Privacy Policy
Last Updated: February 23, 2026
This Privacy Policy describes how ReadyPillar.ai ("ReadyPillar," "we," "us," or "our") collects, uses, stores, and shares your personal data when you use our platform, including the web application, assessment tool, report generation service, and all associated APIs (the "Service"). We are committed to protecting your privacy and processing your data lawfully, fairly, and transparently.
1. Data We Collect and Why
1.1 Account Registration Data
When you create an account, we collect your email address, name (if provided), and a securely hashed password. This data is necessary to create and authenticate your account and to deliver the Service.
Legal basis: Performance of contract (GDPR Article 6(1)(b)).
1.2 Organizational Profile Data
We collect your company name, company size (employee range), industry vertical, and country of operation. This information is used to select industry-specific assessment questions, contextualize your results, and provide relevant benchmark comparisons.
Legal basis: Performance of contract; legitimate interest (providing relevant benchmarks).
1.3 Assessment Response Data
We collect your answers to 27–45 assessment questions (Likert scale responses), the computed pillar scores, composite score, maturity level, and identified critical gaps. This data is used to compute your AI readiness score and generate reports. Raw assessment answers are automatically deleted 90 days after submission. Aggregate scores (not raw answers) are retained as part of your assessment record for the duration of your account.
Raw answers are not used for AI model training.
Legal basis: Performance of contract.
1.4 Payment Information
When you purchase a report, we record the transaction ID, purchase amount, payment tier, payment status, and billing country. We do not store your card number, CVV, or bank details—these are handled exclusively by our payment processor, Dodo Payments.
Transaction records are retained for 7 years per accounting and tax law requirements.
Legal basis: Performance of contract; legal obligation (financial record retention).
1.5 Report Generation Data
For Starter ($19) and Pro ($29) tier reports, your assessment scores and pillar data are processed by third-party large language models (LLMs) to generate personalized analysis. Before any data is transmitted to LLM providers, all personally identifiable information is removed via our anonymization process. LLM providers receive only: numeric pillar scores, score ranges, industry category, and company size band. They never receive your name, email, company name, user ID, or any other identifying information.
Template tier ($9) reports use pre-written content blocks and involve no LLM processing whatsoever.
Legal basis: Legitimate interest (service delivery).
1.6 Technical and Usage Data
We collect IP addresses (for rate limiting and fraud prevention), authentication session tokens, and server-side request logs (retained 30 days). We do not use third-party analytics, advertising trackers, or behavioral profiling.
Legal basis: Legitimate interest (security and abuse prevention).
2. Cookies and Tracking
ReadyPillar uses only authentication session cookies set by our authentication provider (Supabase Auth). These are strictly necessary for the Service to function and cannot be disabled.
We do not use advertising cookies, cross-site tracking cookies, fingerprinting, or any third-party analytics scripts (no Google Analytics, no Meta Pixel, etc.).
Assessment answers are temporarily stored in your browser's localStorage (not cookies) under the key rp-assessment. This data is not transmitted to our servers automatically and does not trigger cookie consent requirements.
Because we use no non-essential cookies, a cookie consent banner is not required under the EU ePrivacy Directive.
3. Third-Party Data Processors
We share your data with the following service providers who process data on our behalf:
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database, authentication | All user and assessment data | US |
| Dodo Payments | Payment processing | Email, transaction details | US |
| Transactional email service provider | Transactional email | Email address | US/EU |
| Google (Gemini API) | LLM report generation | Anonymized scores only | US/EU |
| xAI (Grok API) | LLM report generation (fallback) | Anonymized scores only | US |
All LLM providers receive only fully anonymized, non-identifiable assessment data. No personally identifiable information is ever transmitted to LLM providers. Each processor has a Data Processing Agreement (DPA) in place.
4. International Data Transfers
ReadyPillar may transfer your data to countries outside the European Economic Area (EEA), including the United States. For each transfer, we rely on appropriate safeguards:
- Supabase: EU Commission Standard Contractual Clauses (SCCs)
- Email provider: Transactional email delivered via SMTP with TLS encryption
- Google Gemini: Google Cloud SCCs and DPA
- xAI Grok: xAI DPA with SCCs
- Dodo Payments: Dodo Payments DPA
You may request a copy of the applicable transfer safeguards by contacting us at the address listed in Section 12.
5. Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Raw assessment answers | 90 days (auto-deleted) | Data minimization |
| Assessment scores and pillar results | Duration of account + 30 days | Contract performance |
| Account registration data | Duration of account + 30 days | Contract performance |
| Payment/transaction records | 7 years | Legal obligation (tax/accounting) |
| Server/security logs | 30 days (rolling) | Legitimate interest (security) |
| Benchmark aggregate data | Indefinite (fully anonymized) | Legitimate interest |
6. Benchmark Data Program
ReadyPillar offers an optional benchmark program that allows you to compare your AI readiness scores against anonymized, aggregated peer data. Participation is opt-in only and is not enabled by default.
If you opt in, we contribute your anonymized scores to an aggregate dataset. Data is only published when a cohort (defined by industry and company size) reaches a minimum of 30 entries. No individual organization can be identified from the aggregate data. Contributed data includes only: pillar score ranges, composite score range, company size band, and industry vertical.
You may withdraw from the benchmark program at any time. Previously contributed data that has already been incorporated into aggregates cannot be individually removed.
Legal basis: Consent (GDPR Article 6(1)(a)).
7. Your Data Rights
If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights under GDPR. We respond to all requests within 30 days.
Right of Access (Article 15)
You may request a copy of all personal data we hold about you. Use the data export feature in your account settings or contact us at the address in Section 12.
Right to Data Portability (Article 20)
You may receive your data in a structured, machine-readable format (JSON). This includes data you provided directly (assessment answers, account data) and data generated by automated processing (scores). Use the data export API or contact us.
Right to Erasure (Article 17)
You may request deletion of all your personal data. Upon request, we delete your account data, assessment answers, scores, profile data, and email address. Transaction records are retained for 7 years per legal obligations. Anonymized benchmark contributions cannot be individually identified or removed.
Right to Rectification (Article 16)
You may update your account profile data directly in your account settings. Assessment data represents a point-in-time snapshot and cannot be retroactively corrected, but you may retake the assessment.
Right to Object (Article 21)
You may object to processing based on legitimate interests, including security logging. Contact us and we will conduct a balancing test and respond within 30 days.
Automated Decision-Making (Article 22)
ReadyPillar uses automated scoring to compute your AI readiness score. This is an informational assessment tool and does not constitute automated decision-making with legal or similarly significant effects as defined under Article 22. Your score is computed by normalizing Likert-scale answers to a 0–100 scale per pillar, then combining the pillar scores in a weighted average with the following weights: Data Readiness (25%), Strategic Alignment (20%), People & Skills (20%), Infrastructure (15%), Governance (10%), Process Maturity (10%).
Right to Lodge a Complaint
You may lodge a complaint with your local data protection supervisory authority. In the UK, contact the Information Commissioner's Office (ICO) at ico.org.uk.
8. California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
Categories of personal information collected in the past 12 months: identifiers (email), commercial information (transaction records), internet/electronic activity (server logs), and professional/employment information (company, industry).
ReadyPillar does not sell or share personal information for cross-context behavioral advertising. We do not use or disclose sensitive personal information for purposes beyond what is necessary to provide the Service.
You have the right to know, delete, correct, and opt out of the sale of personal information (though we do not sell your data). To exercise your rights, contact us at the address in Section 12.
9. Data Security
We implement appropriate technical and organizational measures to protect your data:
- All data in transit is encrypted with TLS 1.2 or higher
- All data at rest is encrypted with AES-256 encryption
- Three-layer security architecture: proxy-layer protection, Data Access Layer with per-query authentication re-verification, and database Row-Level Security (RLS) policies
- Rate limiting via Upstash Redis to prevent abuse
- Nonce-based Content Security Policy (CSP) headers
- All personally identifiable information is stripped before any external LLM API call (architectural requirement, not optional)
- Authentication via Supabase Auth with secure session tokens; no passwords stored in plaintext
Data Breach Response
In the event of a data breach likely to result in risk to individuals, we will notify the relevant supervisory authority within 72 hours. Where a breach is likely to result in high risk, we will notify affected users without undue delay via the email address on their account.
10. Children's Privacy
ReadyPillar is a business-to-business (B2B) platform designed exclusively for organizational use by business professionals. The Service is not directed to children under 18. We do not knowingly collect personal data from minors. If we become aware that a minor has created an account, we will delete the account and all associated data promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email and/or an in-app notification at least 30 days before taking effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
The current version of this policy is always available at this page.
12. Contact Us
For any questions about this Privacy Policy, to exercise your data rights, or to raise a concern, contact us at:
ReadyPillar.ai
Email: privacy@readypillar.ai
Response time: Within 30 days for all data rights requests