Privacy Policy
Last updated: May 1, 2026
1. Introduction
Tomorrows Compass (Pty) Ltd ("Tomorrows Compass", "we", "us", "our"), registered in the Republic of South Africa (Company Registration Number 2025/356280/07), operates the website at www.tomorrows-compass.com and the Tomorrows Compass Assessment Platform at discover.tomorrows-compass.com (together, the "Services").
This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you interact with our Services. It applies to all users of our website, assessment platform, coaching programmes, and related services worldwide.
We are committed to protecting your privacy and processing your personal information in accordance with the Protection of Personal Information Act, 2013 (POPIA) of South Africa and, where applicable, the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR).
For the purposes of data protection legislation, Tomorrows Compass (Pty) Ltd is the responsible party (under POPIA) and data controller (under GDPR). The designated Information Officer is Ricardo Albertini (privacy@tomorrows-compass.com), registered with the Information Regulator of South Africa per POPIA Section 55.
2. Information We Collect
We collect and process the following categories of personal information:
2.1 Contact and Enquiry Information
Information you provide when contacting us, submitting enquiries, requesting information, or downloading resources through our website. This includes your name, email address, company name, and the content of your message.
2.2 Account and Registration Information
Information you provide when creating an account on the assessment platform, including your name, email address, password (which is cryptographically hashed and never stored in plaintext), mobile number, and company or organisational affiliation.
2.3 Demographic Information
Optional demographic details you may provide before completing an assessment, such as age group, gender, geographic region, professional seniority, industry sector, and work experience. You may choose not to provide this information or select "Prefer not to say" where available.
Where you provide demographic details, they may, in anonymised aggregate, contribute to the construction of peer-norm reference populations used in future Phase B and Phase C scoring (see the methodology page at www.tomorrows-compass.com/methodology/discover for an explanation of the Phase A → B → C transition). Demographic inputs are never stored against your identity in any norm dataset. If you decline to provide demographic information, your assessment results are unaffected; no access to your report is restricted as a result.
2.4 Assessment and Interaction Data
Information generated during your assessment, including your responses to assessment items, response timing per item, response sequences, assessment progress, and completion timestamps. The full 215-item response stream is required to score the assessment; partial-completion data is not retained beyond the in-progress save state and is cleared upon assessment completion.
2.5 Results and Profile Data
Scores, profiles, and insights generated from your assessment responses. The current Tomorrows Compass Discover assessment uses Phase A absolute scoring, which assigns each of 12 capabilities to one of four named strength bands (Development Priority, Baseline Strength, Established Strength, Signature Strength), alongside an Enneagram personality blueprint (primary type, wing, secondary type, centre) and a public response-quality verdict (Confident, Nuanced, Layered) produced by a 5-flag validity engine. The full methodology, including the Phase A → B → C transition plan and the maturity statement, is published at www.tomorrows-compass.com/methodology/discover. See Section 9 for further detail on automated processing.
2.6 Reports and Documents
Assessment reports generated based on your results, including downloadable PDF reports and temporary shareable report links. Strength-band assignments computed at scoring time are preserved on your record. If, in a future Phase B or Phase C transition, your Report is re-rendered against an updated scoring approach, your original Phase A interpretation will remain on your record and is available on request via privacy@tomorrows-compass.com.
2.7 Payment Information
Information related to purchases made through the platform. We do not store, process, or have access to your payment card numbers, CVV codes, or bank account details. All payment card processing is handled entirely by our PCI-compliant third-party payment processor. We retain only transaction references, amounts paid, and the service tier purchased.
2.8 Coaching and Programme Data
Information related to coaching relationships and organisational programmes, including coach assignments, programme membership, team designations, and invitation records. A single User may belong to more than one Programme concurrently (multi-Membership); each Programme governs its own scope of data access, sharing, and consent.
2.9 Feedback and User-Generated Content
Content you voluntarily submit, including feedback ratings and comments, support requests, and personal journal or reflective notes. Coaches may also record private development notes about users they are coaching. These coaching notes are visible to the coach, to Tomorrows Compass programme operations staff (read-only, for operational oversight and continuity), and to Tomorrows Compass platform administrators. They are not visible to the user being coached. See Section 5.2 for further detail.
2.10 Usage and Analytics Data
Information about how you use our website and platform, collected only with your consent where required by law. This includes pages visited, features used, session information, and (with explicit analytics consent) anonymised session-replay and heatmap data. We use Google Analytics with Consent Mode and Microsoft Clarity (session replay + heatmaps), both gated behind the same explicit analytics consent collected via our cookie banner. Sensitive form fields are auto-masked in Clarity recordings.
