Effective Date: June 28, 2026 | Version: 4.8 | Last Updated: June 28, 2026
This Privacy Policy is established by TraitTune, Inc. (“TraitTune,” “we,” “us”) in compliance with global data protection law. We apply GDPR as our baseline standard for all users worldwide.
TraitTune is not available to persons or entities located in jurisdictions subject to (a) U.S. Department of the Treasury Office of Foreign Assets Control (OFAC) comprehensive sanctions — Crimea Region of Ukraine, Cuba, Iran, North Korea, Syria, and the Donetsk (DNR) and Luhansk (LNR) regions; (b) sectoral OFAC programs and broader U.S./EU/UK restrictive measures we apply by business decision — Russia and Belarus; and (c) jurisdictions where on-the-ground operations make platform availability inappropriate — Afghanistan and Myanmar. Access from these locations is blocked at the network level.
Because TraitTune is established outside the EU and UK but offers its services to individuals there, we are in the process of designating representatives under Article 27 of the EU GDPR and Article 27 of the UK GDPR. Until that designation is finalised, EU/EEA and UK data subjects, as well as supervisory authorities, may contact us directly at privacy@traittune.com on all matters relating to the processing of their personal data.
EU Representative: Being appointed — in the interim, contact privacy@traittune.com
UK Representative: Being appointed — in the interim, contact privacy@traittune.com
Special Category Data — Explicit Consent Required
Your psychometric assessment data is classified as special category data under GDPR Article 9. We can only process it with your explicit, recorded consent. At signup you will be asked to confirm your agreement before any assessment begins.
To exercise GDPR rights, email privacy@traittune.com with subject “GDPR Rights Request”. We respond within 30 days; complex requests may extend to 90 days with notice.
We Do Not Sell Your Personal Information; Limited Sharing for Advertising Only With Your Consent
TraitTune does not sell, rent, or trade your personal information or psychometric data for money or other valuable consideration. When you give us marketing consent, advertising and analytics partners (TikTok, Reddit; Meta if and when we enable it) receive conversion events — such as that a TraitTune page was viewed, an account was created, or a subscription was started — to measure ad performance and show TraitTune ads to similar audiences. To match these events to an ad click, we may include a one-way SHA-256 hash of your email (a code we cannot reverse back into your address) and, for purchases, a coarse value and currency — never your readable email address. Under CCPA / CPRA this counts as "sharing" for cross-context behavioral advertising and we disclose it here. Your psychometric responses, free-text answers, readable email, and personality scores never leave TraitTune.
| Category | Examples | Sold? | Shared (for advertising)? |
|---|---|---|---|
| Identifiers | Name, account ID; email only as a non-reversible SHA-256 hash | No | Only with your marketing consent |
| Professional information | Job title, company, industry | No | No |
| Psychometric / assessment data | Personality responses, behavioral patterns, cognitive scores | No | Never (these never leave TraitTune) |
| Internet activity | Pages viewed, feature usage (anonymized) | No | Only with your marketing consent |
| Device / technical data | IP address, browser type, OS | No | Only with your marketing consent |
| Commercial information | Subscription plan and payment token (these never leave TraitTune); for a purchase, only a coarse value and currency are shared | No | Only with your marketing consent |
We use your sensitive personal information solely to provide the service you have requested and for no other purpose; we do not use or disclose it to infer characteristics about you. Because our use is limited in this way under California Civil Code §1798.121(d), the CPRA right to limit the use of sensitive personal information does not apply, and we do not provide a separate “Limit the Use of My Sensitive Personal Information” link.
We honor Global Privacy Control signals. If your browser sends a GPC header, we treat it as a hard opt-out of cross-context behavioral advertising — our TikTok and Reddit pixels are disabled even if you previously consented to marketing cookies. Sale of personal information is not affected because no sale takes place.
See Do Not Sell or Share My Personal Information for the standalone disclosure.
To submit a CCPA request, email privacy@traittune.com with subject “CCPA Rights Request”, or call +1 (347) 667-9624. We respond within 45 days.
If a personal data breach occurs, we will respond in line with GDPR Articles 33 and 34: where the breach is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it; and where the breach is likely to result in a high risk to you, we will notify affected users without undue delay. Our internal target is to inform affected users within 24 hours of confirming a breach affects them, which is consistent with — and never later than — the GDPR “without undue delay” standard. Notifications describe the nature of the breach, its likely consequences, and the measures we have taken or propose to take.
We do not sell your data. TraitTune is the controller for your psychometric and account data. The vendors below act as processors under our instruction (GDPR Art. 28) — each is bound by a Data Processing Agreement with Standard Contractual Clauses. Stripe is listed separately because, for payment-card data it collects directly during checkout, Stripe acts as an independent controller under its own privacy notice (GDPR Art. 26). Advertising partners are listed in a third group: when you give us marketing consent they receive conversion events (such as page view, sign-up, subscription, or purchase) and, for matching, a one-way SHA-256 hash of your email — never your readable email or any psychometric data — and process this as independent controllers under their own privacy notices.
Current sub-processor list — last updated June 25, 2026.
This is the complete, dated list of sub-processors we engage (GDPR Art. 28(2)). We will update it and notify subscribed users of any new or replaced sub-processor before it begins processing your data, giving you a reasonable opportunity to object.
Supabase — Database, authentication, storage
All user data, including account profile and assessment responses. Region: EU (Frankfurt). Row-Level Security enforced. DPA + SCCs. Privacy: https://supabase.com/privacy
AWS Bedrock — LLM inference
Open-text responses sent to enterprise foundation models hosted on AWS Bedrock for personality interpretation. Region: US (us-east-1). Bedrock does not retain prompts and is not used for model training. DPA + SCCs via AWS. Privacy: https://aws.amazon.com/privacy/
AWS SES — Transactional email delivery
Outbound transactional email (signup, password reset, results). Region: US (us-east-1). Recipient address only; email content is generated by us. DPA + SCCs via AWS. Privacy: https://aws.amazon.com/privacy/
AWS (Lambda, API Gateway, ECR) — Application runtime
Adaptive psychometric engine, request routing, and container image hosting. Region: US (us-east-1). DPA + SCCs via AWS. Privacy: https://aws.amazon.com/privacy/
Sentry — Error tracking & session replay
Stack traces, release health, session replay (DOM-text and IP scrubbed before send). Region: US (traittune.sentry.io). PII scrubbing rules enforced org-wide. DPA + SCCs. Privacy: https://sentry.io/privacy/
PostHog — Product analytics (optional, separate consent)
Product-usage events together with your account email and identifiers — but never psychometric data (scores, theta, IRT parameters, or assessment answers) — used for funnel, retention, and audience analysis. Region: US (us.i.posthog.com). Only activated after explicit analytics consent. DPA + SCCs. Privacy: https://posthog.com/privacy
Google Analytics 4 — Web analytics
Aggregated traffic and usage measurement (page views, sessions, campaign attribution). Loaded only after explicit analytics consent, using Google Consent Mode v2; advertising signals stay off unless you also accept the advertising category. Google processes this data under the Google Ads Data Processing Terms. Region: Global (Google-managed). Privacy: https://policies.google.com/privacy
Stripe — Payment processing
Card details and billing address are submitted directly to Stripe via Stripe Elements; we never see or store the raw card number — only a payment token. PCI-DSS Level 1 certified. Region: Global (Stripe-managed). For card data, Stripe is an independent controller and processes under its own privacy notice. Privacy: https://stripe.com/privacy
To measure which ads lead to sign-ups and subscriptions, we forward conversion events (such as a completed sign-up, a started lead, a subscription, or a purchase) to these advertising partners through their server-to-server conversion APIs. To match a conversion to the right ad click, we may include a one-way SHA-256 hash of your email address — a fixed-length code that we cannot reverse back into your address; the partner can only use it to match you to an account it already holds. We never send your readable email. We also pass the conversion event name and, for purchases, a coarse value and currency, together with technical signals such as IP address and user agent. We never send your psychometric data (scores, theta, IRT parameters, or assessment answers) or the free-text you write to any advertising partner. The hashed email is the only account identifier these partners receive from us; our analytics sub-processor (see PostHog above) operates under a separate analytics consent. Because these advertising partners are independent controllers, an identifier we have already shared is then subject to their own retention and deletion: to have them stop using or delete it, exercise your privacy rights with the partner directly. This forwarding happens only when you have given marketing consent and have not signalled Global Privacy Control, and you can withdraw your consent at any time — see "Do Not Sell or Share".
TikTok Ads — Advertising and conversion measurement
Receives conversion events (such as page view, sign-up, subscription, purchase) via the TikTok Events API, plus your TikTok cookie, when you give us marketing consent. For advanced matching we may include a one-way SHA-256 hash of your email — never your readable address — and, for purchases, a coarse value and currency. Used to measure ad performance and show TraitTune ads to similar audiences. TikTok is an independent controller for what it receives and processes it under its own privacy notice. Region: US / Ireland. Privacy: https://www.tiktok.com/legal/privacy-policy
Reddit Ads — Advertising and conversion measurement
Receives conversion events (such as sign-up, subscription, purchase) via the Reddit Conversions API, plus your Reddit cookie, when you give us marketing consent. For advanced matching we may include a one-way SHA-256 hash of your email — never your readable address — and, for purchases, a coarse value and currency. Used to measure ad performance and show TraitTune ads to similar audiences. Reddit is an independent controller for what it receives and processes it under its own privacy notice. Region: US. Privacy: https://www.reddit.com/policies/privacy-policy
Meta Ads (Facebook / Instagram) — Not yet active
We have prepared an integration but it is currently disabled and sends nothing. If we enable it we will update this list and notify subscribed users before any data flows. Privacy: https://www.facebook.com/privacy/policy
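As an added illustration (not TraitTune's own code) of the gating and hashing described in the conversion-forwarding paragraph and in the Global Privacy Control paragraph above: marketing consent plus the absence of a GPC signal decide whether anything is forwarded, the readable email is replaced by its SHA-256 hash, and only an allowlist of fields is copied from the internal event record, so psychometric fields cannot be forwarded by accident. The field names, the trim-and-lowercase normalisation, and the payload shape are assumptions, not any partner's actual API.

```python
import hashlib
from typing import Optional

# Fields that, per the policy, may accompany a conversion event (assumed names).
FORWARDABLE = ("event", "value", "currency", "ip", "user_agent")


def hash_email(email: str) -> str:
    """One-way SHA-256 of a normalised address (trim + lowercase).

    Normalisation is an assumption so that the same mailbox always hashes the
    same way; it does not make the hash anonymous, since anyone holding the
    address can recompute it, which is exactly how partner matching works.
    """
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def may_forward(marketing_consent: bool, sec_gpc: Optional[str]) -> bool:
    """Forward only with marketing consent and no Global Privacy Control signal."""
    # A browser asserts GPC with the header "Sec-GPC: 1"; treat it as a hard
    # opt-out that overrides consent recorded earlier.
    if sec_gpc is not None and sec_gpc.strip() == "1":
        return False
    return marketing_consent


def build_conversion_payload(record: dict, marketing_consent: bool,
                             sec_gpc: Optional[str]) -> Optional[dict]:
    """Project an internal event record onto the partner payload, or None if gated off."""
    if not may_forward(marketing_consent, sec_gpc):
        return None
    payload = {k: record[k] for k in FORWARDABLE if k in record}
    # The readable email never leaves; only its hash does, for ad-click matching.
    if "email" in record:
        payload["em"] = hash_email(record["email"])
    # Purchases carry only a coarse value: whole currency units, uppercase ISO code.
    if "value" in payload:
        payload["value"] = int(round(float(payload["value"])))
    if "currency" in payload:
        payload["currency"] = payload["currency"].upper()
    return payload


if __name__ == "__main__":
    # Constructed sample record: an internal purchase event that also carries
    # psychometric state the policy says must never reach an ad partner.
    sample = {"event": "purchase", "email": " Alice@Example.com ", "value": 19.99,
              "currency": "usd", "ip": "203.0.113.5", "user_agent": "Mozilla/5.0",
              "theta": 0.42, "answers": [3, 5, 2]}
    print(build_conversion_payload(sample, True, None))
    print(build_conversion_payload(sample, True, "1"))  # None: GPC overrides consent
```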
| Type | Purpose | Consent Required? |
|---|---|---|
| Strictly Necessary | Authentication session, security tokens, CSRF protection | No — essential |
| Functional | Language preference, assessment progress, UI state | No — required |
| Analytics | PostHog and Google Analytics (GA4) — usage and traffic patterns, plus privacy-masked session monitoring on public pages (assessment, results, and chat excluded) | Yes — opt-in |
| Advertising | Campaign attribution (UTM) plus advertising and conversion-tracking from TikTok and Reddit (Meta if and when we enable it), including server-side forwarding of conversion events via their conversion APIs. Used to measure ad performance and show TraitTune ads to similar audiences. For matching we may include a one-way SHA-256 hash of your email — never your readable email, your psychometric data, or your free-text answers. | Yes — opt-in |
Some of our processors are located in the United States. Where we transfer your personal data outside the European Economic Area, the United Kingdom, or Switzerland, we rely on the following safeguards:
You may request a copy of the relevant transfer safeguards by emailing privacy@traittune.com.
We keep personal data only as long as necessary for the purpose it was collected. The schedule below is our single, coherent retention schedule:
To be explicit: when you withdraw your Article 9 consent, all psychometric assessment data is erased within 30 days, even though some records (such as tax-mandated transaction records) must be retained for the periods stated above.
TraitTune is designed for users aged 18 and above.
We may update this Privacy Policy from time to time. We will notify you of any material changes at least 30 days in advance through email notifications, platform announcements, and website updates.
1007 N Orange St, 4th Floor 3460
Wilmington, Delaware 19801
United States
Email: privacy@traittune.com
Phone: +1 (347) 667-9624
Security Issues: security@traittune.com
You can reach our data-protection contact for any privacy or data-protection question, including requests to exercise your rights. (Where GDPR Article 37 requires a formally designated Data Protection Officer, we will appoint one and update this section accordingly.)
Data-protection contact: dpo@traittune.com
Subject line: “Data Protection Inquiry — [Your Name]”
Document Control: