Privacy Policy
How myIQ collects, uses, and protects your personal data, and the rights you have over it.
1. DEFINITIONS AND KEY TERMS
| Term | Definition |
|---|---|
| myIQ | "we," "us," or "our" |
| Service | All features, functionalities, programs, and content available through myIQ |
| Platform | Our website and related services accessible via any device |
| User | Any individual accessing or using our services ("you" or "your") |
| Personal Data | Any information relating to an identified or identifiable natural person |
| Processing | Any operation performed on personal data |
| Data Controller | myIQ, determining the purposes and means of processing personal data |
| Data Processor | Third parties that process personal data on our behalf |
| Cookie | Small text file stored on your device containing data about your platform usage |
| Authentication | Process of verifying user identity |
| Encryption | Process of encoding information to prevent unauthorized access |
| Token | Unique identifier used for secure authentication |
| SSL/TLS | Security protocols for encrypted data transmission |
2. INTRODUCTION AND SCOPE
2.1 Policy Overview
This privacy policy explains how myIQ collects, uses, and protects your personal data. It provides detailed information about your privacy rights and how you can exercise them.
2.2 Policy Application
This policy applies to:
- All users of myIQ globally
- All data collection methods
- All service features and functionalities
- All platform versions and updates
2.3 Policy Updates
- We reserve the right to update this policy
- Material changes will be notified via email
- Continued use after changes constitutes acceptance
3. PERSONAL DATA COLLECTION
3.1 Account Information
Essential: email address (for authentication), name (collected during payment), last sign-in timestamp, unique account identifiers, IP addresses.
Optional: phone number (if provided via payment processors), user preferences and settings, communication preferences.
3.2 Service Usage Data
Test results: final IQ scores, completion timestamps, performance metrics. Individual test answers are processed in real time and are never stored.
Interaction data: features accessed, time spent on platform, navigation patterns, device information.
3.3 Payment Information
We only receive and store limited payment information: tokenized payment method identifiers, the last four and first six digits of payment cards, and card expiration dates.
3.4 Technical and Device Data
Device: operating system, browser type and version, screen resolution, device type and model, language preferences.
Connection: IP address, network information, connection type, geographic location (derived from IP), time zone.
Performance: load times, error messages, system performance metrics, network latency, application response times.
4. DATA PROCESSING AND USAGE
4.1 Primary Processing Purposes
Service provision: account creation and management, authentication and security, feature access and customization, customer support, service optimization.
Payment processing: subscription management, payment authorization, fraud prevention, transaction records, billing support.
Communication: service updates and notifications, security alerts, product information, support responses, legal notices.
4.2 Secondary Processing Purposes
Service improvement: usage pattern analysis, feature optimization, performance monitoring, user experience enhancement, bug identification and resolution.
Analytics and research: aggregate usage statistics, trend analysis, platform optimization, feature development, performance benchmarking.
4.3 Legal Bases for Processing
Contractual necessity: account management, service provision, payment processing, feature access, support services.
Legal obligations: tax compliance, financial records, legal requirements, regulatory compliance, safety and security.
Legitimate interests: service improvement, fraud prevention, security maintenance, technical optimization, business development.
Consent-based processing: marketing communications, optional features, third-party integrations, analytics participation, feature testing.
5. DATA STORAGE AND SECURITY
5.1 Storage Location and Data Transfers
All personal data is stored on secure servers located within the European Union, provided by leading cloud infrastructure providers, primarily Amazon Web Services (AWS). All data is transmitted over encrypted channels, and appropriate safeguards are applied to any international data transfers. We do not maintain our own data centers and rely on certified third-party providers that comply with applicable security and data protection standards.
5.2 Security Measures
Authentication and access: multi-factor authentication, passwordless email sign-in with single-use codes, automatic session termination, role-based access control, least-privilege principle, access logging and regular reviews.
Data protection: SOC2 Type 2 compliance, AES-256 encryption at rest, TLS in transit, regular security audits.
System security: DDoS protection via Cloudflare, intrusion detection, regular patching, infrastructure monitoring.
Payment security: PCI DSS compliant processing, tokenized storage, no access to complete card numbers, encrypted transmission, immediate incident response.
Backup and recovery: regular automated encrypted backups, disaster recovery planning, geographic redundancy, data restoration procedures.
Organizational security: incident response procedures and protocols, access control policies and enforcement, a security incident reporting framework, change management procedures.
Monitoring and maintenance: real-time system monitoring and security event logging, performance tracking and analysis, regular security reviews and assessments, continuous compliance monitoring, regular system updates, vulnerability assessments, security patch management.
5.3 Data Breach Notification Procedures
Definition and scope. A data breach is defined as unauthorized access to personal data, accidental loss or destruction of personal data, unauthorized disclosure of personal data, or any incident compromising data confidentiality, integrity, or availability.
Internal response. Upon discovering a potential breach, we will immediately initiate our incident response plan, assess the nature and scope of the breach, take immediate steps to contain it, document all aspects of the incident, and evaluate the risks to affected individuals.
User notification. We will notify affected users within 72 hours of breach confirmation, through email notification.
Notification content. Our breach notifications will include a description of the incident, the types of data affected, the potential impact on users, the steps we've taken to address the breach, recommended user actions, contact information for questions, and resources for additional support.
