PRIVACY POLICY

SECTION 1 - INTRODUCTION AND SCOPE

This Privacy Policy describes how 9Personas LLC (‘NinePersonas,’ ‘we,’ ‘us,’ or ‘our’) collects, uses, discloses, and protects your personal information when you visit our website, take a personality assessment, purchase a report, or otherwise interact with our services.

By accessing or using our website and services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use our services.

This policy applies to all users of our platform, including individual assessment takers, enterprise account managers, enterprise assessment participants, and general site visitors.


SECTION 2 - INFORMATION WE COLLECT

We collect the following categories of information:

A. Personal Information You Provide

- Account registration: first name, last name, email address, and password.
- Enterprise registration: first name, last name, email address, password, and company name (optional).
- Assessment data: your answers to personality assessment questions, ratings, and the resulting personality type.
- Payment information: your name and email in connection with purchases. Credit card details are collected directly by Stripe and are never stored on our servers (see Section 7).
- Contact form submissions: first name, last name, email address, company name (optional), and your message.
- Friend and colleague referrals: when you invite someone via our platform, we collect the recipient’s name and email address. You represent that you have the recipient’s permission to share this information with us.

B. Information Collected Automatically

- Device and browser information: IP address, browser type and version, operating system, device type, and screen resolution.
- Usage data: pages visited, time spent on pages, clickstream data, referral URLs, and landing pages.
- Session and behavioral data: mouse movements, clicks, scroll depth, and page interactions captured through session replay technology (see Microsoft Clarity in Section 7).
- Log data: server logs that include IP addresses, access times, and pages viewed.
- Login security data: IP address, email address, and timestamps of login attempts for rate limiting and fraud prevention.

C. Information from Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect usage data. See Section 6 for a full list of cookies used.

D. Marketing Attribution Data

We collect and store marketing attribution information, including UTM parameters (utm_source, utm_medium, utm_campaign, utm_term, utm_content), Google Ads click identifiers (gclid), and Facebook Ads click identifiers (fbclid). This data is associated with your user account to help us understand how users discover our service.

E. A/B Testing and Behavioral Event Data

We track behavioral events within our platform for product improvement and marketing purposes, including assessment completion events, page views of specific features, purchase-related events, and engagement metrics. This data may be used to trigger automated communications (see Section 5).


SECTION 3 - HOW WE USE YOUR INFORMATION

We use the information we collect for the following purposes:

- To provide our services: administering personality assessments, generating assessment results and reports, processing purchases, and managing your account.
- To personalize your experience: using artificial intelligence to enhance and personalize your assessment report content (see Section 5).
- To process payments: charging for premium reports and enterprise services through our payment processor.
- To communicate with you: sending transactional emails such as email verification codes, assessment results, purchase receipts, assessment invitations and reminders, password reset emails, and friend invitation notifications.
- To send marketing communications: with your consent, we may send promotional emails about our services. You may opt out at any time by using the unsubscribe link in the email or by contacting us.
- To send automated behavioral emails: based on your activity on our platform, we may send follow-up emails such as abandoned checkout reminders if you viewed a purchase option but did not complete a transaction.
- To improve our services: analyzing usage patterns, conducting A/B tests, and reviewing session recordings to optimize our website and user experience.
- To ensure security: monitoring for fraud, rate limiting login attempts, and preventing unauthorized access.
- To comply with legal obligations: responding to lawful requests from public authorities, including law enforcement.
- For enterprise services: providing assessment management tools to enterprise account managers, including access to assessment results of their team members.
- For internal notifications: notifying our team of significant events such as new user registrations and purchases to support customer service operations.


