Privacy Policy

1. Introduction

Tomorrows Compass (Pty) Ltd ("Tomorrows Compass", "we", "us", "our"), registered in the Republic of South Africa (Company Registration Number 2025/356280/07), operates the website at www.tomorrows-compass.com and the Tomorrows Compass Assessment Platform at discover.tomorrows-compass.com (together, the "Services").

This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you interact with our Services. It applies to all users of our website, assessment platform, coaching programmes, and related services worldwide.

We are committed to protecting your privacy and processing your personal information in accordance with the Protection of Personal Information Act, 2013 (POPIA) of South Africa and, where applicable, the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR).

For the purposes of data protection legislation, Tomorrows Compass (Pty) Ltd is the responsible party (under POPIA) and data controller (under GDPR) for personal information it processes on its own account (see Section 1.1 below for organisational and reseller use). The designated Information Officer is Ricardo Albertini (privacy@tomorrows-compass.com), registered with the Information Regulator of South Africa per POPIA Section 55.

1.1 Who Is Responsible for Your Data (Direct, Employer / Coach, and Reseller Use)

Tomorrows Compass serves individuals directly, and also serves organisations that provide assessment access to their own people or customers. Who is the "responsible party" (POPIA) or "controller" (GDPR) for your information depends on how you came to use the Services:

• You signed up directly. If you purchased or registered for an Assessment yourself, Tomorrows Compass is the responsible party / controller for your personal information, and this Privacy Policy governs that processing in full.
• An organisation gave you access — your employer, a coach, an institution, or a reseller that purchased assessment seats. In that case, that organisation is the responsible party / controller for your assessment responses, results, and Report, and Tomorrows Compass processes that information as its operator (POPIA) / processor (GDPR) on the organisation's documented instructions, under a separate agreement that includes a Data Processing Agreement. You should also read that organisation's own privacy notice, which explains why your data was provided to us and how the organisation uses your results.
• In every case, Tomorrows Compass remains the responsible party / controller for your account and login credentials, platform security and fraud prevention, and our own product analytics and service-improvement data, because we maintain a direct relationship with you as a platform user regardless of who arranged your access (see Sections 9 and 11).

Where Tomorrows Compass acts as operator / processor for an organisation, the data-protection commitments we make to that organisation — security, breach notification, sub-processors, international transfers, and the return or deletion of data — are set out in our Data Processing Agreement, available to organisational customers on request at privacy@tomorrows-compass.com.

2. Information We Collect

We collect and process the following categories of personal information:

2.1 Contact and Enquiry Information

Information you provide when contacting us, submitting enquiries, requesting information, or downloading resources through our website. This includes your name, email address, company name, and the content of your message.

2.2 Account and Registration Information

Information you provide when creating an account on the assessment platform, including your name, email address, password (which is cryptographically hashed and never stored in plaintext), mobile number, and company or organisational affiliation.

2.3 Demographic Information

Optional details you may provide before completing an assessment: your country of residence, date of birth, gender, nationality, home language, highest level of education, years of professional experience, industry, functional area, and role seniority. Some fields offer an "Other / not listed" free-text option, and we periodically expand the available options. You may choose not to provide this information or select "Prefer not to say" where available. Where an organisation provides your access (Section 1.1), it may also require additional information — for example, an employee or student identifier — or make certain fields mandatory, on its instruction as the responsible party.

Where you provide demographic details, they may, in anonymised aggregate, contribute to the construction of peer-norm reference populations used in future Phase B and Phase C scoring (see the methodology page at www.tomorrows-compass.com/methodology/discover for an explanation of the Phase A → B → C transition). Demographic inputs are never stored against your identity in any norm dataset. If you decline to provide demographic information, your assessment results are unaffected; no access to your report is restricted as a result.

2.4 Assessment and Interaction Data

Information generated during your assessment, including your responses to assessment items, response timing per item, response sequences, assessment progress, and completion timestamps. The full 215-item response stream is required to score the assessment; partial-completion data is not retained beyond the in-progress save state and is cleared upon assessment completion.

