Live Beta

Icosa is in live beta

Icosa is a holistic personality framework — not medical software. It does not diagnose, prescribe, or observe behavior. Each result describes only what a person’s structure currently supports: the building and the floor plan, not what happens inside. This beta is for practitioners, clinicians, and early‑adopter explorers, not for general clinical use.

The instrument has been rigorously validated against clinical standards, but the system is brand‑new and only beginning real‑world use. Final measurements, terms, and features stabilize by Summer 2026; the public release will be greatly simplified and built for safe, general use.

During this beta, HIPAA, GDPR, privacy policies, terms of service, and data stability are not enforced — everything is changing rapidly as the platform improves toward launch.

Thank you for being part of this new model and community.
Legal

Privacy Policy

Last updated: May 23, 2026

Icosa, LLC ("Icosa," "we," "us," or "our") operates the Icosa personality assessment platform. This Privacy Policy describes how we collect, use, store, and protect your personal information when you use our services, including our website, mobile applications, and assessment tools.

By using Icosa, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our services.

Your Data is Private

Your assessment responses, computed profile, and narrative interpretation are private to you. They are never shared with other Icosa users, other practitioners, advertisers, data brokers, or any third party for their own marketing or commercial purposes. The only people who see your results are you and anyone you explicitly choose to share them with (for example, a practitioner you invite to a session, or a partner you invite into a dyadic assessment). Icosa staff access individual data only when required to provide direct support, investigate a security incident, or comply with a lawful request — each such access is logged in our HIPAA-grade audit trail.

How we improve the platform: we use de-identified and aggregated assessment data to operate, calibrate, and improve Icosa — including refining how profiles are computed, validating the assessment methodology against clinical and statistical research, tuning the narrative-generation prompts, and producing internal product analytics. De-identification follows the HIPAA Safe Harbor standard: direct and indirect identifiers (name, email, account ID, IP address, precise timestamps, free-text content, and the 18 HIPAA identifier categories) are removed before the data enters any research or analytics workflow. No personally identifying data (PID) is included. The aggregated learning improves the profile you receive and benefits every user — as more people use Icosa, the assessment gets sharper for everyone.

If you do not wish your de-identified data to be used for research or methodology improvement, you can withdraw that consent at any time through your account Privacy settings or by contacting privacy@icosa.org. Withdrawal does not affect the lawfulness of processing performed before withdrawal, and de-identified data already incorporated into published research or trained statistical models cannot be retroactively extracted; we will exclude your data from all future workflows.

1. Information We Collect

Account Information

When you create an account, we collect your email address and, optionally, your name. We use passwordless authentication—we do not collect or store passwords.

Single Sign-On (SSO) Sign-In

If you choose to sign in with a third-party identity provider (Apple, Google, or Microsoft), that provider returns your email address and an opaque account identifier to Icosa. We do not receive your social-graph data, contact list, calendar, or any other information from these providers. The provider learns only that you are signing into Icosa.

Assessment Data

When you take an Icosa assessment, we collect your responses to assessment items, which are used to compute your personality profile across 20 dimensions organized within 4 capacities (Open, Focus, Bond, Move) and 5 domains (Physical, Emotional, Mental, Relational, Spiritual). This data includes response values, timing metadata, and the resulting computed scores.

Profile Data

We store your computed personality profile, narrative interpretations, and any assessment history you build over time through longitudinal tracking.

Usage Analytics

We collect anonymized usage data such as page views, route segments, and feature engagement to improve our services. Analytics are powered by PostHog, hosted in the European Union. IP addresses are not recorded, session replay is disabled, and event properties are restricted to a fixed vocabulary that excludes assessment responses and free-text input. After you sign in, your Icosa user ID is sent to PostHog so anonymous events can be linked to the same person; no name, email, or assessment content is sent.

On the marketing site, analytics fire only after you accept the cookie banner. In the mobile and web apps, product analytics operate on a legitimate-interest basis as described in our GDPR Compliance page; you can disable analytics at any time through your account Privacy settings.

Device and Technical Data

We automatically collect device type, browser type, operating system, and IP address for security, fraud prevention, and service optimization purposes.

