Legal

Privacy Policy

Viva Proof, Inc. · Last updated: June 2026 · Applies globally to all institutions and users

This Privacy Policy explains how Viva Proof, Inc. ("Viva," "we," "us") collects, uses, and protects personal data when you use the Viva oral-assessment platform at vivaproof.com.

1. Who We Are

Viva Proof, Inc. is a Delaware-incorporated company that operates the Viva AI oral-assessment platform, serving educational institutions globally.

Contact us: privacy@vivaproof.com
120 Kingston Street, Unit 909, Boston, MA 02111, USA
UK/EU Representative: to be appointed (for enquiries, contact privacy@vivaproof.com)

2. Our Role: Controller vs. Processor

Viva acts as a data processor for student data. The school or university is the data controller for all student-related personal data. Viva processes student data only on the school’s instructions, under a Data Processing Agreement.

Viva acts as a data controller for its own business data (accounts, billing, analytics).

3. Data We Collect and Why

A. Student Data (Viva as Processor, on behalf of your school)

Type of DataPurposeLegal BasisRetention
Name, school email, class detailsAccount creation; assessmentsSchool instructionPer school contract
Submitted work (assignments, essays)Generating interview questions; gradingSchool instructionPer school contract
Voice recording (oral interview)Transcription; teacher review; identity checkSchool instruction; explicit consent for biometric useDeleted within 30 days of session
Interview transcriptAI grading; teacher review; student feedbackSchool instructionContract term + 1 year
AI-suggested grade and teacher gradeAcademic record; feedbackSchool instructionContract term + 1 year
Session metadata (timestamps, duration)Operational monitoringSchool instructionContract term + 1 year
Voiceprint (optional, consent-required)Identity verification onlyExplicit consent obtained by school90 days after contract end, or on request

B. Teacher / Administrator Data (Viva as Controller)

Type of DataPurposeRetention
Name, email, role, login credentialsAccount management; service deliveryAccount lifetime; deleted within 90 days of account closure

C. Website Visitor Data (Viva as Controller)

Type of DataPurposeRetention
IP address, browser type, pages visitedWebsite security; analyticsPer analytics provider settings (see Cookie Policy)

D. Billing Data (Viva as Controller)

Type of DataPurposeRetention
Institution billing contact; usage metricsInvoicing; account managementPer applicable tax/accounting requirements

Viva does not store payment card data. Card processing is handled by Stripe.

4. How We Use Your Data

We use personal data to:

  • Provide and operate the Viva platform
  • Generate personalised interview questions and AI-suggested grades
  • Support teacher review, feedback delivery, and classroom management
  • Detect and flag potential academic integrity issues (advisory only — a teacher always reviews)
  • Maintain platform security
  • Send transactional service emails (assessment reminders, account notifications)
  • Improve the platform (only with explicit permission from your school)
  • Comply with legal obligations

We do not use personal data for advertising, sell data to third parties, or train AI models without an explicit grant from your school.

5. Who We Share Data With

Your school. Teachers and authorised administrators can see student data, including the audio recording of a student's oral interview (accessible within the platform for up to 30 days, for assessment purposes only).

Subprocessors. We engage trusted third-party service providers to operate the Platform. Subprocessors are primarily based in the United States; Supabase and PostHog each offer EU/UK data residency options. Each subprocessor is bound by a written data processing agreement. Our current subprocessors are:

ProviderRoleLocationSOC 2
SupabaseDatabase, authentication, file storageUS / EU-UK availableType II ✓
VercelApplication hostingUSType II ✓
Anthropic (Claude)AI grading and question generation (zero-retention API)USType II ✓
ElevenLabsLive voice interview agent (audio not retained after session)USType II ✓
RenderVoice-identity / speaker-verification microserviceUSType II ✓
ResendTransactional emailUSType II ✓
SentryError monitoring (PII scrubbed before logging)USType II ✓
MicrosoftOffice document viewer (.docx / .pptx preview)USType II ✓
PostHogProduct analytics (consent-gated in EEA/UK)US / EUType II ✓
StripeBilling (Viva does not store card data)USType II ✓

Google Gemini. Viva uses Google Gemini to generate non-personalised platform assets (anti-cheat diagram images). No student or user personal data is transmitted to Google in connection with this use. Google is therefore not acting as a subprocessor in respect of personal data under this Privacy Policy.

