NOTE: TEMPLATE — REVIEW WITH COUNSEL BEFORE GOING LIVE TO PUBLIC USERS
This document is a structured starting point based on what MVQS Online actually does, not legal advice. Brackets like [COMPANY_NAME] are placeholders to be filled in. A licensed attorney should review and revise before production use with paying customers or EU/UK traffic.
Privacy Policy
Effective date: [EFFECTIVE_DATE]
Summary
MVQS Online is operated by [COMPANY_NAME] and is a software platform for licensed vocational rehabilitation professionals to perform McCroskey Vocational Quotient System analyses. We store account credentials (email and hashed password), professional profile information, and the evaluee case data that evaluators enter on behalf of their clients. Only authenticated and admin-approved users can access the system; no data is shared with third parties for marketing purposes. Data is protected in transit via TLS, and access to stored data is restricted by Postgres row-level security, role-based access control, and optional TOTP multi-factor authentication.
1. Who We Are
[COMPANY_NAME] is the data controller for information processed through MVQS Online.
- Contact email: [CONTACT_EMAIL]
- Mailing address: [MAILING_ADDRESS]
2. What Data We Collect
Account data
When you create an account, we collect your email address and name. Your password is processed by Supabase Auth and stored only as a bcrypt hash — we never store or transmit your plaintext password. If you enroll in multi-factor authentication, a TOTP factor is registered with Supabase Auth.
Profile data
We store your assigned role (admin, evaluator, or viewer), your account status (pending, active, or rejected), and your last-viewed evaluee state so the application can resume where you left off.
Evaluee case data
Evaluators enter case data on behalf of the individuals they are evaluating. This data may include:
- Personal identifiers: full name, date of birth, last four digits of SSN, contact information, and address
- Work and case context: work location, employer, job title, referral reason, diagnosis, and case notes
- Assessment data: standardized test scores, worker trait ratings, work values, and vocational profiles
- Occupation data: DOT codes, ECLR classifications, and job-match results generated by the analysis pipelines
This data is owned by the evaluator (or their organization) and is processed by us solely to provide the analysis service. All evaluee records are isolated by evaluator via row-level security.
Technical data
When an administrator performs a privileged action (such as approving or rejecting a user account, resetting a password, or setting a temporary password), the system records an audit log entry containing: the action type, the acting administrator's user ID and email, the target user's email, a timestamp, and the requesting IP address and user-agent string.
Cookies
We use a single essential session cookie issued by Supabase Auth (cookie name format: sb-<host>-auth-token). This cookie is strictly necessary to keep you signed in; the service cannot function without it. We do not use tracking cookies, advertising cookies, or analytics cookies.
3. How We Use Your Data
- To authenticate your identity and maintain your session
- To enforce role-based access control and the admin-approval gate
- To provide the vocational quantification analysis service
- To generate reports based on evaluee data you have entered
- To maintain an audit log of privileged administrative actions
- To comply with applicable legal obligations
- To detect and respond to security incidents
We do not use your data for marketing, advertising, or profiling.
4. Legal Bases for Processing (GDPR / UK GDPR)
If you are located in the European Economic Area or the United Kingdom, we process your personal data on the following legal bases:
- Contract: Processing your account data and delivering the analysis service is necessary to perform the agreement between you and [COMPANY_NAME].
- Legitimate interests: We maintain an audit log of administrative actions to protect the security and integrity of the platform. Our legitimate interest is overridden only where your fundamental rights require otherwise.
- Legal obligation: We may process and retain data where required by applicable law.
5. Who We Share Data With
We share data only with the sub-processors listed below, solely to the extent necessary to operate the service. We do not sell personal data. We do not share personal data for marketing or advertising purposes.
- Supabase Inc. — Provides authentication (Supabase Auth) and the managed Postgres database. Infrastructure is hosted on Amazon Web Services. Supabase processes credentials, profile data, evaluee case data, and audit log entries on our behalf.
- Railway Corp. — Hosts the Next.js application runtime. Railway processes request/response data in the course of serving the application.
- Cloudflare Inc. — When Turnstile CAPTCHA is enabled, Cloudflare processes client-side signals (browser characteristics, IP address) to assess whether form submissions are human-generated. Cloudflare does not receive evaluee case data.
6. International Data Transfers
Our sub-processors may transfer or store personal data outside the European Economic Area. Where such transfers occur, they are made on the basis of Standard Contractual Clauses (SCCs) approved by the European Commission, or another lawful transfer mechanism recognized under applicable data protection law. For further information about the safeguards in place, contact us at [CONTACT_EMAIL].
7. Data Retention
- Account data: Retained until you request deletion of your account. After deletion, your Supabase Auth record and application profile are removed.
- Evaluee case data: Retained until the controlling evaluator deletes it. You are responsible for managing the retention of case data in accordance with your professional obligations.
- Audit log entries: The audit log is append-only and is retained for [TBD years] to meet compliance and security obligations. Individual log entries cannot be deleted by users.
- Technical data (IP / user-agent in audit log): Retained as part of the audit log record for the same period.
8. Your Rights
Depending on your location and applicable law, you may have the following rights with respect to your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request that inaccurate data be corrected.
- Deletion: Request deletion of your account and associated personal data (subject to our audit-log retention obligations).
- Export / portability: Request your data in a structured, machine-readable format.
- Restriction: Request that we restrict processing of your data in certain circumstances.
- Objection: Object to processing carried out on the basis of legitimate interests.
- Supervisory authority: Lodge a complaint with your local data protection authority.
To exercise any of these rights, contact us at [CONTACT_EMAIL]. We will respond within the timeframe required by applicable law (generally 30 days). Please send formal data requests by post to [MAILING_ADDRESS].
9. Security
We implement the following technical and organizational measures to protect your data:
- TLS encryption for all data in transit
- bcrypt hashing for all passwords (via Supabase Auth)
- Optional TOTP multi-factor authentication
- Role-based access control (admin / evaluator / viewer)
- Admin-approval gate: new accounts cannot access data until approved
- Postgres row-level security on every application table
- Per-evaluee data isolation: evaluee records are accessible only to their creating evaluator and admins
- Append-only audit log for all privileged administrative actions
No method of transmission or storage is 100% secure. If you become aware of a security issue, please contact us immediately at [CONTACT_EMAIL].
10. Children
MVQS Online is a professional software platform not directed to children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently received information from a child, please contact us at [CONTACT_EMAIL] so we can delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the effective date at the top of this page. We encourage you to review this page periodically. Continued use of the service after the effective date of a revised policy constitutes your acceptance of the changes.
12. Contact
Questions or requests regarding this Privacy Policy may be directed to:
- Contact email: [CONTACT_EMAIL]
- Mailing address: [MAILING_ADDRESS]