2. How We Use Your Information

  • To provide, maintain, and improve the Icosa assessment platform
  • To compute and deliver your personality profile and narrative interpretations, including the generation of personalized prose by a large language model sub-processor (see "AI-Assisted Narrative Generation" below)
  • To enable longitudinal tracking of your personality development over time
  • To facilitate dyadic (couples) assessments when you choose to participate
  • To provide practitioner-mediated clinical assessments when authorized by you
  • To communicate service updates, security notices, and account-related messages
  • To process payments and manage subscriptions through our payment processor (see "Third-Party Services" below)
  • To conduct anonymized research to validate and improve our assessment methodology
  • To comply with legal obligations, including HIPAA-grade safeguards for assessment data

AI-Assisted Narrative Generation

The interpretive narrative that accompanies your assessment results is generated by Anthropic's Claude large language model. Your computed personality profile (numerical scores and derived structural features) is sent to Anthropic via their commercial API, along with prose-generation instructions. Your name, email address, and other directly identifying data are not sent; profiles are referenced by an opaque token. Anthropic's commercial terms prohibit the use of customer inputs or outputs to train their foundation models.

If you don't like a generated narrative, you can regenerate it from your results screen — a new run produces fresh prose from the same numerical profile. To stop future narrative generation entirely, revoke the narrative consent via your account Privacy settings; subsequent generations are blocked until you re-grant it. Requests already in flight to Anthropic at the moment of withdrawal complete normally because the data has already left our infrastructure.

3. Data Storage and Security

Your data is stored in managed, encrypted databases hosted on enterprise cloud infrastructure. We implement comprehensive security measures including:

  • AES-256-GCM authenticated encryption for data at rest
  • TLS 1.2 or higher encryption for all data in transit
  • Role-based access controls limiting data access to authorized personnel
  • HIPAA-compliant audit logging of all data access events
  • Regular security assessments and vulnerability testing

4. HIPAA-Compliant Data Handling

Icosa treats assessment data as Protected Health Information (PHI) under HIPAA. We maintain administrative, technical, and physical safeguards as required by the HIPAA Security Rule. For practitioner accounts, we offer Business Associate Agreements (BAAs) to ensure compliant data sharing between Icosa and healthcare providers. See our HIPAA Compliance page for full details.

5. Cookies and Tracking

Icosa uses minimal cookies and similar technologies:

  • Essential cookies: Required for authentication, session management, and security. These cannot be disabled.
  • Analytics: The marketing site loads PostHog only after you accept the cookie banner. The mobile and web apps use in-memory analytics storage rather than persistent cookies; you may disable analytics through your account Privacy settings.
  • Bot protection (Cloudflare Turnstile): Public forms (newsletter signup, the Simulator gateway) load Cloudflare Turnstile, which sets a short-lived client identifier and collects browser fingerprint and behavioral signals to distinguish humans from automated clients. Turnstile is privacy-preserving by design — no third-party cookies are set, no advertising profile is built, and the verification token is single-use. Details: Cloudflare Turnstile Privacy Policy.

We do not use advertising cookies, tracking pixels for ad networks, or any third-party advertising technology. We do not sell or share your data with advertisers.

We do not currently respond to Do Not Track (DNT) browser signals. We do not track users across third-party websites.

6. Third-Party Services

We engage third-party providers to operate the platform. The full list, with the data each provider receives, the region in which they process it, and the applicable data-transfer mechanism, is published on our Sub-processors page. Categories include:

  • Infrastructure: Application hosting, managed database, and underlying cloud platform (see Sub-processors for vendor names and regions)
  • Edge and security: Cloudflare (CDN, DNS, DDoS protection), Cloudflare Turnstile (bot protection)
  • Communications: Amazon SES (transactional email)
  • Analytics: PostHog (EU-hosted product analytics)
  • AI and language models: Anthropic (Claude — narrative generation), OpenAI (text embeddings)
  • Payments: Stripe (PCI-DSS Level 1; cardholder data tokenized at Stripe, never stored by Icosa)
  • Authentication providers: Apple, Google, Microsoft (SSO sign-in only)
  • Mobile platform: Expo / EAS (over-the-air updates), Apple App Store, Google Play

Each provider acts under a data processing agreement (or equivalent contractual safeguards) and is bound to process data only on our instructions. We do not share your personal data with any third parties for their own marketing or commercial purposes, and our commercial terms with Anthropic and OpenAI prohibit the use of customer inputs or outputs to train their foundation models.