2.5 Results and Profile Data

Scores, profiles, and insights generated from your assessment responses. The current Tomorrows Compass Discover assessment uses Phase A absolute scoring, which assigns each of 12 capabilities to one of four named strength bands (Development Priority, Baseline Strength, Established Strength, Signature Strength), alongside an Enneagram personality blueprint (primary type, wing, secondary type, centre) and a public response-quality verdict (Confident, Nuanced, Layered) produced by a 5-flag validity engine. The full methodology, including the Phase A → B → C transition plan and the maturity statement, is published at www.tomorrows-compass.com/methodology/discover. See Section 9 for further detail on automated processing.

2.6 Reports and Documents

Assessment reports generated based on your results, including downloadable PDF reports and temporary shareable report links. Strength-band assignments computed at scoring time are preserved on your record. If, in a future Phase B or Phase C transition, your Report is re-rendered against an updated scoring approach, your original Phase A interpretation will remain on your record and is available on request via privacy@tomorrows-compass.com.

2.7 Payment Information

Information related to purchases made through the platform. We do not store, process, or have access to your payment card numbers, CVV codes, or bank account details. All payment card processing is handled entirely by our PCI-compliant third-party payment processor. We retain only transaction references, amounts paid, and the service tier purchased.

2.8 Coaching and Programme Data

Information related to coaching relationships and organisational programmes, including coach assignments, programme membership, team designations, and invitation records. A single User may belong to more than one Programme concurrently (multi-Membership); each Programme governs its own scope of data access, sharing, and consent.

2.9 Feedback and User-Generated Content

Content you voluntarily submit, including feedback ratings and comments, support requests, and personal journal or reflective notes. Coaches may also record private development notes about users they are coaching. These coaching notes are visible to the coach, to Tomorrows Compass programme operations staff (read-only, for operational oversight and continuity), and to Tomorrows Compass platform administrators. They are not visible to the user being coached. See Section 5.2 for further detail.

2.10 Usage and Analytics Data

Information about how you use our website and platform, collected only with your consent where required by law. This includes pages visited, features used, session information, and (with explicit analytics consent) anonymised session-replay and heatmap data. We use Google Analytics with Consent Mode and Microsoft Clarity (session replay + heatmaps), both gated behind the same explicit analytics consent collected via our cookie banner. Sensitive form fields are auto-masked in Clarity recordings.

2.11 Technical and Security Data

Information collected automatically for security and service delivery, including IP address, browser type and version, device information, country (determined via IP geolocation), and bot protection verification tokens.

2.12 Cookies and Local Storage

We use a limited number of cookies and local storage items for authentication, consent preferences, and (where you have explicitly consented) analytics. Details are provided in Section 11 of this policy.

2.13 Special Personal Information (Equity and Inclusion Data)

Where an organisational Programme enables an equity or inclusion module — currently available for South Africa's Employment Equity Act — two additional, voluntary questions appear: your population group and whether you have a disability. "Prefer not to say" is always available, and declining does not affect your Assessment, your results, or your access to your Report.

This is "special personal information" under POPIA Section 26 and a "special category of personal data" under GDPR Article 9. We process it only with your explicit, separately obtained consent (POPIA Section 27(1)(a); GDPR Article 9(2)(a)), solely to produce aggregate equity and inclusion reporting for the organisation running your Programme. It is never used to score your Assessment, is never sold, and is never used for marketing. Where the organisation is the responsible party / controller (Section 1.1), it determines the equity-reporting purpose and Tomorrows Compass processes this data as its operator / processor.

3. How We Use Your Information

3.1 Lawful basis summary

The table below summarises the lawful bases on which we process your personal information. Detailed descriptions follow.

