1. Introduction
SmartEnneagram ("SmartEnneagram," "we," "us," or "our"), operated by Lucas Ayala, is committed to protecting the privacy and security of your personal information. This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have regarding your data.
This policy applies to all information collected through our website at smartenneagram.com (the "Site"), our AI-powered Enneagram personality assessment (the "Assessment"), and any related services, communications, or interactions (collectively, the "Service"). Learn more at our Enneagram education hub.
By using the Service, you consent to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree with this policy, please do not use the Service.
- What we collect: Assessment responses, email (optional), payment info (via Stripe), usage data.
- What we do NOT collect: We do not collect health information, Social Security numbers, or data from children under 16.
- AI processing: Your assessment responses (without personal identifiers) are sent to OpenAI, Anthropic, and Google for analysis.
- Your rights: You can request access to, deletion of, or correction of your data at any time.
2. Information We Collect
2.1 Information You Provide Directly
| Data Type | When Collected | Purpose |
|---|---|---|
| Assessment responses | When you complete the Enneagram assessment (50 free questions + 65 premium adaptive questions) | To generate your personality analysis and report |
| Email address | When you request your results via email or purchase premium features | To deliver your results, PDF report, and transactional communications |
| Payment information | When you purchase premium features | To process your payment (handled entirely by Stripe; we do not store card numbers) |
| Contact information | When you contact us via email | To respond to your inquiries |
2.2 Information Collected Automatically
| Data Type | How Collected | Purpose |
|---|---|---|
| IP address | Server logs | Security, fraud prevention, and general geographic analytics |
| Browser type and version | HTTP headers | To ensure the Site renders correctly across devices |
| Device information | HTTP headers | Screen size and operating system, for responsive design optimization |
| Pages visited and time spent | Analytics tools | To understand which content is most useful and improve the Site |
| Referring URL | HTTP headers | To understand how users discover SmartEnneagram |
| Cookies and similar technologies | Browser cookies | Session management, analytics, and user preferences (see Section 5) |
2.3 Information We Do NOT Collect
- We do not collect health insurance information, medical records, or clinical data
- We do not collect Social Security numbers, government-issued ID numbers, or financial account numbers (payment processing is handled entirely by Stripe)
- We do not collect biometric data (fingerprints, facial recognition, voice prints)
- We do not collect precise geolocation data (GPS coordinates)
- We do not knowingly collect information from children under 16 (see Section 12)
3. Personality Assessment Data — Special Considerations
Your personality assessment responses deserve special attention because they reveal information about your psychological tendencies, motivations, and behavioral patterns. We treat this data with heightened care:
While personality assessment data reveals psychological tendencies, SmartEnneagram is not a healthcare provider and our assessment is not a clinical instrument. Your assessment data is not classified as Protected Health Information (PHI) under HIPAA, and we are not a Covered Entity or Business Associate under HIPAA. However, we apply elevated privacy protections to this data because we recognize its sensitive nature.
3.1 How Assessment Data Is Processed
- Storage: Your assessment responses are stored in our MariaDB database hosted on Hostinger Cloud infrastructure. Data is encrypted at rest and in transit.
- AI processing: Your assessment responses (without your name, email, or other personal identifiers) are sent to OpenAI (GPT-4o), Anthropic (Claude Sonnet 3.5), and Google (Gemini 1.5 Pro) via their respective APIs for personality analysis. See our Transparency Policy for detailed information about this process.
- Results storage: Your generated assessment results (AI analyses, type scores, PDF report) are stored in our database and associated with your session or email address.
- No third-party sharing for marketing: We do not sell, rent, or share your assessment responses or results with third parties for marketing, advertising, or data brokerage purposes.
3.2 AI Provider Data Handling
When your assessment responses are sent to AI providers for analysis:
- Only your responses and question context are sent, no personal identifiers
- We use API (not consumer) versions of all three services
- Under current API terms: OpenAI, Anthropic, and Google do not use API data for model training
- Data is transmitted via encrypted (TLS/HTTPS) connections
- AI providers may retain API data for a limited period for abuse monitoring (typically 30 days), after which it is deleted per their respective policies
4. How We Use Your Information
We use your information for the following purposes:
4.1 Service Delivery
- To administer the Enneagram assessment and generate your personality analysis
- To send your assessment results and PDF report via email (through Resend API)
- To process payments for premium features (through Stripe)
- To provide customer support and respond to inquiries
4.2 Service Improvement
- To analyze usage patterns and improve the Site's content, functionality, and user experience
- To identify and fix technical issues, bugs, and errors
- To improve the accuracy and quality of our assessment methodology
- To develop new features and content
4.3 Security and Legal
- To detect and prevent fraud, abuse, and unauthorized access
- To comply with applicable laws, regulations, and legal processes
- To enforce our Terms of Use and protect our rights and the rights of others
4.4 Communications
- To send transactional emails (assessment results, purchase confirmations, support responses)
- We do NOT send unsolicited marketing emails. If we introduce a newsletter in the future, it will be strictly opt-in with a clear unsubscribe mechanism in every email.