7. Data Retention

We retain your data according to the following schedule:

  • Clinical assessment records: 7 years from the date of assessment, consistent with clinical best practices and applicable state record retention requirements
  • Account information: Retained for the duration of your active account, plus 30 days following account deletion to allow for recovery
  • Usage analytics: Anonymized and aggregated data is retained indefinitely; identifiable analytics data is purged after 24 months
  • Audit logs: 7 years, consistent with clinical best practices and applicable state record retention requirements

8. Your Rights

You have the following rights regarding your personal data. Each is exercised through a self-service control in your account — no email request, no waiting period, no human review queue.

  • Access / Export: Download a complete copy of your data (account, assessment responses, computed profiles, narratives, audit log) in machine-readable JSON. Account → Privacy → Export My Data.
  • Deletion: Delete your account and all associated personal data, subject to a brief recovery window and any legally-required retention (audit logs and consent records survive in pseudonymized form). Account → Privacy → Delete My Account.
  • Correction: Assessment scores reflect your actual responses and cannot be edited; retake the assessment to update your profile. Edit your name or email under Account → Profile.
  • Withdraw consent / Restrict processing: Flip the relevant toggle in Account → Privacy. Each toggle takes effect immediately. The two visible toggles cover analytics + behavioral telemetry (the "Help improve Icosa" switch) and de-identified research use (the "Contribute to research" switch). Narrative generation and share-link creation use implicit consent captured at the moment of the action; revoke by stopping the action or by deleting share links.
  • Regenerate AI narrative: If you want a different version of the LLM-generated prose, regenerate it from your results screen. No request required.

For any right not covered by a self-service control (rare edge cases — e.g., a court-ordered restriction notice), email privacy@icosa.org. Standard GDPR response window is 30 days, extendable by 60 days for complex matters.

9. Children's Privacy

Icosa assessments are designed for individuals aged 6 and older. We comply with the Children's Online Privacy Protection Act (COPPA) and similar regulations:

  • Children under 13 may only use Icosa with verified parental or guardian consent
  • Children aged 6–12 must have a parent or guardian create and manage their account
  • We do not knowingly collect personal information from children under 6
  • Parents or guardians manage their child's data through the same self-service controls in Account → Privacy (Export My Data, Delete My Account, consent toggles). For ID-verified parental access to a minor's account, email privacy@icosa.org.

10. California Privacy Rights (CCPA) and Similar State Laws

If you are a California resident (or a resident of Colorado, Virginia, Connecticut, Utah, Texas, Oregon, Montana, or any state with a comparable privacy law), the rights described in Section 8 fulfill the equivalent rights granted by those statutes:

  • Right to know: Section 1 of this Policy describes every category of data we collect; Account → Privacy → Export My Data returns your individual record.
  • Right to deletion: Account → Privacy → Delete My Account.
  • Right to opt out of "sale" or "sharing": Icosa does not sell personal information and does not share it for cross-context behavioral advertising. No opt-out toggle is required because no such processing occurs.
  • Right to non-discrimination: Exercising any of these rights does not change the price or quality of service you receive.

11. Data Residency and International Transfers

Icosa operates regional services so that personal data is stored close to where you live:

  • EU / EEA / UK / Switzerland residents: your data is stored in the European Union.
  • All other regions: your data is stored in the United States.

A small number of specialized sub-processors (e.g., the AI provider that generates your narrative, the analytics provider) may process limited data outside your home region. Where applicable, these transfers from the EU rely on Standard Contractual Clauses (SCCs) approved by the European Commission and, for UK transfers, the UK International Data Transfer Addendum. The data sent to these sub-processors is de-identified (your name and email are not included). See our GDPR Compliance and Sub-processors pages for the transfer mechanism applicable to each sub-processor.

12. Data Breach Notification

In the event of a data breach affecting your personal information, we will notify you in accordance with applicable law. For details on our breach notification procedures, see our HIPAA Compliance and GDPR Compliance pages.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes affecting your rights, we will notify you via email.

14. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Icosa, LLC
8 The Green, Suite A, Dover, DE 19901
Email: privacy@icosa.org

Related Policies

See also our Terms of Service, HIPAA Compliance, GDPR Compliance, and Sub-processors pages.