2.11 Technical and Security Data
Information collected automatically for security and service delivery, including IP address, browser type and version, device information, country (determined via IP geolocation), and bot protection verification tokens.
2.12 Cookies and Local Storage
We use a limited number of cookies and local storage items for authentication, consent preferences, and (where you have explicitly consented) analytics. Details are provided in Section 11 of this policy.
3. How We Use Your Information
3.1 Lawful basis summary
The table below summarises the lawful bases on which we process your personal information. Detailed descriptions follow.
| Activity | Lawful basis |
|---|---|
| Service delivery (account, scoring, reports, payment) | Performance of contract — GDPR Article 6(1)(b); POPIA Section 11(1)(b) |
| Communication and support | Performance of contract / legitimate interest in service operation |
| Platform administration (coach + admin access within programmes) | Performance of contract for programme users; legitimate interest in service operation |
| Assessment integrity (5-flag validity engine) | Legitimate interest in measurement quality and abuse prevention |
| Aggregate research, benchmarking, and norm computation | Legitimate interest (data is irreversibly anonymised before use); consent where required |
| Marketing and testimonials | Consent — GDPR Article 6(1)(a); POPIA Section 11(1)(a) |
| Analytics (Google Analytics, Microsoft Clarity) | Consent (granted via cookie banner) |
| Security and fraud prevention | Legitimate interest in security and lawful operation |
| Relationship management (CRM) | Legitimate interest in commercial relationship continuity |
3.2 Detailed processing purposes
Service Delivery and Contract Performance: To provide our assessment services, generate behavioural reports, deliver coaching programmes, process payments, and manage your account. Lawful basis: Performance of a contract (GDPR Article 6(1)(b); POPIA Section 11(1)(b)).
Communication and Support: To respond to your enquiries, provide customer support, send transactional emails, and deliver service notifications. Lawful basis: Legitimate interest / contract performance.
Platform Administration: To enable coaches to support your development, allow programme administrators to manage organisational programmes, and enable our team to operate and maintain the platform. Lawful basis: Legitimate interest in service delivery; contract performance for programme users.
Assessment Integrity: To monitor response patterns through the 5-flag validity engine, detect potential misuse, and maintain the quality and validity of assessment results for all users. Lawful basis: Legitimate interest in service quality.
Research, Benchmarking, Norm Computation, and Data Products: To compute and maintain peer-norm reference populations used in future Phase B and Phase C scoring of current and future assessments, and to produce anonymised, aggregated research publications, industry benchmarks, workforce insight reports, and data products. All data used for these purposes is irreversibly anonymised and cannot be attributed to any individual. Lawful basis: Legitimate interest (data is anonymised); consent where applicable.
Marketing and Testimonials: To use feedback you have submitted as testimonials or case studies in our marketing materials, with your consent. Lawful basis: Consent (GDPR Article 6(1)(a); POPIA Section 11(1)(a)).
Analytics and Improvement: To understand how our website and platform are used and to improve our services, with your consent where required. We use Google Analytics with Consent Mode and Microsoft Clarity (session replay and heatmaps), both gated behind explicit analytics consent. Lawful basis: Consent for analytics cookies and analytics processing.
Security and Fraud Prevention: To protect our services against bot attacks, unauthorised access, and abuse through rate limiting, bot verification, and security monitoring. Lawful basis: Legitimate interest in security.
Relationship Management: To manage business relationships and enquiries, which may include storing contact information in customer relationship management systems. Lawful basis: Legitimate interest.
4. Consent Model
We operate a tiered consent model to ensure transparency about how your data is used:
Core Processing (required): By using our services, you consent to the processing of your data necessary to deliver the assessment, generate your reports, and manage your account. This consent cannot be withdrawn without deleting your account, as it is essential to service delivery.
Organisation Sharing (required for programme participants): If you participate in an organisational programme, your assessment results and related data will be shared with your assigned coach and programme administrators as defined by the programme terms. Where you participate in more than one Programme concurrently, each Programme governs its own scope of access, sharing, and consent.
Aggregation, Norm Contribution, and Research (obtained at assessment time, withdrawable): We seek your consent to contribute your anonymised data to benchmarks, research, aggregate data products, and peer-norm reference populations used in future Phase B and Phase C scoring of current and future assessments. You may withdraw this consent at any time without affecting your access to your own results. However, data that has already been irreversibly anonymised cannot be removed from aggregate datasets. Once a norm version has been computed and issued, it represents statistical parameters rather than individual data points, and cannot be retroactively altered by removing an individual contribution.
