GDPR Compliance
Last updated: May 23, 2026
Icosa, LLC ("Icosa") is committed to protecting the privacy rights of individuals in the European Economic Area (EEA), the United Kingdom, and Switzerland under the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR. This page describes how we fulfill our obligations as a data controller when processing the personal data of individuals in these jurisdictions.
1. Our Commitment
Icosa processes personal data lawfully, fairly, and transparently. We collect data only for specified, explicit, and legitimate purposes, and we retain it no longer than necessary. We apply data protection by design and by default throughout our assessment platform, ensuring that privacy is embedded in every aspect of our service.
2. Legal Basis for Processing
We process personal data under the following legal bases as defined by Article 6 of the GDPR:
Consent (Article 6(1)(a))
We rely on your explicit, informed consent for processing assessment responses and computing your personality profile. Consent is freely given, specific, and informed at the time of assessment. You may withdraw consent at any time, though withdrawal does not affect the lawfulness of processing performed before withdrawal.
Legitimate Interest (Article 6(1)(f))
We process certain data based on our legitimate interest in providing, securing, and improving the Service, including:
- Service operation, maintenance, and security monitoring
- Fraud prevention and abuse detection
- Anonymized analytics to improve assessment methodology
We conduct balancing tests to ensure our legitimate interests do not override your fundamental rights and freedoms.
Legal Obligation (Article 6(1)(c))
We process and retain certain data to comply with legal obligations, including clinical data retention requirements (7-year retention consistent with clinical best practices and applicable state record retention requirements) and tax and accounting regulations.
Contractual Necessity (Article 6(1)(b))
We process data necessary to fulfill our contract with you when you create an account and use our Service, including account management, authentication, and service delivery.
Special Category Data
Personality assessment data may constitute special category data (data concerning health) under Article 9 of the GDPR. We process this data based on your explicit consent (Article 9(2)(a)) provided at the time of assessment.
3. Data Subject Rights
If you are located in the EEA, UK, or Switzerland, you have the following rights under the GDPR. Each is exercised through a self-service control in your account — no email request, no waiting period, no human review queue.
Right of Access (Article 15)
Account → Privacy → Export My Data returns confirmation that we process your data plus a complete copy in JSON, including purposes, recipients, retention, and your rights.
Right to Rectification (Article 16)
Edit your name or email under Account → Profile. Assessment scores reflect your actual responses and cannot be edited; retake the assessment to generate an updated profile.
Right to Erasure (Article 17)
Account → Privacy → Delete My Account erases your personal data subject to a brief recovery window and any legally required retention (audit logs and consent records survive in pseudonymized form under the Article 17(3) exemptions). The destruction is automated; there is no review queue.
Right to Data Portability (Article 20)
The same Export My Data control returns a structured, commonly-used, machine-readable JSON file containing your assessment responses, computed profile scores, and account information. The format is suitable for transmission to another controller.
Right to Restriction of Processing (Article 18)
The consent toggles in Account → Privacy stop the corresponding processing immediately. Toggle off "Help improve Icosa" to halt analytics and behavioral telemetry; toggle off "Contribute to research" to halt aggregated research use. Each toggle is enforced server-side at the data-pipeline seam, not just client-side.
Right to Object (Article 21)
The "Help improve Icosa" and "Contribute to research" toggles double as Article 21 objections to legitimate-interest processing. No email or written objection required.
Right Not to Be Subject to Automated Decision-Making (Article 22)
Icosa's processing includes two automated stages:
- Profile computation: Your assessment responses are scored deterministically against the Icosa grid to produce numerical scores across 20 personality dimensions.
- Narrative generation: The numerical profile is then sent to Anthropic's Claude large language model, which generates the personalized prose interpretation that accompanies your results. Your name, email, and other directly identifying data are not sent; the profile is referenced by an opaque token. Anthropic's commercial terms prohibit the use of inputs and outputs for training their foundation models.
Neither stage produces legal effects or similarly significant effects on you — results are informational and educational, are not used for employment, insurance, credit, or other consequential decisions, and any clinical application requires independent judgment by a licensed practitioner. If you want a different narrative, regenerate it from your results screen; if you want to stop narrative generation entirely, revoke narrative consent. No human review request is required because the result is informational rather than consequential.
4. Data Protection Contact
For data protection inquiries, contact our data protection team at:
Icosa, LLC
Email: dpo@icosa.org
5. Data Residency and Cross-Border Transfers
Icosa offers EU and non-EU regional storage. Personal data of EEA, UK, and Swiss residents is stored within the European Union; personal data of users in other regions is stored in the United States.