Slack. Viva uses Slack for internal operational alerting (system health, usage metrics, and de-identified product-feedback summaries). No Student Data or other personal data is transmitted to Slack, so Slack is not acting as a subprocessor of personal data under this Privacy Policy.

Legal authorities. We may disclose data if required by law, court order, or regulatory authority.

We do not sell or commercially exploit personal data.

6. International Transfers

Viva is based in the United States. When student data is transferred to Viva or its subprocessors from outside the US, we ensure such transfers comply with applicable law in your jurisdiction.

For institutions in the EEA and UK, transfers are protected by EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (IDTA), with supplementary measures (encryption, access controls, data minimisation).

For institutions in jurisdictions with specific cross-border data transfer requirements, including (but not limited to) the Republic of Korea under PIPA Article 28-8, the EEA under EU GDPR Article 46, and others, Viva works with the institution to put appropriate transfer mechanisms in place. Where required, a jurisdiction-specific addendum to the Data Processing Agreement is executed alongside the Master Service Agreement.

For a copy of the transfer documentation applicable to your jurisdiction, or to request in-region data residency where available, contact privacy@vivaproof.com.

7. Your Rights

Depending on where you live, you may have the right to:

  • Access — request a copy of the data we hold about you
  • Correction — request correction of inaccurate data
  • Deletion ("Right to be Forgotten") — request deletion of your data, subject to your school's legal record-keeping requirements
  • Restriction — ask us to limit how we process your data
  • Portability — receive your data in a structured, machine-readable format
  • Object — object to processing based on legitimate interests
  • No automated decision-making — Viva does not make final grading decisions automatically; a teacher always reviews

For students: please contact your school first. They are the data controller and will liaise with Viva on your behalf.

For parents/guardians: if your child is below the age requiring additional consent where you live (see Section 8), contact your child's school.

To exercise rights directly: privacy@vivaproof.com

You may also have the right to complain to your local data protection supervisory authority, for example:

  • EEA: your national Data Protection Authority (edpb.europa.eu for a list)
  • UK: Information Commissioner’s Office (ico.org.uk)
  • US: Federal Trade Commission (ftc.gov)
  • Korea: Personal Information Protection Commission (pipc.go.kr)
  • Other jurisdictions: contact your national data protection authority

8. Children’s Privacy

The platform is designed for students aged 14 and older.

Schools are responsible for obtaining any additional consent required under applicable law for younger students. Requirements vary by jurisdiction, for example:

  • Under 13 (US COPPA / UK GDPR): Schools are responsible for obtaining verifiable parental consent before enrolling students under 13.
  • Under 14 (Korea PIPA): Where a school enrols students under 14, the school is responsible for obtaining legal guardian consent before their data is processed.
  • Under 16 (some EU member states): School-specific consent rules may apply.

If you believe a child's data has been collected in error, contact privacy@vivaproof.com immediately.

9. Security

We protect your data with:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Per-school tenant isolation via row-level database security
  • Least-privilege access controls and audit logging
  • Automated vulnerability scanning
  • Breach notification to affected schools within 72 hours of becoming aware

No system is perfectly secure. If you discover a security issue, please report it to privacy@vivaproof.com.

10. Cookies

We use cookies on our website. See our Cookie Policy for details. For EEA/UK visitors, non-essential cookies are placed only with your consent via the cookie banner.

11. Changes to This Policy

We may update this policy from time to time. We will notify institutions of material changes by email at least 30 days before they take effect and will update the "Last updated" date above.

12. Contact Us

privacy@vivaproof.com
Viva Proof, Inc., 120 Kingston Street, Unit 909, Boston, MA 02111, USA
vivaproof.com