5. Cookies and Tracking Technologies
SmartEnneagram uses cookies and similar technologies on the Site. Here is what we use and why:
5.1 Essential Cookies
Required for the Site to function properly. These cannot be disabled without breaking core functionality.
- Session cookies: Maintain your assessment session so your responses are preserved as you navigate between questions
- Security cookies: CSRF (Cross-Site Request Forgery) protection tokens
5.2 Analytics Cookies
Help us understand how visitors use the Site so we can improve it.
- We may use privacy-focused analytics tools to track aggregate page views, bounce rates, and navigation patterns
- Analytics data is aggregated and does not identify individual users
5.3 Third-Party Cookies
- Stripe: May set cookies for payment processing and fraud detection when you make a purchase
- Font providers: Google Fonts may set cookies when loading web fonts
5.4 Managing Cookies
You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. However, blocking essential cookies may prevent the assessment from functioning correctly. For detailed instructions on managing cookies, visit allaboutcookies.org.
6. Third-Party Services
We share information with the following third-party service providers, solely for the purposes described:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| OpenAI | AI personality analysis (GPT-4o) | Assessment responses (anonymized) | USA |
| Anthropic | AI personality analysis (Claude Sonnet 3.5) | Assessment responses (anonymized) | USA |
| Google | AI personality analysis (Gemini 1.5 Pro) | Assessment responses (anonymized) | USA |
| Stripe | Payment processing | Payment details, email, IP address | USA |
| Resend | Email delivery | Email address, email content | USA |
| Hostinger | Cloud hosting & database | All stored data | EU/USA |
We do not sell your personal information to third parties. We do not share your data with data brokers. We do not allow third parties to use your data for their own marketing purposes.
7. Data Retention
We retain your data for the following periods:
- Assessment responses and results: Retained for up to 24 months from the date of your last assessment, then automatically deleted or anonymized
- Email address: Retained as long as necessary to deliver your results and for any subsequent communications. Deleted upon request.
- Payment records: Retained for 7 years as required by applicable tax and financial regulations. Payment card details are stored by Stripe, not by us.
- Server logs (IP addresses, access logs): Retained for up to 90 days, then automatically purged
- Analytics data: Retained in aggregated, non-personally-identifiable form indefinitely
- Support communications: Retained for up to 36 months after the last communication
You may request earlier deletion of your data at any time (see Section 9).
8. Data Security
We implement technical and organizational measures to protect your personal information:
Technical Measures
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS)
- Encryption at rest: Database contents are encrypted at rest on our Hostinger Cloud infrastructure
- Access controls: Database access is restricted to authorized personnel only, using strong authentication
- API security: All communications with AI providers (OpenAI, Anthropic, Google) use encrypted API connections with authenticated API keys
- Payment security: Payment processing is handled entirely by Stripe, which is PCI-DSS Level 1 certified. We never store, process, or transmit full credit card numbers on our servers.
Organizational Measures
- Access to personal data is limited to personnel who need it to provide the Service
- We maintain an incident response plan for potential data breaches
- We regularly review and update our security practices
While we implement commercially reasonable security measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee the absolute security of your information. You use the Service and transmit information at your own risk.
9. Your Rights
Depending on your location, you may have some or all of the following rights regarding your personal information:
9.1 Rights Available to All Users
- Access: You may request a copy of the personal information we hold about you
- Correction: You may request correction of inaccurate personal information
- Deletion: You may request deletion of your personal information, subject to our legal retention obligations
- Data portability: You may request your assessment data in a structured, commonly used, machine-readable format
- Opt-out of communications: You may opt out of any non-transactional communications at any time
To exercise any of these rights, contact us at [email protected] with the subject line "Data Rights Request." We will respond within thirty (30) days.
10. California Residents; CCPA/CPRA Rights
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional privacy rights. This section supplements the rest of our Privacy Policy for California residents.
10.1 Categories of Personal Information Collected
In the preceding twelve (12) months, we have collected the following categories of personal information as defined by the CCPA:
- Identifiers: Email address, IP address, unique session identifiers
- Commercial information: Records of purchases of premium features
- Internet or other electronic network activity: Browsing history on our Site, interactions with the Assessment
- Inferences drawn from personal information: Personality type assessments generated from your responses
10.2 Your CCPA/CPRA Rights
- Right to Know: You have the right to request that we disclose what personal information we have collected, used, disclosed, and sold about you in the last 12 months
- Right to Delete: You have the right to request that we delete the personal information we have collected from you, subject to certain exceptions
- Right to Correct: You have the right to request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing: We do NOT sell your personal information. We do NOT share your personal information for cross-context behavioral advertising. Therefore, there is no sale or sharing to opt out of.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
- Right to Limit Use of Sensitive Personal Information: Personality assessment data may be considered "sensitive personal information" under the CPRA. You may request that we limit our use of this data to what is necessary to provide the Service.
