Privacy Policy

Last updated: 31 May 2026

Dextes ("we", "us", or "our") is committed to protecting your privacy. This policy explains what data we collect, why we collect it, how we use it, and your rights regarding that data. It is governed by the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), and the Digital Personal Data Protection Act, 2023 ("DPDP Act").

1. Who we are

Dextes is an online SaaS platform for technical assessments, psychometric evaluations, and employee skill tracking, operated from Delhi, India. Our contact email is support@dextes.com.

2. Data we collect

We collect the following categories of personal data depending on how you interact with our platform:

Identity and account data

Name, email address, company name, job title, and profile information provided when creating an account or inviting team members.

Authentication data

Passwords are stored exclusively in hashed, non-reversible form (bcrypt). We never store or access your password in plaintext.

Assessment and test data

Assessments you create (questions, settings, scoring criteria), candidate responses (answers, scores, time spent, code submissions, written responses), and proctoring event logs (tab switches, window blur events) where proctoring is enabled.

Candidate and employee data

Names, email addresses, departments, job titles, and assessment results of individuals you invite to assessments or import into the platform. You, as the account holder, are the data controller for this data.

Payment and billing data

Billing name for invoice purposes. We do not store credit or debit card numbers, CVV, or net banking credentials. All payment transactions are processed directly by Razorpay Technologies Private Limited. We receive only a transaction ID and payment status confirmation.

Usage and technical data

IP address, browser type, operating system, pages visited, features used, session duration, and error logs. This data is used to operate and improve the platform.

Communications data

Support emails and messages you send us, and records of transactional emails we send to you or your candidates.

3. Sensitive personal data or information (SPDI)

Under the SPDI Rules, certain categories of data are classified as sensitive. Our handling:

  • Passwords: Stored as one-way hashed values (bcrypt). Never readable by any party, including us.
  • Payment information: We do not collect or store raw card numbers, CVV, or bank credentials. This is handled exclusively by Razorpay under their PCI DSS-compliant systems.
  • Biometric and health data: We do not collect biometric data, health data, or data about sexual orientation. Psychometric assessments on our platform assess professional competencies only and are not used to infer protected personal characteristics.

4. How we use your data

  • To create and manage your account and provide access to the platform
  • To send transactional emails (assessment invitations, reminders, OTPs, results) via Resend
  • To process subscription payments via Razorpay
  • To generate analytics, reports, and skill insights within your account
  • To detect and prevent fraud, abuse, and security incidents
  • To troubleshoot bugs and improve platform performance using anonymised error logs
  • To comply with legal obligations under Indian law
  • To send product updates and announcements (you may unsubscribe at any time)

We do not use your data to train AI models. We do not sell your data to any third party. We do not use your data for advertising or share it with advertising platforms.

5. Legal basis for processing

  • Contract: To provide the services you have subscribed to
  • Consent: For non-essential communications and cookies; you may withdraw consent at any time
  • Legitimate interests: For security monitoring, fraud prevention, and platform improvement, where these interests are not overridden by your rights
  • Legal obligation: To comply with Indian law, including tax record-keeping and regulatory requirements

6. Third-party sub-processors

We use the following trusted third-party services to operate the platform, each bound by appropriate data processing agreements:

  • Vercel Inc. - Application hosting and deployment infrastructure
  • Neon Inc. - PostgreSQL database hosting (SOC 2 Type II compliant), hosted on AWS infrastructure
  • Resend Inc. - Transactional email delivery. Resend receives recipient email addresses and email content for delivery purposes only
  • Razorpay Technologies Pvt. Ltd. - Payment processing. Razorpay handles all card data under their own PCI DSS-compliant systems. We do not receive or store raw card data
  • Anthropic PBC - AI-powered question generation and grading. Where you use AI features, assessment content may be sent to Anthropic for processing. Anthropic does not use this data to train their models under their enterprise terms
  • Judge0 - Code execution for coding assessments. Candidate code is executed in sandboxed Judge0 environments and the result is returned. Code is not retained on Judge0 infrastructure
  • Sentry Inc. - Error monitoring and crash reporting. Error payloads may include anonymised usage context; personally identifiable data is scrubbed before transmission

We do not use advertising platforms, social media trackers, or data brokers.

