Our Top Courses

Privacy Policy

Effective Date: 1 July 2026
Last Updated: 1 July 2026

DigiVal IT Solutions Limited ("DigiVal", "we", "us", "our") is the data controller for personal data processed through the DigiAssess online assessment platform and our website at www.digiassess.com.

Registered address: Unit 13B, Level P7, Damac Park Towers, Dubai International Financial Centre (DIFC), Dubai, UAE

Data Protection Officer:

Name: Shirajuddeen Desai
Email: privacy@digi-val.com

All data protection enquiries, Subject Access Requests, and exercise of rights should be directed to the DPO at the email address above.

1. What Data We Collect

1.1 Data you provide directly

  •       Account registration: full name, email address, password (hashed), organisation/institution.
  •       Profile information: date of birth, student or employee ID, contact details.
  •       Assessment activity: answers, submitted files, scores, completion timestamps.
  •       Communications: support requests, emails and messages sent to us.

 

1.2 Data collected automatically

  •       Technical data: IP address, browser type, device type, operating system.
  •       Usage data: pages visited, features used, session duration, click events.
  •       System logs: login events, access logs, error logs.

 

1.3 Special category data (collected only where enabled by your institution)

  •       Biometric data: facial recognition images or scan data used for identity verification during proctored assessments.
  •       Behavioural data: eye-tracking, keystroke patterns, screen activity during proctored assessments.

 

Collection of special category data requires separate explicit consent (see Section 8 — Biometric Data & Proctoring). You have the right to request a non-biometric alternative. Refusing biometric proctoring will not prevent access to the service — an alternative verification method will be offered.

2. Lawful Basis for Processing

We process your personal data on the following legal grounds under GDPR Article 6 and Article 9:

 

Processing Activity

Lawful Basis

Details

Creating and managing your DigiAssess account

Contract (Art. 6(1)(b))

Necessary to deliver the service you have signed up for.

Delivering assessments and scoring

Contract (Art. 6(1)(b))

Core service delivery — assessment administration and results.

Sending transactional emails (login, results, confirmations)

Contract (Art. 6(1)(b))

Necessary to inform you about your account and assessment activity.

Institutional reporting (to schools, universities)

Contract (Art. 6(1)(b))

Sharing results with the institution that enrolled you, as part of the service agreement.

Security monitoring and fraud prevention

Legitimate Interests (Art. 6(1)(f))

Protecting the platform and our users from unauthorised access. LIA available on request.

System analytics and performance monitoring

Legitimate Interests (Art. 6(1)(f))

Maintaining and improving platform stability and performance.

Sending marketing emails

Consent (Art. 6(1)(a))

Only where you have opted in. Withdraw at any time by clicking ‘Unsubscribe’.

Non-essential cookies and tracking

Consent (Art. 6(1)(a))

Collected only after you give consent via our cookie banner.

Proctoring / biometric verification (where enabled by your institution)

Consent (Art. 6(1)(a)) + Explicit Consent (Art. 9(2)(a))

Special category data. Separate explicit consent is obtained. You may request a non-biometric alternative — see Section 8.

Complying with legal obligations

Legal Obligation (Art. 6(1)(c))

E.g. responding to lawful requests from supervisory authorities.

A Legitimate Interests Assessment (LIA) for processing carried out on the basis of legitimate interests is available on request from the DPO.

3. How We Use Your Data

  •       Creating and managing your DigiAssess account.
  •       Delivering assessments, scoring results and generating reports for you and your institution.
  •       Communicating with you about your account, results and service updates.
  •       Verifying your identity during proctored assessments (where applicable).
  •       Improving the security, stability and performance of the platform.
  •       Complying with legal and regulatory obligations.
  •       Sending marketing communications where you have opted in (you may opt out at any time).

4. Who We Share Your Data With

4.1 Your institution

If you access DigiAssess through a school, university or employer, your assessment results and performance data will be shared with that institution as part of the service agreement. Your institution is an independent data controller for how it uses your results.

