Privacy Policy

Effective Date: May 9, 2026 | Version: 4.2 | Last Updated: May 9, 2026

1. Who We Are & Regulatory Framework

1.1 Legal Basis and Authority

This Privacy Policy is established by TraitTune, Inc. (“TraitTune,” “we,” “us”) in compliance with global data protection law. We apply GDPR as our baseline standard for all users worldwide.

a) United States Federal Laws:

  • California Consumer Privacy Act (CCPA)
  • California Privacy Rights Act (CPRA)
  • Children’s Online Privacy Protection Act (COPPA)
  • Federal Trade Commission Act
  • Electronic Communications Privacy Act
  • Stored Communications Act
  • Computer Fraud and Abuse Act

b) European Union Regulations:

  • General Data Protection Regulation (GDPR)
  • ePrivacy Directive
  • Data Protection Directive
  • Network and Information Security Directive

1.2 Sanctions Compliance Notice

TraitTune is not available to persons or entities located in jurisdictions subject to (a) U.S. Department of the Treasury Office of Foreign Assets Control (OFAC) comprehensive sanctions — Crimea Region of Ukraine, Cuba, Iran, North Korea, Syria, and the Donetsk (DNR) and Luhansk (LNR) regions; (b) sectoral OFAC programs and broader U.S./EU/UK restrictive measures we apply by business decision — Russia and Belarus; and (c) jurisdictions where on-the-ground operations make platform availability inappropriate — Afghanistan and Myanmar. Access from these locations is blocked at the network level.

2. Information We Collect

2.1 Direct User-Provided Information

Account Information:

  • Full legal name, email address, professional title
  • Company affiliation, industry sector, geographic location
  • Professional background, educational history, career objectives
  • Team role preferences, development goals, specialized skills

Assessment Responses:

  • Psychometric test answers and behavioral questionnaires
  • Personality assessments and cognitive evaluations
  • Skills assessments and performance metrics
  • Voice recordings during conversational assessments

2.2 Automatically Collected Information

Technical Data:

  • Device information and specifications
  • IP addresses and network data
  • Browser configuration and settings
  • Operating system details

Usage Analytics:

  • Session duration and feature usage
  • Navigation patterns and tool preferences
  • Assessment completion metrics
  • Response patterns and engagement levels

3. Legal Basis for Processing

Special Category Data — Explicit Consent Required

Your psychometric assessment data is classified as special category data under GDPR Article 9. We can only process it with your explicit, recorded consent. At signup you will be asked to confirm your agreement before any assessment begins.

3.1 Explicit Consent (GDPR Article 9(2)(a))

  • Required: Explicit consent is the legal basis for processing psychometric data
  • Granular: Core assessment consent is required; AI analysis and analytics are optional
  • Revocable: Withdraw consent anytime — we cease processing and delete data
  • Audited: Every consent event is logged with timestamp, IP, and version

3.2 Retroactive Consent — Existing Participants

If you participated in our 2025–2026 contest, you have not yet provided explicit consent under current regulations. In April 2026 we will contact you to request consent or offer to delete your data. You will have 30 days to respond.

3.3 Core Service Provision

  • Conduct personality and skills assessments
  • Generate personalized insights and recommendations
  • Provide assessment results and reports
  • Support your account and technical access

4. Your Privacy Rights

4.1 Universal Rights

  • Right to Access: Request copies of your personal data
  • Right to Correction: Update inaccurate or incomplete data
  • Right to Deletion: Request removal of your personal data
  • Right to Portability: Receive your data in a structured format (JSON/CSV), free of charge, within 30 days

4.2 GDPR Rights (EU/EEA Residents)

  • Right to erasure (“right to be forgotten”): Request complete deletion of your account and all associated psychometric data. We will action within 30 days and confirm in writing.
  • Right to restrict processing: Ask us to pause processing while a dispute is resolved
  • Right to object: Object to processing based on legitimate interests
  • Right not to be subject to automated decisions: Request human review of any automated personality profiling outputs
  • Right to withdraw consent: Withdraw at any time; withdrawal does not affect lawfulness of prior processing

To exercise GDPR rights, email privacy@traittune.com with subject “GDPR Rights Request”. We respond within 30 days; complex requests may extend to 90 days with notice.

4.3 CCPA / CPRA Rights (California Residents)

We Do Not Sell or Share Your Personal Information

TraitTune does not sell, rent, or share your personal information or psychometric data to third parties for their own marketing or commercial purposes.

Category                        | Examples                                                        | Sold/Shared?
Identifiers                     | Name, email, account ID                                         | No
Professional information        | Job title, company, industry                                    | No
Psychometric / assessment data  | Personality responses, behavioral patterns, cognitive scores    | No
Internet activity               | Pages viewed, feature usage (anonymized)                        | No
Device / technical data         | IP address, browser type, OS                                    | No
Commercial information          | Subscription plan, payment token                                | No

Global Privacy Control (GPC)

We honor Global Privacy Control signals. If your browser sends GPC, we treat it as an opt-out of any data sharing or sale, even though no sale or sharing is taking place.

See Do Not Sell or Share My Personal Information for the standalone disclosure.

To submit a CCPA request, email privacy@traittune.com with subject “CCPA Rights Request”, or call +1 (347) 667-9624. We respond within 45 days.

