Privacy policy

Information We Collect

We collect the following categories of information to provide, improve, and secure our Services:

Profile or Contact Data

• Full name, email address, and profile photo.
• Institutional affiliation, department, and role (student, instructor, or administrator).
• Student ID or employee ID as provided by your institution.
• Authentication credentials — hashed passwords or OAuth tokens from Google/Microsoft SSO.

Biometric & Examination Data

Classified as Sensitive Personal Data under SPDI Rules

• Voice recordings captured during AI oral examinations.
• Facial video data for identity verification and proctoring.
• Exam transcripts generated by our AI Examiner.
• AI-generated scores, rubric evaluations, and performance analytics.

Device/IP Data

• IP address, browser type and version, operating system, and device identifiers.
• Page views, click patterns, feature usage, session duration, and referral URLs.
• Error logs and crash reports.

Communication Data

• Emails, chat messages, or support tickets you send to us.
• Survey responses, feedback submissions, and newsletter preferences.

Purpose and Legal Basis for Processing

We process your personal data only when we have a lawful basis to do so:

• Performance of Contract. Conducting and grading AI oral examinations, generating performance analytics, and sending transactional emails.
• Legitimate Interest. Identity verification and proctoring, fraud prevention, improving AI models with anonymized data, and enforcing academic integrity.
• Legal Obligation. Complying with applicable laws, regulations, and court orders.
• Consent. Recording audio/video during exams (explicit consent obtained at exam start) and marketing communications (opt-in only).

Consent for Audio & Video Recording

By initiating an assessment on Scire, you provide explicit, informed, and freely given consent to the recording of your audio and video. This data is processed in real-time by our AI systems to analyze your oral responses, monitor for suspicious behavior (gaze aversion, unauthorized persons, secondary devices), and verify your identity against pre-registered biometric templates.

Withdrawal of Consent: You may withdraw this consent at any time by terminating the exam session. Withdrawal will result in the immediate termination and invalidation of the assessment. Previously processed data may be retained for academic integrity records, subject to the retention periods below.

Disclosure to Third Parties

We do not sell, rent, or trade your personal data to any third party for marketing or advertising purposes. We may share your information with:

• Your Educational Institution. Examination results, AI-generated transcripts, performance analytics, and academic integrity reports. Your institution acts as the Data Fiduciary / Data Controller for this data.
• Infrastructure & Service Providers. Cloud hosting (AWS), database management (MongoDB Atlas), email delivery (AWS SES), error monitoring (Sentry), and analytics (PostHog). All sub-processors are bound by Data Processing Agreements.
• AI Model Providers. Exam prompts and responses may be transmitted to third-party LLM APIs (e.g., Google Gemini) for real-time grading. We anonymize or pseudonymize data before transmission wherever feasible.
• Legal & Regulatory Authorities. When required by applicable law, regulation, court order, or governmental request.
• Business Transfers. In a merger, acquisition, or sale of assets, your data may be transferred to the successor entity, provided they honor this Policy.

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, unless a longer retention period is required by law:

• Account Data — Duration of account plus 30 days after closure.
• Exam Recordings — Up to 2 academic years, or as specified by your institution's retention policy, whichever is shorter.
• Exam Transcripts & Scores — Up to 5 academic years for audit trails and institutional compliance.
• Usage & Analytics Data — 24 months. Anonymized aggregate data may be retained indefinitely.

Data Storage & International Transfers

Your personal data is primarily stored on secure servers in India (AWS Mumbai Region, ap-south-1), ensuring data sovereignty and compliance with Indian data localization requirements.

Where data must be transferred outside India, we ensure adequate safeguards including:

• Standard Contractual Clauses (SCCs) approved by the European Commission for EEA data subjects.
• Data Processing Agreements with all international sub-processors.
• Transfer Impact Assessments for high-risk jurisdictions.
• Data minimization and pseudonymization prior to cross-border transfers.

Your Rights

Depending on your jurisdiction, you may exercise the following rights with respect to your Personal Data:

• Access. Obtain confirmation and a copy of your personal data we process.
• Correction. Request rectification of inaccurate or incomplete data.
• Erasure. Request deletion of your personal data, subject to legal retention obligations.
• Restrict Processing. Request limitation on how we process your data in certain circumstances.
• Data Portability. Receive your data in a structured, machine-readable format (GDPR/DPDPA).
• Withdraw Consent. Revoke previously granted consent at any time, without affecting prior processing.
• Object. Object to processing based on legitimate interests or direct marketing.
• Lodge Complaint. File a complaint with the Data Protection Board of India or your local supervisory authority.

To exercise any of these rights, submit a written request to dpo@mail.scire.in. We will respond within 30 days. Identity verification may be required.

Security Measures

We implement comprehensive technical and organizational security measures in accordance with the SPDI Rules and industry best practices, including AES-256 encryption at rest, TLS 1.3 in transit, role-based access controls with mandatory MFA, comprehensive audit logging, and automated vulnerability scanning in CI/CD pipelines.

Despite our best efforts, no method of electronic storage or transmission is entirely secure. We commit to promptly notifying affected individuals and regulatory authorities in the event of a data breach, as required by applicable law. For full details, see our Security page.

Children's Privacy

As noted in the Terms of Service, we do not knowingly collect or solicit Personal Data from anyone under the age of 13. If you are under 13, please do not attempt to register for the Services or send any Personal Data to us. If we learn that we have collected Personal Data from a child under age 13, we will delete that information as quickly as possible. If you believe that a child under 13 may have provided us Personal Data, please contact us at hello@mail.scire.in.

Cookies & Tracking

We use cookies and similar technologies to enhance your experience, analyze usage, and maintain session security. For details on what cookies we set, their purpose, and how to manage them, see our Cookie Policy.

Changes to This Policy

We're constantly trying to improve our Services, so we may need to change this Privacy Policy from time to time, but we will alert you to any such changes by placing a notice on the Scire website, by sending you an email, and/or by some other means. Please note that if you've opted not to receive legal notice emails from us, those legal notices will still govern your use of the Services. If you use the Services after any changes to the Privacy Policy have been posted, that means you agree to all of the changes.

Grievance Officer & Contact

In accordance with the IT Act, 2000, SPDI Rules, 2011, and DPDPA, 2023, the details of the Grievance Officer are as follows. For GDPR-related inquiries, this individual also serves as our Data Protection Officer.

If you have any questions or comments about this Privacy Policy, the ways in which we collect and use your Personal Data, or your choices and rights regarding such collection and use, please do not hesitate to contact us at:

Email: grievance@mail.scire.in · dpo@mail.scire.in
Address: Remote, India