Security & Compliance

Building trust through transparency and rigorous data protection

This page explains how PLUTVO approaches privacy, security, accessibility and contractual compliance. It is designed for organizations that process candidate and employee information and need a clear legal and operational framework.

Last updated: 2026-05-14

Privacy Policy

PLUTVO processes personal data for defined and documented purposes connected to the Service: operating the assessment platform, sending secure invitations, collecting answers and attachments, enabling optional video/media questions when configured by the Customer, generating reports for authorized reviewers, supporting customers, maintaining security, preventing abuse, keeping audit records, complying with legal obligations and administering customer accounts. Data may include account and contact details, organization details, candidate or employee identifiers, assessment answers, free-text responses, uploaded files, optional video/audio/image content, timestamps, role and permission data, language preference, IP address, device and browser data, technical logs, support communications and billing or contract records. For most assessment workflows, the Customer determines the purpose, scope and lawful basis and acts as Controller or equivalent responsible party. PLUTVO usually acts as Processor or service provider and processes Customer-controlled data only under documented instructions and the applicable agreement. PLUTVO may act as an independent controller for limited business operations such as website visits, customer communications, billing, service security, legal compliance and account administration. PLUTVO does not sell personal data. Reports and recommendations are decision-support materials and must not be used as the sole automatic basis for hiring, rejection, promotion, termination or any legally or similarly significant decision about a person.

Terms of Service

The Service may be used only for lawful organizational assessment, verification, compliance, training and evaluation workflows. The Customer is responsible for choosing the correct assessment type, defining job relevance, providing notices to candidates or employees, obtaining consent or another lawful basis where required, limiting report access to authorized personnel, applying equal-treatment rules, reviewing results fairly, keeping required records, handling disputes and making final decisions through qualified human review. Users may not reverse engineer the Service, bypass access controls, interfere with security, upload malicious or unlawful content, collect data without authority, run assessments for prohibited purposes, discriminate, harass, or use PLUTVO outside the agreed scope. Reports, scores, indicators and recommendations are decision-support materials only. They are not legal advice, medical advice, psychological diagnosis, a guarantee of future conduct or a replacement for the Customer’s legal, HR, security and compliance judgment. PLUTVO may suspend or restrict access to protect the Service, comply with law, investigate misuse, prevent security risk or enforce the agreement. To the maximum extent permitted by law, the Customer must indemnify PLUTVO for claims arising from unlawful configuration, lack of lawful basis, discriminatory use, unauthorized disclosure or misuse of reports.

Cookie Policy

PLUTVO uses cookies and similar technologies to operate the website and platform, maintain secure sessions, remember language and interface preferences, protect against abuse, store cookie-notice choices and, where enabled, measure aggregated usage. Strictly necessary cookies are required for security, login, routing, load balancing, fraud prevention and service operation and may be used without prior consent where permitted by law. Functional cookies may remember language, region, interface and accessibility preferences. Analytics or performance cookies, if enabled, are used to understand aggregated usage and improve the Service. Marketing, advertising or third-party tracking cookies must not be activated unless valid consent is obtained where consent is required. Users must be able to withdraw or change non-essential cookie choices. Where GDPR/ePrivacy or similar rules apply, non-essential cookies should be blocked before consent, and consent must be freely given, specific, informed and unambiguous. Where U.S. privacy laws such as CCPA/CPRA apply, PLUTVO should provide required notices and honor applicable opt-out, sale/share and sensitive-information choices. PLUTVO does not use cookies to sell personal data.

Data Processing Agreement / DPA

Where PLUTVO processes personal data on behalf of a Customer, the Customer acts as Controller or equivalent responsible party and PLUTVO acts as Processor or service provider for Customer-controlled personal data, unless a signed DPA, order form or master agreement states otherwise. PLUTVO will process personal data only on documented instructions from the Customer, including with respect to transfers, unless required by law. PLUTVO will ensure confidentiality, implement appropriate technical and organizational measures, assist with data-subject rights requests, assist with data-protection impact assessments and regulator consultations where required, and notify the Customer without undue delay after becoming aware of a personal-data breach affecting Customer data. The DPA should define the subject matter, duration, nature and purpose of processing, types of personal data, categories of data subjects, Customer rights and duties, confidentiality, security, subprocessors, international transfers, deletion or return of data, audit information and termination procedures. Subprocessors may be used only under a written authorization mechanism and must be bound by substantially equivalent data-protection duties.