3.2 Detailed processing purposes

Service Delivery and Contract Performance: To provide our assessment services, generate behavioural reports, deliver coaching programmes, process payments, and manage your account. Lawful basis: Performance of a contract (GDPR Article 6(1)(b); POPIA Section 11(1)(b)).

Communication and Support: To respond to your enquiries, provide customer support, send transactional emails, and deliver service notifications. Lawful basis: Legitimate interest / contract performance.

Platform Administration: To enable coaches to support your development, allow programme administrators to manage organisational programmes, and enable our team to operate and maintain the platform. Lawful basis: Legitimate interest in service delivery; contract performance for programme users.

Assessment Integrity: To monitor response patterns through the 5-flag validity engine, detect potential misuse, and maintain the quality and validity of assessment results for all users. Lawful basis: Legitimate interest in service quality.

Research, Benchmarking, Norm Computation, and Data Products: To compute and maintain peer-norm reference populations used in future Phase B and Phase C scoring of current and future assessments, and to produce anonymised, aggregated research publications, industry benchmarks, workforce insight reports, and data products. All data used for these purposes is irreversibly anonymised and cannot be attributed to any individual. Lawful basis: Legitimate interest (data is anonymised); consent where applicable.

Marketing and Testimonials: To use feedback you have submitted as testimonials or case studies in our marketing materials, with your consent. Lawful basis: Consent (GDPR Article 6(1)(a); POPIA Section 11(1)(a)).

Analytics and Improvement: To understand how our website and platform are used and to improve our services, with your consent where required. We use Google Analytics with Consent Mode and Microsoft Clarity (session replay and heatmaps), both gated behind explicit analytics consent. Lawful basis: Consent for analytics cookies and analytics processing.

Security and Fraud Prevention: To protect our services against bot attacks, unauthorised access, and abuse through rate limiting, bot verification, and security monitoring. Lawful basis: Legitimate interest in security.

Relationship Management: To manage business relationships and enquiries, which may include storing contact information in customer relationship management systems. Lawful basis: Legitimate interest.

4. Consent Model

We operate a tiered consent model to ensure transparency about how your data is used:

Core Processing (required): By using our services, you consent to the processing of your data necessary to deliver the assessment, generate your reports, and manage your account. This consent cannot be withdrawn without deleting your account, as it is essential to service delivery.

Organisation Sharing (required for programme participants): If you participate in an organisational programme, your assessment results and related data will be shared with your assigned coach and programme administrators as defined by the programme terms. Where you participate in more than one Programme concurrently, each Programme governs its own scope of access, sharing, and consent.

Aggregation, Norm Contribution, and Research (obtained at assessment time, withdrawable): We seek your consent to contribute your anonymised data to benchmarks, research, aggregate data products, and peer-norm reference populations used in future Phase B and Phase C scoring of current and future assessments. You may withdraw this consent at any time without affecting your access to your own results. However, data that has already been irreversibly anonymised cannot be removed from aggregate datasets. Once a norm version has been computed and issued, it represents statistical parameters rather than individual data points, and cannot be retroactively altered by removing an individual contribution.

Analytics (optional, withdrawable): We use Google Analytics and Microsoft Clarity only after you give explicit analytics consent via our cookie banner. You may withdraw analytics consent at any time, after which both providers are disabled and no further analytics or session-replay data is collected.

Marketing and Testimonials (optional, withdrawable): We will only use your feedback as attributed testimonials or in marketing materials with your explicit consent, which you may withdraw at any time.

5. Data Sharing and Disclosure

5.1 Within the Platform

Platform access is assigned across tiered admin roles — platform administrators (Tomorrows Compass staff), programme operations staff, and coaches assigned to specific users or programmes. Each role receives only the data access necessary for their function.

Your data is accessible to different parties based on their role:

• You can access your own results, reports, scores, profiles, journal entries, and feedback history.
• Your Allocated Coach can access your assessment status, results, scores, validity verdict, and their own coaching notes about your development. Coaches cannot see other users' data or platform administration settings.
• Programme Administrators can access data for users within their programmes, including aggregate insights and invitation tracking. They cannot access data for users outside their programmes.
• Tomorrows Compass Staff (platform administrators) can access all data across all users and programmes for the purposes of platform operation, support, and service delivery.

