io
For support or general enquiries: support@protu.io