Privacy Policy

Effective Date: 3 June 2026

1. Who We Are

PersonalityMe is a website and web app operated by molebyte Ltd, a company registered in the United Kingdom under company number [INSERT COMPANY NUMBER], with its registered office at 86-90 Paul Street, London, England, EC2A 4NE. In this Privacy Policy, "PersonalityMe", "we", "us" and "our" mean molebyte Ltd.

For UK data protection purposes, molebyte Ltd is the controller of personal information processed through PersonalityMe, except where this Privacy Policy says otherwise. We have not appointed a Data Protection Officer. Privacy questions, data protection complaints, and rights requests should be sent to privacy@personalityme.co.

2. What PersonalityMe Does

PersonalityMe provides free personality and interest self-assessments, generated reports, public profile pages, and educational blog content. Current assessments include 16-Type, Big Five, Enneagram, and RIASEC-style career-interest assessments.

The assessments and reports are for self-reflection, coaching, personal development, and career-interest exploration only. They are not diagnosis, clinical advice, therapy, employment-selection advice, hiring guidance, proof of ability, or a guarantee that a person is suited to any role, relationship, activity, or life path.

3. Information We Collect

Assessment information

When you complete an assessment, we may collect and store:

• your assessment responses;
• generated scores, result code or type, preferences, borderline or clarity labels, framework name, source version, item wording version, and completed-at timestamp;
• item-level response records, including selected value, scored value where relevant, item metadata, trait, scale, area or facet metadata, and source or source URL metadata where applicable; and
• a public result token used to retrieve your saved result page.

Technical and usage information

When you use the site, we may process technical information such as IP address, request metadata, browser and device information, user agent, Laravel session data, security logs, and server logs. Where available from request headers or infrastructure data, we may also process coarse location information such as country code, country name, region, and city.

Cookies and local identifiers

We use cookies and similar technologies. These may include essential Laravel session cookies, cookie-preference cookies, optional assessment-result recall cookies, and optional analytics cookies.

Admin and CMS information

PersonalityMe has an admin/CMS login for authorised staff only. For authorised admin users, we may process name, email address, password hash, remember token, profile photo path, designation, bio, session IP address, user agent, and session payload.

Conditional blog, comment, newsletter, and media information

The CMS may support blog posts, comments, newsletter email records, tags, categories, SEO details, and public media uploads. Comment and newsletter processing applies only if those features are enabled publicly. If enabled, we may process the information you submit, such as your name, email address, comment content, subscription status, and related technical metadata.

4. Public Tokenised Result Pages

After you submit an assessment, PersonalityMe may generate a saved result page available through a public tokenised URL. This is a bearer-link page, not private account storage. Anyone who has the full result link may be able to view the result page.

You are responsible for keeping the link private if you do not want other people to see it. Result links may appear in browser history, messages, screenshots, link previews, logs, or third-party services if you share or open them in those contexts.

We set saved result pages to noindex and send noindex/no-referrer headers from the result route. We also do not load Google Analytics on tokenised saved result pages. These measures reduce risk, but they do not make a shared link confidential.

5. How We Use Personal Information and Our Lawful Bases

Purpose	Information	Lawful basis
Provide assessments, score responses, generate reports, and save result pages you request.	Assessment responses, item-level records, scores, result labels, result token, timestamps.	Contract, because the processing is needed to provide the requested assessment and result page.
Operate, maintain, debug, and secure the site and admin/CMS systems.	Technical logs, IP address, request metadata, session data, admin account and session data.	Legitimate interests in running, securing, and improving the service; legal obligation where security or compliance records are required by law.
Remember your latest result for an assessment when you choose result-recall cookies.	Assessment-result recall cookie containing the latest result token for the relevant assessment.	Consent under PECR/UK GDPR for optional cookies and related processing.
Measure aggregate site usage with Google Analytics when you choose analytics cookies.	Analytics identifiers, page and event data, device/browser information, approximate location, and related usage data.	Consent under PECR/UK GDPR for analytics cookies and related analytics processing.
Load web fonts from Google Fonts where fonts are not self-hosted.	IP address, requested font or stylesheet URL, user agent, referrer, and related request metadata processed by Google LLC when your browser requests the font files.	Legitimate interests in presenting the site with the intended brand typography, balanced against the privacy impact of third-party font requests.
Respond to privacy, legal, support, and rights requests.	Contact details, request content, identity checks, correspondence, and related records.	Legal obligation where we must respond under data protection law; legitimate interests in handling enquiries and keeping appropriate records.
Protect rights, investigate misuse, and handle disputes or legal claims.	Account, technical, assessment, correspondence, and log records relevant to the issue.	Legitimate interests in protecting the service and legal rights; legal obligation where disclosure or retention is required by law.
Send newsletters or manage comments if those features are enabled.	Email address, subscription status, comment content, moderation data, and related metadata.	Consent for newsletter marketing; legitimate interests in moderation, abuse prevention, and managing submitted comments where comments are enabled.

