Privacy Policy

1. Data Controller

The data controller for your personal information is: Evaligned, operating at evaligned.ai. Legal correspondence: legal@evaligned.ai.

UK/EU users: For the purposes of UK GDPR and EU GDPR, Aligned Self is the data controller. If you are located in the UK or EU and have concerns that cannot be resolved directly with us, you have the right to lodge a complaint with your local supervisory authority (UK: the Information Commissioner's Office at ico.org.uk; EU: your national data protection authority).

2. Information We Collect

We collect the following categories of personal information:

2.1 Account and identity information

• Name and email address (provided at registration)
• Account authentication data (managed via Supabase)

2.2 Assessment and self-report data

• Your responses to all assessment questions (scale ratings and open-text answers)
• Calculated dimension scores and overall alignment scores
• AI-generated reports, pattern archetypes assigned, and pathway recommendations
• Open-text responses describing personal circumstances, feelings, and experiences
• Follow-up conversation messages exchanged with the AI system
• Weekly check-in responses and daily accountability entries

Important notice regarding sensitive information: Your assessment responses and the insights generated from them may constitute sensitive or health-adjacent personal information under applicable law. This may include information touching on your emotional wellbeing, mental state, relationships, and sense of meaning or purpose. We handle this information with the additional care appropriate to its sensitivity.

2.3 Usage and technical data

• Pages visited, features used, and time spent on the platform
• Browser type, operating system, device type, and screen resolution
• IP address and approximate geographic location (country/region level)
• Referring URL and session identifiers

2.4 Payment data

• Subscription and billing records. Payment card details are processed directly by our payment processor and are not stored on Evaligned servers.

2.5 Communications

• Emails you send to us and our responses
• Email communications sent to you via our email service provider (Resend)

3. How We Collect Your Information

We collect information:

• Directly from you when you register, complete an assessment, use the AI companion, or contact us;
• Automatically through your use of the platform (usage data, technical data);
• From third-party services we use to operate the platform (see Section 6).

We do not collect information from third-party sources such as social media platforms, data brokers, or advertising networks.

4. Lawful Basis for Processing (UK/EU Users)

For users in the UK and EU, we rely on the following lawful bases under UK GDPR and EU GDPR:

• Contract performance (Article 6(1)(b)): Processing necessary to provide the services you have requested, including delivering assessment results, generating AI reports, and managing your account and subscription.
• Legitimate interests (Article 6(1)(f)): Processing for platform security, fraud prevention, aggregate analytics, and methodology improvement — where these interests are not overridden by your privacy rights.
• Consent (Article 6(1)(a) and Article 9(2)(a)): For processing of special category data (including health-adjacent assessment responses) and for optional marketing communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.
• Legal obligation (Article 6(1)(c)): Where we are required to process information to comply with applicable law.

5. How We Use Your Information

We use your personal information to:

• Create and manage your account;
• Deliver the Life Alignment Assessment, generate scores, and produce your AI-personalised report;
• Power the AI follow-up conversation and ongoing check-in features;
• Process subscription payments and manage billing;
• Send transactional and platform-related communications (account notifications, reports, onboarding emails);
• Send marketing communications (only with your consent; you may opt out at any time);
• Improve the platform, AI models, and underlying methodology — using anonymised and aggregated data only;
• Detect and prevent fraud, abuse, and security incidents;
• Comply with applicable legal obligations;
• Respond to your enquiries and support requests.

We do not sell your personal data. We do not share your personal data with third parties for their own marketing purposes.

6. Third-Party Service Providers and Data Transfers

We share your information with the following categories of third-party service providers, solely to operate and improve the platform:

International data transfers. Your personal information is transferred to and processed in countries outside your country of residence. Primary data storage is in Singapore (Supabase / AWS ap-southeast-1). AI processing and email delivery occur in the United States (OpenAI, Resend). Platform hosting is served from the United States and a global CDN (Vercel).

