CultureHub

Privacy Policy

Version 1.0 · Last updated 1 March 2025

1. Who we are

CultureHub ("we", "us") operates the CultureHub DISC Profiles platform. We are the data controller for personal data processed through this service. For questions about this policy or your personal data, contact us at privacy@culturehub.io.

2. What data we collect

We collect and process the following personal data:

  • Identity data: your name and email address.
  • Assessment responses: your answers to the 48-question DISC assessment.
  • Derived scores: your DISC profile scores (D, I, S, C), calculated from your responses.
  • Usage data: IP address and browser type, collected at login and consent for security and audit purposes.
  • Consent records: a record that you consented to this policy before completing your assessment, including the policy version and date.

3. Legal basis for processing

We process your personal data on the basis of your explicit consent (Article 6(1)(a) and Article 9(2)(a) GDPR), given before you begin your assessment. You may withdraw consent at any time by requesting deletion of your data.

4. How we use your data

  • To calculate and display your DISC profile report.
  • To share your results with your manager or organisation, if you enable sharing.
  • To allow your organisation's administrator to view team dynamics and patterns.
  • For security and audit purposes (login events, admin actions).

We do not sell your data to third parties. We do not use your data for automated decision-making.

5. Data retention

Your personal data is retained for a maximum of 12 months from the date your assessment was completed. After this period, your name and email address are pseudonymised. Your anonymised DISC scores may be retained indefinitely for aggregate team reporting.

Raw assessment responses (your 48 individual answers) are deleted when your data is pseudonymised.

6. Who we share your data with

We share your data with the following processors:

  • Supabase: cloud database and infrastructure, hosted in the EU (EU West region). Supabase processes data under a Data Processing Agreement.
  • Groq: AI inference service used to generate narrative summaries from your scores. Only derived scores (not raw responses) are sent to Groq. No personally identifiable information is included.
  • Postmark: transactional email provider used to send login links and notifications.
  • Vercel: hosting platform for the web application.

7. Your rights

Under the GDPR, you have the right to:

  • Access a copy of your personal data (Article 15) — available via the "Download My Data" button on your data page.
  • Erasure of your personal data (Article 17) — request via the "Right to Erasure" section on your data page. We will action your request within 30 days.
  • Restriction of processing (Article 18) — contact us to discuss.
  • Portability of your data (Article 20) — included in the data download.
  • Object to processing (Article 21) — contact us.

You also have the right to lodge a complaint with your national supervisory authority. In the UK, this is the Information Commissioner's Office (ICO).

8. Security

We use HTTP-only session cookies, hashed tokens, and TLS encryption in transit. Access to personal data is restricted to authorised personnel with appropriate roles. All admin actions are logged in an immutable audit trail.

9. Changes to this policy

We may update this policy from time to time. The version number and date at the top of this page reflect the current version. Your consent record includes the version of the policy you agreed to.

10. Contact

For any questions or to exercise your rights, contact us at privacy@culturehub.io.