SECTION 4 - LEGAL BASIS FOR PROCESSING (EEA/UK USERS)

If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data based on the following legal grounds:

- Contractual necessity: processing required to provide you with our services, such as account creation, assessment administration, report delivery, and payment processing.
- Consent: processing based on your explicit consent, such as marketing communications and the use of non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
- Legitimate interests: processing necessary for our legitimate business interests, provided these interests are not overridden by your rights. This includes product improvement, fraud prevention, security monitoring, internal analytics, and team notifications about service activity.
- Legal obligation: processing necessary to comply with applicable laws and regulations, such as tax record keeping and responding to lawful government requests.


SECTION 5 - AI AND AUTOMATED PROCESSING

Our service uses artificial intelligence to enhance certain portions of your personality assessment report. Specifically:

- Assessment affirmation statements may be processed through OpenAI’s GPT-4 language model to rephrase and personalize insights in a more detailed, psychologist-style format.
- To perform this processing, your assessment result data (personality type and associated affirmations) is transmitted to OpenAI’s servers via their API. No directly identifying information such as your name or email address is sent to OpenAI as part of this processing.
- AI-generated content is cached on our servers after initial processing to minimize repeated data transmission.
- AI-generated content may contain inaccuracies or generalizations. Assessment results and AI-enhanced content are provided for informational and self-development purposes only and do not constitute professional psychological, medical, or therapeutic advice.

For more information about how OpenAI handles data, please review OpenAI’s privacy policy at https://openai.com/privacy.

Automated Decision-Making: Our personality assessment uses an automated algorithm to determine your personality type based on your responses. This automated profiling is necessary for the performance of our service and is not used to make decisions that produce legal or similarly significant effects on you. You have the right to request human review of any automated decision by contacting us.


SECTION 6 - COOKIES AND TRACKING TECHNOLOGIES

We use cookies and similar technologies to operate our website, analyze usage, and improve your experience. Below is a complete list of cookies used on our site:

Essential Cookies:

ci_session - Session cookie used by our application framework to maintain your session state. Type: session.

_session_id - Unique token that allows us to store information about your session such as referrer and landing page. Type: session.

nprmc - Remember-me cookie that maintains your sign-in session so you do not need to re-enter credentials. Type: persistent (7 days).

csrf_cookie_name - Cross-site request forgery protection token to secure form submissions. Type: session.

Analytics and Performance Cookies (Google Analytics 4):

_ga - Used by Google Analytics to distinguish unique users by assigning a randomly generated number as a client identifier. Type: persistent (2 years).

_ga_[container-id] - Used by Google Analytics 4 to persist session state. Type: persistent (2 years).

_gid - Used by Google Analytics to distinguish users. Type: persistent (24 hours).

_gat - Used by Google Analytics to throttle request rate. Type: session (1 minute).

Session Replay and Behavioral Analytics Cookies (Microsoft Clarity):

_clck - Used by Microsoft Clarity to store a unique user ID and to remember user preferences and settings. Type: persistent (1 year).

_clsk - Used by Microsoft Clarity to store and combine page views by a user into a single session recording. Type: session.

CLID - Used by Microsoft Clarity to identify the first time a user visited the site. Type: persistent (1 year).

ANONCHK - Used by Microsoft Clarity to store a user’s session ID to verify page views from the same browsing session. Type: session.

MR - Used by Microsoft Clarity to indicate whether to refresh MUID. Type: session.

MUID - Used by Microsoft to identify unique web browsers visiting Microsoft sites. Used for advertising, site analytics, and other operational purposes. Type: persistent (1 year).

SM - Used by Microsoft Clarity in synchronizing the MUID across Microsoft domains. Type: session.

Managing Cookies: You can control and manage cookies through your browser settings. Most browsers allow you to refuse or delete cookies. Please note that disabling essential cookies may affect the functionality of our website. For more information about cookies and how to manage them, visit www.allaboutcookies.org.