Where we rely on consent, you may withdraw it at any time. Withdrawing consent does not affect processing that took place before withdrawal.

6. Assessment Data and Sensitive Information

PersonalityMe assessments are designed as self-reflection and educational tools. We do not ask for medical records, diagnosis information, therapy notes, ethnicity, religion, political opinions, trade union membership, genetic data, biometric identification data, sex life, or sexual orientation information.

Personality, interest, and self-description data is not automatically special category data under UK GDPR. However, it can feel personal and may become more sensitive depending on context, combination with other information, or use. For example, assessment data could create higher risk if someone tried to use it for clinical, employment, insurance, credit, legal, educational, or other high-stakes decisions. We do not provide PersonalityMe for those uses, and our Terms prohibit them.

If we intentionally process special category data in the future, we will need both a lawful basis under Article 6 UK GDPR and a separate condition under Article 9 UK GDPR, plus suitable safeguards.

7. Automated Scoring and Profiling

Assessment scoring is automated. Your answers are converted into scores, labels, result types, or reports according to the relevant framework and scoring model. These outputs are interpretive and may be wrong, incomplete, borderline, or context-dependent.

We do not use PersonalityMe assessment scoring to make decisions with legal or similarly significant effects about you. We do not use results for diagnosis, therapy, recruitment, selection, promotion, insurance, lending, eligibility, or access to essential services.

8. Cookies, Analytics, and Similar Technologies

Essential cookies

Essential cookies are used to run the site, maintain sessions, remember cookie choices, support security, and provide features you request. These may include Laravel session cookies and cookie-preference cookies. Essential cookies do not require consent under UK PECR where they are strictly necessary, but we still provide information about them.

Result-recall cookies

If you choose result-recall cookies, we may set one or more of the following cookies for approximately 365 days to remember the token for your latest saved result for each assessment:

• personalityme_16_type_latest_result;
• personalityme_big_five_latest_result;
• personalityme_enneagram_latest_result; and
• personalityme_riasec_latest_result.

If you do not choose result-recall cookies, your result page may still be generated and shown after submission, but PersonalityMe will not use a recall cookie to redirect you to that result later.

Google Analytics

Google Analytics is configured using Google tag ID G-394PDKQNDE. If you choose analytics cookies, Google Analytics may use cookies and similar technologies to collect usage information such as page views, approximate location, device/browser information, and interaction events.

We do not load Google Analytics unless analytics consent has been granted, and we do not load Google Analytics on tokenised saved result pages.

Managing cookie choices

Our cookie banner explains: "We use essential cookies to run PersonalityMe. With your permission, we also use Google Analytics cookies from Google LLC to understand site usage and result-recall cookies to help you return to your latest assessment results."

Manage cookie choices

Cookie details

Cookie	Purpose	Duration	Type
personalityme_cookie_consent	Records that you have made a cookie choice so we do not show the banner on every page.	Up to 180 days	Essential preference cookie
personalityme_cookie_analytics	Records whether you have accepted or rejected Google Analytics cookies.	Up to 180 days	Essential preference cookie
personalityme_cookie_result_recall	Records whether you have accepted or rejected latest-result recall cookies.	Up to 180 days	Essential preference cookie
personalityme_*_latest_result	Stores the latest saved result token for an assessment where you choose result-recall cookies.	Up to 365 days	Optional result-recall cookie
_ga and related Google Analytics cookies	Used by Google Analytics / Google LLC to distinguish visits and measure site usage where you choose analytics cookies.	Set by Google Analytics, commonly up to 2 years depending on configuration	Optional analytics cookie
Laravel session cookies	Used to operate sessions, security, and requested site functionality.	Usually session-based or as configured by the application	Essential session cookie

9. How We Share Personal Information

We do not sell personal information. We may share personal information with:

• Hosting and infrastructure providers: Amazon Web Services, Inc. and Amazon Web Services EMEA SARL provide hosting/infrastructure services. The site is hosted on AWS EC2 infrastructure in the London region. AWS acts as a hosting/infrastructure processor and may process server logs, IP addresses, request metadata, security logs, database or storage data, and backup data as needed to host, maintain, and secure the service.
• Analytics providers: Google Analytics / Google LLC, where analytics are enabled with valid consent.
• Font providers: Google Fonts / Google LLC may receive font request metadata, including IP address, requested URL, user agent, and referrer, where Google-hosted fonts are loaded instead of self-hosted fonts.
• Software and service providers: suppliers that help us operate the website, admin/CMS, security, backups, email, storage, diagnostics, or support, where those services are confirmed and governed by appropriate terms.
• Email providers: configuration may include possible providers such as Postmark, Resend, or AWS SES. They are active processors only if used in production.
• Storage providers: AWS S3 support may exist in configuration. It is active storage only if used in production.
• Professional advisers: lawyers, accountants, insurers, auditors, and other advisers where reasonably necessary.
• Authorities or third parties where required: regulators, courts, law enforcement, or third parties where we reasonably believe disclosure is required by law or necessary to protect rights, safety, security, or legal claims.
• Business transfer parties: potential or actual buyers, investors, or successors if molebyte Ltd is involved in a restructuring, merger, acquisition, asset sale, or similar transaction, subject to appropriate confidentiality and legal safeguards.

