Privacy Policy

Last updated: 21 July 2025

This policy is modular. Section 2 lists the categories of Personal Data we collect; Sections 3–8 describe how and why we use Personal Data, how we share it, how we protect it, how long we keep it and where we process it; Sections 9–10 explain your rights and choices; Section 11 addresses cookies and similar technologies; Section 12 explains how we update this notice.

1. Categories of Personal Data We Collect

Identifiers and Account Data

Names, aliases, employer and job titles, contact details (email addresses, telephone numbers, mailing addresses), unique user identifiers, login credentials, authentication tokens, and billing or payment information (when you purchase paid Services).

Diagnostic and Behavioral Data

Responses to diagnostic assessments (e.g. Drift Quotient), behavioral scores, communications patterns, self-reported traits, behavioral signal data derived from interactions with our AI tools, session data (time, duration, frequency), and optional sensitive characteristics (gender, race, ethnicity, disability status or veteran status) when you choose to provide them in order to contextualize behavioral insights. Sensitive data is collected only with explicit consent and may be used to increase diagnostic clarity and calibration accuracy. We do not use diagnostic or sensitive behavioral data to train public AI systems. Any internal model calibration is conducted under strict containment protocols, and only with opt-in participation where applicable.

Consulting Engagement Data

Strategic objectives, organizational charts, governance documents, board materials, performance indicators, leadership profiles, training results, and any materials you or your organization supply in connection with our consulting services. We treat these materials as confidential and process them solely to fulfill the engagement.

Usage and Device Data

IP addresses, device identifiers, browser types, operating systems, timestamps, cookie IDs, general usage trends, pages or screens viewed, referring URLs, and crash logs. We may implement session recording or advanced tracking functionality in future product iterations.

Communications Data

Emails, chat messages, meeting notes, and call recordings when you communicate with us. For quality assurance, recording may be introduced in future offerings, always requiring participant consent.

Marketing and Preference Data

Survey responses, preferences about receiving marketing from us, areas of interest (e.g., AI mastery, board work, executive advisory), and engagement metrics from emails or social media. We may in the future collect information from publicly available sources and third-party data providers to supplement our records and maintain accurate contact information.

We do not intentionally collect data from children under 18 and do not offer services directed to minors.

2. How We Collect Personal Data

Directly from you

When you create an account, use our Platform, request information, participate in diagnostics, engage our consulting services, or communicate with us.

Automatically through the Platform

Via cookies, pixels, analytics tags, log files and other technologies that collect Usage and Device Data. Advanced tools such as session replay or mouse tracking may be used in future versions of the Platform.

From your organization

When your employer or client engages us, it may supply organizational data and employee contact information. We may collect HR-provided data (e.g., role, tenure, performance metrics) to contextualize diagnostics and deliver aggregated insights, where applicable.

From third parties

Including service providers (analytics, payment processors, cloud hosting), public databases, and professional networks. We may enrich contact data with professional profiles in the future.

3. How and Why We Use Personal Data

Service Provision and Account Management

To create and manage your account, deliver diagnostics, generate behavioral insights, provide consulting services, manage billing and payments, authenticate users and troubleshoot issues. Legal basis: contract; legitimate interest in running our business.

Personalization and AI-Driven Insights

To tailor diagnostics, adapt interventions, predict behavioral patterns, match you with advisors or AI models, and improve accuracy over time. Legal basis: consent for sensitive data; legitimate interest for non-sensitive data. We do not use your data to train or fine-tune publicly available large language models. AI-powered personalization occurs within controlled instances configured exclusively for EthosSignal's internal use. These instances are not public LLMs and do not share data externally. Diagnostic data remains contained within the same operational environment used to deliver the Drift Quotient™ outputs.

Research and Development

To develop new products, calibrate algorithms, conduct anonymized analytics, measure performance, and improve Service features. We use aggregated and de-identified data wherever possible. Legal basis: legitimate interest.

Communications and Marketing

To respond to inquiries, send service-related messages, provide thought leadership and product updates, invite you to events, and share insights relevant to your interests. We send marketing emails only with consent or as permitted by law; you may opt-out at any time. Legal basis: legitimate interest or consent.

Security and Compliance

To protect against fraud, abuse and unauthorized access, monitor platform integrity, enforce our contracts, comply with legal obligations (e.g., tax, accounting, regulatory reporting), and respond to lawful requests from public authorities. Legal basis: legal obligation; legitimate interest.

Corporate Transactions

To evaluate or effect mergers, acquisitions, restructurings, or asset sales. If we transfer assets, Personal Data may be transferred as part of the transaction subject to this policy.

We do not use Personal Data for decisions based solely on automated processing that produce legal or similarly significant effects without human review.

4. How We Share Personal Data

Within EthosSignal

Within EthosSignal systems and records, governed by internal access controls. Access is limited within the scope of system functionality and documented operational roles.

Service Providers and Subprocessors

Technical providers under platform agreement that provide cloud hosting, analytics, payment processing, customer support, email delivery, CRM systems, and AI infrastructure. Vendors are chosen based on technical fit and public documentation of compliance practices. We use standard platform agreements or vendor-provided terms that include essential data protection clauses.

Professional Advisors

Auditors, insurers, legal counsel and other advisors who assist us in running our business under confidentiality obligations.

Client Organizations

When we deliver consulting or diagnostic services on behalf of an organization, we may share aggregated and de-identified insights, participation metrics and other data as agreed in the statement of work. We do not share individual diagnostic responses or behavioral scores unless explicitly authorized by the individual.

Legal and Compliance

Competent authorities where required by law, regulation, court order or to protect rights, safety or property of EthosSignal or others. We may notify you of such requests when legally permitted.

Business Transfers

If we engage in or are subject to a merger, acquisition, financing, restructuring or sale of assets, Personal Data may be transferred to the acquiring entity subject to equivalent protections.

5. Data Retention

Account and Billing Data

Kept for the duration of your relationship and up to two years thereafter.

Diagnostic and Behavioral Data

Stored until your account is deleted or your organization instructs us to remove it; aggregated and de-identified data may be retained indefinitely for research and development.

Consulting Engagement Data

Retained for the term of the engagement plus a reasonable period for recordkeeping unless defined in writing by both parties.

Marketing and Preference Data

Retained until you opt out of marketing or request deletion.

6. Your Rights and Choices

• Access and Portability: Request a copy of the Personal Data we hold about you.
• Rectification: Correct or update inaccurate or incomplete information.
• Deletion: Request that we delete your Personal Data, unless retained for legal or operational reasons.
• Restriction and Objection: Object to or request limitation of processing where applicable.
• Withdraw Consent: Revoke previously granted consent.
• Non-Discrimination: Exercise rights without receiving discriminatory treatment.

To submit a request, contact privacy@ethossignal.com. We may verify your identity before responding.

7. Cookies and Similar Technologies

Strictly Necessary

Required for authentication and security.

Functional

Enable personalization and preference retention.

Analytics

Support product improvement and experience optimization. We may in the future configure analytics to respect browser-based privacy controls (e.g., Do Not Track or Global Privacy Control), subject to technical feasibility.

We do not currently serve third-party behavioral ads and do not share data with advertising networks. Users may manage cookie preferences via browser settings or future cookie banners.