SECTION 7 - THIRD-PARTY SERVICES

We use the following third-party service providers who may process your personal information:

A. Stripe (Payment Processing)

We use Stripe, Inc. to process all payments. When you make a purchase, your credit card information is collected directly by Stripe through their secure payment element embedded on our site. We never receive or store your full credit card number. Stripe stores your card data for recurring payments and encrypts it in compliance with the Payment Card Industry Data Security Standard (PCI-DSS). We store only a reference identifier and the last four digits of your card for your records. For more information, see Stripe’s privacy policy at https://stripe.com/privacy.

B. Google Analytics 4 (Website Analytics)

We use Google Analytics 4 to analyze website traffic and usage patterns. Google Analytics collects information such as how often users visit our site, what pages they visit, what other sites they visited prior to coming to our site, and demographic information. We use this data to improve our website and services. Google Analytics collects only the IP address assigned to you on the date you visit our site, rather than your name or other identifying information. For more information, see Google’s privacy policy at https://policies.google.com/privacy. You may opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on at https://tools.google.com/dlpage/gaoptout.

C. Microsoft Clarity (Session Replay and Heatmaps)

We use Microsoft Clarity to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay. Session replay records your mouse movements, clicks, scrolls, and page interactions to help us understand how users navigate our site, identify usability issues, and improve our services. Website usage data is captured using first and third-party cookies and other tracking technologies. We use this information for site optimization, analytics, fraud prevention, and security purposes. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement at https://privacy.microsoft.com/privacystatement.

D. OpenAI (AI Content Enhancement)

We use OpenAI’s GPT-4 API to enhance and personalize certain portions of assessment reports. Only assessment result data (personality type and associated affirmations) is transmitted to OpenAI; no personally identifying information is included in these API requests. For more information, see OpenAI’s privacy policy at https://openai.com/privacy.

E. Postmark (Transactional Email)

We use Postmark by ActiveCampaign to send transactional emails including verification codes, assessment invitations, reminders, purchase receipts, and other service-related communications. Postmark processes recipient email addresses, names, and email content on our behalf. Postmark also provides us with email delivery analytics including open rates, click tracking, and bounce notifications. For more information, see Postmark’s privacy policy at https://postmarkapp.com/privacy-policy.

F. Google reCAPTCHA (Spam Prevention)

We use Google reCAPTCHA on our contact form to prevent spam and abuse. reCAPTCHA collects hardware and software information, such as device and application data, and sends it to Google for analysis. Your use of reCAPTCHA is subject to Google’s Privacy Policy at https://policies.google.com/privacy and Terms of Service at https://policies.google.com/terms.

G. Google Fonts and Hosted Frontend Assets

We use Google Fonts and third-party content delivery networks such as jsDelivr, cdn.datatables.net, and cdnjs to load fonts, icons, scripts, and other frontend assets. When your browser requests these resources, the provider may receive your IP address, browser details, and standard request metadata necessary to deliver the content.

H. Slack (Internal Notifications)

We use Slack for internal team notifications about service activity, such as new user registrations and purchases. User information included in these notifications (name, email, purchase details, and marketing attribution data when available) is transmitted to Slack’s servers. This information is used solely for our internal operational purposes. For more information, see Slack’s privacy policy at https://slack.com/privacy-policy.

I. Survey and Feedback Tools

In some cases, we may use third-party survey or feedback tools, such as Google Forms, to collect voluntary feedback from users. If you choose to submit feedback through such a tool, the information you provide will also be processed by that third-party provider in accordance with its privacy practices.

J. Amazon Web Services (Hosting)

Our website and data are hosted on Amazon Web Services (AWS) infrastructure located in the United States. AWS acts as a data processor on our behalf. For more information, see AWS’s privacy policy at https://aws.amazon.com/privacy.

Links to Third-Party Websites

When you click on links on our website, they may direct you away from our site. We are not responsible for the privacy practices of other websites and encourage you to read their privacy statements.


