Privacy Policy

This Privacy Policy ("Policy") explains how Praxicraft ("Praxicraft", "we", "us", or "our") collects, uses, stores, discloses, and otherwise processes personal information when you visit our websites, use our applications, APIs, or related services (collectively, the "Services").

We are committed to transparency and to handling personal information in accordance with applicable data protection and privacy laws. The laws that apply to you may depend on where you live and how you use the Services.

Please read this Policy carefully. If you do not agree with this Policy, you should not access or use the Services. For contractual terms governing your use of the Services, please also review our Terms of Service.

There are several ways you may use the Services. Depending on how you use them, we may collect and process your information when you are a:

• Visitor to our public marketing websites or documentation;
• Community Member — an individual who registers for and uses the Praxicraft career simulation platform in your own capacity, including practising tasks, earning XP, and progressing through curriculum;
• User — an individual who accesses the Services through an organisation that has authorised your access (for example, as an organisation administrator or member);
• Candidate — an individual invited by an organisation to complete a technical assessment through Praxicraft Assess.

The data we collect and how we use it depends on how you use the Services. Where an organisation uses Assess to evaluate candidates, that organisation may act as a controller or joint controller for certain processing activities, as described in sections below.

We collect and process your personal information in the following ways:

2.1. Automatically. We collect certain information automatically when you use the Services. This may include technical information about your device and browser, pages or features you access, actions you take, session identifiers, and diagnostic data needed to operate and secure the Services.

2.2. Provided by you. We collect information you provide when you register for an account, sign in, complete tasks or assessments, submit code or written answers, configure your profile, contact support, or otherwise interact with the Services.

2.3. Provided by organisations. If you are a User or Candidate, we may receive information that an organisation provides to us when it invites you to use the Services or assigns you an assessment. You may contact the respective organisation for more information about the data it provides to us.

2.4. Received from third parties. We may receive information from third parties that help us provide the Services, including authentication providers (when you use social login), payment processors (Stripe), and infrastructure or communication providers.

The types of personal information we collect and process depend on which Services you use and how you use them.

3.1. Data we automatically collect. Praxicraft may automatically collect IP address, browser type and version, device and operating system information, approximate location derived from IP, pages visited, features used, session timestamps, and log data generated by your use of the Services. We may use cookies and similar technologies as described in section 7.

3.2. Data you provide to us. Depending on how you use the Services, we may collect:

• Account and identity information

  Name, username, email address, password hash, profile details you choose to provide, organisation membership and role, and authentication identifiers received from third-party sign-in providers when you use social login (Google or GitHub).

• Security and authentication data

  Session identifiers, two-factor authentication (TOTP) configuration where enabled, login timestamps, and records of security-sensitive account actions.

• Career simulation and progress data

  Rank, experience points (XP), streaks, badges, fictional workplace attributes generated by the platform, curriculum and task completion history, and related gameplay metadata.

• Submissions and technical artefacts

  Source code, queries, written answers, file attachments, command-line activity, execution outputs, timing metadata, and automated evaluation results associated with practice tasks or assessments.

• Assess and candidate evaluation data

  Candidate name and contact details supplied by an inviting organisation, secure invitation tokens, assessment configuration, session start and end times, scores, reviewer notes entered by the organisation, and proctoring-related signals where enabled by the organisation (such as fullscreen exit counts and copy/paste attempt counts).

• Billing and commercial information

  Organisation name, billing contact details, subscription plan, usage counters, invoice references, and payment-related identifiers processed by Stripe. We do not store full payment card numbers on our servers.

• Communications

  Messages you send to us, support correspondence, notification preferences, and email delivery metadata.

We do not intentionally collect special categories of personal data (such as health information or biometric data for identification) unless you voluntarily include such information in free-text fields. Please avoid submitting sensitive information unless a feature explicitly requires it.

4.1. Purpose of processing. We use personal information for the following purposes, relying on lawful bases recognised under applicable data protection law:

Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal. Where we rely on legitimate interests, you may have the right to object in certain circumstances as described in section 8.

4.2. Processing duration. If you are a Visitor or Community Member, we process your personal information for as long as permitted by law or until you cancel your account, subject to any retention obligations described in section 9. If you are a User or Candidate, we will process your information in accordance with our agreement with the inviting organisation and applicable law.

4.3. Controller and processor roles. For most personal information collected from Community Members and Visitors, Praxicraft acts as the data controller. For many Assess workflows, the inviting organisation acts as the controller for candidate evaluation data, and Praxicraft acts as a processor on the organisation's documented instructions, supplemented by any data processing agreement between Praxicraft and the organisation.

We do not sell your personal information. We may disclose the categories of personal information described in this Policy to the following recipients where necessary to operate the Services, comply with law, or with your direction:

• Organisations. If you are a Candidate or User, we disclose your assessment data, scores, submissions, and related evaluation information to the organisation that invited or authorised your use of the Services.
• Service providers and subprocessors. We use third-party providers to perform functions of our platform, including cloud hosting, database and caching infrastructure, sandbox execution, email delivery, authentication (Google and GitHub), and payment processing (Stripe).
• Integrations. Where an organisation integrates the Services with third-party tools it uses, we may disclose your data to those integrated services as configured by the organisation.
• Legal or compliance purposes. We may disclose personal information where required to comply with applicable law, respond to lawful requests, enforce our agreements, or protect the rights, property, or safety of Praxicraft, our users, or others.
• Affiliates. We may disclose personal information to affiliated entities that own, are owned by, or share common ownership with Praxicraft, consistent with this Policy.
• Business transfers. If we sell or merge our business or substantially all of our assets, your personal information may be transferred to a prospective buyer or successor, subject to protections at least as protective as this Policy.
• With your consent. We may disclose personal information for other specific purposes where you have given consent.

