Privacy Policy
Last updated: April 18, 2026
1. Introduction
Tomorrows Compass (Pty) Ltd ("Tomorrows Compass", "we", "us", "our"), registered in the Republic of South Africa (Company Registration Number 2025/356280/07), operates the website at www.tomorrows-compass.com and the Tomorrows Compass Assessment Platform at discover.tomorrows-compass.com (together, the "Services").
This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you interact with our Services. It applies to all users of our website, assessment platform, coaching programmes, and related services worldwide.
We are committed to protecting your privacy and processing your personal information in accordance with the Protection of Personal Information Act, 2013 (POPIA) of South Africa and, where applicable, the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR).
For the purposes of data protection legislation, Tomorrows Compass (Pty) Ltd is the responsible party (under POPIA) and data controller (under GDPR).
2. Information We Collect
We collect and process the following categories of personal information:
2.1 Contact and Enquiry Information
Information you provide when contacting us, submitting enquiries, requesting information, or downloading resources through our website. This includes your name, email address, company name, and the content of your message.
2.2 Account and Registration Information
Information you provide when creating an account on the assessment platform, including your name, email address, password (which is cryptographically hashed and never stored in plaintext), mobile number, and company or organisational affiliation.
2.3 Demographic Information
Optional demographic details you may provide before completing an assessment, such as age group, gender, geographic region, professional seniority, industry sector, and work experience. You may choose not to provide this information or select "Prefer not to say" where available.
Where you provide demographic details, they may contribute in anonymised aggregate to the construction of sub-norms used to compute assessment results across the platform. Demographic inputs are never stored against your identity in any norm dataset. If you decline to provide demographic information, your assessment results are compared against the general norm for the applicable assessment; no access to your report is restricted as a result.
2.4 Assessment and Interaction Data
Information generated during your assessment, including your responses to assessment questions, interaction patterns such as time spent on questions and response sequences, assessment progress, and completion timestamps. In-progress response data is cleared upon assessment completion and is not retained.
2.5 Results and Profile Data
Scores, profiles, and insights generated from your assessment responses, including overall readiness scores, cluster and individual skill scores, personality and behavioural profiles, and response quality indicators. For any assessment that uses peer-norm scoring, scores are expressed as percentile ranks against a reference population, and the norm version in use at the time of your assessment is recorded against your results. See Section 9 for further detail on automated processing, and the corresponding methodology page at www.tomorrows-compass.com/methodology/[assessment] for a plain-English explanation.
2.6 Reports and Documents
Assessment reports generated based on your results, including downloadable PDF reports and temporary shareable report links. Where we publish updated norm versions, your Report is updated to reflect the expanded peer group, and the norm version in use is displayed on the Report. Your original interpretation (computed against the norm version active at your assessment time) is preserved on your record and available on request.
2.7 Payment Information
Information related to purchases made through the platform. We do not store, process, or have access to your payment card numbers, CVV codes, or bank account details. All payment card processing is handled entirely by our PCI-compliant third-party payment processor. We retain only transaction references, amounts paid, and the service tier purchased.
2.8 Coaching and Programme Data
Information related to coaching relationships and organisational programmes, including coach assignments, programme membership, team designations, and invitation records.
2.9 Feedback and User-Generated Content
Content you voluntarily submit, including feedback ratings and comments, support requests, and personal journal or reflective notes. Coaches may also record private development notes about users they are coaching. These coaching notes are visible to the coach, to Tomorrows Compass programme operations staff (read-only, for operational oversight and continuity), and to Tomorrows Compass platform administrators. They are not visible to the user being coached. See Section 5.2 for further detail.
2.10 Usage and Analytics Data
Information about how you use our website and platform, collected only with your consent where required by law. This includes pages visited, features used, and session information. We use Google Analytics with Consent Mode, meaning analytics data is only collected after you explicitly accept analytics cookies via our cookie banner.
2.11 Technical and Security Data
Information collected automatically for security and service delivery, including IP address, browser type and version, device information, country (determined via IP geolocation), and bot protection verification tokens.
2.12 Cookies and Local Storage
We use a limited number of cookies and local storage items for authentication, consent preferences, and application functionality. Details are provided in Section 11 of this policy.
3. How We Use Your Information
We process your personal information for the following purposes and on the following legal bases:
Service Delivery and Contract Performance: To provide our assessment services, generate behavioural reports, deliver coaching programmes, process payments, and manage your account. Lawful basis: Performance of a contract (GDPR Article 6(1)(b)); POPIA Section 11(1)(b).
Communication and Support: To respond to your enquiries, provide customer support, send transactional emails, and deliver service notifications. Lawful basis: Legitimate interest / contract performance.
