GDPR Compliance
Last updated: April 4, 2026
Icosa, LLC ("Icosa") is committed to protecting the privacy rights of individuals in the European Economic Area (EEA), the United Kingdom, and Switzerland under the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR. This page describes how we fulfill our obligations as a data controller when processing the personal data of individuals in these jurisdictions.
1. Our Commitment
Icosa processes personal data lawfully, fairly, and transparently. We collect data only for specified, explicit, and legitimate purposes, and we retain it no longer than necessary. We apply data protection by design and by default throughout our assessment platform, ensuring that privacy is embedded in every aspect of our service.
2. Legal Basis for Processing
We process personal data under the following legal bases as defined by Article 6 of the GDPR:
Consent (Article 6(1)(a))
We rely on your explicit, informed consent for processing assessment responses and computing your personality profile. Consent is freely given, specific, and informed at the time of assessment. You may withdraw consent at any time, though withdrawal does not affect the lawfulness of processing performed before withdrawal.
Legitimate Interest (Article 6(1)(f))
We process certain data based on our legitimate interest in providing, securing, and improving the Service, including:
- Service operation, maintenance, and security monitoring
- Fraud prevention and abuse detection
- Anonymized analytics to improve assessment methodology
We conduct balancing tests to ensure our legitimate interests do not override your fundamental rights and freedoms.
Legal Obligation (Article 6(1)(c))
We process and retain certain data to comply with legal obligations, including clinical data retention requirements (7-year retention consistent with clinical best practices and applicable state record retention requirements) and tax and accounting regulations.
Contractual Necessity (Article 6(1)(b))
We process data necessary to fulfill our contract with you when you create an account and use our Service, including account management, authentication, and service delivery.
Special Category Data
Personality assessment data may constitute special category data (data concerning health) under Article 9 of the GDPR. We process this data based on your explicit consent (Article 9(2)(a)) provided at the time of assessment.
3. Data Subject Rights
If you are located in the EEA, UK, or Switzerland, you have the following rights under the GDPR. To exercise any of these rights, contact us at privacy@icosa.org with the subject line "GDPR Request." We will respond without undue delay and in any event within one month of receipt, as required by Article 12(3); for complex or numerous requests this period may be extended by up to two further months, and we will notify you of any extension and the reasons for it within the first month.
Right of Access (Article 15)
You may request confirmation of whether we process your personal data and, if so, obtain a copy of that data along with information about the purposes, categories, recipients, retention periods, and your rights.
Right to Rectification (Article 16)
You may request correction of inaccurate personal data or completion of incomplete data. For assessment results, note that computed profiles reflect your actual responses and cannot be manually altered; however, you may retake assessments to generate an updated profile.
Right to Erasure (Article 17)
You may request deletion of your personal data. We will comply unless we have a legal obligation to retain the data (e.g., 7-year clinical record retention consistent with applicable regulations) or another applicable exemption under Article 17(3) applies. Where retention is legally required, we will inform you of the specific basis and expected retention period.
Right to Data Portability (Article 20)
You may request your personal data in a structured, commonly used, machine-readable format (such as JSON). This includes your assessment responses, computed profile scores, and account information. You may also request that we transmit this data directly to another controller where technically feasible.
Right to Restriction of Processing (Article 18)
You may request that we restrict processing of your personal data in certain circumstances, including while we verify the accuracy of contested data, when processing is unlawful but you oppose erasure, or when we no longer need the data but you require it for legal claims.
Right to Object (Article 21)
You may object to processing based on legitimate interest at any time. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Right Not to Be Subject to Automated Decision-Making (Article 22)
Icosa's assessment engine generates profiles through automated processing. These profiles are informational and educational; they do not produce legal effects or similarly significant effects on you, so Article 22 does not restrict this processing. You may nonetheless request human review of any automated assessment output by contacting us.