SECTION 8 - DATA SHARING AND DISCLOSURE

We do not sell your personal information for monetary consideration. We may share your information in the following circumstances:

- With service providers and infrastructure partners: we share information with the third-party providers described in Section 7, including providers that support hosting, analytics, communications, payments, AI processing, spam prevention, and frontend asset delivery, to the extent reasonably necessary for them to provide their services to us.
- Enterprise assessments: if you take an assessment through an enterprise account, your assessment results (including your personality type and related insights) will be shared with the enterprise account manager who initiated the assessment. Your password and login credentials are never shared.
- Legal requirements: we may disclose your information if required to do so by law, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
- Business transfers: if 9Personas LLC is involved in a merger, acquisition, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you via email or a prominent notice on our website of any change in ownership or use of your personal information.
- With your consent: we may share your information for other purposes with your explicit consent.
- Violation of terms: we may disclose your information if you violate our Terms of Service.


SECTION 9 - DATA RETENTION

We retain your personal information for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law:

- Account information: retained for as long as your account is active. If you request account deletion, we will delete or anonymize your personal data within 30 days, except as required by law.
- Assessment results: retained for as long as your account is active to allow you to access your results and retake assessments.
- Payment and transaction records: retained for a minimum of 7 years after the transaction date as required for tax, accounting, and legal compliance purposes.
- Login attempt logs: retained for 90 days for security and fraud prevention purposes.
- Email delivery data: email tracking data (delivery, open, click, and bounce records) is retained for 12 months.
- Marketing attribution data: retained for as long as your account is active.
- AI-processed content cache: retained for as long as the associated assessment result exists.
- Contact form submissions: retained for 2 years.

When personal data is no longer needed, we securely delete or anonymize it.


SECTION 10 - DATA SECURITY

To protect your personal information, we take reasonable precautions and follow industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered, or destroyed.

- We use administrative, technical, and organizational safeguards designed to protect personal information during transmission, processing, and storage.
- Credit card information is handled exclusively by Stripe in compliance with PCI-DSS requirements. We never receive or store full credit card numbers on our servers.
- Passwords are securely hashed before storage using industry-standard algorithms.
- We implement rate limiting on login attempts and other sensitive endpoints to prevent brute-force attacks.
- Access to personal data within our organization is restricted to authorized personnel who require it for legitimate business purposes.
- We use CSRF (Cross-Site Request Forgery) protection on all form submissions.

Although no method of transmission over the Internet or electronic storage is 100% secure, we implement commercially reasonable security measures and continuously work to enhance our security posture.


SECTION 11 - YOUR PRIVACY RIGHTS

A. Rights for All Users

Regardless of your location, you may:

- Request access to the personal information we hold about you.
- Request correction of inaccurate personal information.
- Request deletion of your personal information (subject to legal retention requirements).
- Withdraw consent for marketing communications at any time, including by using the unsubscribe link in marketing emails.
- Request information about what data we have collected about you.

To exercise any of these rights, please contact us via our website Contact form or by emailing contact@ninepersonas.com.

B. Additional Rights for EEA/UK Residents (GDPR)

If you are located in the European Economic Area or the United Kingdom, you have the following additional rights under the General Data Protection Regulation (GDPR):

- Right of access: the right to obtain confirmation of whether we process your personal data and to receive a copy of that data.
- Right to rectification: the right to have inaccurate personal data corrected.
- Right to erasure: the right to request deletion of your personal data (the ‘right to be forgotten’), subject to certain exceptions.
- Right to restriction of processing: the right to request that we restrict the processing of your personal data in certain circumstances.
- Right to data portability: the right to receive your personal data in a structured, commonly used, and machine-readable format and to have it transferred to another controller.
- Right to object: the right to object to processing based on legitimate interests, including profiling.
- Rights related to automated decision-making: the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects. Our personality assessment involves automated profiling, but does not produce legal or similarly significant effects.
- Right to lodge a complaint: you have the right to lodge a complaint with a supervisory authority in your country of residence.