Platform Administration: To enable coaches to support your development, allow programme administrators to manage organisational programmes, and enable our team to operate and maintain the platform. Lawful basis: Legitimate interest in service delivery; contract performance for programme users.
Assessment Integrity: To monitor response patterns, detect potential misuse, and maintain the quality and validity of assessment results for all users. Lawful basis: Legitimate interest in service quality.
Research, Benchmarking, Norm Computation, and Data Products: To compute and maintain peer-norm reference populations used to score current and future assessments, and to produce anonymised, aggregated research publications, industry benchmarks, workforce insight reports, and data products. All data used for these purposes is irreversibly anonymised and cannot be attributed to any individual. Lawful basis: Legitimate interest (data is anonymised); consent where applicable.
Marketing and Testimonials: To use feedback you have submitted as testimonials or case studies in our marketing materials, with your consent. Lawful basis: Consent (GDPR Article 6(1)(a)); POPIA Section 11(1)(a).
Analytics and Improvement: To understand how our website and platform are used and to improve our services, with your consent where required. Lawful basis: Consent for analytics cookies.
Security and Fraud Prevention: To protect our services against bot attacks, unauthorised access, and abuse through rate limiting, bot verification, and security monitoring. Lawful basis: Legitimate interest in security.
Relationship Management: To manage business relationships and enquiries, which may include storing contact information in customer relationship management systems. Lawful basis: Legitimate interest.
4. Consent Model
We operate a tiered consent model to ensure transparency about how your data is used:
Core Processing (required): By using our services, you consent to the processing of your data necessary to deliver the assessment, generate your reports, and manage your account. This consent cannot be withdrawn without deleting your account, as it is essential to service delivery.
Organisation Sharing (required for programme participants): If you participate in an organisational programme, your assessment results and related data will be shared with your assigned coach and programme administrators as defined by the programme terms.
Aggregation, Norm Contribution, and Research (obtained at assessment time, withdrawable): We seek your consent to contribute your anonymised data to benchmarks, research, aggregate data products, and peer-norm reference populations used to score current and future assessments. You may withdraw this consent at any time without affecting your access to your own results. However, data that has already been irreversibly anonymised cannot be removed from aggregate datasets. Once a norm version has been computed and issued, it represents statistical parameters rather than individual data points, and cannot be retroactively altered by removing an individual contribution.
Marketing and Testimonials (optional, withdrawable): We will only use your feedback as attributed testimonials or in marketing materials with your explicit consent, which you may withdraw at any time.
5. Data Sharing and Disclosure
5.1 Within the Platform
Platform access is assigned across tiered admin roles — platform administrators (Tomorrows Compass staff), programme operations staff, and coaches assigned to specific users or programmes. Each role receives only the data access necessary for their function.
Your data is accessible to different parties based on their role:
- You can access your own results, reports, scores, profiles, journal entries, and feedback history.
- Your Allocated Coach can access your assessment status, results, scores, quality indicators, and their own coaching notes about your development. Coaches cannot see other users' data or platform administration settings.
- Programme Administrators can access data for users within their programmes, including aggregate insights and invitation tracking. They cannot access data for users outside their programmes.
- Tomorrows Compass Staff (platform administrators) can access all data across all users and programmes for the purposes of platform operation, support, and service delivery.
5.2 Coaching Notes
Coaches may record private development notes about users they are coaching. Coaching notes are written by the assigned coach and are visible to that coach, to Tomorrows Compass programme operations staff (read-only, for operational oversight and continuity), and to Tomorrows Compass platform administrators. Coaching notes are not visible to the user being coached.
5.3 Third-Party Service Providers (Sub-Processors)
We use the following third-party service providers (data processors/sub-processors) to deliver our Services. Each provider processes only the minimum information necessary for its designated purpose.
Vercel Inc. (United States) provides website and platform hosting, serverless compute, and IP-based country detection for currency localisation. Data processed: IP address, HTTP request metadata, and country code.
Sanity AS (United States) provides our content management system and image delivery network for the marketing website. Data processed: published website content and uploaded media assets. No personal user data is stored in Sanity.
Resend Inc. (United States) provides transactional email delivery for contact form submissions, newsletter subscription notifications, and service communications. Data processed: recipient name, email address, and message content.
Cloudflare Inc. (Global network) provides bot protection via Cloudflare Turnstile to prevent automated abuse of our forms and platform. Data processed: IP address, browser metadata, and interaction verification tokens.
Airtable Inc. (United States) stores our pricing tier configuration. This is a read-only integration. No personal data is transmitted to or stored in Airtable.
exchangerate.host (Global) provides real-time currency exchange rates for multi-currency pricing display. No personal data is transmitted.