 

4.2 Service providers (processors)

We share data with third-party service providers who process data on our behalf under signed Data Processing Agreements:

 

Provider

Service

Data Shared

Amazon Web Services (AWS)

Cloud hosting (EU-West-1)

All platform data

Google Cloud Platform (GCP)

Cloud hosting (ME-Central2, Dammam)

All platform data

MongoDB Atlas

Database hosting

Assessment and user data

New Relic

Performance monitoring

System logs, usage metrics (anonymised)

Email service provider

Transactional and marketing emails

Name, email address

Cookie Consent Platform

Consent management

Consent records, IP (anonymised)

 

4.3 We do not sell your data

DigiVal does not sell, rent, or trade your personal data to any third party for commercial purposes.

5. International Data Transfers

Your personal data may be transferred to and stored in countries outside the European Economic Area (EEA), including the UAE, Saudi Arabia and India. DigiVal ensures that all international transfers are protected by appropriate safeguards:

 

  •       Standard Contractual Clauses (SCCs) — approved by the European Commission — are in place with all third-party processors located outside the EEA.
  •       Transfer Impact Assessments (TIAs) have been conducted for each transfer destination to assess the adequacy of local data protection laws.
  •       All processors outside the EEA are contractually required to implement equivalent technical and organisational security measures to those we apply ourselves.

 

Copies of the applicable SCCs and TIA summaries are available on request from the DPO.

6. Data Retention

We retain personal data only for as long as necessary. Specific retention periods by data category are set out below:

 

Data Category

Retention Period

Reason

Account / profile data

Duration of account + 24 months after account closure

Service delivery and legal claims period.

Assessment records and scores

Duration of account + 36 months after account closure

Institutional requirements and academic record integrity.

Consent records

7 years from date of consent

GDPR accountability — proof of consent must be retained.

Proctoring / biometric data

90 days from assessment date, then securely deleted

Minimum period for review or dispute resolution.

Security and access logs

12 months

Security investigation and incident response.

Marketing consent and activity

Until consent is withdrawn, then 2 years

Accountability for direct marketing activity.

Support / communication records

3 years from last interaction

Dispute resolution and legal claims.

Billing and payment records

7 years

Legal and tax obligations.

 

When the applicable retention period expires, personal data is securely deleted or anonymised, including from backup copies, within a defined backup rotation window of 30 days.

7. Biometric Data & Proctoring

Where your institution has enabled proctored assessments, DigiAssess may collect biometric and behavioural data (facial scan, keystroke patterns, screen activity) to verify your identity and maintain assessment integrity.

 

  •       Collection of biometric data requires your separate explicit consent, which is obtained before any proctored session begins.
  •       Refusing biometric consent will not prevent you from accessing your assessment. You have the right to request a non-biometric alternative verification method. Contact your institution or our DPO to arrange this.
  •       Biometric data is retained for 90 days from the assessment date and then securely and permanently deleted.
  •       Biometric data is not used for any purpose other than identity verification for the specific assessment session.
  •       Biometric data is not shared with your institution or any third party other than the proctoring sub-processor, which operates under a signed DPA.

8. Automated Decision-Making

DigiAssess uses automated systems to assist in assessment scoring and, where proctoring is enabled, to flag potential academic integrity concerns (e.g. unusual behavioural patterns).

 

  •       Automated scoring: Assessment scores are generated automatically based on your submitted answers. The scoring logic is defined by your institution or assessment provider.
  •       Academic integrity flags: Our AI-assisted proctoring system may automatically flag an assessment session for review. A flag does not constitute a finding of misconduct — it is reviewed by a human assessor before any consequence is applied.

 

Your right to human review (Art. 22 GDPR): If an automated decision significantly affects you (e.g. a flagged academic integrity decision, an unexpectedly low score), you have the right to request a human review of that decision. Submit your request to privacy@digi-val.com. We will acknowledge within 5 working days and complete the review within 1 month.