5. Data Security

Technical Measures:

  • AES-256 encryption for data at rest
  • TLS 1.3 protocols for data in transit
  • Multi-factor authentication systems
  • 24/7 security monitoring and threat detection

Organizational Controls:

  • Role-based access controls
  • Regular security training for staff
  • Incident response procedures
  • Security controls aligned to ISO 27001 / SOC 2 principles (formal third-party attestation in progress)

6. Data Processors & Sub-processors

We do not sell your data. TraitTune is the controller for your psychometric and account data. The vendors below act as processors under our instruction (GDPR Art. 28) — each is bound by a Data Processing Agreement with Standard Contractual Clauses. Stripe is listed separately because, for payment-card data it collects directly during checkout, Stripe acts as an independent controller under its own privacy notice (GDPR Art. 26).

Processors (acting on TraitTune's instruction):

Supabase — Database, authentication, storage

All user data, including account profile and assessment responses. Region: EU (Frankfurt). Row-Level Security enforced. DPA + SCCs. Privacy: https://supabase.com/privacy

AWS Bedrock — LLM inference

Open-text responses sent to Anthropic Claude models for personality interpretation. Region: US (us-east-1). Bedrock does not retain prompts and is not used for model training. DPA + SCCs via AWS. Privacy: https://aws.amazon.com/privacy/

AWS SES — Transactional email delivery

Outbound transactional email (signup, password reset, results). Region: US (us-east-1). Recipient address only; email content is generated by us. DPA + SCCs via AWS. Privacy: https://aws.amazon.com/privacy/

AWS (RUM, Lambda, API Gateway, ECR) — Application runtime & analytics

Adaptive psychometric engine, request routing, real-user monitoring (page-load metrics, JS errors, anonymized session traces). Region: US (us-east-1). DPA + SCCs via AWS. Privacy: https://aws.amazon.com/privacy/

Sentry — Error tracking & session replay

Stack traces, release health, session replay (DOM-text and IP scrubbed before send). Region: US (traittune.sentry.io). PII scrubbing rules enforced org-wide. DPA + SCCs. Privacy: https://sentry.io/privacy/

PostHog — Product analytics (optional, separate consent)

Pseudonymized product-usage events for funnel and retention analysis. Region: US (us.i.posthog.com). Only activated after explicit analytics consent. DPA + SCCs. Privacy: https://posthog.com/privacy

Independent controllers (acting on their own legal basis):

Stripe — Payment processing

Card details and billing address are submitted directly to Stripe via Stripe Elements; we never see or store the raw card number — only a payment token. PCI-DSS Level 1 certified. Region: Global (Stripe-managed). For card data, Stripe is an independent controller and processes under its own privacy notice. Privacy: https://stripe.com/privacy

7. Cookies & Tracking Technologies

Type                 | Purpose                                                      | Consent Required?
Strictly Necessary   | Authentication session, security tokens, CSRF protection     | No — essential
Functional           | Language preference, assessment progress, UI state           | No — required
Analytics            | Google Analytics 4, PostHog — usage patterns                 | Yes — opt-in
Marketing            | UTM campaign tracking                                        | Yes — opt-in

8. International Data Transfers

  • Standard Contractual Clauses approved by regulatory authorities
  • Adequacy decisions for data transfers to approved countries
  • Technical and organizational measures to protect data
  • Regular compliance monitoring and audits

9. Data Retention & Deletion

  • Active accounts: Duration of account plus 30 days after closure
  • Psychometric data: Up to 5 years from collection date, or until you request deletion
  • Transaction records: 7 years for payment information (legal/tax obligation)
  • Server logs: 90 days

How to Request Data Deletion

  1. Email privacy@traittune.com with subject “Data Deletion Request”
  2. Include your registered email address and account ID
  3. We verify identity and confirm receipt within 5 business days
  4. Deletion completed within 30 days (GDPR) / 45 days (CCPA)
  5. Written confirmation when deletion is complete

10. Children’s Privacy (COPPA Compliance)

TraitTune is designed for users aged 18 and above.

  • Under 13: We do not knowingly collect data. Contact privacy@traittune.com to request deletion.
  • Ages 13–17: Parental/guardian consent required. Enhanced protections apply.
  • Ages 18+: May use TraitTune independently.

11. Policy Updates

We may update this Privacy Policy from time to time. We will notify you of any material changes at least 30 days in advance through email notifications, platform announcements, and website updates.

12. Contact Information

TraitTune Privacy Office

1007 N Orange St, 4th Floor 3460

Wilmington, Delaware 19801

United States

Email: privacy@traittune.com

Phone: +1 (347) 667-9624

Security Issues: security@traittune.com

Data Protection Officer (DPO)

Per GDPR Article 37, TraitTune has designated a DPO responsible for overseeing compliance with data protection obligations.

DPO Contact: dpo@traittune.com

Subject line: “DPO Inquiry — [Your Name]”

Document Control:

  • Effective Date: May 9, 2026
  • Version: 4.2
  • Document ID: PN-2026-05-V4.2
  • Last Review: May 9, 2026
  • Next Review: August 9, 2026
  • Changes in v4.2: updated the sub-processor list (added AWS Bedrock, AWS SES, AWS RUM, Sentry, PostHog; removed Google Analytics in favor of PostHog), added the GPC clause and the /do-not-sell cross-link in the CCPA section, refined controller/processor terminology (Stripe disclosed as independent controller for card data).