5.2 Coaching Notes

Coaches may record private development notes about users they are coaching. Coaching notes are written by the assigned coach and are visible to that coach, to Tomorrows Compass programme operations staff (read-only, for operational oversight and continuity), and to Tomorrows Compass platform administrators. Coaching notes are not visible to the user being coached.

5.3 Third-Party Service Providers (Sub-Processors)

We use a small number of third-party service providers (data processors / sub-processors) to deliver our Services. Each provider processes only the minimum information necessary for its designated purpose. The categories of sub-processor we use are:

• Cloud hosting and infrastructure (United States and European Union regions) — website and platform hosting, serverless compute, IP-based country detection for currency localisation, performance monitoring, and Core Web Vitals collection. Data processed: IP address, HTTP request metadata, country code, page-load timing.
• Primary application database (United States) — the database in which your account, assessment, and results data is stored so we can deliver the Assessment and give you continued access to your results. Data processed: account and contact details, assessment responses and timing, scores and profiles, and generated Reports (the personal information described in Section 2).
• Content management (United States) — content management system and image delivery network for the marketing website. Data processed: published website content and uploaded media assets. No personal user data is stored.
• Transactional email (United States) — email delivery for contact-form submissions, newsletter notifications, and service communications. Data processed: recipient name, email address, and message content.
• Bot protection (Global network) — verification challenges on our forms and platform to prevent automated abuse. Data processed: IP address, browser metadata, and interaction verification tokens.
• Pricing tier configuration (United States) — read-only price-list integration used to display current pricing. No personal data is involved in pricing configuration.
• Currency exchange data (Global) — real-time exchange rates for multi-currency pricing display. No personal data is transmitted.
• Payment processing (South Africa) — PCI DSS compliant payment processor for assessment purchases on the assessment platform. Data shared: name, email address, payment amount, and service tier. Payment card numbers, CVV codes, and bank account details are never transmitted through or stored on our systems.
• Web analytics, consent-gated (United States, with EU-region processing for session replay) — aggregate web analytics and session-replay / heatmap analytics. Both providers operate only after you give explicit analytics consent via our cookie banner. Sensitive form fields are auto-masked in session-replay recordings; keystroke recording is disabled by default. Data processed: anonymised page views, session duration, device type, geographic region, and (with consent) anonymised mouse-movement, scroll, and click traces. Specific provider names for the analytics services we use today are disclosed in Section 11 (Cookies) so that you can match them against the cookies set in your browser.
• Advertising and social media, consent-gated (United States / global) — the Meta (Facebook) Pixel and the LinkedIn Insight Tag, loaded only after you give explicit marketing-cookie consent via our cookie banner. These share limited website-browsing data (such as pages visited and your IP address) with Meta and LinkedIn for advertising measurement and remarketing. On the Discover assessment platform they are limited to consent-gated conversion events (for example, completing an assessment or making a purchase) and are kept off the assessment, dashboard, and administrator screens; they never receive your assessment responses, results, or Reports. You can decline, or withdraw consent at any time, via the cookie banner.

A current list of named sub-processors with full provider details is available on request to enterprise customers as part of our Data Processing Agreement (DPA). Email privacy@tomorrows-compass.com to request the current named sub-processor inventory.

We regularly review our sub-processor arrangements. Material changes to sub-processor categories will be communicated via updates to this Privacy Policy.

