Privacy Policy

Constructive FZE, a Dubai Free Zone Establishment registered in the United Arab Emirates ("Constructive FZE", "we", "us"), operates Survyr at survyr.ai (the "Service"). This Privacy Policy explains what personal data we collect, how we use and store it, who we share it with, and the rights you have over it.

We comply with the UK General Data Protection Regulation (UK GDPR), the UAE Federal Decree Law No. 45 of 2021 on the Protection of Personal Data, and the DIFC Data Protection Law No. 5 of 2020, to the extent each applies to your use of the Service.

Constructive FZE is the data controller for personal data processed through the Service. Contact us at privacy@survyr.ai for any data protection query.

We collect the following categories of personal data:

• Account data: email address, first name, last name, and password. Your password is stored as a one-way hash. We never see or hold it in readable form.
• Profile data: career stage, assessment route, RICS pathway, region, selected competencies and their levels, enrolment date, target assessment session, plus optional fields such as employer name, counsellor name, and supervisor name.
• Content data (Supabase): diary entries, case study drafts, summary of experience, CPD records, AI coaching conversation history, mock interview transcripts, presentation scripts, question bank progress, bookmarks, evidence portfolio entries, senior professional profile, counsellor relationships and document signoffs, submission planner items, and uploaded appendix files.
• Local device data (browser storage): to keep the app responsive we cache working state in your browser's localStorage. Categories cached locally include onboarding progress, diary drafts, mock interview state, senior professional profile drafts, evidence portfolio drafts, streak data, summary of experience drafts, presentation history, counsellor meeting notes, submission checklist progress, spaced-repetition state, question bookmarks, notification preferences, tier overrides, and your cookie notice preference. This data stays on your device and is mirrored to your Survyr account where relevant; clearing browser storage will remove the local copy but not the server copy.
• Usage data: sign-in frequency, feature usage, pages visited, quiz results, and session length.
• Technical data: browser type, device type, IP address, and operating system.
• Payment data: subscription plan, billing dates, invoice history. Payment card details are handled directly by Stripe and are never stored on our servers.
• Communication data: support requests, email preferences, and any correspondence with us.

We process your personal data for the following purposes:

• Provide and personalise the Service (lawful basis: contract).
• Process payments (contract).
• Send transactional emails: account confirmation, password reset, billing notices (contract).
• Send onboarding and engagement emails: study nudges, feature tips (legitimate interest; you can opt out at any time).
• Send marketing emails: newsletters and feature announcements are sent only to accounts that have opted in. If a marketing opt-in is not collected at sign-up, the only emails we send are operational and transactional (lawful basis: contract for those; consent only where you have explicitly opted in).
• Improve the Service through anonymised usage analytics (legitimate interest).
• Comply with legal obligations including tax, accounting, and regulatory requirements (legal obligation).
• Protect the security of the Service and prevent fraud (legitimate interest).

When you use Survyr AI features, the text of your messages and any context the feature attaches (for example, the competency you are practising) is sent to Anthropic's API for processing. Anthropic's commercial API terms state that customer data is not used to train their models.

When you use voice-enabled features (mock interview, presentation rehearsal, and spoken-answer practice in the question bank), your microphone audio is streamed to Deepgram for real-time speech-to-text transcription. Audio is processed in real time and is not stored permanently by Survyr. Deepgram processes the audio under their standard service terms; we do not authorise Deepgram to use this audio for model training.

When the panel speaks back to you (mock interview voices, presentation feedback, and Survyr AI voice replies), the text we want spoken is sent to Deepgram for text-to-speech synthesis. The synthesised audio is streamed back to your browser and not stored by Survyr.

Lawful basis for AI processing (Anthropic and Deepgram): performance of contract under UK GDPR Article 6(1)(b), as voice and AI coaching are core features of the paid Service.

AI conversation history is stored in your Survyr account so you can review past sessions. You can delete any AI conversation from the app at any time.

We share personal data only with the processors we need to run the Service:

• Supabase: database hosting and authentication. Processes account and content data.
• Anthropic: AI model provider. Processes the text you send to AI coaching features.
• Stripe: payment processing. Processes your payment information.
• Resend: email delivery. Processes your email address and name for transactional and marketing emails.
• Deepgram: real-time speech-to-text for voice-enabled features (mock interview, presentation rehearsal, spoken-answer question practice) and text-to-speech for the voices used in those features and in Survyr AI voice replies.
• Vercel: web hosting. Processes technical data (IP address, browser).

We do not sell your personal data to any third party. We do not share your Content (diary entries, case study drafts, summary of experience, CPD records) with any third party unless required to do so by law, regulation, or legally binding court order.

Your personal data may be transferred to and processed in countries outside the UAE, including the United States (Supabase, Anthropic, Stripe, Vercel, Deepgram, Resend) and the European Union.

Where we transfer personal data outside the UK or the European Economic Area we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, executed with each processor (UK GDPR Article 46). Where a destination country has received a UK adequacy decision, the transfer relies on that decision. We do not rely on user consent (Article 49) as a routine transfer mechanism.

• Active accounts: personal data is retained while your account is active.
• Deleted accounts: personal data is permanently deleted within 30 days of account closure. Anonymised usage data may be retained for analytics.
• AI conversations: retained for 12 months for your reference and for quality improvement, then deleted. You can delete any conversation at any time.
• Payment records: retained for 7 years as required by UAE tax and accounting regulations.
• Support correspondence: retained for 3 years after the last interaction.

Subject to applicable law you have the following rights:

• Right of access: request a copy of the personal data we hold about you.
• Right to rectification: ask us to correct inaccurate or incomplete data.
• Right to erasure: request deletion of your personal data.
• Right to data portability: receive your data in a common machine-readable format.
• Right to restrict processing: limit how we use your data in certain circumstances.
• Right to object: object to processing based on legitimate interest, including direct marketing.
• Right to withdraw consent: withdraw consent for marketing emails at any time.

To exercise any of these rights email privacy@survyr.ai. We will respond within 30 days. We may ask you to verify your identity before acting on a request.

Survyr uses essential cookies for authentication and session management only. We do not currently use analytics or marketing cookies. Full detail is set out in our Cookie Policy.

Survyr is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child we will delete it promptly. If you believe a child has provided personal data to us, contact privacy@survyr.ai.

• All data in transit is protected by HTTPS (TLS).
• Passwords are stored as one-way hashes. We cannot see or recover your password.
• Database access is protected by Row Level Security. Users can only read and write their own data.
• API keys and secrets are stored in Supabase Vault and are never exposed to the frontend.
• We conduct regular reviews of our infrastructure and dependencies.

No system is completely secure. If a data breach occurs we will notify affected users and the relevant supervisory authority in accordance with applicable law.

We may update this Privacy Policy from time to time. Material changes will be notified by email to active subscribers. The current version is always available at survyr.ai/privacy.

If you are unsatisfied with how we have handled your personal data, please contact us first at privacy@survyr.ai so we can try to put it right.

UK users: under Article 77 of the UK GDPR and the Data Protection Act 2018 you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint or by calling 0303 123 1113.

UAE users: you may lodge a complaint with the UAE Data Office at u.ae/.../uae-data-office.

Constructive FZE
Dubai, United Arab Emirates
Email: privacy@survyr.ai