7. Payment data and RBI compliance

All payment transactions on Dextes are processed by Razorpay Technologies Private Limited, an RBI-authorised Payment Aggregator. Payment transaction data is stored in compliance with the Reserve Bank of India's data localisation requirements. We do not store any card data on our own servers. For details on Razorpay's data practices, refer to Razorpay's Privacy Policy.

8. Data retention

  • Account data: Retained for the duration of your active subscription and for 2 years after account closure to meet legal and contractual obligations
  • Candidate and assessment data: Retained for 12 months after the assessment is completed, unless you request earlier deletion or your account settings specify otherwise
  • Payment transaction records: Retained for 7 years in compliance with the Income Tax Act, 1961
  • Usage and error logs: Retained for 12 months on a rolling basis
  • Email logs: Retained for 6 months for deliverability troubleshooting

You may delete candidate data at any time from within your dashboard. Upon account deletion, all personal data is deleted within 30 days, except where we are legally required to retain it longer.

9. Security practices

We have implemented reasonable security practices and procedures as required under Rule 8 of the SPDI Rules, 2011, including:

  • Encryption of all data in transit using TLS 1.2 or higher
  • Encryption of data at rest on database servers
  • One-way hashing of passwords (bcrypt)
  • Role-based access control limiting production data access to authorised personnel only
  • Regular security reviews and vulnerability assessments
  • Incident response procedures for security events

No system is completely secure. If you discover a security vulnerability, please report it to support@dextes.com.

10. Personal data breach notification

In the event of a personal data breach that poses a risk to your rights, we will:

  • Notify the Data Protection Board of India within 72 hours of becoming aware of the breach, as required under the DPDP Act, 2023
  • Notify affected individuals promptly with details of the nature of the breach, categories of data affected, likely consequences, and remediation steps taken
  • Maintain an internal breach register for all security incidents

11. Cookies

We use a session cookie to keep you logged in to your account. We do not use third-party advertising cookies, social media tracking pixels, or analytics cookies from services such as Google Analytics. For full details, see our Cookie Policy.

12. Your rights

Under the DPDP Act, 2023, the SPDI Rules, 2011, and other applicable Indian law, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you
  • Right to correction: Ask us to correct inaccurate or incomplete data
  • Right to erasure: Request deletion of your personal data (subject to legal retention obligations)
  • Right to portability: Receive your data in a portable, machine-readable format
  • Right to withdraw consent: Withdraw consent to processing at any time; this does not affect the lawfulness of prior processing
  • Right to grievance: File a complaint with our Grievance Officer before escalating to the Data Protection Board of India
  • Right to nominate: Nominate a person to exercise your data rights on your behalf in the event of death or incapacity, as provided under the DPDP Act, 2023

To exercise any of these rights, email support@dextes.com. We will respond within 30 days.

13. Children's privacy

Dextes is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a person under 18, please contact our Grievance Officer immediately and we will delete it promptly.

14. Changes to this policy

We may update this policy from time to time. When we make material changes, we will notify you by email or via an in-app notice at least 14 days before the changes take effect. The "last updated" date at the top reflects the most recent version.

15. Grievance Officer

In accordance with the Information Technology Act, 2000, the SPDI Rules, 2011, the Consumer Protection (E-Commerce) Rules, 2020, and the Digital Personal Data Protection Act, 2023, we have appointed a Grievance Officer:

Ankur Mohan

Co-Founder, Dextes

Email: grievance@dextes.com

Delhi, India

We will acknowledge your complaint within 48 hours and endeavour to resolve it within 30 days of receipt, as required under applicable Indian law.

16. Governing law and jurisdiction

This Privacy Policy is governed by and construed in accordance with the laws of India, including the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023. Any disputes arising under this policy shall be subject to the exclusive jurisdiction of the courts at Delhi, India.

17. Contact us

For any questions about this Privacy Policy or your personal data:

General enquiries: support@dextes.com

Privacy and grievances: grievance@dextes.com