9. Children's Data

DigiAssess is used by educational institutions including those serving students under the age of 16. We take additional care when processing children’s personal data:

 

  •       For students under 16, DigiVal relies on the educational institution (as the enrolling entity) to obtain and document appropriate parental or guardian consent before enrolment in DigiAssess.
  •       DigiVal does not knowingly collect data from children under 16 through direct sign-up on our public website. If we become aware that a child under 16 has registered directly without institutional onboarding, we will delete that data promptly.
  •       Biometric and proctoring data is not collected from students under 16 without explicit parental consent facilitated by the institution.
  •       Institutions that enrol students under 16 must sign a Data Processing Agreement that includes specific provisions for the protection of minor data subjects.

10. Cookies

We use cookies and similar tracking technologies on our website and platform. A cookie consent banner is presented to all users on first visit. Non-essential cookies (e.g. analytics, advertising) are only loaded after you give your consent.

 

  •       Essential cookies: Required for the platform to function (e.g. session management, login state). These cannot be disabled.
  •       Analytics cookies: Used to understand how the platform is used and improve performance. Loaded only with your consent.
  •       Marketing cookies: Used to show relevant content. Loaded only with your consent.

 

You can manage or withdraw your cookie consent at any time using the cookie preference centre accessible from the footer of every page.

11. Your Rights

Under GDPR, you have the following rights. We will respond to all requests within 1 calendar month of receipt. Complex requests may be extended by a further 2 months — we will notify you if this applies.

 

Right

What It Means

How to Exercise It

Access (Art. 15)

Request a copy of all personal data we hold about you.

Email us at privacy@digi-val.com. We will respond within 1 month.

Rectification (Art. 16)

Correct any inaccurate or incomplete data.

Update your profile in DigiAssess or email us.

Erasure (Art. 17)

Request deletion of your data where there is no overriding reason to keep it.

Submit a deletion request from Account Settings. An admin will review and process it.

Restriction (Art. 18)

Ask us to pause processing while a dispute is resolved.

Email us at privacy@digi-val.com.

Portability (Art. 20)

Download your data in a machine-readable format.

Use ‘Download My Data’ in Account Settings.

Object (Art. 21)

Object to processing based on legitimate interests or for direct marketing.

Email us, or use the ‘Unsubscribe’ link in any marketing email.

Human Review (Art. 22)

Request a human to review any automated decision that significantly affects you (e.g. AI-flagged academic integrity decision).

Email us at privacy@digi-val.com. We will arrange a review within 1 month.

Withdraw Consent (Art. 7)

Withdraw any previously given consent at any time.

Account Settings > Privacy, or email us.

 

There is no fee for exercising your rights in ordinary circumstances. We may charge a reasonable fee or refuse a request that is manifestly unfounded or excessive.

12. How to Make a Complaint

If you have a concern about how we process your personal data, please contact our DPO at privacy@digi-val.com in the first instance. We aim to resolve all concerns within 30 days.

 

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority:

 

  •       UK users: Information Commissioner’s Office (ICO) — ico.org.uk
  •       EU users: The supervisory authority in your EU Member State of habitual residence.
  •       UAE/KSA users: UAE Data Office — uaedataoffice.gov.ae

13. Security

DigiVal is SOC 2 Type II certified, having completed an independent third-party audit of its security controls across the Trust Services Criteria of Security, Confidentiality and Availability. This certification demonstrates that DigiVal’s technical and organisational measures have been independently verified to operate effectively over a sustained period — not just at a point in time.

Specific security measures in place include encryption in transit (TLS 1.3) and at rest (AES-256 via cloud-native key management), role-based access controls, multi-factor authentication on all critical systems, monthly automated vulnerability scanning, annual penetration testing by CyberHeals (a qualified third-party provider), business continuity and disaster recovery plans tested annually, and continuous compliance monitoring via the Truzta platform.

A copy of the SOC 2 Type II report is available to customers and institutional partners on request, subject to a signed non-disclosure agreement.

No method of transmission over the internet is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your data to the highest reasonable standard.

14. Changes to This Policy

This Privacy Policy was last updated on 16 June 2026. We may update it periodically to reflect changes in our processing activities or applicable law. We will notify you of material changes by email or by a prominent notice in the platform at least 30 days before the change takes effect. The current version is always available at www.digiassess.com/privacy.

©2026. All rights reserved by DigiAssess.

[academy_login_form]