PayFast (Pty) Ltd (South Africa) processes payments for assessment purchases on the assessment platform at discover.tomorrows-compass.com. Data shared with PayFast: name, email address, payment amount, and service tier. Payment card numbers, CVV codes, and bank account details are never transmitted through or stored on our systems. PayFast is PCI DSS compliant.
Google LLC (United States) provides website analytics via Google Analytics with Consent Mode v2. Analytics data is only collected after you explicitly accept analytics cookies via our cookie banner. Data processed: anonymised page views, session duration, device type, and geographic region.
Vercel Inc. (United States) also provides performance monitoring via Vercel Analytics and Speed Insights for measuring page load performance and Core Web Vitals. Data processed: page load metrics and performance timing data. No personally identifiable information is collected through these services.
We regularly review our sub-processor arrangements and will update this list when providers change. Material changes to sub-processors will be communicated via updates to this Privacy Policy.
5.4 What We Do Not Do
- We do not sell your personal data to third parties.
- We do not share your personal data with advertisers.
- We do not use your personal data for automated advertising or behavioural targeting.
- We may share anonymised, aggregated data that cannot identify any individual in research publications, industry reports, norm datasets, and data products.
5.5 Report Links
Assessment report PDFs may be accessed via unique URLs. If you use the shareable link feature, you are responsible for managing who you share the link with. Share links expire automatically after 30 days.
5.6 Legal and Regulatory Disclosure
We may disclose your personal information where required by law, regulation, legal process, or governmental request, or where necessary to protect the rights, property, or safety of Tomorrows Compass, our users, or the public.
6. Data Retention
We retain your personal information for as long as necessary to fulfil the purposes for which it was collected, or as required by law:
- Account and assessment data (including raw answers, computed percentiles, the norm version in use at the time of each assessment, and historical norm-version records from subsequent updates): Duration of your account plus 7 years after your last activity, for regulatory and audit purposes.
- Contact form submissions: Duration of the business relationship plus 2 years.
- Coaching records: Duration of the coaching engagement plus 2 years.
- Payment records: 7 years, as required for tax and regulatory compliance.
- Support requests: 2 years from resolution.
- Anonymised research and norm data: Retained indefinitely, as it is no longer personal data.
- Testimonials: Until you withdraw your consent.
- Analytics data: 26 months (standard analytics retention period).
- Security and server logs: 90 days.
- In-progress assessment responses: Cleared automatically upon assessment completion.
- Verification codes: Expire and are cleared within 15 minutes.
- Shareable report links: Expire automatically after 30 days.
You may request deletion of your personal data at any time by contacting us at privacy@tomorrows-compass.com. Please see Section 8 for details on your rights.
7. International Data Transfers
Tomorrows Compass (Pty) Ltd is registered in South Africa. Our services are delivered using cloud infrastructure located in the United States, European Union, and other global locations.
For users located in the United Kingdom or European Union, international data transfers are safeguarded by Standard Contractual Clauses (SCCs), adequacy decisions, and supplementary technical and organisational measures where applicable.
In compliance with POPIA Section 72, cross-border transfers of personal information occur only to jurisdictions that maintain adequate levels of data protection, or with your consent, or where otherwise permitted by law.
We ensure all third-party service providers maintain appropriate technical and organisational security standards and are contractually bound to protect your data.
8. Your Rights
8.1 Rights Under POPIA (All Users)
As a data subject under the Protection of Personal Information Act, you have the right to:
- Be notified that your personal information is being collected and the purpose of collection.
- Access your personal information held by us.
- Request correction of personal information that is inaccurate, misleading, or incomplete.
- Request deletion of personal information that is no longer necessary for the purpose for which it was collected.
- Object to the processing of your personal information on reasonable grounds.
- Object to the processing of your personal information for direct marketing purposes.
- Not be subject to a decision based solely on automated processing that significantly affects you.
- Submit a complaint to the Information Regulator of South Africa.
- Receive your personal information in a commonly used electronic format.
8.2 Rights Under UK and EU GDPR (UK and EU Users)
If you are located in the United Kingdom or European Union, you additionally have the right to:
- Access your personal data (Subject Access Request).
- Rectification of inaccurate personal data.
- Erasure of your personal data ("right to be forgotten").
- Restriction of processing in certain circumstances.
- Data portability - to receive your data in a structured, commonly used, machine-readable format.
- Object to processing, including profiling.
- Not be subject to automated decision-making that produces legal or similarly significant effects.
- Withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
- Lodge a complaint with the Information Commissioner's Office (ICO) in the United Kingdom or the relevant supervisory authority in your EU member state.
8.3 How to Exercise Your Rights
To exercise any of your rights, contact us at privacy@tomorrows-compass.com. We will respond within 30 days (POPIA) or one calendar month (GDPR) of receiving your request. We may request identity verification before processing your request. Requests are handled free of charge unless they are manifestly unfounded, excessive, or repetitive.