10.3 How to Exercise CCPA Rights
To submit a verifiable consumer request, contact us at [email protected] with the subject line "CCPA Request." You may also designate an authorized agent to submit requests on your behalf, provided the agent has your written permission and you verify your identity directly with us.
We will verify your identity before processing any request by matching the information you provide with the information we have on file. We will respond to verifiable consumer requests within 45 days. If we need additional time (up to 45 additional days), we will notify you of the extension and explain the reason.
10.4 Financial Incentives
We do not offer financial incentives for the collection, sale, retention, or deletion of personal information.
10.5 Do Not Track
Some browsers have a "Do Not Track" (DNT) feature. We currently do not respond to DNT signals because there is no industry-standard interpretation of DNT signals for websites. However, you can control tracking through your browser settings and cookie preferences.
11. European Union Residents - GDPR Rights
If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, the General Data Protection Regulation (GDPR) and equivalent local laws provide you with additional rights regarding your personal data.
11.1 Legal Basis for Processing
We process your personal data under the following legal bases:
- Consent: You provide affirmative consent when you submit your assessment responses and provide your email address. You may withdraw consent at any time.
- Contract performance: Processing necessary to deliver the Service you have requested (assessment results, premium features)
- Legitimate interests: Processing necessary for our legitimate business interests (analytics, service improvement, security), balanced against your rights and freedoms
- Legal obligation: Processing necessary to comply with applicable laws (tax records, fraud prevention)
11.2 Your GDPR Rights
In addition to the rights described in Section 9, you have the following GDPR-specific rights:
- Right to restrict processing: You may request that we restrict the processing of your personal data in certain circumstances
- Right to object: You may object to our processing of your personal data based on legitimate interests
- Right to withdraw consent: Where we rely on your consent, you may withdraw it at any time without affecting the lawfulness of processing based on consent before its withdrawal
- Right to lodge a complaint: You have the right to lodge a complaint with your local Data Protection Authority (DPA) if you believe our data processing violates the GDPR
11.3 International Data Transfers
Your personal data may be transferred to and processed in the United States, where our AI providers (OpenAI, Anthropic, Google), payment processor (Stripe), and email service (Resend) are located. The United States may not provide the same level of data protection as your country of residence.
For transfers from the EEA/UK to the US, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The EU-US Data Privacy Framework, where applicable
- Service provider certifications and compliance programs
11.4 Data Protection Contact
For GDPR-related inquiries, please contact our data protection point of contact at [email protected] with the subject line "GDPR Request." We will respond within thirty (30) days, or sooner as required by applicable law.
12. Children's Privacy
SmartEnneagram is not intended for use by children under the age of sixteen (16). We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16 without parental consent, we will take steps to delete that information as quickly as possible.
If you are a parent or guardian and believe your child under 16 has provided us with personal information, please contact us at [email protected] and we will promptly delete the data.
We comply with the Children's Online Privacy Protection Act (COPPA) and do not target our Service to children under 13.
13. International Data Transfers
SmartEnneagram operates from infrastructure located in the United States and European Union (Hostinger Cloud). Your data may be processed in any of these locations, as well as in the locations of our third-party service providers.
If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States. By using the Service, you consent to the transfer of your information to the United States and other countries that may not have the same data protection laws as your jurisdiction.
14. Data Breach Notification
In the event of a data breach that compromises the security, confidentiality, or integrity of your personal information, SmartEnneagram will:
- Investigate the breach promptly and take immediate steps to contain it
- Notify affected users via email within seventy-two (72) hours of becoming aware of the breach, where feasible
- Notify relevant regulatory authorities as required by applicable law (including state attorneys general under US state breach notification laws, and data protection authorities under the GDPR)
- Provide a description of the breach, the types of data involved, the likely consequences, and the measures taken to address the breach
15. "Do Not Sell or Share My Personal Information"
SmartEnneagram does not sell your personal information, as "sell" is defined under the CCPA/CPRA. We do not share your personal information for cross-context behavioral advertising. We do not disclose your personal information to third parties for monetary or other valuable consideration.
If this practice ever changes, we will update this Privacy Policy, provide clear notice, and implement an opt-out mechanism before any such sharing begins.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Provide notice through the Site (such as a banner or pop-up notification)
- For material changes affecting how we handle assessment data or AI processing, we will provide at least thirty (30) days' notice before the changes take effect
- Send email notification to users who have provided their email address, when feasible
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.
17. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: [email protected]
- Subject line for data requests: "Privacy Request"
- Website: smartenneagram.com
Data Protection Point of Contact
For specific data protection inquiries, including GDPR and CCPA requests:
- Name: Lucas Ayala, Data Protection Contact
- Email: [email protected]
- Response time: We aim to respond to all privacy-related inquiries within thirty (30) days
For unresolved privacy concerns, you may also have the right to contact your local data protection authority or, in the United States, file a complaint with the Federal Trade Commission (FTC) at ftc.gov/complaint.
© 2025–2026 SmartEnneagram. All rights reserved. This Privacy Policy was last updated on March 26, 2026.