5.4 What We Do Not Do

• We do not sell your personal data to third parties.
• We do not share your assessment responses, results, or Reports with advertisers, and we do not use them for advertising or behavioural targeting.
• With your consent (marketing cookies), we use the Meta (Facebook) Pixel and the LinkedIn Insight Tag, which share limited browsing and conversion data (such as pages visited, your IP address, and — on the Discover assessment platform — consent-gated conversion events like completing an assessment or making a purchase) with Meta and LinkedIn for advertising measurement and remarketing. You can decline or withdraw this at any time via our cookie banner.
• We may share anonymised, aggregated data that cannot identify any individual in research publications, industry reports, norm datasets, and data products.

5.5 Report Links

Assessment report PDFs may be accessed via unique URLs. If you use the shareable link feature, you are responsible for managing who you share the link with. Share links expire automatically after 30 days.

5.6 Legal and Regulatory Disclosure

We may disclose your personal information where required by law, regulation, legal process, or governmental request, or where necessary to protect the rights, property, or safety of Tomorrows Compass, our users, or the public.

6. Data Retention

We retain your personal information for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

• Account and assessment data (including raw answers, computed strength bands, validity verdicts, and the methodology version in use at the time of each assessment): Duration of your account plus 7 years after your last activity, for regulatory and audit purposes.
• Retake reuse: Results from a previously completed test component can be reused on a new Assessment attempt within a defined window: TC Future Skills 3 months, Enneagram 48 months, Validity never reused. Outside the window, the test component is re-scored from a new completion.
• Contact form submissions: Duration of the business relationship plus 2 years.
• Coaching records: Duration of the coaching engagement plus 2 years.
• Payment records: 7 years, as required for tax and regulatory compliance.
• Support requests: 2 years from resolution.
• Anonymised research and norm data: Retained indefinitely, as it is no longer personal data.
• Testimonials: Until you withdraw your consent.
• Analytics data: Provider defaults apply; specific retention windows for the analytics services in use are documented in our DPA available to enterprise customers on request.
• Security and server logs: 90 days.
• In-progress assessment responses: Cleared automatically upon assessment completion.
• Verification codes: Expire and are cleared within 15 minutes.
• Shareable report links: Expire automatically after 30 days.

Deletion on request. When you initiate account deletion through the Platform's self-service deletion, or by contacting privacy@tomorrows-compass.com, your account enters a 30-day grace period during which deletion can be reversed. After the grace period, your personal data is permanently purged from our active systems. The only exceptions are: (a) data we must retain to meet a legal or regulatory obligation (for example, payment records retained for 7 years for tax compliance); (b) data already irreversibly anonymised, which is no longer personal data (Section 8.4); and (c) where you participate in an organisational Programme, retention or deletion of your assessment results may be directed by the organisation as responsible party under its agreement with us. The "duration of your account plus 7 years" period above is the maximum period we retain data where no deletion request is made and no shorter Programme instruction applies.

You may request deletion of your personal data at any time by contacting us at privacy@tomorrows-compass.com. Please see Section 8 for details on your rights.

7. International Data Transfers

Tomorrows Compass (Pty) Ltd is registered in South Africa. Our services are delivered using cloud infrastructure located in the United States, European Union, and other global locations.

For users located in the United Kingdom or European Union, international data transfers are safeguarded by Standard Contractual Clauses (SCCs), adequacy decisions, and supplementary technical and organisational measures where applicable.

In compliance with POPIA Section 72, cross-border transfers of personal information occur only to jurisdictions that maintain adequate levels of data protection, or with your consent, or where otherwise permitted by law.

We ensure all third-party service providers maintain appropriate technical and organisational security standards and are contractually bound to protect your data. Where a sub-processor processes data in the EU or UK, SCCs and DPA arrangements with that sub-processor are part of our sub-processor verification.

For users or organisational End-Users located in the United Arab Emirates, transfers and processing are conducted in accordance with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data and, where the relevant organisation or End-User is established in a financial free zone, the Data Protection Law of the Dubai International Financial Centre (DIFC) or the Abu Dhabi Global Market (ADGM), as applicable. Where required, such transfers rely on the transfer mechanisms recognised under those laws (adequacy, standard contractual clauses, or your consent).