Your Report reflects the currently active norm version. If you wish to see your original interpretation (computed against the norm version active at your assessment time, before any subsequent norm updates), contact privacy@tomorrows-compass.com with your account details and the assessment date or report reference. Your original interpretation is preserved on your record and will be provided alongside your current Report.
8.4 Limitations on Erasure
When you request deletion of your account, we will remove your personal data from our active systems. However:
- Data that has already been irreversibly anonymised and included in aggregate datasets, norm reference populations, research, or publications cannot be removed, as it is no longer personal data and cannot be attributed to or retrieved for any individual.
- We may retain certain data where required by law, regulation, or for the establishment, exercise, or defence of legal claims.
9. Automated Decision-Making and Profiling
Our assessment generates behavioural and capability profiles based on your responses using algorithmic scoring. This constitutes automated profiling under data protection legislation.
We want to be clear about how this works:
- Assessment results are produced through algorithmic analysis of your responses. Where an assessment uses peer-norm scoring, your pattern of responses is additionally compared against an anonymised reference population to produce percentile scores. The full methodology for each assessment, including current norm version and interpretation bands, is published at www.tomorrows-compass.com/methodology/[assessment].
- When we publish updated norm versions, your Report is regenerated to reflect the expanded peer group. The norm version in use is recorded on your Report. Your original interpretation (computed against the norm version active at your assessment time) is preserved on your record. Where you wish to see your original interpretation, you may request it (see Section 8.3).
- These profiles are intended solely for personal development, coaching, and organisational insight purposes.
- Results are not used for automated decisions that produce legal or similarly significant effects without human involvement.
- Assessment results are not clinical, psychological, or medical diagnoses.
- You have the right to request human review of any automated assessment output by contacting us.
10. Children's Privacy
Our Services are not directed at individuals under the age of 18. We do not knowingly collect personal information from children.
Under POPIA, processing of a child's personal information requires the prior consent of a competent person (such as a parent or guardian).
If we become aware that we have inadvertently collected personal information from a child, we will take prompt steps to delete that information from our systems.
11. Cookies and Tracking Technologies
We use a limited number of cookies and local storage items:
Strictly Necessary: Authentication cookies for maintaining your login session on the platform (HttpOnly, Secure, 24-hour expiry). These are essential for the service to function and do not require consent.
Consent Preferences: We store your cookie consent choice in your browser's local storage to remember your preference (12-month duration).
Analytics (Consent-Gated): We use Google Analytics with Consent Mode v2. Analytics storage is denied by default and is only activated after you explicitly accept analytics cookies via our cookie banner.
What We Do Not Use: We do not use advertising cookies, retargeting pixels, social media tracking cookies, or third-party behavioural targeting technologies.
You can manage your cookie preferences at any time via the cookie banner on our website or through your browser settings.
12. Security Measures
We take the security of your personal information seriously and implement appropriate technical and organisational measures, including:
- All data is transmitted using HTTPS/TLS encryption.
- Passwords are hashed using industry-standard cryptographic algorithms and are never stored in plaintext.
- Bot protection through Cloudflare Turnstile with server-side verification on all forms.
- Assessment integrity monitoring, including response pattern analysis and misuse detection.
- Role-based access controls ensuring users, coaches, and administrators can only access data appropriate to their role, with activity logging.
- Rate limiting on all form submissions and API endpoints.
- Payment card data is never processed or stored by us. All payment processing is handled by PayFast (Pty) Ltd, a PCI DSS compliant provider.
- Regular security reviews and updates to our systems and practices.
13. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms:
- Under POPIA: We will notify the Information Regulator of South Africa and affected data subjects as soon as reasonably possible after becoming aware of the breach.
- Under GDPR: We will notify the relevant supervisory authority within 72 hours where feasible, and affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
Notification will include the nature of the breach, its likely consequences, and the measures we have taken or propose to take to address it.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law.
Material changes will be communicated via email to registered platform users or via prominent notice on our website and platform at least 14 days before they take effect.
The "Last Updated" date at the top of this policy will always reflect the most recent revision.
Continued use of our Services after changes take effect constitutes your acceptance of the revised policy. If you do not agree to the revised policy, you should discontinue use of our Services.
15. Contact and Complaints
If you have any questions about this Privacy Policy or wish to exercise your data protection rights:
Privacy Enquiries: privacy@tomorrows-compass.com
General Enquiries: info@tomorrows-compass.com
Company: Tomorrows Compass (Pty) Ltd, Registration Number 2025/356280/07, Republic of South Africa
If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority:
South Africa: Information Regulator - https://inforegulator.org.za
United Kingdom: Information Commissioner's Office (ICO) - https://ico.org.uk
European Union: The supervisory authority in your EU member state of residence.