A limited set of sub-processors (e.g., the AI provider that generates narratives and the analytics provider) may process de-identified data outside your home region. The data they receive does not include your name, email, or other directly identifying fields. For any such transfer from the EU we maintain:
- Standard Contractual Clauses (SCCs): European Commission SCCs (adopted June 2021) as the primary transfer mechanism
- UK International Data Transfer Addendum: the UK Addendum to the EU SCCs issued by the UK Information Commissioner's Office, used for transfers of UK personal data
- Supplementary measures: Encryption in transit and at rest, opaque-token referencing, contractual prohibitions on training-data use by the sub-processor
We monitor developments regarding the EU-U.S. Data Privacy Framework and will update our transfer mechanisms as appropriate.
6. Consent Management
We obtain and manage consent in accordance with GDPR requirements:
- Consent is obtained through clear, affirmative action (not pre-ticked boxes or inaction)
- Consent requests are presented in clear and plain language, separate from other terms
- We maintain records of consent where applicable and are continuously improving our consent management processes
- You may withdraw consent at any time through your account settings or by contacting us
- Withdrawal of consent is as easy as giving consent
7. Cookie Consent
Icosa uses minimal cookies and similar technologies. In compliance with the ePrivacy Directive and GDPR:
- Strictly necessary cookies (authentication, security) are placed without consent as they are essential for service operation
- Analytics on the marketing site (PostHog, EU-hosted) is loaded only after you provide explicit consent through our cookie banner; in the mobile and web apps, product analytics operate on a legitimate-interest basis (no IP capture, no session replay, fixed event vocabulary) and can be disabled at any time through your account Privacy settings
- Bot protection on public forms uses Cloudflare Turnstile, which collects browser fingerprint and behavioral signals to score whether a request originates from a human. Turnstile is privacy-preserving by design and does not set third-party advertising cookies. See the Cloudflare Turnstile Privacy Policy.
- We do not use advertising or tracking cookies
- You may modify your cookie and analytics preferences at any time
8. Data Processing Agreements and Sub-processors
Icosa maintains Data Processing Agreements (DPAs) with all sub-processors that handle personal data on our behalf, as required by Article 28 of the GDPR. The complete and current sub-processor list — including the data each provider receives, the region in which they process it, and the applicable transfer mechanism — is published at /sub-processors.
Categories of sub-processor include cloud infrastructure (Render, Neon, AWS), edge and security (Cloudflare, Cloudflare Turnstile), communications (Amazon SES), product analytics (PostHog, EU-hosted), AI and language models (Anthropic, OpenAI), payments (Stripe), authentication identity providers (Apple, Google, Microsoft), and mobile platform services (Expo / EAS, Apple App Store, Google Play).
We conduct due diligence on all sub-processors and ensure they provide sufficient guarantees regarding data protection. We will notify you of material changes to the sub-processor list by updating the "Last updated" date on the Sub-processors page; for significant additions affecting the categories of data processed, we will provide advance notice by email or in-product banner.
9. Breach Notification
In accordance with Article 33 of the GDPR, Icosa will:
- Notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals
- Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Article 34)
- Document all breaches, including the facts, effects, and remedial actions taken
10. Children's Data
In accordance with Article 8 of the GDPR, Icosa applies the following rules for children's data:
- Children under 16 (or the applicable age in their member state) require parental or guardian consent to use the Service
- We make reasonable efforts to verify that consent is given or authorized by the holder of parental responsibility
- Icosa assessments are designed for individuals aged 6 and older; we do not knowingly process data of children under 6
- Under the UK GDPR (Data Protection Act 2018), the age threshold for consent is 13 rather than 16
- Parents or guardians may exercise data subject rights on behalf of their children
11. Right to Lodge a Complaint
If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. You may file a complaint with:
- The supervisory authority in your EU/EEA member state of habitual residence, place of work, or place of the alleged infringement
- The UK Information Commissioner's Office (ICO), if you are located in the United Kingdom
If a self-service control in your account does not resolve the issue, email privacy@icosa.org. We will respond within the one-month window required by Article 12(3) of the GDPR, which may be extended by a further two months where necessary given the complexity and number of requests; if we extend, we will tell you within the first month and explain why.
12. Data Protection Impact Assessments
Icosa conducts Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to individuals' rights and freedoms, including the systematic evaluation of personal aspects through automated personality assessment profiling. Our DPIAs assess the necessity and proportionality of processing, risks to data subjects, and measures to mitigate those risks.
13. EU Representative
Article 27 of the GDPR requires a controller established outside the EU to designate a representative in the Union. Icosa has not yet appointed a formal EU representative; we are evaluating the appointment and will update this page when one is designated. In the meantime, inquiries from EU data subjects may be directed to our data protection team at dpo@icosa.org.
14. Contact
Exercise your data subject rights through the self-service controls in your account (see Section 3 above). For inquiries that those controls don't address, contact us at:
Icosa, LLC
8 The Green, Suite A, Dover, DE 19901
Email: privacy@icosa.org
Data Protection Contact: dpo@icosa.org
Related Policies
See also our Privacy Policy, Terms of Service, HIPAA Compliance, and Sub-processors pages.