Analytics (optional, withdrawable): We use Google Analytics and Microsoft Clarity only after you give explicit analytics consent via our cookie banner. You may withdraw analytics consent at any time, after which both providers are disabled and no further analytics or session-replay data is collected.
Marketing and Testimonials (optional, withdrawable): We will only use your feedback as attributed testimonials or in marketing materials with your explicit consent, which you may withdraw at any time.
5. Data Sharing and Disclosure
5.1 Within the Platform
Platform access is assigned across tiered admin roles — platform administrators (Tomorrows Compass staff), programme operations staff, and coaches assigned to specific users or programmes. Each role receives only the data access necessary for their function.
Your data is accessible to different parties based on their role:
- You can access your own results, reports, scores, profiles, journal entries, and feedback history.
- Your Allocated Coach can access your assessment status, results, scores, validity verdict, and their own coaching notes about your development. Coaches cannot see other users' data or platform administration settings.
- Programme Administrators can access data for users within their programmes, including aggregate insights and invitation tracking. They cannot access data for users outside their programmes.
- Tomorrows Compass Staff (platform administrators) can access all data across all users and programmes for the purposes of platform operation, support, and service delivery.
5.2 Coaching Notes
Coaches may record private development notes about users they are coaching. Coaching notes are written by the assigned coach and are visible to that coach, to Tomorrows Compass programme operations staff (read-only, for operational oversight and continuity), and to Tomorrows Compass platform administrators. Coaching notes are not visible to the user being coached.
5.3 Third-Party Service Providers (Sub-Processors)
We use a small number of third-party service providers (data processors / sub-processors) to deliver our Services. Each provider processes only the minimum information necessary for its designated purpose. The categories of sub-processor we use are:
- Cloud hosting and infrastructure (United States and European Union regions) — website and platform hosting, serverless compute, IP-based country detection for currency localisation, performance monitoring, and Core Web Vitals collection. Data processed: IP address, HTTP request metadata, country code, page-load timing.
- Content management (United States) — content management system and image delivery network for the marketing website. Data processed: published website content and uploaded media assets. No personal user data is stored.
- Transactional email (United States) — email delivery for contact-form submissions, newsletter notifications, and service communications. Data processed: recipient name, email address, and message content.
- Bot protection (Global network) — verification challenges on our forms and platform to prevent automated abuse. Data processed: IP address, browser metadata, and interaction verification tokens.
- Pricing tier configuration (United States) — read-only data integration storing our pricing configuration. No personal data is transmitted to or stored in this service.
- Currency exchange data (Global) — real-time exchange rates for multi-currency pricing display. No personal data is transmitted.
- Payment processing (South Africa) — PCI DSS compliant payment processor for assessment purchases on the assessment platform. Data shared: name, email address, payment amount, and service tier. Payment card numbers, CVV codes, and bank account details are never transmitted through or stored on our systems.
- Web analytics, consent-gated (United States, with EU-region processing for session replay) — aggregate web analytics and session-replay / heatmap analytics. Both providers operate only after you give explicit analytics consent via our cookie banner. Sensitive form fields are auto-masked in session-replay recordings; keystroke recording is disabled by default. Data processed: anonymised page views, session duration, device type, geographic region, and (with consent) anonymised mouse-movement, scroll, and click traces. Specific provider names for the analytics services we use today are disclosed in Section 11 (Cookies) so that you can match them against the cookies set in your browser.
A current list of named sub-processors with full provider details is available on request to enterprise customers as part of our Data Processing Agreement (DPA). Email privacy@tomorrows-compass.com to request the current named sub-processor inventory.
We regularly review our sub-processor arrangements. Material changes to sub-processor categories will be communicated via updates to this Privacy Policy.
5.4 What We Do Not Do
- We do not sell your personal data to third parties.
- We do not share your personal data with advertisers.
- We do not use your personal data for automated advertising or behavioural targeting.
- We may share anonymised, aggregated data that cannot identify any individual in research publications, industry reports, norm datasets, and data products.
5.5 Report Links
Assessment report PDFs may be accessed via unique URLs. If you use the shareable link feature, you are responsible for managing who you share the link with. Share links expire automatically after 30 days.
5.6 Legal and Regulatory Disclosure
We may disclose your personal information where required by law, regulation, legal process, or governmental request, or where necessary to protect the rights, property, or safety of Tomorrows Compass, our users, or the public.
6. Data Retention
We retain your personal information for as long as necessary to fulfil the purposes for which it was collected, or as required by law:
- Account and assessment data (including raw answers, computed strength bands, validity verdicts, and the methodology version in use at the time of each assessment): Duration of your account plus 7 years after your last activity, for regulatory and audit purposes.
