Privacy Policy
Last updated: 8 April 2026
1. Who We Are
Fluency is operated by Sondera Studios Ltd ("we", "us", "our"), a company registered in England and Wales. We provide an AI literacy assessment platform for organisations assessing candidates and employees.
Data Protection Contact: privacy@sonderastudios.com
ICO Registration Number: [Pending]
2. Data Controller & Processor Roles
When an organisation ("the Client") uses Fluency to assess candidates or employees:
- The Client is the data controller — they determine why the assessment is being conducted and which individuals are assessed.
- Sondera Studios is the data processor — we process personal data on the Client's behalf to deliver the assessment service.
For assessor account data (names, emails, login credentials), Sondera Studios acts as the data controller.
A Data Processing Agreement (DPA) governs our obligations under GDPR Article 28 and is provided to all Clients as part of the service agreement.
3. What Data We Collect
We collect and process the following categories of personal data:
Assessor Account Data
- Full name and work email address
- Organisation name and sector
- Hashed password (we cannot see your password)
- Account activity and login timestamps
Candidate / Employee Data
- Full name and email address (provided by the Client)
- Assessment responses — including live chat conversations with AI, decision choices, drag-and-drop rankings, slider allocations, written reviews, and corrected prompts
- AI-generated scores, per-module breakdowns, and behavioural profiles
- Session metadata — timestamps, time spent per module, completion status
Technical Data
- IP address and browser/device information
- Session cookies (authentication only — we do not use tracking or advertising cookies)
- Error logs (collected via Sentry for platform stability — we take steps to exclude personal data from error reports)
4. How We Use Your Data
- Assessment delivery: To present assessment modules, facilitate AI chat interactions, and record responses.
- AI-powered scoring: To generate scores, behavioural profiles, and insights using artificial intelligence (see Section 6 for details on automated decision-making).
- Reporting: To produce assessment reports for the Client organisation.
- Candidate feedback: To provide assessment feedback to candidates where the Client has enabled this feature.
- Communication: To send invitation emails to candidates and account notifications to assessors.
- Account management: To authenticate users, manage subscriptions, and process payments.
- Platform improvement: To improve the assessment platform using aggregated, anonymised data only. Individual assessment data is never used for AI model training.
5. Legal Basis for Processing
We process personal data under the following legal bases (UK GDPR Article 6):
- Contract performance (Art. 6(1)(b)): Processing assessor account data to provide the service under our agreement with the Client.
- Legitimate interest (Art. 6(1)(f)): Processing candidate/employee data to deliver assessments commissioned by the Client. The legitimate interest is the Client's need to evaluate AI literacy for hiring or workforce development purposes. We have conducted a balancing test and concluded that this interest is not overridden by the data subjects' rights, given the professional context and safeguards in place.
- Legal obligation (Art. 6(1)(c)): Where we are required to retain data for tax, accounting, or legal compliance purposes.
6. Automated Decision-Making & Profiling
This section is important — please read it carefully.
Fluency uses artificial intelligence (specifically, large language models) to score assessment responses and generate behavioural profiles. This constitutes automated processing with profiling under GDPR Article 22.
What the AI Does
- Evaluates your assessment responses against structured scoring rubrics
- Generates numerical scores (0–100) across multiple dimensions
- Produces a behavioural profile categorising your approach to working with AI
- Creates narrative insights and suggested interview questions for the assessor
What the AI Does Not Do
- The AI does not make hiring, promotion, or employment decisions — these are made by the Client organisation
- The AI does not access your personal data beyond what you provide during the assessment
- Your assessment data is not used to train AI models
Your Rights Regarding Automated Decisions
Under GDPR Article 22, you have the right to:
- Request human review — ask that a qualified person reviews your AI-generated scores
- Express your point of view — provide additional context about your assessment performance
- Contest the decision — challenge the outcome if you believe it is inaccurate or unfair
To exercise these rights, contact the organisation that invited you to the assessment (the data controller), or contact us directly at privacy@sonderastudios.com.
7. Data Sharing & Subprocessors
We share personal data with the following third-party service providers ("subprocessors") who assist in delivering the platform:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database hosting and user authentication | EU (Frankfurt) |
| Anthropic | AI chat delivery and assessment scoring (Claude API) | United States |
| Vercel | Application hosting and serverless compute | Global (US primary) |
| Resend | Transactional email delivery (invitations, notifications) | United States |
| Sentry | Error monitoring and platform stability | United States |
We do not sell personal data to third parties. We do not share personal data with any party other than those listed above and the Client organisation that commissioned the assessment.
8. International Data Transfers
Some of our subprocessors are based in the United States. When personal data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place:
- EU-US Data Privacy Framework: Where the subprocessor is certified under the DPF, transfers are covered by the adequacy decision.
- UK International Data Transfer Agreement (IDTA): Where DPF certification is not available, we use the UK IDTA (the UK equivalent of Standard Contractual Clauses).
- Transfer Impact Assessments: We assess the data protection laws of recipient countries to ensure adequate protection.
Your primary assessment data (responses, scores, reports) is stored in Supabase's EU (Frankfurt) region. Data is transmitted to Anthropic's US servers for AI scoring and is not retained by Anthropic after processing.
9. Data Retention
| Data Type | Retention Period |
|---|---|
| Assessment data (responses, scores, reports) | Duration of Client account + 24 months |
| Assessor account data | Duration of account + 12 months |
| Chat conversation logs | Duration of Client account + 24 months |
| Payment records | 7 years (UK tax law requirement) |
| Error logs | 90 days |
Clients may request deletion of specific candidate data at any time. Upon account termination, all data is deleted after the retention period unless a legal obligation requires us to keep it.
10. Data Security
We implement appropriate technical and organisational measures to protect personal data:
- All data is encrypted in transit (TLS/HTTPS) and at rest
- Row-Level Security (RLS) ensures organisations can only access their own data
- Candidate API routes require cryptographic session token validation
- Passwords are salted and hashed — never stored in plain text
- Access to production systems is restricted and logged
- All user-supplied content is sanitised before rendering to prevent injection attacks
11. Cookies
We use only strictly necessary cookies for authentication and session management. These cookies are essential for the platform to function and do not require consent under PECR.
We do not use analytics cookies, advertising cookies, or any form of cross-site tracking.
12. Your Rights
Under UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Restriction — request that we limit how we process your data
- Portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interest
- Automated decisions — rights relating to AI scoring (see Section 6)
We will respond to valid requests within 30 days. If you were invited to an assessment by an organisation, we may direct your request to that organisation (the data controller) where appropriate.
To exercise any of these rights, contact privacy@sonderastudios.com.
13. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform affected individuals without undue delay. Client organisations will be notified within 48 hours under the terms of our Data Processing Agreement.
14. Complaints
If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk/make-a-complaint
- Telephone: 0303 123 1113
We would appreciate the opportunity to address your concerns before you contact the ICO. Please reach out to privacy@sonderastudios.com first.
15. Changes to This Policy
We may update this policy from time to time. We will notify registered assessors of significant changes via email. The "last updated" date at the top reflects the most recent revision. We recommend reviewing this page periodically.