Privacy Policy
Last updated: April 4, 2026
Icosa, LLC ("Icosa," "we," "us," or "our") operates the Icosa personality assessment platform. This Privacy Policy describes how we collect, use, store, and protect your personal information when you use our services, including our website, mobile applications, and assessment tools.
By using Icosa, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our services.
1. Information We Collect
Account Information
When you create an account, we collect your email address and, optionally, your name. We use passwordless authentication—we do not collect or store passwords.
Assessment Data
When you take an Icosa assessment, we collect your responses to assessment items, which are used to compute your personality profile across 20 dimensions organized within 4 capacities (Open, Focus, Bond, Move) and 5 domains (Physical, Emotional, Mental, Relational, Spiritual). This data includes response values, timing metadata, and the resulting computed scores.
Profile Data
We store your computed personality profile, narrative interpretations, and any assessment history you build over time through longitudinal tracking.
Usage Analytics
We collect anonymized usage data such as page views, session duration, and feature engagement to improve our services. We use privacy-focused, first-party analytics that do not track individual users across websites or share data with third parties.
Device and Technical Data
We automatically collect device type, browser type, operating system, and IP address for security, fraud prevention, and service optimization purposes.
2. How We Use Your Information
- To provide, maintain, and improve the Icosa assessment platform
- To compute and deliver your personality profile and narrative interpretations
- To enable longitudinal tracking of your personality development over time
- To facilitate dyadic (couples) assessments when you choose to participate
- To provide practitioner-mediated clinical assessments when authorized by you
- To communicate service updates, security notices, and account-related messages
- To conduct anonymized research to validate and improve our assessment methodology
- To comply with legal obligations, including HIPAA clinical data requirements
3. Data Storage and Security
Your data is stored in Neon PostgreSQL databases hosted on Amazon Web Services (AWS) infrastructure. We implement comprehensive security measures including:
- AES-256-GCM authenticated encryption for data at rest
- TLS 1.2 or higher encryption for all data in transit
- Role-based access controls limiting data access to authorized personnel
- HIPAA-compliant audit logging of all data access events
- Regular security assessments and vulnerability testing
4. HIPAA-Compliant Data Handling
Icosa treats assessment data as Protected Health Information (PHI) under HIPAA. We maintain administrative, technical, and physical safeguards as required by the HIPAA Security Rule. For practitioner accounts, we offer Business Associate Agreements (BAAs) to ensure compliant data sharing between Icosa and healthcare providers. See our HIPAA Compliance page for full details.
5. Cookies and Tracking
Icosa uses minimal cookies:
- Essential cookies: Required for authentication, session management, and security. These cannot be disabled.
- Analytics cookies: Used to collect anonymized usage data to improve our service. You may opt out of analytics cookies through your browser settings or our cookie preferences.
We do not use advertising cookies, tracking pixels for ad networks, or any third-party advertising technology. We do not sell or share your data with advertisers.
We do not currently respond to Do Not Track (DNT) browser signals. We do not track users across third-party websites.
6. Third-Party Services
We use the following third-party services to operate Icosa:
- Amazon Web Services (AWS): Cloud infrastructure hosting (SOC 2 Type II certified)
- Neon: PostgreSQL database hosting
- Cloudflare: Content delivery, DDoS protection, and DNS
- Amazon SES: Transactional email delivery (authentication links, notifications)
Each of these providers maintains its own privacy and security certifications. We do not share your personal data with any third parties for their own marketing or commercial purposes.
7. Data Retention
We retain your data according to the following schedule:
- Clinical assessment records: 7 years from the date of assessment, consistent with clinical best practices and applicable state record retention requirements
- Account information: Retained for the duration of your active account, plus 30 days following account deletion to allow for recovery
- Usage analytics: Anonymized and aggregated data is retained indefinitely; identifiable analytics data is purged after 24 months
- Audit logs: 7 years, consistent with clinical best practices and applicable state record retention requirements
8. Your Rights
You have the following rights regarding your personal data:
- Access: Request a copy of all personal data we hold about you
- Correction: Request correction of inaccurate personal data
- Deletion: Request deletion of your account and associated data, subject to legal retention requirements (e.g., 7-year clinical data retention consistent with applicable regulations)
- Export: Request a portable copy of your assessment data in a machine-readable format
- Restriction: Request that we limit processing of your data in certain circumstances
To exercise any of these rights, contact us at privacy@icosa.org. We will respond within 30 days (extendable by up to 60 additional days for complex requests, with prior notice).
9. Children's Privacy
Icosa assessments are designed for individuals aged 6 and older. We comply with the Children's Online Privacy Protection Act (COPPA) and similar regulations:
- Children under 13 may only use Icosa with verified parental or guardian consent
- Children aged 6–12 must have a parent or guardian create and manage their account
- We do not knowingly collect personal information from children under 6
- Parents or guardians may review, modify, or delete their child's data by contacting us at privacy@icosa.org
10. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- The right to know what personal information we collect, use, and disclose
- The right to request deletion of your personal information
- The right to opt out of the sale of personal information—Icosa does not sell personal information
- The right to non-discrimination for exercising your privacy rights
To submit a CCPA request, contact us at privacy@icosa.org with the subject line "CCPA Request."
11. International Data Transfers
Icosa is operated from the United States. If you access our services from outside the US, your data will be transferred to and processed in the United States. For transfers from the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. See our GDPR Compliance page for more information.
12. Data Breach Notification
In the event of a data breach affecting your personal information, we will notify you in accordance with applicable law. For details on our breach notification procedures, see our HIPAA Compliance and GDPR Compliance pages.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes affecting your rights, we will notify you via email.
14. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
Icosa, LLC
8 The Green, Suite A, Dover, DE 19901
Email: privacy@icosa.org
Related Policies
See also our Terms of Service, HIPAA Compliance, and GDPR Compliance pages.