8. Your Rights

8.1 Rights Under POPIA (All Users)

As a data subject under the Protection of Personal Information Act, you have the right to:

• Be notified that your personal information is being collected and the purpose of collection.
• Access your personal information held by us.
• Request correction of personal information that is inaccurate, misleading, or incomplete.
• Request deletion of personal information that is no longer necessary for the purpose for which it was collected.
• Object to the processing of your personal information on reasonable grounds.
• Object to the processing of your personal information for direct marketing purposes.
• Not be subject to a decision based solely on automated processing that significantly affects you.
• Submit a complaint to the Information Regulator of South Africa.
• Receive your personal information in a commonly used electronic format.

8.2 Rights Under UK and EU GDPR (UK and EU Users)

If you are located in the United Kingdom or European Union, you additionally have the right to:

• Access your personal data (Subject Access Request).
• Rectification of inaccurate personal data.
• Erasure of your personal data ("right to be forgotten").
• Restriction of processing in certain circumstances.
• Data portability — to receive your data in a structured, commonly used, machine-readable format.
• Object to processing, including profiling.
• Not be subject to automated decision-making that produces legal or similarly significant effects.
• Withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
• Lodge a complaint with the Information Commissioner's Office (ICO) in the United Kingdom or the relevant supervisory authority in your EU member state.

8.3 How to Exercise Your Rights

To exercise any of your rights, contact us at privacy@tomorrows-compass.com. We will respond within 30 days (POPIA) or one calendar month (GDPR) of receiving your request. We may request identity verification before processing your request. Requests are provided free of charge unless they are manifestly unfounded, excessive, or repetitive.

Your Report reflects the currently-active scoring approach. If, in a future Phase B or C transition, you wish to see your original Phase A interpretation, contact privacy@tomorrows-compass.com with your account details and the assessment date or report reference. Your original interpretation is preserved on your record and will be provided alongside your current Report.

8.4 Limitations on Erasure

When you request deletion of your account, we will remove your personal data from our active systems. However:

• Data that has already been irreversibly anonymised and included in aggregate datasets, norm reference populations, research, or publications cannot be removed, as it is no longer personal data and cannot be attributed to or retrieved for any individual.
• We may retain certain data where required by law, regulation, or for the establishment, exercise, or defence of legal claims.

9. Automated Decision-Making and Profiling

Our assessment generates behavioural and capability profiles based on your responses using algorithmic scoring. This constitutes automated profiling under data protection legislation.

We want to be clear about how this works:

• Assessment results are produced through deterministic algorithmic analysis of your responses. The current methodology applies Phase A absolute scoring (fixed-cutoff strength bands derived from theoretical priors), within-person centering for the Enneagram personality test, and a 5-flag validity engine that produces one of three public verdicts. The full methodology, including the Phase A → B → C transition plan, is published at www.tomorrows-compass.com/methodology/discover.
• The scoring engine is deterministic and order-independent within a test. No machine-learning models are applied to capability or personality scoring at this stage.
• When the assessment transitions in future to Phase B or Phase C scoring (peer-norm referencing), your Report may be regenerated to reflect the updated approach. Your original Phase A interpretation is preserved on your record. Where you wish to see your original interpretation, you may request it (see Section 8.3).
• Microsoft Clarity (session replay and heatmap analytics on the marketing website) is purely diagnostic for site improvement and does not feed into any automated decision-making about users.
• These profiles are intended solely for personal development, coaching, and organisational insight purposes.
• Results are not used for automated decisions that produce legal or similarly significant effects without human involvement.
• Assessment results are not clinical, psychological, or medical diagnoses.
• You have the right to request human review of any automated assessment output by contacting us.

10. Children's Privacy

Our Services are not directed at individuals under the age of 18. We do not knowingly collect personal information from children.

Under POPIA, processing of a child's personal information requires the prior consent of a competent person (such as a parent or guardian).

