Privacy Policy
Effective date: 11 April 2026 · Last updated: 3 May 2026
1. Who we are
Academy of Tribes AS (Norwegian organization number 926 838 601), registered at Bjerregaardsgate 28A, 0172 Oslo, Norway, is the data controller for all personal data described in this policy. We provide personality assessment tools and team analytics for individuals and organisations. This policy explains how we handle your personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable Norwegian law.
Data controller contact: contact@academyoftribes.com
2. What data we collect
Standard personal data
- Email address and name — provided when you sign up or update your profile. Used for authentication and to personalise the service.
- Team membership — which teams you belong to and your role within them. Used to generate team-level analytics visible to team administrators.
- Authentication tokens — a short-lived magic link token (never stored in full on our servers) and a session cookie that keeps you signed in for up to 30 days.
Special category data (GDPR Article 9)
When you take a personality or well-being assessment, we collect and store your responses and the scores we compute from them. The instruments we use include BFI-2, IPIP-NEO, HEXACO, ECR-R, PID-5-BF, PERMA, and Ryff PWB. Responses to these instruments reveal personality traits and psychological state — including, in some cases, information adjacent to mental health. Under GDPR, this is special category data requiring heightened protection and your explicit consent before we process it.
We also compute a personality vector from your assessment results. This vector is used to generate team analytics (cognitive diversity index, coverage map, bridge scores, resilience metric). It is derived entirely from your assessment responses and inherits their special category status.
3. Legal basis for processing
- Contract (Art. 6(1)(b)) — processing your email, name, team membership, and authentication data is necessary to deliver the service you signed up for.
- Explicit consent (Art. 6(1)(a) + Art. 9(2)(a)) — before you take any assessment, we ask for your explicit consent to process special category data, including the cross-border transfer described in section 6. You can withdraw this consent at any time (see section 8); withdrawal does not affect the lawfulness of processing before that point.
- Legitimate interests (Art. 6(1)(f)) — when you contact us via the contact form, we process your inquiry to respond to it. This is a straightforward interest that does not override your rights.
4. How we use your data
- Creating and managing your account.
- Scoring assessments and displaying your results.
- Generating team analytics — cognitive diversity index (CDI), coverage map, bridge scores, and resilience metric — visible to team administrators.
- Sending transactional emails: magic link sign-in codes and contact form replies.
- Maintaining authentication and preventing abuse.
We do not use your data for advertising, profiling for third parties, or any purpose not described here.
5. Third-party processors
We share your data only with the processors below, each bound by a data processing agreement. We do not sell your data.
- Neon (PostgreSQL database, EU Central / Frankfurt) — stores all personal data including assessment responses and personality vectors.
- Vercel (web hosting and edge network, primary EU) — serves the web application and handles HTTP requests. Request logs may include IP addresses and are retained for 1–3 months.
- Render (FastAPI compute, EU Frankfurt) — receives assessment responses to score them and compute personality vectors. Render completed migration to its EU Frankfurt region on 23 April 2026, eliminating the previous cross-border transfer to the United States.
- Resend (email delivery, EU region) — delivers magic link emails and contact form replies. Only your email address and message content are transmitted.
- Sentry (error + performance monitoring, EU Frankfurt) — captures application errors and a 10% sample of performance traces so we can detect and fix bugs in production. We have configured Sentry to drop IP addresses and request headers, and we strip assessment response data from error events before they leave our servers. Sentry never receives your assessment items, scores, or personality vectors.
- Stripe (payments processor) — when you purchase a subscription or one-time plan, Stripe processes the payment. Your full card number is entered directly into Stripe’s checkout form and is never transmitted to or stored on our servers. We store only Stripe’s opaque customer identifier and subscription metadata (plan, status, trial end date) in our database. Stripe handles billing in the EU and is certified under the EU–US Data Privacy Framework for any US-side administrative processing.
6. Cross-border transfers
All operational data plane processing happens within the EU/EEA: Neon (Frankfurt), Vercel (primary EU region), Render (Frankfurt), Resend (Ireland), Sentry (Frankfurt), and Stripe (EU billing). Your identity data, assessment responses, personality vectors, error events, performance traces, and billing records all stay within the EU.
Some of our processors are US-headquartered companies. To the extent any incidental processing (e.g. billing administration, corporate-side account management) reaches their US infrastructure, those companies are certified under the EU–US Data Privacy Framework (DPF) under Article 45 GDPR, providing a lawful transfer mechanism. We verify DPF certification status monthly.
7. Data retention
- Account data (email, name, team membership) — retained while your account is active, deleted when you delete your account.
- Assessment responses and personality vectors — retained while your account is active, deleted when you delete your account.
- Magic link tokens — raw tokens are never stored on our servers. Hashed tokens expire after 15 minutes and are cleaned up periodically.
- Platform logs — Vercel retains runtime logs for 1–3 months; Render retains logs on a similar schedule per their platform defaults.
- Contact form submissions — forwarded to Resend for email delivery and retained per Resend's own retention policy; not stored in our database.
8. Your rights (GDPR Articles 15–22)
Under GDPR you have the right to:
- Access (Art. 15) — request a copy of all personal data we hold about you.
- Rectification (Art. 16) — ask us to correct inaccurate data.
- Erasure (Art. 17) — request deletion of your account and all associated personal data.
- Restriction (Art. 18) — ask us to limit how we process your data in certain circumstances.
- Portability (Art. 20) — receive your data in a structured, machine-readable format.
- Objection (Art. 21) — object to processing based on legitimate interests.
- Withdraw consent (Art. 7(3)) — withdraw your consent to process special category data at any time, without affecting prior lawful processing.
Self-service data export and account deletion are available on your profile page. You can also exercise any right by emailing contact@academyoftribes.com; we will respond within 30 days.
You have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet): datatilsynet.no.
9. Security
We take reasonable steps to protect your data. Measures in place include:
- HTTPS on all connections to Vercel, Render, and Resend.
- Passwordless authentication — we use magic links, so no password is ever stored.
- Magic link tokens are 256-bit random values; only a SHA-256 hash is stored server-side, and they expire after 15 minutes.
- Session cookie (aot_session) is httpOnly, Secure, and SameSite=Lax.
- Database queries use parameterised statements to prevent SQL injection.
- Data at rest is encrypted via Neon's default AES-256 storage encryption.
10. Cookies
We set a single session cookie named aot_session. It is strictly necessary for authentication, is marked httpOnly and Secure, and has a maximum age of 30 days. We do not use analytics cookies, advertising cookies, or any third-party tracking scripts.
11. Changes to this policy
We will update the “Last updated” date at the top of this page whenever we make changes. If the changes are material — for example, a new processor, a new category of data, or a change in legal basis — we will also notify you by email before the change takes effect.
12. Contact and complaints
Questions about this policy or your data? Email us at contact@academyoftribes.com.
For data-protection-specific requests (access, rectification, erasure, portability, objection, restriction), use the same address; we will route such requests to the data-protection function. We are not currently required to designate a formal Data Protection Officer under Article 37 GDPR, but we maintain a dedicated privacy contact and respond within statutory deadlines (one month, extendable to three for complex requests).
If you believe we have not handled your data correctly, you have the right to complain to the Norwegian Data Protection Authority (Datatilsynet) at datatilsynet.no.