- Retake reuse: Results from a previously completed test component can be reused on a new Assessment attempt within a defined window (TC Future Skills: 3 months; Enneagram: 48 months; Validity: never reused). Outside the window, the test component is re-scored from a new completion.
- Contact form submissions: Duration of the business relationship plus 2 years.
- Coaching records: Duration of the coaching engagement plus 2 years.
- Payment records: 7 years, as required for tax and regulatory compliance.
- Support requests: 2 years from resolution.
- Anonymised research and norm data: Retained indefinitely, as it is no longer personal data.
- Testimonials: Until you withdraw your consent.
- Analytics data: Provider defaults apply; specific retention windows for the analytics services in use are documented in our DPA available to enterprise customers on request.
- Security and server logs: 90 days.
- In-progress assessment responses: Cleared automatically upon assessment completion.
- Verification codes: Expire and are cleared within 15 minutes.
- Shareable report links: Expire automatically after 30 days.
You may request deletion of your personal data at any time by contacting us at privacy@tomorrows-compass.com. Please see Section 8 for details on your rights.
7. International Data Transfers
Tomorrows Compass (Pty) Ltd is registered in South Africa. Our services are delivered using cloud infrastructure located in the United States, European Union, and other global locations.
For users located in the United Kingdom or European Union, international data transfers are safeguarded by Standard Contractual Clauses (SCCs), adequacy decisions, and supplementary technical and organisational measures where applicable.
In compliance with POPIA Section 72, cross-border transfers of personal information occur only to jurisdictions that maintain adequate levels of data protection, or with your consent, or where otherwise permitted by law.
We ensure all third-party service providers maintain appropriate technical and organisational security standards and are contractually bound to protect your data. Where a sub-processor processes data in the EU or UK, our sub-processor verification includes confirming that SCCs and DPA arrangements are in place with that sub-processor.
8. Your Rights
8.1 Rights Under POPIA (All Users)
As a data subject under the Protection of Personal Information Act, you have the right to:
- Be notified that your personal information is being collected and the purpose of collection.
- Access your personal information held by us.
- Request correction of personal information that is inaccurate, misleading, or incomplete.
- Request deletion of personal information that is no longer necessary for the purpose for which it was collected.
- Object to the processing of your personal information on reasonable grounds.
- Object to the processing of your personal information for direct marketing purposes.
- Not be subject to a decision based solely on automated processing that significantly affects you.
- Submit a complaint to the Information Regulator of South Africa.
- Receive your personal information in a commonly used electronic format.
8.2 Rights Under UK and EU GDPR (UK and EU Users)
If you are located in the United Kingdom or European Union, you additionally have the right to:
- Access your personal data (Subject Access Request).
- Rectification of inaccurate personal data.
- Erasure of your personal data ("right to be forgotten").
- Restriction of processing in certain circumstances.
- Data portability — to receive your data in a structured, commonly used, machine-readable format.
- Object to processing, including profiling.
- Not be subject to automated decision-making that produces legal or similarly significant effects.
- Withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
- Lodge a complaint with the Information Commissioner's Office (ICO) in the United Kingdom or the relevant supervisory authority in your EU member state.
8.3 How to Exercise Your Rights
To exercise any of your rights, contact us at privacy@tomorrows-compass.com. We will respond within 30 days (POPIA) or one calendar month (GDPR) of receiving your request. We may request identity verification before processing your request. Requests are handled free of charge unless they are manifestly unfounded, excessive, or repetitive.
Your Report reflects the currently active scoring approach. If, in a future Phase B or C transition, you wish to see your original Phase A interpretation, contact privacy@tomorrows-compass.com with your account details and the assessment date or report reference. Your original interpretation is preserved on your record and will be provided alongside your current Report.
8.4 Limitations on Erasure
When you request deletion of your account, we will remove your personal data from our active systems. However:
- Data that has already been irreversibly anonymised and included in aggregate datasets, norm reference populations, research, or publications cannot be removed, as it is no longer personal data and cannot be attributed to or retrieved for any individual.
- We may retain certain data where required by law, regulation, or for the establishment, exercise, or defence of legal claims.
9. Automated Decision-Making and Profiling
Our assessment generates behavioural and capability profiles based on your responses using algorithmic scoring. This constitutes automated profiling under data protection legislation.
