Bisect is an operational engineering assessment platform. Hiring teams ("Customers") use Bisect to invite engineering candidates ("Candidates") into a sandboxed Linux environment, where the Candidate's terminal input, file edits and outcomes are recorded so the Customer can review the session afterwards. This notice explains what personal data we process, why, and what rights you have.
The service operates in two distinct roles:
- For Customer accounts (account owners, reviewers, billing contacts), Bisect is the controller of personal data we collect to provide and bill the service.
- For Candidate sessions, the Customer that invited the Candidate is the controller of the Candidate's session data. Bisect acts as a processor on the Customer's behalf, under our Customer Agreement and Data Processing Addendum.
If you are a Candidate and want to exercise rights over your data, your first point of contact is the Customer that invited you. We will assist them in responding.
We are: [Bisect Legal Entity Name], registered at [registered address]. Contact: privacy@bisect.io.
1. Personal data we collect
When you create or use a Customer account
- Account details: name, work email, password (stored as a salted hash), workspace name.
- Reviewer activity: comments, scores, the Candidates and replays you have viewed.
- Billing information: company name, billing address, VAT number where applicable. Card details are processed by our payment processor; we do not see or store full card numbers.
- Operational logs: IP address, browser/user-agent, timestamps and similar metadata generated when you sign in or use the dashboard.
When you are invited to take a Bisect session
We collect data from two sources: what your Customer provided to invite you (name, email, the role they are assessing) and what the assessment itself records.
A Bisect session captures, server-side:
- Every terminal command, keystroke and shell output, with timestamps.
- Every file you create, open, edit or delete inside the sandbox, including the file contents.
- Browser-side telemetry needed to play the session back: pane focus, scroll position, copy and paste events, idle gaps.
- Network metadata: your IP address, browser/user-agent, approximate location derived from IP.
- Outcome data: which checks passed, time to first signal, total duration, completion state.
Important — please do not enter personal credentials into a session. The sandbox is isolated from your personal accounts and you will never be asked to log in with real credentials. Treat anything you type during a session as something that will be visible to the Customer reviewing your replay.
When you visit our marketing site
We use a small amount of first-party analytics to understand site usage. We store a bisect-theme preference in your browser's localStorage. We do not use third-party advertising cookies.
2. Why we use this data, and the lawful basis
| Purpose | Data | Lawful basis (UK / EU GDPR) |
|---|---|---|
| Provide the assessment service to Customers | Account + session data | Contract |
| Record and play back Candidate sessions for the inviting Customer | Session recordings | Legitimate interest of the Customer in evaluating candidates fairly; the Customer is responsible for obtaining consent or another appropriate basis from the Candidate |
| Bill and prevent fraud | Account + billing + log data | Contract; legitimate interest |
| Keep the platform secure and detect abuse | Logs, IP, telemetry | Legitimate interest |
| Comply with legal obligations | As required | Legal obligation |
| Send service emails (invite, completion, billing) | Email + name | Contract |
| Send product updates to Customer accounts | | Legitimate interest, with opt-out |
We do not sell personal data. We do not use Candidate session content to train machine-learning models.
3. Automated decision-making
Bisect produces signals (timeline markers, rubric scores, outcome checks) that help Customers review a session. Bisect does not automatically reject Candidates and does not produce a binary hire/no-hire decision. The hiring decision is made by the Customer and is subject to the Customer's own employment-law obligations.
4. Who we share data with
- Hosting and infrastructure providers that run the sandboxed VMs and our application: Hetzner Online GmbH (Germany / Finland) and Amazon Web Services EMEA SARL (Ireland, eu-west-1).
- Email delivery provider for invitations and notifications.
- Payment processor for subscription billing.
- Customer personnel of the Customer that invited a Candidate — they can view the Candidate's replay, score and any data the Candidate enters during the session.
- Professional advisers and authorities where we are legally required to disclose data.
- A successor entity in the event of a merger, acquisition or asset transfer, subject to this notice.
A current list of sub-processors is available at docs.bisect.io/legal/subprocessors.
5. International transfers
Our primary infrastructure is located in the European Economic Area. Where data is transferred outside the EEA or UK (for example, to a sub-processor in the United States), we rely on the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, together with appropriate technical safeguards.
6. How long we keep data
| Data | Retention |
|---|---|
| Customer account data | While the account is active, plus 12 months after termination |
| Billing records | 7 years (or as required by tax law) |
| Candidate session recordings | While the inviting Customer's account is active and they have not deleted the session, up to a maximum of 24 months. Customers can shorten this in workspace settings. |
| Server access logs | 90 days |
| Marketing site analytics | 13 months |
Customers may delete a session, a Candidate or an entire workspace from the dashboard, after which we delete it from primary systems within 30 days and from backups within 90 days.
7. How we keep data secure
Each Candidate session runs in an isolated micro-VM that is destroyed after the session ends. Recordings are stored encrypted at rest. Access to production systems requires SSO and is restricted to a small number of staff on a need-to-know basis. We log production access. We use TLS in transit and run regular dependency and vulnerability scans.
No system is perfectly secure. If we ever experience a breach involving your personal data, we will notify you and the relevant authority as required by law.
8. Your rights
Under the UK and EU GDPR you have the right to:
- access the personal data we hold about you;
- correct it if it is inaccurate;
- delete it (subject to legal retention requirements);
- restrict or object to certain processing;
- receive a portable copy where applicable;
- withdraw consent where we rely on it;
- complain to a supervisory authority (in the UK, the ICO; in the EEA, your local DPA).
If you are a Candidate, please first contact the Customer that invited you — they are the controller of your session data. We will assist them. If you are unable to reach them, contact us at privacy@bisect.io and we will help.
If you are a Customer, contact privacy@bisect.io.
We will respond within one month.
9. Cookies and similar technologies
We use only the cookies and storage strictly necessary to operate the service:
- Session cookies for sign-in and CSRF protection.
- A localStorage entry to remember your light/dark theme preference.
- A first-party analytics cookie to count site visits without tracking individuals.
We do not use advertising or cross-site tracking cookies.
10. Children
Bisect is not intended for children under 16. If you believe a child has been invited to Bisect, contact us and we will delete their data.
11. Changes to this notice
We will post any material changes to this notice on this page and, for Customers, by email at least 14 days before they take effect.
12. Contact
privacy@bisect.io
[Bisect Legal Entity Name]
[Registered address]