Singapore is governed by the Personal Data Protection Act 2012 (PDPA) and is not currently designated as an adequate country under EU GDPR or UK GDPR. The United States does not have a general EU or UK adequacy decision (the EU-US Data Privacy Framework applies only to certified US organisations). We address these transfers as follows:

• UK users: Transfers to Singapore and the USA are made under the UK International Data Transfer Agreement (IDTA) or equivalent approved safeguards under UK GDPR Article 46. Where Supabase and OpenAI are certified under the EU-US Data Privacy Framework or equivalent UK adequacy mechanism, transfers rely on that framework. Otherwise, Standard Contractual Clauses (SCCs) or the UK IDTA apply.
• EU users: Transfers to Singapore and the USA are made under Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Decision (EU) 2021/914), or pursuant to the EU-US Data Privacy Framework where the recipient is a certified participant. Singapore does not have an EU adequacy decision; SCCs govern all transfers to Supabase's Singapore infrastructure.
• Australian users: Overseas disclosures to Singapore and the USA are made under Australian Privacy Principle 8. We have taken reasonable steps to ensure that Supabase (Singapore), OpenAI (USA), Vercel (USA), and Resend (USA) handle your information consistently with the Australian Privacy Principles, including through contractual data processing agreements with each provider.

OpenAI and your assessment data: Your assessment responses and conversation messages are transmitted to OpenAI's API solely to generate your personalised report. By using the AI features, you acknowledge this transfer. OpenAI's use of this data is governed by OpenAI's API Terms of Service and Privacy Policy. We have configured our OpenAI integration to opt out of training data usage where that option is available.

7. Cookies and Tracking Technologies

We use essential cookies and similar technologies necessary to operate the platform (session management, authentication). We may use analytics cookies to understand platform usage in aggregate. We do not use advertising or tracking cookies.

You may disable cookies through your browser settings, but this may affect the functionality of the platform. Where required by law (including the EU ePrivacy Directive and UK equivalent), non-essential cookies are only placed with your consent.

8. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the services, comply with our legal obligations, resolve disputes, and enforce our agreements. Specifically:

• Account and assessment data: Retained for the life of your account, plus up to 3 years after account closure for legal compliance purposes, then securely deleted;
• AI conversation transcripts: Retained for up to 24 months from the date of the conversation, then deleted;
• Billing records: Retained for 7 years from the date of transaction as required by applicable financial and tax laws;
• Anonymised aggregate data: May be retained indefinitely for research and platform improvement, as it no longer identifies you.

You may request earlier deletion of your personal data at any time (see Section 10). We will honour valid deletion requests promptly, subject to legal retention obligations.

9. Security

We implement technical and organisational security measures appropriate to the sensitivity of the information processed, including encrypted data transmission (TLS), access controls, authentication protections, and third-party infrastructure security (Supabase/Vercel). Assessment responses and AI conversation data are treated as sensitive and stored with restricted access.

No system is completely secure. While we take reasonable steps to protect your information, we cannot guarantee absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and relevant authorities as required by applicable law (72-hour notification window under GDPR; reasonable timeframe under the Australian Notifiable Data Breaches scheme).

10. Your Rights

Depending on your location, you have the following rights regarding your personal information:

All users:

• Access: Request a copy of the personal information we hold about you;
• Correction: Request correction of inaccurate or incomplete information;
• Deletion: Request deletion of your personal information (subject to legal retention obligations);
• Opt-out of marketing: Unsubscribe from marketing communications at any time using the link in any email or by contacting us.

UK and EU users (additional rights under UK/EU GDPR):

• Data portability (Article 20): Receive your personal data in a structured, machine-readable format;
• Restriction of processing (Article 18): Request that we restrict processing in certain circumstances;
• Object to processing (Article 21): Object to processing based on legitimate interests or for direct marketing;
• Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior lawful processing;
• Automated decision-making (Article 22): Not be subject to decisions based solely on automated processing that produce significant legal or similarly significant effects. Note: our AI reports are generated through automated processing. They are informational outputs and are not binding determinations. You retain full autonomy over any decisions made in response to them;
• Supervisory authority complaint: Lodge a complaint with the ICO (UK) or your national DPA (EU).

