Privacy Policy
GDPR · FADP · CCPA Compliant
1. Data Controller
The data controller responsible for the processing of your personal data is:
- Company: ZIYON SAS
- Country: France (European Union)
- Email: privacy@pathfinder.app
- Data Protection Contact: privacy@pathfinder.app
2. Data We Collect
2.1 Account Data
When you register or sign in, we collect:
- Email address (required for authentication)
- Full name (optional, from OAuth profile)
- Profile picture (optional, from OAuth provider)
- Authentication provider (Apple, Google, or email)
- Account creation date and last login timestamp
2.2 Assessment & Psychometric Data
To provide our career guidance service, we collect and process your assessment responses. This data is classified as special category data under GDPR Article 9 (psychometric/personality data).
- Answers to career assessment questions
- RIASEC personality type scores
- OCEAN/Big-5 personality trait scores
- Derived career match scores and fit percentages
- Assessment drafts (auto-saved during completion)
2.3 Usage & Technical Data
We automatically collect certain technical information when you use the Service:
- IP address (anonymised after 24 hours)
- Browser type, operating system, and device type
- Pages visited and features used (anonymised analytics)
- Session duration and interaction patterns
- Error logs (when the Service malfunctions)
2.4 Payment Data
If you subscribe to PathFinder Pro, payment processing is handled entirely by Stripe, Inc. (Web) or Apple, Inc. (iOS). We do not store your full credit card number, CVV, or bank account details. We receive only a payment confirmation token and subscription status from these processors.
2.5 Communications Data
If you contact us or opt in to email communications, we collect your email address and the content of your messages.
3. Legal Basis for Processing (GDPR)
We process your personal data only when we have a valid legal basis. The specific bases we rely on are:
3.1 Contract Performance — Art. 6(1)(b)
Processing your account data and assessment results is necessary to provide you with the PathFinder service you requested.
- Account creation and authentication
- Generating career pathways and roadmaps
- Subscription management and billing
3.2 Explicit Consent — Art. 6(1)(a) & Art. 9(2)(a)
For the processing of psychometric data (RIASEC, OCEAN scores), which is considered special category data under GDPR Article 9, we rely on your explicit consent given at the start of the assessment.
For optional analytics and email marketing communications, we also rely on consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.
3.3 Legitimate Interests — Art. 6(1)(f)
We rely on legitimate interests for:
- Security monitoring and fraud prevention
- Service improvement using aggregated, anonymised analytics
- Internal error logging to maintain service quality
3.4 Legal Obligation — Art. 6(1)(c)
We may process data where required to comply with applicable law, including tax and accounting obligations, or in response to lawful requests by public authorities.
4. How We Use Your Data
We use your personal data for the following purposes:
- Providing, maintaining, and personalising the PathFinder service
- Generating AI-powered career pathway recommendations
- Displaying your psychometric profile and career fit scores
- Processing and managing your subscription payments
- Sending transactional emails (account confirmation, password reset, invoices)
- Sending marketing communications (with your consent; unsubscribe any time)
- Improving the Service through aggregated and anonymised usage analysis
- Detecting, preventing, and responding to security incidents and fraud
- Complying with legal obligations
7. Data Retention
We retain your personal data only for as long as necessary for the purposes described in this Policy, or as required by law:
- Account data: Retained for the lifetime of your account. Deleted within 30 days of account deletion request.
- Assessment results: Retained indefinitely while your account is active (needed to provide the Service). Deleted with your account.
- Assessment drafts: Automatically purged after 90 days of inactivity — GDPR Art. 5(1)(e) storage limitation basis.
- Payment records: Retained for 10 years to comply with French accounting law (Code de Commerce Art. L123-22).
- Email communications: Retained for 12 months after your last interaction.
- Technical logs: Anonymised after 24 hours; raw logs deleted after 30 days.
- Backups: Encrypted database backups are retained for 30 days before permanent deletion.