We do not describe AWS as controlling PersonalityMe or using PersonalityMe user data for its own product purposes. AWS provides infrastructure services under its contractual role for hosting and security.

10. International Transfers

The service is UK-operated and hosted on AWS EC2 infrastructure in the London region. Some suppliers, including Google Analytics / Google LLC, Google Fonts / Google LLC, and cloud, support, diagnostics, storage, or email providers, may process personal information outside the United Kingdom.

Where international transfers occur, we will use appropriate safeguards required by UK data protection law. These may include UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, the UK Extension to the EU-US Data Privacy Framework where applicable, supplier data processing terms, and transfer risk assessments where required.

11. Retention

We keep personal information only for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer period is required for legal, security, accounting, dispute, or compliance reasons. Our current retention targets are:

• assessment results and item-level responses: 24 months from completion, unless deletion is requested earlier and no exception applies;
• assessment result recall cookies: up to 12 months;
• IP address and coarse location data: 12 months, then delete or anonymise where feasible;
• server/session logs: 30 to 90 days unless needed for security investigation, abuse prevention, or legal claims;
• Google Analytics data: 14 months, or the period configured in Google Analytics;
• admin/CMS account data: while the account is active, then up to 6 years where needed for legal, accounting, audit, or security records;
• newsletter email records, if newsletters are enabled: until unsubscribe, then minimal suppression records where necessary;
• comment records, if comments are enabled: while the comment remains published or as needed for moderation, abuse prevention, legal claims, or compliance; and
• legal, privacy, support, and rights request records: up to 6 years.

Backup copies may remain until backup rotation removes them. Some deletion and anonymisation steps may be handled manually, and we will handle deletion requests where required and reasonably feasible.

12. Security

We use reasonable technical and organisational measures intended to protect personal information, such as hosting controls, access controls, authentication for admin/CMS users, password hashing, HTTPS where configured, logging, backups, and security monitoring. No website, database, network, or transmission is completely secure, and we cannot guarantee absolute security.

You should keep tokenised result links private if you do not want others to view them. If you believe a result link or admin account has been accessed without authorisation, contact us promptly.

13. Your Rights and Complaints

Depending on the circumstances and legal basis, you may have the right to:

• access a copy of your personal information;
• ask us to correct inaccurate or incomplete personal information;
• ask us to erase personal information;
• ask us to restrict processing;
• object to processing based on legitimate interests;
• receive personal information you provided to us in a portable format where the right applies;
• withdraw consent where processing is based on consent; and
• complain to the UK Information Commissioner's Office.

To make a request or complaint to us, email privacy@personalityme.co. Please include enough information for us to understand the issue and identify the relevant record, such as the result URL or token if your request concerns a saved result page. We may ask for information to verify your identity or authority to act for someone else.

We will acknowledge and investigate data protection complaints in line with applicable UK data protection law. If we cannot resolve the issue, or if you are unhappy with our response, you can complain to the ICO at https://ico.org.uk/make-a-complaint/ or by telephone on 0303 123 1113. We ask that you contact us first so we have a chance to address your concern.

14. Children and Age Limits

You must be at least 16 to use PersonalityMe. If you are 16 or 17, you should use the service with the awareness of a parent or guardian. PersonalityMe is not directed at children under 13, and we do not knowingly collect personal information from children under 13.

If we learn that someone under 16 has used PersonalityMe, we may delete or restrict the relevant information unless we have a lawful reason to keep it. If a parent or guardian believes a child has provided personal information to us, they should contact privacy@personalityme.co.

We do not use assessment results for advertising to children, high-stakes decisions, diagnosis, or employment selection. If paid products are introduced later, purchases should require users to be 18 or over.

15. Users Outside the UK

PersonalityMe is operated from the United Kingdom and is primarily intended to comply with UK law. Because the site may be accessible internationally, users outside the UK may have local privacy rights.

We do not currently include a full CCPA/CPRA or other US state privacy notice because the business details provided describe a UK-operated free service, with no sale of personal information and no confirmed threshold facts suggesting those laws apply. We will reassess this if we target US residents, meet statutory revenue or data-volume thresholds, sell or share personal information for cross-context behavioural advertising, introduce paid services, or run targeted advertising.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The updated version will be posted on this page with a new effective date. If a change is material, we will take reasonable steps to bring it to users' attention, proportionate to the nature of the change and the information affected.

17. Contact

For privacy requests and data protection complaints, contact privacy@personalityme.co.

For general or legal enquiries, contact hello@personalityme.co or legal@personalityme.co.