Privacy notice
How 2Prune handles personal data.
This notice describes 2Prune's data practices for customers, authorized users, assessment participants, and website visitors.
Version 2026-07-12. Effective July 12, 2026.
2Prune, operated by PRUNE PTE. LTD. (UEN: [UEN TO BE INSERTED]). Legal, privacy, and data-protection notices may be sent to hello@2prune.com.
1. Scope and responsibility
This notice applies when 2Prune determines why and how personal data is processed. When a customer administers an assessment, the customer ordinarily determines the assessment purpose and 2Prune processes participant data for that customer. The customer's privacy notice and instructions may also apply.
2Prune remains responsible for account administration, security, service telemetry, support, billing, direct communications, and other processing for which 2Prune determines the purpose.
2. Data we collect
Identity and account data: name, email, organization, role, authentication identifiers, account status, and preferences.
Assessment data: invitations, assessment materials, instructions, submissions, notes, messages, saved sources, checklist state, calculations, scores, reports, risks, and customer review activity.
Workspace activity: opened documents and messages, tool usage, AI prompts and responses, research activity, edits, revisions, navigation events, timestamps, submission events, and integrity or operational-risk signals.
Technical and support data: IP address, browser and device information, session and request metadata, diagnostic records, security events, integration data, and communications with 2Prune.
Inferences: assessment scores, pillar-level observations, evidence strength, score confidence, benchmark comparisons, calibration notes, and other analysis derived from assessment data.
3. Sources
We receive data from you, the customer administering an assessment, authorized workspace users, your use of the service, connected service providers, and publicly available sources used in the research sandbox. Customers are responsible for lawfully providing participant data and required notices before inviting a participant.
4. Purposes and legal grounds
We process data to provide and administer assessments; authenticate users; generate submissions, scores, and reports; provide AI and research features; maintain integrity and security; prevent misuse; support users; bill customers; comply with law; establish or defend claims; and improve reliability and service quality.
Depending on the jurisdiction and context, processing is based on performance of a contract, steps requested before a contract, legitimate interests, compliance with law, customer instructions, consent where required, or another lawful basis. 2Prune will not rely on consent where the law requires a different or more appropriate basis.
Our legitimate interests include operating and securing the service, supporting customers, improving assessment quality, preventing fraud and misconduct, and developing de-identified analytics and benchmarks. We balance those interests against individual rights and expectations.
5. Assessment scoring and human decisions
2Prune may use rules, statistical methods, and AI-assisted analysis to create assessment scores, observations, and reports. Those outputs can evaluate aspects of work performance, but 2Prune does not itself make an employment or other legally significant decision.
Customers must provide meaningful human review where required and remain responsible for decisions made using assessment evidence. Where applicable law provides rights concerning automated decisions, explanations, objections, or human review, requests may be directed to the customer or to 2Prune for routing.
6. How we disclose data
We may disclose data to the customer administering the assessment; authorized users; infrastructure, hosting, database, AI, communications, analytics, and support providers; professional advisers; auditors; insurers; financing or transaction counterparties under confidentiality; and authorities or other parties where required to comply with law, protect rights, investigate abuse, or secure the service.
A current provider overview is available on our Subprocessors page. We do not sell personal data for money. If a jurisdiction treats particular advertising or cross-context disclosures as a sale or share, 2Prune will provide any legally required notice and opt-out mechanism before engaging in that activity.
7. International transfers
2Prune operates from Singapore and uses providers that may process data in other countries. We use contractual, organizational, and technical measures intended to provide protection comparable to Singapore's PDPA and, where applicable, recognized transfer mechanisms such as standard contractual clauses. Local authorities may have lawful access rights in those countries.
8. Retention
We retain personal data only while needed for the stated purpose, customer instructions, security, dispute resolution, legal compliance, backup cycles, or another legitimate business purpose. Retention depends on the data type, contract, assessment lifecycle, sensitivity, and legal requirements.
Assessment records are generally retained for the customer's configured service period and a limited period afterward for export, recovery, disputes, and compliance. Security and audit records may be retained longer where needed to investigate incidents or demonstrate integrity. Data may persist in protected backups until scheduled deletion. De-identified information may be retained without a fixed period where lawful.
9. Security
We use administrative, technical, and organizational safeguards designed for the nature of the data and service. No system is completely secure. See our Security page for current practices and reporting guidance.
10. Your rights
Rights vary by location and role. They may include notice, access, correction, deletion, restriction, portability, withdrawal of consent, objection, appeal, human review, and complaint to a regulator. These rights can be limited by exceptions for evaluative material, legal claims, security, another person's rights, or other grounds provided by law.
Singapore residents may request access to personal data under 2Prune's possession or control and information about use or disclosure during the preceding year, and may request correction, subject to PDPA exceptions. Consent may be withdrawn with reasonable notice, but withdrawal may prevent continued service use and does not affect prior lawful processing.
EEA and UK residents may have additional rights under applicable data-protection law. California residents may have rights to know, delete, correct, limit certain sensitive-data uses, opt out of sale or sharing, and receive non-discriminatory treatment, where the relevant law applies to 2Prune.
11. Exercising rights
Submit a privacy request with your name, email, relationship to 2Prune, and request type. We may verify identity, request authorization for an agent, deny or limit a request where law permits, and retain a record of the request. If 2Prune processes data only for a customer, we may direct the request to that customer and assist it as required.
You may complain to the Personal Data Protection Commission of Singapore or another competent regulator. Please contact us first so we can investigate.
12. Cookies and communications
2Prune uses cookies and similar storage needed for authentication, session continuity, security, preferences, and core service operation. We will request consent before using non-essential cookies where required. You can unsubscribe from marketing messages, but we may still send service, security, assessment, and legal communications.
13. Children
2Prune is not directed to children. Customers must not invite anyone under 18, or under the applicable age of legal majority, without first entering a written arrangement with 2Prune that addresses authorization, notices, consent, and additional safeguards.
14. Changes and contact
We may update this notice to reflect changes in law, providers, or the service. Material changes will be communicated through the service, email, or another reasonable method and will state a new effective date.
The Data Protection Officer for PRUNE PTE. LTD. can be contacted at hello@2prune.com. This address also accepts privacy requests, complaints, and questions about this notice.