If we become aware that we have inadvertently collected personal information from a child, we will take prompt steps to delete that information from our systems.

11. Cookies and Tracking Technologies

We use a limited number of cookies and local storage items:

Strictly Necessary: Authentication cookies for maintaining your login session on the platform (HttpOnly, Secure, 24-hour expiry). These are essential for the service to function and do not require consent.

Consent Preferences: We store your cookie consent choice in your browser's local storage to remember your preference (12-month duration; cookie name tc-cookie-consent).

Analytics (Consent-Gated): We use Google Analytics with Consent Mode v2 and Microsoft Clarity (session replay + heatmaps). Analytics storage is denied by default and is only activated after you explicitly accept analytics cookies via our cookie banner. Clarity sets two first-party cookies after analytics consent: _clck (Clarity user identifier, ~1 year) and _clsk (Clarity session identifier, ~1 day). Sensitive form fields are auto-masked in Clarity recordings.

Marketing (Consent-Gated): With your explicit marketing-cookie consent, we load the Meta (Facebook) Pixel and the LinkedIn Insight Tag for advertising measurement and remarketing. These set third-party cookies and share limited browsing data with Meta and LinkedIn. They are denied by default. On the Discover assessment platform they fire only on consent-gated conversion events (such as completing an assessment or making a purchase) and are kept off the assessment, dashboard, and administrator screens. You can withdraw consent at any time via the cookie banner.

What We Do Not Do: On the assessment platform we limit advertising and social-media pixels to consent-gated conversion events and keep them off the assessment, dashboard, and administrator screens, and we never share your assessment responses, results, or Reports with advertising or social-media networks.

You can manage your cookie preferences at any time via the cookie banner on our website or through your browser settings.

12. Security Measures

We take the security of your personal information seriously and implement appropriate technical and organisational measures, including:

• All data is transmitted using HTTPS/TLS encryption.
• Passwords are hashed using industry-standard cryptographic algorithms and are never stored in plaintext.
• Bot protection with server-side verification on all forms.
• Assessment integrity monitoring via the 5-flag validity engine, including response pattern analysis, response-time analysis, straight-line detection, and consistency checks.
• Role-based access controls ensuring users, coaches, and administrators can only access data appropriate to their role, with activity logging.
• Rate limiting on all form submissions and API endpoints.
• Payment card data is never processed or stored by us. All payment processing is handled by a PCI DSS compliant provider.
• Regular security reviews and updates to our systems and practices.

13. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms:

• Under POPIA: We will notify the Information Regulator of South Africa and affected data subjects as soon as reasonably possible after becoming aware of the breach.
• Under GDPR: We will notify the relevant supervisory authority within 72 hours where feasible, and affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

Notification will include the nature of the breach, its likely consequences, and the measures we have taken or propose to take to address it.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law.

Material changes will be communicated via email to registered platform users or via prominent notice on our website and platform at least 14 days before they take effect.

The "Last Updated" date at the top of this policy will always reflect the most recent revision.

Continued use of our Services after changes take effect constitutes your acceptance of the revised policy. If you do not agree to the revised policy, you should discontinue use of our Services.

15. Contact and Complaints

If you have any questions about this Privacy Policy or wish to exercise your data protection rights:

Information Officer (POPIA Section 55): Ricardo Albertini

Privacy Enquiries: privacy@tomorrows-compass.com

General Enquiries: info@tomorrows-compass.com

Company: Tomorrows Compass (Pty) Ltd, Registration Number 2025/356280/07, Republic of South Africa

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority:

South Africa: Information Regulator — Information Regulator of South Africa

United Kingdom: Information Commissioner's Office (ICO) — Information Commissioner's Office (ICO)

European Union: The supervisory authority in your EU member state of residence.

---

This Privacy Policy is at version 1.1 (effective 2026-06-18). It will continue to evolve as Tomorrows Compass grows; material changes will be communicated to registered users per Section 14.