Effective Date: 07 June 2026
Last Updated: 07 June 2026
At PersonaCode, we take the security of your personal data seriously. This page explains what data we collect, how it is stored and protected, who has access, and your rights under data protection law.
1. What Data We Collect
PersonaCode collects only the data necessary to deliver your personality analysis:
- Account information: Your name and email address, used for authentication and to deliver your results.
- Quiz responses: Your answers to the personality assessment questions, used to generate your archetype profile.
- Generated results: Your archetype assignment, strengths, insights, and any AI-generated deep analysis content.
- Payment references: Transaction identifiers from Apple, Google, or Stripe — we never store full card numbers or payment credentials.
We do not collect location data, contact lists, browsing history, or any data beyond what is listed above.
2. How Your Data Is Stored
- Encryption at rest: All personal data and quiz responses are encrypted at rest using AES-256 within our database infrastructure.
- Encryption in transit: All communication between your device and our servers is protected with TLS 1.2+ (HTTPS). No data is ever transmitted in plain text.
- Secure password storage: Account passwords are hashed using bcrypt and are never stored or transmitted in plain text.
- Database access controls: Access to the production database is restricted to essential personnel only, using role-based access controls and audit logging.
3. Third-Party Services
We use a limited number of trusted third-party services, each operating under strict data processing agreements:
- Apple In-App Purchase: Processes iOS payments. Apple handles all billing data; we receive only purchase verification tokens.
- Google Play Billing: Processes Android payments. Google handles all billing data; we receive only purchase verification tokens.
- Stripe: Processes web payments securely. We do not store card details — Stripe is PCI DSS Level 1 certified.
- OpenRouter AI: Powers the Deep Analysis tier. Only anonymised quiz response patterns are sent to the AI provider — no names, emails, or other personally identifiable information is transmitted.
All third-party processors are GDPR-compliant and operate under appropriate data processing agreements.
4. Data Retention and Deletion
- Active accounts: Your data is retained for as long as your account remains active, allowing you to access your results at any time.
- Account deletion: You may request deletion of your account and all associated data at any time by contacting us. Upon deletion, all personal data — including quiz responses, results, and profile information — is permanently erased within 30 days.
- Payment records: Transaction references are retained for up to 7 years to comply with UK tax and accounting obligations.
- Server logs: Technical logs (IP addresses, request metadata) are retained for a maximum of 90 days for security monitoring and are then permanently purged.
5. GDPR Compliance
PersonaCode is fully compliant with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Data Protection Act 2018.
Under GDPR, you have the following rights:
- Right of access (Art. 15): Request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate personal data.
- Right to erasure (Art. 17): Request permanent deletion of your data ("right to be forgotten").
- Right to restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
- Right to data portability (Art. 20): Request your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, contact us using the details below. We will respond within 30 days as required by GDPR.
6. Security Incident Response
In the unlikely event of a data breach, we will:
- Notify the Information Commissioner's Office (ICO) within 72 hours, as required by GDPR Article 33.
- Notify affected users without undue delay if the breach poses a high risk to their rights and freedoms.
- Take immediate remedial action to contain the breach and prevent recurrence.
7. Contact Information
For any questions about data security, data protection, or to exercise your GDPR rights, please contact:
Bogdan-Alexandru Zidaru
34 Manor Road
Kings Bromley DE13 7HZ
United Kingdom
Email: support@personacode.ai
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Phone: 0303 123 1113