Privacy Policy

This policy explains how Humalyzer ApS collects, uses, and protects personal data, and what rights you have under the General Data Protection Regulation (GDPR).

1. Data Controller

The data controller for this platform is Humalyzer ApS, CVR no. 46379721. General enquiries and data-subject rights requests may be directed to support@humalyzer.dk.

Where Humalyzer acts as a processor on behalf of a client company (see Section 2), the client company is the data controller for that processing activity. In those cases, data-subject rights requests should be directed to the relevant client company in the first instance. Humalyzer will support the client company in fulfilling such requests as required by Art. 28 GDPR.

2. Our Role Under GDPR

Humalyzer ApS operates in two distinct capacities depending on the processing activity.

2.1 As data controller (Art. 4(7) GDPR). Humalyzer ApS determines the purposes and means of processing for the following activities: dashboard admin user accounts (registration, authentication, and profile management); website visits and contact form submissions; security logs and access-attempt records; password reset requests; and company onboarding, that is, establishing the business relationship with client companies.

2.2 As data processor (Art. 4(8) GDPR). Humalyzer ApS acts on documented instructions from its client companies, who are the controllers, for the following activities: personality assessment data of participants invited by the client company; test session answers, panel responses, and all derived psychometric scores; and consent records created during participant onboarding. A legally binding Data Processing Agreement (DPA) under Art. 28 GDPR governs this relationship. Every client company must accept the DPA before using the platform to invite participants.

3. Categories of Personal Data We Process

The following categories of personal data are processed through the platform.

Where Humalyzer acts as controller: Admin account data (name, work email address, encrypted password, role, company affiliation, last login timestamp); contact form data (first name, last name, email address, company name, free-text message); and security and access logs (IP address, username, timestamp).

Where Humalyzer acts as processor on behalf of the client company: Participant identity data (first name, last name, email address); psychometric assessment data under Art. 9 (all responses; MBTI type scores; Big Five (OCEAN) percentages; Self-Determination Theory (SDT) scores; strength scores; conflict style scores; stress risk indicators; motivation profile; team role profile); consent records (policy version acknowledged, timestamp, IP address, user-agent string); and session data, that is, a server-side session record tied to a session cookie that expires after 8 hours. Session data falls under either the controller or the processor role, depending on the context in which the session is used.

Art. 9 notice: Psychometric personality assessment data constitutes special category data under Art. 9 GDPR because it reveals psychological characteristics. This data is processed exclusively in our role as a processor, on the instructions of the client company as controller.

4. Purposes & Legal Bases

4.1 Admin accounts. Legal basis: Art. 6(1)(b) GDPR — processing necessary for the performance of the contract between Humalyzer ApS and the client company, of which the admin user is a designated representative. We process admin user data to provide secure access to the dashboard, manage user profiles, and facilitate account recovery.

4.2 Participant personality assessments. Legal basis for standard personal data: Art. 6(1)(b) GDPR — processing necessary for performance of the employment or pre-employment contract between the participant and the client company. Legal basis for Art. 9 special category data (psychological profiling): Art. 9(2)(b) GDPR — processing necessary for the purposes of carrying out obligations and exercising specific rights in the field of employment law, to the extent authorised by Danish employment law (Databeskyttelsesloven § 12). Where Art. 9(2)(b) is not available in a specific context, the client company relies on Art. 9(2)(a) — the data subject's explicit, freely given consent — as the Art. 9 gateway. Humalyzer processes this data solely as a processor acting on the client company's documented instructions. The client company is responsible for obtaining and documenting the appropriate legal basis.

4.3 Contact form. Legal basis: Art. 6(1)(f) GDPR — legitimate interest. Humalyzer has a legitimate interest in receiving and responding to business enquiries. This interest is not overridden by data subjects' interests given the nature of the communication, which is business contact initiated by the data subject. Data is not used for any other purpose and is retained for a maximum of 12 months.

4.4 Security logs & access attempts. Legal basis: Art. 6(1)(f) GDPR — legitimate interest. Humalyzer has a legitimate interest in protecting the integrity of its systems, detecting and preventing unauthorised access, and maintaining audit trails sufficient for incident response. Logs are retained for 90 days. Passwords and other sensitive fields are never written to logs.

4.5 Company onboarding. Legal basis: Art. 6(1)(b) GDPR — processing necessary for the performance of the contract between Humalyzer ApS and the client company, including acceptance of the Data Processing Agreement.

5. Recipients & Sub-processors

We engage the following sub-processors to operate the platform. All are located in the European Union. No personal data is transferred to sub-processors outside the EU/EEA.

Google Cloud Platform provides application hosting (Cloud Run), task queue (Cloud Tasks), and secret management (Secret Manager). Their servers are located in the EU (europe-west1, Belgium). The applicable safeguard is the Google Cloud Data Processing Addendum.

Google Cloud SQL (PostgreSQL) serves as our primary relational database, located in the EU (europe-west4, Netherlands). The applicable safeguard is the Google Cloud Data Processing Addendum.

Microsoft Azure handles transactional email delivery, including participant invitations, password reset emails, and admin onboarding emails. Servers are based in the EU, and the applicable safeguard is the Microsoft Products and Services Data Protection Addendum (DPA).

We do not share personal data with any other third parties for marketing, analytics, or advertising purposes. This list will be updated when sub-processors change; material changes will be communicated to client companies in accordance with our DPA.

6. International Data Transfers

All personal data is stored and processed within the European Union. The application tier runs on Google Cloud Run in europe-west1 (Belgium). The primary database (Cloud SQL PostgreSQL) resides in europe-west4 (Netherlands). Transactional email is delivered via Sender.net, headquartered in Lithuania.

No personal data is transferred to countries outside the EU/EEA. No Standard Contractual Clauses (SCCs) or other Chapter V transfer mechanisms are therefore required for any of our current sub-processors. Should this change, this policy will be updated and appropriate safeguards implemented before any transfer takes place.

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by applicable law. The following are our standard retention periods and the action taken at expiry.

  • Completed test sessions, scores and panel responses - retained for 24 months from completion. At expiry, participant PII is anonymised (email hashed, names nulled); aggregate scores are deleted unless contractually agreed otherwise.
  • Abandoned or incomplete test sessions - retained for 90 days from creation, then hard deleted.
  • Invitations (participant and company) - retained for 30 days after expiry or acceptance, then hard deleted.
  • Password reset tokens - retained for 7 days after use or expiry, then hard deleted.
  • Security logs (access attempts) - retained for 90 days, then hard deleted.
  • Web sessions (sessionid cookie) - retained for 8 hours from last activity. The server-side session record is purged by a daily clearsessions job.
  • Contact form submissions - retained for 12 months, then hard deleted.
  • Admin user accounts - retained for the duration of the client company's contract with Humalyzer, plus 30 days. Deleted on request or upon contract termination.

Retention periods for participant data are enforced automatically by a scheduled cleanup process. Client companies may request earlier deletion in line with the Art. 17 erasure right described in Section 8.

8. Your Rights Under GDPR (Art. 15–22)

Subject to applicable conditions and exemptions, you have the following rights in relation to personal data that Humalyzer, acting as a data controller, holds about you.

Right of access (Art. 15). You may request a copy of the personal data we hold about you and information about how we use it.

Right to rectification (Art. 16). You may ask us to correct inaccurate or incomplete data we hold about you.

Right to erasure (Art. 17). You may ask us to delete your personal data where there is no compelling reason for its continued processing. We will respond within 30 days.

Right to restriction (Art. 18). You may ask us to restrict processing of your data in certain circumstances, for example while we investigate an accuracy dispute.

Right to data portability (Art. 20). You may request a structured, machine-readable export of data you have provided to us, where processing is based on consent or contract.

Right to object (Art. 21). You may object to processing based on legitimate interest (Art. 6(1)(f)). We will cease processing unless we demonstrate compelling legitimate grounds.

Rights related to automated decision-making (Art. 22). You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. See Section 9 for full details on how we handle automated profiling.

How to exercise your rights. Admin users and contact form enquirers (where Humalyzer is the controller) may submit a data subject access request (DSAR) by emailing support@humalyzer.dk. Please include your full name, email address, and a description of your request. We will acknowledge within 3 working days and respond in full within one calendar month, extendable by a further two months for complex requests with notification. Assessment participants (where Humalyzer is the processor) should contact the company that invited them to complete the assessment. Humalyzer will support that company in fulfilling the request under Art. 28(3)(e) GDPR.

9. Automated Processing & Profiling (Art. 22)

The Humalyzer platform performs automated profiling of assessment participants within the meaning of Art. 4(4) GDPR. This section provides the disclosure required by Art. 13(2)(f) and Art. 22 GDPR.

9.1 What is automated. When a participant completes the personality assessment, the platform automatically calculates a set of psychometric scores from the participant's answers. These include MBTI personality type, Big Five (OCEAN) trait percentages, Self-Determination Theory (SDT) motivation scores, Gallup-style strength rankings, conflict style profiles, stress risk indicators, motivation profiles, and team role fit scores. No human reviews the raw answers before scores are generated.

9.2 Logic and significance. Scores are derived by aggregating the participant's responses using predefined trait-delta weights for each answer choice. Percentages are normalised within the observed score range for the assessment instrument. The output is a structured personality profile report, applied uniformly and deterministically to every participant. The resulting report is shared with the client company's HR team and may inform employment-related decisions such as hiring, team composition, or professional development planning.

9.3 Human oversight. The platform does not make autonomous hiring decisions. No solely automated decision under Art. 22(1) GDPR is made. All final employment-related decisions are made by human HR professionals at the client company, who are responsible for interpreting the profile report in context. Humalyzer requires all client companies to communicate this clearly to participants.

9.4 Your rights. Even where Art. 22(1) does not technically apply because a human makes the final decision, participants retain the right to request human review, express their point of view, and contest any decision that the client company makes based on their profile. Please contact the client company's HR department to exercise these rights. You may also contact support@humalyzer.dk if you have concerns about how the profiling logic operates.

10. Security Measures

Humalyzer implements appropriate technical and organisational measures (TOMs) as required by Art. 32 GDPR. Key measures include:

  • All traffic encrypted in transit via TLS 1.2+; HTTPS enforced with HTTP Strict Transport Security (HSTS).
  • Invitation and password reset tokens stored as HMAC-SHA256 hashes; raw values never persisted.
  • Tokens rotated on state transitions; one-time use enforced.
  • Passwords hashed using Django's default PBKDF2-SHA256 algorithm.
  • Authentication rate-limited; automated account lockout after repeated failures (django-axes).
  • Strict Content Security Policy; no third-party scripts or CDN fonts.
  • Database credentials and encryption keys stored in Google Secret Manager; not in source code or environment files.
  • Application logs do not record request bodies or email addresses.
  • Admin setup emails use one-time setup links, not plaintext passwords.
  • Session cookies: HttpOnly, Secure, SameSite=Lax.
  • Tenant isolation enforced at the database query level; each client company can only access their own participants' data.
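One way to implement the token handling described in the second and third bullets above (keyed HMAC-SHA256 hashing of reset and invitation tokens with the raw value never stored, one-time use, and rotation when a new token is issued), as an added example that is not Humalyzer's code. The key constant, the in-memory store and the one-hour validity window are assumptions made for the example; in production the key would be loaded from a secret store such as the Secret Manager named in this section.

```python
import hmac
import hashlib
import secrets
from datetime import datetime, timedelta
from typing import Optional

# Constructed for this example. In production the HMAC key is loaded from
# a secret store (the policy names Google Secret Manager), never hard-coded.
TOKEN_HMAC_KEY = b"example-key-loaded-from-secret-manager"


def hash_token(raw_token: str, key: bytes = TOKEN_HMAC_KEY) -> str:
    """Keyed SHA-256 digest of a token; only this value is ever written to storage."""
    return hmac.new(key, raw_token.encode(), hashlib.sha256).hexdigest()


class TokenStore:
    """In-memory stand-in for the table of hashed reset/invitation tokens."""

    def __init__(self, ttl: timedelta = timedelta(hours=1)):  # TTL is an assumption
        self.ttl = ttl
        self._rows: dict = {}  # token_hash -> {user_id, expires_at, used}

    def issue(self, user_id: int, now: datetime) -> str:
        # Rotation: issuing a new token invalidates any outstanding token for the user.
        for row in self._rows.values():
            if row["user_id"] == user_id:
                row["used"] = True
        raw = secrets.token_urlsafe(32)  # 256 bits of entropy
        self._rows[hash_token(raw)] = {"user_id": user_id,
                                       "expires_at": now + self.ttl,
                                       "used": False}
        return raw  # sent in the email link; the raw value is never persisted

    def redeem(self, raw_token: str, now: datetime) -> Optional[int]:
        """Return the user_id for a valid, unused, unexpired token, else None."""
        # Look up by the keyed digest: a copy of the table exposes no usable
        # token, and without the key a digest for a chosen token cannot be forged.
        row = self._rows.get(hash_token(raw_token))
        if row is None or row["used"] or now >= row["expires_at"]:
            return None
        row["used"] = True  # one-time use
        return row["user_id"]
```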

In the event of a personal data breach, Humalyzer will notify the Danish Data Protection Authority (Datatilsynet) within 72 hours where required by Art. 33 GDPR, and affected data subjects where required by Art. 34 GDPR. Client companies will be notified within 24 hours in accordance with the DPA.

11. Children

The Humalyzer platform is a professional B2B service intended for use by adults in employment or pre-employment contexts. We do not knowingly process personal data of individuals under the age of 16. If you believe a minor's data has been submitted to the platform in error, please contact support@humalyzer.dk immediately and we will arrange for its deletion.

12. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or the services we provide. We will post the updated version on this page with a new "Last updated" date. For material changes — particularly those affecting the legal bases or categories of data processed — we will notify affected users and client companies directly before the changes take effect.

The version number in the header of this policy corresponds to the version recorded in each participant's consent record.

Version history: 1.0 — 15 April 2026, initial publication.

13. Right to Lodge a Complaint

You have the right to lodge a complaint with the competent supervisory authority if you believe that the processing of your personal data infringes the GDPR or other applicable data protection law.

As Humalyzer ApS is established in Denmark, the lead supervisory authority is Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby, Denmark. Website: www.datatilsynet.dk. Email: dt@datatilsynet.dk. Phone: +45 33 19 32 00.

We would, however, appreciate the opportunity to address any concerns you have before you contact the supervisory authority. Please reach out to us at support@humalyzer.dk in the first instance.