We will respond to all legitimate requests within one month. In certain circumstances, we may need to extend this period by up to two additional months, in which case we will notify you.

C. Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with the following rights:

- Right to know: you have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which the information was collected, the business or commercial purpose for collecting the information, and the categories of third parties with whom we share the information.
- Right to delete: you have the right to request that we delete personal information we have collected from you, subject to certain exceptions.
- Right to correct: you have the right to request that we correct inaccurate personal information.
- Right to opt-out of sale or sharing: we do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes.
- Right to non-discrimination: we will not discriminate against you for exercising any of your CCPA/CPRA rights.

To submit a verifiable consumer request, contact us via our website Contact form or by emailing contact@ninepersonas.com. We will verify your identity before fulfilling your request.

In the preceding 12 months, we have collected the following categories of personal information: identifiers (name, email address, IP address), commercial information (purchase history), internet or other electronic network activity information (browsing history, interaction with our website), and inferences drawn from the above (personality assessment results).


SECTION 12 - INTERNATIONAL DATA TRANSFERS

Our services are hosted and operated in the United States. If you are accessing our services from outside the United States, please be aware that your personal information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country.

If you are located in the EEA or UK, we rely on the following safeguards for international data transfers:

- Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable.
- Service provider certifications and data processing agreements that ensure adequate levels of data protection.

By using our services, you acknowledge and consent to the transfer of your information to the United States and other jurisdictions as described in this policy.


SECTION 13 - CHILDREN’S PRIVACY

Our services are not directed to individuals under the age of 13 (or under 16 in the EEA/UK). We do not knowingly collect personal information from children under these ages. If we learn that we have collected personal information from a child under the applicable age, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a child, please contact us immediately via our website Contact form or by emailing contact@ninepersonas.com.

By using this site, you represent that you are at least the age of majority in your state or province of residence, or that you are the age of majority and have given consent for any minor dependents to use this site.


SECTION 14 - ENTERPRISE AND B2B DATA PROCESSING

When our services are used through an enterprise account:

- The enterprise organization (employer or contracting entity) acts as the data controller for assessment data collected from its employees or team members. NinePersonas acts as a data processor on behalf of the enterprise organization.
- Enterprise account managers may access assessment results, personality types, and related insights for their team members. They do not have access to login credentials or passwords.
- Assessment invitations and reminders are sent on behalf of the enterprise account manager.
- Enterprise billing information (including saved payment methods for recurring charges) is managed by the enterprise account manager and processed through Stripe.
- Enterprise organizations requiring a Data Processing Agreement (DPA) may request one by contacting us via our website Contact form or by emailing contact@ninepersonas.com.


SECTION 15 - DATA BREACH NOTIFICATION

In the event of a data breach that affects your personal information, we will:

- Notify affected users without undue delay and, where required by GDPR, within 72 hours of becoming aware of the breach.
- Provide details about the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach.
- Notify the relevant supervisory authority where required by applicable law.
- Document all breaches, including their effects and the remedial actions taken.


SECTION 16 - CHANGES TO THIS PRIVACY POLICY

We reserve the right to modify this Privacy Policy at any time. Changes and clarifications will take effect immediately upon their posting on the website. If we make material changes to this policy, we will notify you by updating the ‘last modified’ date at the bottom of this page and, for significant changes, by sending a notice to the email address associated with your account.

If our company is acquired or merged with another company, your information may be transferred to the new owners. We will notify you before your personal information becomes subject to a different privacy policy.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.


SECTION 17 - QUESTIONS AND CONTACT INFORMATION

If you would like to access, correct, amend, or delete any personal information we have about you, exercise any of your privacy rights, register a complaint, or simply want more information, you may contact us by:

- Using our website’s Contact form.
- Emailing our Privacy Compliance Officer at contact@ninepersonas.com.

We will respond to all inquiries within a reasonable timeframe and in accordance with applicable law.


This document was last modified on March 19th, 2026.