6.1. Automated scoring. We use automated systems to evaluate certain technical submissions, including code execution in sandboxed environments, test results, and scoring for practice tasks and Assess assessments. Automated scores and feedback may inform whether you pass a task or how an organisation reviews your performance.

6.2. Organisation discretion. For organisations using Assess, hiring and selection decisions are made by the organisation, not by Praxicraft alone. Automated evaluation outputs are tools to support human review and organisational decision-making.

6.3. Integrity signals. Where enabled by an organisation, we may collect proctoring-related signals (such as fullscreen exit counts and copy/paste attempt counts) to support fair evaluation. These features operate on a best-effort basis and may be limited by browser, device, or embedded editor technology.

6.4. Human review. Where required by applicable law, you may request human review of significant automated decisions that produce legal or similarly significant effects, subject to the role Praxicraft plays as controller or processor in your specific case. Candidates seeking review of how an organisation uses assessment results should contact that organisation in the first instance.

We use cookies and similar technologies when you use the Services. These are commonly used technologies that help our Services work efficiently and securely.

7.1. How we use cookies. We may use cookies, local storage, and similar technologies as follows:

• Essential cookies and technologies to authenticate your identity, maintain sessions, and prevent fraud — including session authentication cookies and CSRF protection tokens (such as the bureau_csrf cookie used with the X-CSRFToken header);
• Preference storage to remember interface settings (such as theme) and your cookie consent choice stored in localStorage under praxicraft_cookie_consent_v1;
• Non-essential technologies (for example certain analytics or personalisation beyond core operation), only where we obtain your consent as required by law through our in-product cookie notice.

7.2. Your cookie choices. When you select "Reject" or "Accept all" in our cookie banner, we record that preference so the banner does not appear on every visit. You can manage cookies through your browser settings. Blocking strictly necessary cookies may prevent you from signing in or using parts of the Services. You can reset your cookie consent choice by clearing site data for this domain and revisiting the site.

Depending on where you live and applicable law, you may have some or all of the following rights in relation to your personal information:

• Right of access — obtain confirmation of whether we process your personal information and obtain a copy of certain data we hold about you;
• Right to rectification — request correction of inaccurate or incomplete personal information;
• Right to erasure — request deletion of your personal information where applicable legal conditions are met;
• Right to restrict processing — request that we limit how we use your personal information in defined circumstances;
• Right to object — object to certain processing based on legitimate interests, where provided by law;
• Right to data portability — receive personal information you provided to us in a structured, commonly used, machine-readable format, where technically feasible;
• Right to withdraw consent — where processing is based on consent, withdraw consent at any time without affecting prior lawful processing;
• Right to lodge a complaint — contact your local data protection or supervisory authority if you believe our processing violates applicable law.

8.1. Exercising your rights. To exercise any of these rights, contact us at support@praxicraft.com. We will respond within the timeframe required by applicable law. We may need to verify your identity before fulfilling a request. Deleting or restricting processing of your personal information may impact features of the Services that require that information to function.

8.2. Candidates and organisation users. If you are a Candidate or User and your request relates to how an organisation uses your assessment or account data in its hiring or evaluation process, please contact that organisation in the first instance. We will follow the organisation's instructions regarding your data where we act as its processor and will cooperate with organisations as needed.

We retain personal information only for as long as necessary to fulfil the purposes described in this Policy, unless a longer retention period is required or permitted by law. Retention periods vary depending on the type of data and how it is used.

• Account data is retained while your account is active and for a reasonable period afterwards to resolve disputes, enforce our terms, and comply with legal obligations.
• Submissions and evaluation results may be retained to provide history, analytics, and organisational reporting features, subject to applicable agreements and configuration.
• Billing records may be retained for longer periods to meet tax, accounting, and audit requirements.
• Security and diagnostic logs are generally retained for shorter periods unless needed for an investigation or legal hold.

When retention periods expire, we delete or irreversibly anonymise personal information where feasible. Data may persist in encrypted backups for a limited period until those backups are rotated or overwritten.

Your personal information may be processed in countries other than your own. Some of our service providers may store or process data outside your country of residence, where data protection laws may differ from those in your jurisdiction.

Where we transfer personal information internationally, we implement appropriate safeguards required under applicable law, such as contractual protections, adequacy decisions, or other recognised transfer mechanisms.

If you access the Services from outside the United Kingdom, you acknowledge that you may be transferring personal information to jurisdictions where our infrastructure and service providers operate.

We implement technical and organisational measures designed to protect personal information against unauthorised access, loss, misuse, or alteration. These measures include:

• Encryption in transit (HTTPS/TLS) for connections between your browser and our Services;
• Industry-standard password hashing for credentials managed directly by Praxicraft;
• Session-based authentication with CSRF protection for web requests;
• Optional two-factor authentication (TOTP) for account security;
• Role-based access controls and administrative audit logging for sensitive operations;
• Monitoring and incident response procedures designed to detect and mitigate security threats.

No method of transmission or storage is completely secure. If you believe your account or personal information has been compromised, please contact us promptly at support@praxicraft.com.

If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:

Email: support@praxicraft.com

When submitting a rights request, please include enough information for us to verify your identity and describe the information or action you are requesting. We may ask for additional details where required by law or to protect your account.