Sub-processors
Last updated: May 23, 2026
Icosa, LLC engages the third-party service providers listed below to operate the assessment platform. Each provider acts as a data processor (or sub-processor) under our instructions and is bound by a data processing agreement (DPA) or equivalent contractual safeguards. Data transfers from the European Economic Area, the United Kingdom, or Switzerland to the United States rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum.
We notify users of material changes to this list by updating the "Last updated" date above. For significant additions affecting the categories of data processed, we will provide advance notice by email or an in-product banner.
Infrastructure
Render
- Purpose: Application hosting for the Icosa API
- Data processed: Inbound API traffic, including authenticated session requests, assessment responses, and computed profiles
- Region: United States and European Union
- Transfer mechanism: SCCs where applicable; EU traffic is served from the EU
- Privacy policy: render.com/privacy
Neon
- Purpose: Managed database service
- Data processed: All persistent application data — accounts, assessment responses, computed profiles, audit logs, billing records
- Region: United States and European Union
- Transfer mechanism: SCCs where applicable; EU data remains in the EU
- Privacy policy: neon.tech/privacy-policy
Amazon Web Services (AWS)
- Purpose: Underlying cloud infrastructure for our database and hosting providers, transactional email delivery, and object storage for non-personal reference data
- Data processed: See Neon (database), Amazon SES (email); no direct user data via object storage
- Region: United States and European Union
- Transfer mechanism: AWS GDPR Data Processing Addendum incorporating SCCs
- Privacy policy: aws.amazon.com/privacy
Edge and security
Cloudflare
- Purpose: Content delivery, DNS, TLS termination, DDoS protection, geo-routing, edge caching, rate limiting, and marketing-site hosting
- Data processed: Request metadata (IP address, headers, user agent), TLS handshakes, cached static responses
- Region: Global edge network
- Transfer mechanism: Cloudflare Data Processing Addendum incorporating SCCs
- Privacy policy: cloudflare.com/privacypolicy
Cloudflare Turnstile
- Purpose: Bot protection on public forms without traditional CAPTCHAs
- Data processed: IP address, browser signals, and behavioral telemetry sufficient to distinguish humans from automated clients; a single-use verification token is then returned to our server
- Region: Global edge
- Transfer mechanism: Cloudflare DPA / SCCs
- Privacy policy: cloudflare.com/turnstile-privacy-policy
Communications
Amazon SES
- Purpose: Transactional email delivery (authentication magic links, assessment-ready notifications, account messages)
- Data processed: Recipient email address, message body, delivery telemetry
- Region: United States
- Transfer mechanism: AWS DPA / SCCs
- Privacy policy: aws.amazon.com/privacy
Analytics
PostHog
- Purpose: Product analytics — anonymized event tracking to understand feature engagement and improve the assessment experience
- Data processed: Anonymous device identifier and event names from a fixed vocabulary. After you sign in, your Icosa user ID is sent so anonymous events can be linked to the same person; no name, email, or assessment content is sent. IP addresses are not recorded. Session replay is disabled.
- Region: European Union
- Transfer mechanism: EU-hosted; data remains in the EU
- Opt out: Disable analytics at any time through your account settings (Privacy → Analytics). On the marketing site, analytics fire only after you accept the cookie banner.
- Privacy policy: posthog.com/privacy
AI and language models
Anthropic (Claude)
- Purpose: Generation of the personalized narrative interpretation that accompanies your assessment results
- Data processed: Your computed personality profile (numerical scores across the 20 dimensions, derived harmonies, and structural features) along with instructions for prose generation. We do not send your name, email, or other directly identifying data to Anthropic; profiles are referenced by an opaque token.
- Region: United States
- Transfer mechanism: Anthropic Commercial Terms and DPA incorporating SCCs
- Training carve-out: Anthropic's commercial terms prohibit the use of customer inputs and outputs to train Anthropic's foundation models
- Privacy policy: anthropic.com/legal/privacy
OpenAI
- Purpose: Text-embedding generation used by practitioner-facing client lookup and internal research workflows that improve the assessment methodology
- Data processed: Free-text search queries entered by practitioners; persona text and term definitions during indexing. Individual assessment responses are not sent to OpenAI.
- Region: United States
- Transfer mechanism: OpenAI DPA incorporating SCCs
- Training carve-out: OpenAI's API terms exclude API inputs and outputs from being used to train OpenAI models
- Privacy policy: openai.com/policies/privacy-policy
Payments
Stripe
- Purpose: Payment processing for paid subscriptions and billing management
- Data processed: Cardholder name, billing address, card details, transaction history, IP address. Card numbers (PAN) are tokenized by Stripe and never reach Icosa servers. Stripe is PCI-DSS Level 1 certified.
- Region: Global
- Transfer mechanism: Stripe DPA incorporating SCCs; Strong Customer Authentication (SCA) for EU payments
- Privacy policy: stripe.com/privacy
Authentication providers
When you choose to sign in with a third-party identity provider, that provider receives the bare minimum information required to complete the OAuth flow (typically your email address and provider account identifier). Icosa does not receive any data from these providers beyond what is required to associate the sign-in with your Icosa account.
Apple (Sign in with Apple)
- Data received by Apple: The fact that you are signing into Icosa
- Privacy policy: apple.com/legal/privacy
Google (Sign in with Google)
- Data received by Google: The fact that you are signing into Icosa
- Privacy policy: policies.google.com/privacy
Microsoft (Sign in with Microsoft)
- Data received by Microsoft: The fact that you are signing into Icosa
- Privacy policy: privacy.microsoft.com
Mobile platform services
Expo / EAS
- Purpose: Over-the-air (OTA) update distribution for the Icosa mobile applications
- Data processed: Anonymous device identifier, app version, platform, update channel. No assessment data.
- Region: United States
- Privacy policy: expo.dev/privacy
Apple App Store and Google Play
- Purpose: Distribution of the Icosa mobile application; in-app purchase processing where applicable
- Data processed: Whatever data the App Store or Play Store collects under their own privacy policies — Icosa does not see App Store / Play Store account identifiers
Contact
To request a copy of any DPA, ask about a specific provider, or object to the engagement of a sub-processor, contact:
Icosa, LLC
8 The Green, Suite A, Dover, DE 19901
Email: privacy@icosa.org
Data Protection Contact: dpo@icosa.org
Related Policies
See also our Privacy Policy, Terms of Service, HIPAA Compliance, and GDPR Compliance pages.