1. Data Controller
The data controller responsible for your personal data is:
Optimal AI (Rambjorg R&D2)
Norway
hello@theoptimal.org
For data subject requests under GDPR — including access, rectification, erasure, portability, restriction, or objection — please email the above address with the subject line "GDPR Request" and describe your request. We will respond within 30 days.
2. What Data We Collect
We collect only the data necessary to deliver the AIQ service. The following personal data may be collected and stored:
- Email address — collected when you sign up or request a magic link. Stored in Supabase Auth (auth.users table).
- Lesson progress — which lessons you have started or completed, identified by lesson ID and course ID. Stored in the lesson_progress table in Supabase.
- Assessment results — your AIQ score, tier, tier label, and radar dimension data from the AIQ Assessment. Stored in the assessment_results table.
- Reflection notes — optional free-text notes you write within lessons. Stored in the reflection_notes table. These are private to your account unless you choose to share them.
- Stripe identifiers — your Stripe customer ID and subscription ID, used to verify and manage your membership status. Stored in the profiles table. AIQ never stores your card number, CVC, or other sensitive payment data — these are handled entirely by Stripe.
- Certificates — your name as entered, the tier achieved, and the completion date when you earn an AIQ Certificate. Stored in the certificates table.
- Share cards — your AIQ score and tier in publicly accessible rows if you choose to share your result. Stored in the share_cards table. You can opt in or out of public sharing.
- localStorage (client-side only) — lesson progress cache, assessment result cache, and the aiq-consent-dismissed flag. This data is stored in your browser only and is never sent to any server.
- Session tokens — Supabase Auth session tokens stored in cookies (httpOnly where possible) to maintain your authenticated session across page visits.
We do not use advertising cookies, third-party tracking pixels, or analytics services that collect personal data. AIQ has no analytics platform (no Google Analytics, no Mixpanel, no Segment).
3. How We Use Your Data
Your data is used solely to operate the AIQ service:
- Authenticate your account via magic link and maintain your session.
- Deliver course content and track your progress across lessons.
- Process your subscription payment via Stripe and verify your membership status to enforce content gating.
- Issue certificates upon course completion.
- Display your AIQ score publicly if you choose to share it.
- Store your reflection notes privately so they are available when you return to a lesson.
4. Legal Basis (GDPR Art. 6)
We process your personal data on the following legal bases under GDPR Article 6:
- Performance of contract (Art. 6(1)(b)): Processing your email address, lesson progress, assessment results, and Stripe identifiers is necessary to perform the subscription service you signed up for. Without this processing, we cannot deliver course access or membership benefits.
- Legitimate interest (Art. 6(1)(f)): We process minimal technical data (session tokens, IP address in server logs) to prevent fraud and abuse, ensure platform security, and maintain service reliability. This interest is not overridden by your rights and freedoms given the limited and non-intrusive nature of this processing.
We do not rely on consent as a legal basis for any processing that is necessary to deliver the service. The consent banner on our site is an informational notice, not a consent gate — it does not affect data processing.
5. Third-Party Processors
We share your data with the following third-party processors, each of whom acts as a data processor on our behalf:
- Supabase (supabase.com) — database storage and authentication. Supabase stores your email, lesson progress, assessment results, reflection notes, Stripe identifiers, certificates, and share cards. Data may be stored in EU or US regions depending on project configuration. Supabase is ISO 27001 certified and SOC 2 Type II compliant.
- Stripe (stripe.com) — payment processing. Stripe processes your card payment and stores your billing information. AIQ receives only a Stripe customer ID and subscription ID; we never see your card details. Stripe is PCI-DSS Level 1 certified. Stripe's own privacy policy governs their handling of your card data.
- Vercel (vercel.com) — website hosting and serverless functions (including Stripe webhook handlers). Vercel serves AIQ pages from CDN nodes globally. Access logs may contain IP addresses and request metadata for a limited retention period.
- Google Fonts (fonts.googleapis.com) — typography (Space Grotesk, Inter, JetBrains Mono fonts). Your browser makes a direct request to Google's font servers on each page load. This request may log your IP address and browser metadata to Google. If you wish to avoid this, you may use a browser extension that blocks Google Fonts requests.
We do not sell your personal data to any third party. We do not share your data with advertisers.
6. Data Retention
We retain your personal data for as long as your account is active and as long as necessary to fulfil the purposes described in this policy. Specifically:
- Account and membership data is retained while your account exists.
- Lesson progress, assessment results, and reflection notes are retained until you request account deletion.
- Certificates are retained indefinitely unless you request deletion, as they serve as a permanent record of your achievement.
- Stripe identifiers are retained for as long as necessary to manage subscription billing and comply with financial record-keeping requirements.
If you request account deletion, we will permanently delete your personal data within 30 days of your request, except where retention is required by applicable law (for example, transaction records required by Norwegian accounting law).
7. Your Rights (GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights regarding your personal data:
- Right of access — you have the right to request a copy of the personal data we hold about you.
- Right to rectification — you have the right to request correction of inaccurate or incomplete personal data.
- Right to erasure — you have the right to request deletion of your personal data ("right to be forgotten"), subject to applicable legal obligations.
- Right to data portability — you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
- Right to restrict processing — you have the right to request that we restrict the processing of your personal data in certain circumstances.
- Right to object — you have the right to object to processing based on legitimate interest.
To exercise any of these rights, email hello@theoptimal.org with the subject line "GDPR Request" and describe your request. We will respond within 30 days.
8. International Transfers
Supabase, Vercel, and Stripe may process your data outside the European Economic Area (EEA). Where such transfers occur, they are subject to appropriate safeguards as required by GDPR Chapter V, including Standard Contractual Clauses (SCCs) adopted by the European Commission, or adequacy decisions where applicable. By using AIQ, you acknowledge that your data may be transferred to and processed in countries outside the EEA under these safeguards.
9. Contact
If you have questions about this Privacy Policy or our data practices, please contact:
Optimal AI (Rambjorg R&D2)
hello@theoptimal.org
You also have the right to lodge a complaint with your national data protection supervisory authority. In Norway, this is the Norwegian Data Protection Authority (Datatilsynet): datatilsynet.no. If you are based in another EU member state, you may contact your local supervisory authority.