Subprocessors

PLUTVO may use carefully selected subprocessors only where needed to operate the service, such as secure hosting, email delivery, logging and monitoring, storage and backup, support tools, and optional media processing when video questions are enabled. PLUTVO should maintain an up-to-date subprocessor list for customers, apply contractual confidentiality and security obligations, and notify customers of material changes where required by the DPA. Do not list a vendor publicly unless the vendor is actually used in production.

Subprocessor categories

Secure hosting and infrastructure
Email delivery and transactional messages
Logging, monitoring and abuse prevention
Storage, backup and recovery
Customer support tools
Optional media processing for video questions

Security Statement

PLUTVO applies a layered security approach: HTTPS, access control, role-based permissions, secure session handling, audit logs, least-privilege access, controlled file access, protected assessment links, backups, monitoring and separation between customer environments where technically implemented. Sensitive reports should be available only to authorized users. Security controls are reviewed as the product evolves and should be supported by customer-side access governance.

Accessibility Statement

PLUTVO aims to provide accessible digital services and to improve usability for people with disabilities. The target standard is WCAG Level AA where applicable. The site should support semantic structure, keyboard navigation, readable contrast, clear focus states, alternative text for meaningful images and accessible forms. If you experience an accessibility issue, contact support@plutvo.com and include the page URL, browser, assistive technology if any, and a short description of the issue.

Data Subject & Customer Rights

Depending on the applicable law and the person’s role, individuals may have rights to receive notice, access their personal data, obtain a copy, correct inaccurate data, request deletion, restrict or object to processing, withdraw consent where consent is the basis, request portability, limit the use or disclosure of sensitive personal information where applicable, opt out of sale or sharing where applicable, and lodge a complaint with a competent authority. For Israel-related processing, individuals should be informed whether they are legally required to provide information or whether provision is voluntary, the purpose of the collection, who may receive the information, and the consequences of not providing it where relevant. Individuals may also have rights to inspect and request correction of information held in a database, subject to legal limits. For U.S.-related processing, rights vary by state and by service type. Where background reports or consumer reports are used for employment purposes, the Customer may have duties to provide written notice, obtain written authorization, give pre-adverse and adverse-action notices, allow dispute rights and apply equal-treatment rules. PLUTVO does not sell personal data and will assist Customers with valid privacy requests according to the agreement, DPA and applicable law. Because PLUTVO usually acts as Processor for Customer-controlled assessment content, candidates and employees should generally direct requests about assessment content, scores, reports, deletion or correction to the organization that invited them to complete the assessment.

Russia / Federal Law No. 152-FZ

For processing involving personal data of Russian citizens, customers should assess requirements under Russian Federal Law No. 152-FZ “On Personal Data” and related localization rules. This may include: identifying the lawful basis for processing; providing clear notices to data subjects; obtaining consent where required; maintaining an operator privacy policy; notifying or registering with Roskomnadzor where required; defining processing purposes and data categories; applying data minimization and purpose limitation; implementing technical and organizational security measures; managing data-subject rights; documenting processors and subprocessors; assessing cross-border transfers; and meeting Russian data-localization requirements. Russian law may require that the initial recording, systematization, accumulation, storage, updating and retrieval of personal data of Russian citizens be performed using databases located in the Russian Federation. Customers are responsible for confirming whether these rules apply to their use case and whether a Russia-based deployment, local database, local hosting provider, local consent form or additional contractual arrangement is required. PLUTVO should not be used to process personal data of Russian citizens in a manner that violates applicable Russian personal-data, employment, background-check or data-localization law.

Russia deployment checklist

Before offering the service for Russian citizens, PLUTVO and the customer should confirm: Russian-localized primary database or hosting where required; Roskomnadzor notification/registration obligations; Russian-language privacy notice and consent forms; separate consent for sensitive, biometric, video/audio or distribution-related processing where required; documented cross-border transfer assessment and notification where required; breach and incident response procedures; data-subject request workflow; retention and deletion rules; and local legal review for employment screening and background checks.

Compliance contact

For privacy, DPA, security or accessibility requests, contact:

Privacy / DPO: dpo@plutvo.com
Support: support@plutvo.com
We aim to review valid requests within 30 days, unless a different legal period applies.