8. Your Rights
Under the GDPR (EU), FADP (Switzerland), and CCPA (California), you have the following rights regarding your personal data. To exercise any of these rights, contact us at privacy@pathfinder.app.
8.1 GDPR Rights (EU & EEA Users)
- Right of Access (Art. 15): Obtain a copy of all personal data we hold about you.
- Right to Rectification (Art. 16): Correct inaccurate or incomplete data.
- Right to Erasure / Right to be Forgotten (Art. 17): Request deletion of your data (subject to legal retention obligations).
- Right to Restriction (Art. 18): Restrict processing of your data in certain circumstances.
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interests.
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent for psychometric data processing at any time.
- Right to Lodge a Complaint: File a complaint with the CNIL (France) at cnil.fr or your local supervisory authority.
8.2 Swiss FADP Rights
Swiss users have equivalent rights under the Federal Act on Data Protection (FADP/nDSG), including the right of access, correction, deletion, and to lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch.
8.3 California Privacy Rights (CCPA/CPRA)
California residents have the following additional rights:
- Right to Know: Know what personal information we collect, use, share, or sell.
- Right to Delete: Request deletion of your personal information.
- Right to Opt-Out of Sale: We do NOT sell your personal information.
- Right to Non-Discrimination: Exercise your privacy rights without discriminatory treatment.
- Right to Correct: Correct inaccurate personal information.
8.4 How to Exercise Your Rights
Submit a request to privacy@pathfinder.app with the subject line "Privacy Rights Request". We will respond within 30 days (GDPR) or 45 days (CCPA). We may require identity verification before processing certain requests.
9. International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA) and Switzerland, primarily in the United States. We ensure that all international transfers of personal data comply with applicable law through appropriate safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914)
- Data Processing Agreements (DPAs) with all sub-processors
- Technical and organisational security measures
- EU/EEA data residency options where available (e.g., Supabase Frankfurt region)
10. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction:
- Encryption in transit: TLS 1.2+ for all data transmission
- Encryption at rest: AES-256 database encryption (Supabase)
- Row-Level Security (RLS): Supabase RLS policies ensure users can only access their own data
- Authentication: OAuth 2.0 with PKCE and secure session management
- Access control: Principle of least privilege for internal data access
- Cron-based data purge: Automatic deletion of stale draft data (90-day retention)
- Dependency monitoring: Automated security updates via Dependabot
11. Children's Privacy
The Service is not directed to children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@pathfinder.app and we will delete such data promptly.
For users aged 16–18, parental or guardian consent may be required depending on applicable national law.
12. AI & Automated Decision-Making
PathFinder uses AI to generate career recommendations. We want to be transparent about how this works:
- Your assessment responses are sent to Anthropic's Claude API to generate career pathways.
- The AI output is a recommendation, not a deterministic classification. A human (you) always makes the final career decision.
- We do not use your data for solely automated decisions that produce legal or similarly significant effects (GDPR Art. 22).
- Anthropic does not use API call inputs to train their foundation models.
- We do not share identifiable psychometric data with third parties for marketing, profiling, or AI training purposes.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email and/or a prominent notice within the Service at least 15 days before the changes take effect.
The "Last Updated" date at the top of this page reflects the date of the most recent revision. We encourage you to review this Policy periodically.
Your continued use of the Service after the effective date of the updated Policy constitutes your acceptance of the changes.
14. Contact & Data Protection
For any privacy-related inquiries, requests, or complaints:
- Data Protection: privacy@pathfinder.app
- General Support: support@pathfinder.app
- Company: ZIYON SAS, France (EU)
- Supervisory Authority (FR): Commission Nationale de l'Informatique et des Libertés — cnil.fr
- Supervisory Authority (CH): Federal Data Protection and Information Commissioner — edoeb.admin.ch
© 2026 ZIYON SAS · PathFinder · privacy@pathfinder.app