Privacy Policy

Last updated: 11 May 2026

This policy explains what personal data ProveExperience collects, why we use it, who we share it with, and the rights you have over it. We've written it in plain English — if anything is unclear, contact us.

Who we are

ProveExperience is operated by ProveExperience.com, registered at PO BOX 56723. We are the "controller" of the personal data described below.

For any privacy question, write to privacy@proveexperience.com.

The personal data we collect

We only collect what we need to run the service:

• Account details — email, first/middle/last name, date of birth, gender, country of residence, hashed password.
• Lab work — the answers and files you submit when completing levels.
• Messages — anything you send us via the Contact page.
• Payment references — Stripe session and customer identifiers if you purchase a level. We never see your card details — Stripe handles those directly.
• Operational data — IP address (for rate-limiting and abuse prevention) and standard server logs with anonymised request paths.
• Analytics (only if you consent) — Google Analytics visitor identifiers, with IP anonymisation enabled.

Why we use your data and the legal basis

• To provide your account and certify your experience — legal basis: performance of a contract (UK GDPR Art 6(1)(b)).
• To take payment for level access — legal basis: performance of a contract (Art 6(1)(b)).
• To keep the site secure and prevent abuse (rate-limiting, anti-fraud, audit logs) — legal basis: our legitimate interest (Art 6(1)(f)).
• To confirm your years of experience to employers who contact us — legal basis: performance of a contract with you (Art 6(1)(b)) plus, where applicable, our legitimate interest in providing the reference service you signed up for.
• To send service emails (email confirmation, password reset, admin replies to your Contact messages) — legal basis: performance of a contract (Art 6(1)(b)).
• Google Analytics — legal basis: your consent (Art 6(1)(a)). You can withdraw consent at any time via the Cookie preferences link in the footer.

Who we share data with

We don't sell your data. We use a small number of trusted processors who handle data on our behalf under written contracts:

• Stripe — payment processing. Stripe holds your card details directly; we hold only opaque session and customer references.
• Our email provider — delivers transactional emails (confirmation, password reset, admin notifications).
• Microsoft Azure — hosting and storage.
• Google Analytics — only if you give consent.

We may disclose data when legally required (court order, regulator request), but we'll push back on anything that looks overbroad.

International transfers

Our primary hosting region is Singapore (Microsoft Azure Southeast Asia). Your account data, lab submissions, and operational logs sit there.

Two processors are based in the United States:

• Stripe — for payments. Card data goes directly to Stripe; we never see it.
• Google Analytics — only if you accept analytics cookies.

Cross-border transfers to these services are protected by contractual safeguards (Standard Contractual Clauses or equivalent transfer mechanisms recognised under the data-protection laws of your country). Where regional Stripe entities exist (for example Stripe India for Indian customers), your payment data is handled by that local entity.

How long we keep your data

• Account data — for as long as your account exists, plus 30 days for clean shutdown. Deleted on request.
• Lab submissions — kept while your account exists so we can substantiate the years-of-experience claim to employers. Deleted with the account.
• Contact messages — up to 2 years after the last reply, then deleted.
• Payment records — 7 years, to comply with tax-record requirements (e.g. UK HMRC, India Income Tax Act). The exact period varies by jurisdiction; we use the longest period that applies.
• Operational logs — up to 90 days, then deleted.
• Analytics — subject to Google Analytics' default 2-month event-data retention (configured at the property level).

Your rights

Whichever country you're in, you generally have the rights below. The legal label differs (UK / EU GDPR, India's DPDP Act 2023, Singapore PDPA, Vietnam's Decree 13/2023, etc.) but the substance is similar.

• Access — ask for a copy of the personal data we hold about you.
• Rectify — correct inaccurate data. You can edit most of your profile from your profile page.
• Erase — have your account and personal data deleted (the "right to be forgotten").
• Restrict or object — ask us to stop or limit processing in specific cases.
• Portability — receive your data in a machine-readable format.
• Withdraw consent — turn off analytics any time via the Cookie preferences link in the footer.
• Complain — lodge a complaint with your local data protection authority. Examples:
  • India — Data Protection Board of India (under the DPDP Act 2023).
  • Vietnam — Ministry of Public Security (Cybersecurity & Personal Data Protection).
  • Singapore — Personal Data Protection Commission (PDPC).
  • United Kingdom — Information Commissioner's Office (ico.org.uk).
  • European Union — your country's national data protection authority.

How to exercise your rights

Email privacy@proveexperience.com from the address registered to your account. We respond within 30 days. There's no charge unless requests are repetitive or excessive.

Children

ProveExperience is built for adults entering or progressing in technical careers. We do not knowingly collect personal data from anyone under 16. If you believe a child has signed up, contact us and we'll remove the account.

Cookies

We use cookies in two categories. The banner you see on your first visit lets you decide which ones to allow.

Essential cookies (always on)

These keep the site working. You cannot turn them off without breaking sign-in or anti-fraud protection.

• .AspNetCore.Identity.Application — keeps you signed in.
• .AspNetCore.Antiforgery.* — protects form submissions from CSRF.
• cookieConsent — remembers your cookie choice for one year.

Analytics cookies (only with your consent)

If you accept these, we use Google Analytics to understand which pages help and which don't. We anonymise your IP address before it reaches Google's servers. We never use this data for advertising.

• _ga, _ga_* — Google Analytics visitor IDs (anonymised).

Changing your mind

Use the Cookie preferences link in the footer to re-open the banner at any time. Switching to "Essential only" will stop analytics cookies from being set on subsequent visits.

Changes to this policy

We update this page when our practices change. The "last updated" date at the top tells you when. For material changes that affect your rights we'll send an email and surface a notice on the site.