We want to be clear about how this works:
- Assessment results are produced through deterministic algorithmic analysis of your responses. The current methodology applies Phase A absolute scoring (fixed-cutoff strength bands derived from theoretical priors), within-person centering for the Enneagram personality test, and a 5-flag validity engine that produces one of three public verdicts. The full methodology, including the Phase A → B → C transition plan, is published at www.tomorrows-compass.com/methodology/discover.
- The scoring engine is deterministic and order-independent within a test. No machine-learning models are applied to capability or personality scoring at this stage.
- When the assessment transitions in future to Phase B or Phase C scoring (peer-norm referencing), your Report may be regenerated to reflect the updated approach. Your original Phase A interpretation is preserved on your record. Where you wish to see your original interpretation, you may request it (see Section 8.3).
- Microsoft Clarity (session replay and heatmap analytics on the marketing website) is purely diagnostic for site improvement and does not feed into any automated decision-making about users.
- These profiles are intended solely for personal development, coaching, and organisational insight purposes.
- Results are not used for automated decisions that produce legal or similarly significant effects without human involvement.
- Assessment results are not clinical, psychological, or medical diagnoses.
- You have the right to request human review of any automated assessment output by contacting us.
10. Children's Privacy
Our Services are not directed at individuals under the age of 18. We do not knowingly collect personal information from children.
Under POPIA, processing of a child's personal information requires the prior consent of a competent person (such as a parent or guardian).
If we become aware that we have inadvertently collected personal information from a child, we will take prompt steps to delete that information from our systems.
11. Cookies and Tracking Technologies
We use a limited number of cookies and local storage items:
Strictly Necessary: Authentication cookies for maintaining your login session on the platform (HttpOnly, Secure, 24-hour expiry). These are essential for the service to function and do not require consent.
Consent Preferences: We store your cookie consent choice in your browser's local storage to remember your preference (12-month duration; cookie name tc-cookie-consent).
Analytics (Consent-Gated): We use Google Analytics with Consent Mode v2 and Microsoft Clarity (session replay + heatmaps). Analytics storage is denied by default and is only activated after you explicitly accept analytics cookies via our cookie banner. Clarity sets two first-party cookies after analytics consent: _clck (Clarity user identifier, ~1 year) and _clsk (Clarity session identifier, ~1 day). Sensitive form fields are auto-masked in Clarity recordings.
What We Do Not Use: We do not use advertising cookies, retargeting pixels, social media tracking cookies, or third-party behavioural targeting technologies.
You can manage your cookie preferences at any time via the cookie banner on our website or through your browser settings.
12. Security Measures
We take the security of your personal information seriously and implement appropriate technical and organisational measures, including:
- All data is transmitted using HTTPS/TLS encryption.
- Passwords are hashed using industry-standard cryptographic algorithms and are never stored in plaintext.
- Bot protection with server-side verification on all forms.
- Assessment integrity monitoring via the 5-flag validity engine, including response pattern analysis, response-time analysis, straight-line detection, and consistency checks.
- Role-based access controls ensuring users, coaches, and administrators can only access data appropriate to their role, with activity logging.
- Rate limiting on all form submissions and API endpoints.
- Payment card data is never processed or stored by us. All payment processing is handled by a PCI DSS compliant provider.
- Regular security reviews and updates to our systems and practices.
13. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms:
- Under POPIA: We will notify the Information Regulator of South Africa and affected data subjects as soon as reasonably possible after becoming aware of the breach.
- Under GDPR: We will notify the relevant supervisory authority within 72 hours where feasible, and affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
Notification will include the nature of the breach, its likely consequences, and the measures we have taken or propose to take to address it.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law.
Material changes will be communicated via email to registered platform users or via prominent notice on our website and platform at least 14 days before they take effect.
The "Last Updated" date at the top of this policy will always reflect the most recent revision.
Continued use of our Services after changes take effect constitutes your acceptance of the revised policy. If you do not agree to the revised policy, you should discontinue use of our Services.
15. Contact and Complaints
If you have any questions about this Privacy Policy or wish to exercise your data protection rights:
Information Officer (POPIA Section 55): Ricardo Albertini
Privacy Enquiries: privacy@tomorrows-compass.com
General Enquiries: info@tomorrows-compass.com
Company: Tomorrows Compass (Pty) Ltd, Registration Number 2025/356280/07, Republic of South Africa
If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority:
South Africa: Information Regulator — https://inforegulator.org.za
United Kingdom: Information Commissioner's Office (ICO) — https://ico.org.uk
European Union: The supervisory authority in your EU member state of residence.
This Privacy Policy is at version 1.0 (effective 2026-05-01). It will continue to evolve as Tomorrows Compass grows; material changes will be communicated to registered users per Section 14.