Privacy Policy
This Privacy Policy explains how OxBridge Assessments (operated by Lingovera Labs, Pakistan; collectively "we", "our", "us") collects, uses, shares, and protects personal data when you use our website, recruiter portal, candidate assessments, and related services (collectively, the "Service").
We process personal data in accordance with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), and the Pakistan Personal Data Protection Act once in force. This policy describes the standards we apply globally.
1. Who is the data controller
For data we collect about you as a candidate, your employer or prospective employer (the recruiter) is the controller and OxBridge Assessments acts as a processor on their behalf. For data we collect directly from self-service candidates or website visitors, OxBridge Assessments is the controller.
2. What personal data we collect
Identification
- Full name, email address, phone number, date of birth
- National identification document number (CNIC, national ID, or passport), stored encrypted at rest with AES-256-GCM
- Recruiter account holder's designation and signed authorisation letter
Assessment data
- Your responses to test questions
- Your final score, section-by-section breakdown, and pass/fail status
- Webcam still images captured every 30 seconds during the test
- Audio recordings of speaking sections
- Integrity signals: tab-switch count, paste-attempt count, keystroke counts, typing speed
Technical data
- IP address, browser user-agent, referring page, pages visited
- A pseudonymous session identifier (
oxb_sessioncookie) - Device capabilities reported by your browser during the system check
3. How we use the data — lawful bases
- Contract (Art. 6(1)(b) GDPR): to provide the assessment service you or your recruiter contracted for
- Legitimate interest (Art. 6(1)(f)): to detect integrity violations, prevent fraud, debug, and improve the platform
- Consent (Art. 6(1)(a)): for webcam recording and analytics cookies. Consent is collected explicitly before the test begins.
- Legal obligation (Art. 6(1)(c)): to respond to lawful access requests
4. Who we share data with
- Your recruiter, if you were invited by one — they see your assessment result, integrity report, webcam stills, and (with optional certification) your verified certificate.
- Sub-processors — see the Subprocessors list.
- Legal authorities only where compelled by law.
We do not sell personal data. We do not share data with advertising networks.
5. International transfers
Personal data is processed in our hosting region (currently AWS ap-southeast-2 via Supabase). Transfers outside the EU/UK rely on Standard Contractual Clauses (SCCs). EU-resident customers may request an EU-resident data residency option; contact privacy@oxbridgeassessments.com.
6. Retention
- Webcam still images: 90 days after the assessment, then automatically deleted
- Audio recordings: 90 days after the assessment, then automatically deleted
- Assessment scores: retained for 3 years to support the verification URL
- Candidate accounts with no assessment activity: deleted after 12 months of inactivity
- Failed integrity reviews resulting in a 6-month ban: ban record retained 18 months
- Analytics events: aggregated after 13 months; individual rows pruned
7. Your rights
You have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Erase your data (where not overridden by legitimate interest or legal obligation)
- Restrict or object to processing
- Data portability — receive your data in a machine-readable format
- Withdraw consent at any time (without affecting prior lawful processing)
- Lodge a complaint with your supervisory authority — for the UK, the ICO; for the EU, your local DPA
To exercise any of these rights, email privacy@oxbridgeassessments.com. We respond within 30 calendar days.
8. Security
We apply layered controls including:
- Encryption at rest (AES-256-GCM for sensitive identifiers; TLS 1.3 in transit)
- Password hashing with bcrypt (cost 12)
- Rate limiting on authentication endpoints
- Role-based access control for the administrative console
- Audit logging of administrative actions
- Multi-factor authentication for administrative accounts
- Regular dependency vulnerability scanning
9. Children
The Service is not intended for users under 16. We do not knowingly collect data from children under 16. If you become aware that we have, please contact us and we will delete it.
10. Changes to this policy
We will post the date of the most recent revision at the top of this page. Material changes will be communicated by email to active account holders at least 14 days before they take effect.
11. Contact
OxBridge Assessments
Lingovera Labs, Karachi, Pakistan
privacy@oxbridgeassessments.com