California users (CCPA/CPRA):

• Right to know what personal information is collected and how it is used;
• Right to delete personal information;
• Right to opt-out of the sale or sharing of personal information (we do not sell or share personal information);
• Right to non-discrimination for exercising privacy rights;
• Right to correct inaccurate personal information;
• Right to limit use of sensitive personal information.

To exercise any of these rights, contact us at privacy@evaligned.ai. We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.

11. Children's Privacy

11.1 Age requirement. The Evaligned platform is intended solely for use by individuals who are 18 years of age or older. We do not direct our platform at children or minors, and the nature of our content — covering life purpose, career, relationships, emotional wellbeing, and personal alignment — is designed for adults. We require users to confirm they are 18 or older before beginning any assessment.

11.2 No knowing collection from minors. We do not knowingly collect, store, or use personal information from any person under the age of 18. If we become aware or reasonably suspect that we have inadvertently collected personal information from a minor, we will take immediate steps to delete that information from our systems.

11.3 COPPA (US users). Evaligned does not direct its services to children under 13 as defined by the United States Children's Online Privacy Protection Act (COPPA). We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us immediately at privacy@evaligned.ai and we will delete it promptly.

11.4 UK/EU (Children's data). Under UK GDPR and EU GDPR, the processing of children's personal data requires additional safeguards. Our platform is not intended for children under 18. In the UK, the Age Appropriate Design Code (Children's Code) sets standards for online services likely to be accessed by children under 18 — we have designed our platform for adults only and do not direct it at persons under 18.

11.5 Reporting. If you believe a minor is using the platform or that we hold information about a minor, please contact us at privacy@evaligned.ai. We will investigate and take appropriate action.

12. AI Data Practices

12.1 What the AI processes. The Evaligned AI Coach processes your dimension scores, assessment results, weekly check-in summaries, daily check-in data (energy, clarity, emotional state), journal entry dimension tags, pathway enrolment status, and archetype identification. This data is used to generate personalised coaching responses, daily insights, weekly pattern reports, monthly narrative letters, and content recommendations.

12.2 What is stored.AI coaching conversations are processed in real-time and streamed to your browser. Conversation transcripts are not stored in our database. A coaching profile — containing thematic summaries (identified values, recurring themes, what works, what doesn't, open commitments) — is maintained to provide cross-session continuity. This profile contains summaries, not verbatim conversation records.

12.3 Safety monitoring. Every AI interaction is monitored by an automated safety protocol that detects signals of distress. When concern thresholds are reached, the system responds with recommendations for professional support or crisis resources. Safety signal data (type and severity, not conversation content) is logged to the coaching profile to maintain continuity of safety monitoring across sessions.

12.4 AI request logging. We log metadata about AI requests (model used, response time, token count, endpoint) for quality monitoring and cost management. These logs are associated with your user ID but do not contain the content of your messages or the AI's responses.

12.5 Third-party AI processing. AI coaching is powered by OpenAI's API. Your data is transmitted to OpenAI for processing in accordance with OpenAI's data usage policies. OpenAI does not use API data for model training. See Section 6 for details on international data transfers.

12.6 Deletion. You may request deletion of your coaching profile and all associated AI data at any time by contacting privacy@evaligned.ai. Upon account deletion, all coaching profile data is permanently removed.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify registered users by email or prominent in-platform notice at least 14 days before they take effect. For UK/EU users, where changes affect the lawful basis for processing, we will obtain fresh consent where required by law. Your continued use of the platform after changes take effect constitutes your acceptance of the updated policy.

14. Contact

For all privacy enquiries, data subject access requests, or complaints:

• Email: privacy@evaligned.ai
• Subject line: "Privacy Request – [type of request]"

UK/EU users who are not satisfied with our response may escalate to the Information Commissioner's Office (ico.org.uk) or their national data protection authority.

Australian users may contact the Office of the Australian Information Commissioner (oaic.gov.au).