4. Data Protection Contact
For data protection inquiries, contact our data protection team at:
Icosa, LLC
Email: dpo@icosa.org
5. Cross-Border Data Transfers
Icosa is based in the United States. When personal data is transferred from the EEA, UK, or Switzerland to the US, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We rely on the European Commission's Standard Contractual Clauses (adopted June 2021) as our primary transfer mechanism for EU-to-US data transfers
- UK Addendum to the EU SCCs: For transfers from the UK, we use the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office
- Supplementary measures: We implement additional technical measures (encryption, pseudonymization, access controls) to supplement the SCCs where necessary based on transfer impact assessments
We also monitor developments regarding the EU-U.S. Data Privacy Framework and will update our transfer mechanisms as appropriate.
6. Consent Management
We obtain and manage consent in accordance with GDPR requirements:
- Consent is obtained through clear, affirmative action (not pre-ticked boxes or inaction)
- Consent requests are presented in clear and plain language, separate from other terms
- We maintain records of consent where applicable and are continuously improving our consent management processes
- You may withdraw consent at any time through your account settings or by contacting us
- Withdrawal of consent is as easy as giving consent
7. Cookie Consent
Icosa uses minimal cookies. In compliance with the ePrivacy Directive and GDPR:
- Strictly necessary cookies (authentication, security) are placed without consent as they are essential for service operation
- Analytics cookies are placed only after you provide explicit consent through our cookie banner
- We do not use advertising or tracking cookies
- You may modify your cookie preferences at any time
8. Data Processing Agreements
Icosa maintains Data Processing Agreements (DPAs) with all sub-processors that handle personal data on our behalf, as required by Article 28 of the GDPR. Our sub-processors include:
- Amazon Web Services: Cloud infrastructure (GDPR-compliant, EU data processing addendum in place)
- Neon: Database hosting
- Cloudflare: Content delivery and security
- Amazon SES: Transactional email
We conduct due diligence on all sub-processors and ensure they provide sufficient guarantees regarding data protection. We will notify you of any changes to our sub-processor list.
9. Breach Notification
In accordance with Article 33 of the GDPR, Icosa will:
- Notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals
- Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Article 34)
- Document all breaches, including the facts, effects, and remedial actions taken
10. Children's Data
In accordance with Article 8 of the GDPR, Icosa applies the following rules for children's data:
- Children under 16 (or the applicable age in their member state) require parental or guardian consent to use the Service
- We make reasonable efforts to verify that consent is given or authorized by the holder of parental responsibility
- Icosa assessments are designed for individuals aged 6 and older; we do not knowingly process data of children under 6
- Under the UK GDPR (Data Protection Act 2018), the age threshold for consent is 13 rather than 16
- Parents or guardians may exercise data subject rights on behalf of their children
11. Right to Lodge a Complaint
If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. You may file a complaint with:
- The supervisory authority in your EU/EEA member state of habitual residence, place of work, or place of the alleged infringement
- The UK Information Commissioner's Office (ICO), if you are located in the United Kingdom
We encourage you to contact us first at privacy@icosa.org so that we can attempt to resolve your concern directly.
12. Data Protection Impact Assessments
Icosa conducts Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to individuals' rights and freedoms, including the systematic evaluation of personal aspects through automated personality assessment profiling. Our DPIAs assess the necessity and proportionality of processing, risks to data subjects, and measures to mitigate those risks.
13. EU Representative
Article 27 of the GDPR requires a controller not established in the EU, where Article 3(2) applies, to designate a representative in the EU. Icosa has not yet appointed a formal EU representative; we are evaluating the appointment and will update this page accordingly. In the meantime, inquiries from EU data subjects may be directed to our data protection team at dpo@icosa.org.
14. Contact
For GDPR-related inquiries or to exercise your data subject rights, contact us at:
Icosa, LLC
8 The Green, Suite A, Dover, DE 19901
Email: privacy@icosa.org
Data Protection Contact: dpo@icosa.org
Related Policies
See also our Privacy Policy, Terms of Service, and HIPAA Compliance pages.