Legal

Privacy Policy

Last updated: March 2026

Your data is yours. This policy explains exactly what we collect, why, how long we keep it, and what rights you have over it. We do not sell data. We do not advertise. We never will.

1. Data Controller

The entity responsible for processing your personal data is:

2. Information We Collect

We collect only what is strictly necessary to operate the service:

• Account data — first name, email address, city of residence
• Profile data — your rank, archetype, behavioral dimensions, score, and daily journal entries
• Authentication data — OAuth identifiers if you sign in via Google or Discord
• Connection data — IP address, browser type, pages visited (via Vercel infrastructure)
• Location data — city-level only, derived from your IP address for the live map feature. No precise GPS data is ever collected without your explicit consent
• Verification data — if you voluntarily connect LinkedIn, bank records, or social profiles to obtain a verified tier

3. How We Use Your Information

Your data is used exclusively to:

• Create and manage your account
• Calculate and display your rank and archetype
• Display your profile on the member map (city-level, with your consent)
• Send transactional notifications related to your account activity
• Analyse your daily journal entries to assign trajectory points
• Detect and prevent fraudulent behavior and system manipulation
• Improve the service based on aggregated, anonymised usage data

We do not use your data for advertising, profiling for third parties, or any purpose not listed above.

4. Legal Basis for Processing

• Performance of a contract — to provide the platform features you signed up for (Art. 6(1)(b) GDPR)
• Consent — for location display on the map, and for any marketing communications (Art. 6(1)(a) GDPR). Consent may be withdrawn at any time without affecting the lawfulness of prior processing
• Legitimate interest — for security, fraud detection, and service improvement (Art. 6(1)(f) GDPR). You may object to this processing at any time
• Legal obligation — where required by applicable law (Art. 6(1)(c) GDPR)

5. Automated Processing

Your daily journal entries are analysed automatically to evaluate consistency and assign trajectory points. This processing contributes to your rank calculation, which is a profile feature of the platform.

In accordance with Article 22 of the GDPR, you have the right to:

• Request human review of any automated rank or score result
• Express your point of view regarding the output
• Contest any result you believe to be inaccurate or unfair

To exercise any of these rights, contact us at contact@thehierarchy.eu. We will respond within 30 days.

6. Data Sharing

We do not sell, rent, or trade your personal data. We share data only with the following infrastructure providers, strictly for service operation:

• Supabase — database and authentication, hosted in the European Union. No transfer outside the EEA
• Vercel — web hosting, United States. Transfers are governed by the European Commission Standard Contractual Clauses (SCCs, Decision 2021/914), incorporated into our Data Processing Agreement with Vercel
• Mapbox — map rendering, United States. Transfers are governed by the European Commission Standard Contractual Clauses (SCCs, Decision 2021/914), incorporated into our Data Processing Agreement with Mapbox
• Resend — transactional emails, United States. Only your email address is transmitted. Transfers are governed by the European Commission Standard Contractual Clauses (SCCs, Decision 2021/914)
• ipapi.co — city-level IP geolocation for map display. No personal identifiers are transmitted beyond the originating IP address, which is not stored by this provider

All third-party providers are bound by data processing agreements. No provider receives data beyond what is strictly necessary for their function.

7. Data Retention

• Account data — retained while your account is active, then permanently deleted within 30 days of account deletion
• Daily journal entries — retained for 2 years, or until account deletion, whichever comes first
• Connection logs — retained for 90 days
• Waitlist emails — retained until the application launch or upon your request

8. Your Rights Under GDPR

As a resident of the European Union, you have the following rights regarding your personal data:

To exercise any of these rights, contact us at contact@thehierarchy.eu. We will respond within 30 days. You also have the right to lodge a complaint with the CNIL (French Data Protection Authority) or your local supervisory authority.

9. Security

We implement appropriate technical and organisational measures to protect your data: encryption in transit (HTTPS/TLS), secure authentication, strict database access controls, and monitoring for suspicious activity. No transmission over the internet is 100% secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the CNIL within 72 hours and inform you without undue delay.

10. Cookies

We use only strictly necessary cookies to maintain your authenticated session. We do not use advertising cookies, analytics cookies, or any third-party tracking. No cookie consent banner is required because no non-essential cookies are placed.

11. Changes to This Policy

We may update this policy from time to time. In the event of a material change, we will notify you by email at least 15 days in advance and request your active confirmation before the changes take effect. The date at the top of this document always reflects the most recent revision.

For minor or clarifying changes that do not affect your rights, continued use of the service after the effective date constitutes acceptance of the updated policy.