Regulatory compliance. Where required by law, we will notify relevant supervisory authorities, comply with jurisdiction-specific requirements, provide mandatory documentation, cooperate with investigations, and implement required remedial measures.
Post-breach measures. Following any breach, we will conduct a thorough investigation, implement additional security measures, update procedures as necessary, provide ongoing updates to affected users, and review and enhance security protocols.
6. ANALYTICS, ADVERTISING, AND THIRD-PARTY SERVICES
6.1 Analytics and Infrastructure Partners
Analytics services. We utilize the following services to monitor and improve our platform: Google Tag Manager (for managing analytics and marketing tags), Google Analytics (for user behavior analysis and service optimization), MixPanel (for user interaction tracking and feature usage analysis), Google BigQuery (for large-scale data analysis and reporting), Sentry (for error monitoring, performance tracking, and session recording), and Cloudflare (for performance analytics and security monitoring).
Session recording. Through Sentry, we implement session recording with the following safeguards: automatic masking of all user inputs, no collection of personally identifiable information, exclusion of all data entry fields, anonymization of all user interactions, and usage limited to bug investigation and performance optimization.
Data collection scope. These services may collect usage patterns, feature interaction data, performance metrics, error information, anonymized user flows, and aggregate statistics.
6.2 Advertising Partners and Data Sharing
Advertising partners. We work with various advertising partners, including Facebook, Google, SnapChat, TikTok, Taboola, Outbrain, AppLovin, and Pinterest.
Data sharing practices. These partners may receive anonymous identifiers, email addresses (for advertising purposes), usage data, device information, and interaction metrics.
Partner data usage. Our advertising partners may track user interactions, measure ad performance, optimize ad targeting, create audience segments, and analyze campaign effectiveness.
6.3 User Control Over Tracking
Tracking limitations. Users can limit tracking through browser cookie settings, ad-blocker extensions, device settings, and platform-specific controls.
Opt-out options. Available tools include the Digital Advertising Alliance (DAA) opt-out tools, the Network Advertising Initiative (NAI) opt-out platform, platform-specific advertising settings, and individual advertising partner opt-outs.
Impact of tracking limitations. Limiting tracking may affect platform functionality, service personalization, feature availability, and user experience. Core service features will remain functional.
7. YOUR RIGHTS AND CHOICES
7.1 Universal Rights
All users have the following basic rights: to access their personal data, correct inaccurate data, request data deletion (see Section 8.2 for procedures), object to processing, data portability, and to withdraw consent.
7.2 Regional Privacy Rights
European Union and UK residents (GDPR). Core rights include the right to be informed, the right to access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights regarding automated decision-making.
California residents (CCPA/CPRA). Additional rights include knowledge of personal information collection, knowledge of information sharing, deletion rights, correction rights, opt-out rights, non-discrimination rights, and portability rights.
Australian residents. Privacy Act rights include collection notification, access rights, correction rights, purpose specification, use limitation, and disclosure transparency.
Canadian residents. PIPEDA rights include access rights, accuracy rights, consent withdrawal, use transparency, and protection expectations.
7.3 How to Exercise Your Rights
Submission methods. All privacy rights requests can be submitted through any of our official contact channels listed in Section 12.2.
Verification process. To protect your privacy, we require initial verification through email verification and account authentication (if applicable), and identity documentation (if needed for sensitive requests). For sensitive requests or authorized agents, we may require a government-issued ID, proof of authority (for agents), and additional security checks as needed.
Response timelines. We follow these standard response times for all requests: initial acknowledgment within 72 hours, a standard response time of 30 days, a maximum extension period of 45 days (with notification), and appeal decisions within 30 days. California residents receive acknowledgment within 10 days per CCPA requirements.
Data delivery. All personal data will be provided in a machine-readable format (CSV or JSON), with a complete data inventory, via encrypted transmission.
Appeal process. If you're unsatisfied with our response, you may submit an appeal within 30 days, including your reason for appeal and any additional information, and you will receive a decision within 30 days.
8. DATA RETENTION AND DELETION
| Item | Retention period or procedure |
|---|---|
| Account data | While account is active |
| Payment records | As required by law |
| Analytics data | For service improvement |
| Communication records | 2 years |
| Security logs | 13 months |
| Account deletion | 30-day process |
| Data removal | Systematic process |
| Backup removal | 90-day maximum |
| Verification process | Complete removal check |
9. INTERNATIONAL DATA TRANSFERS AND LEGAL JURISDICTION
9.1 International Data Transfers
For users outside the European Union, we ensure appropriate data protection through standard contractual clauses for international data transfers, technical and organizational security measures, regular compliance monitoring and assessments, adherence to international data protection requirements, and continuous evaluation of data protection mechanisms.
9.2 Legal Jurisdiction and Dispute Resolution
Escalation process. Before pursuing legal action, users must follow our escalation procedure.
First-level escalation: submit to [email protected], including the reference number and prior communication history; a response is provided within 5 business days.
Second-level escalation: if unsatisfied, escalate to [email protected] for senior management review, with a final decision within 15 business days.
Informal dispute resolution: following the escalation process, parties will attempt informal resolution over a 30-day good-faith negotiation period through direct communication to resolve disputes.
Formal legal proceedings. If escalation and informal resolution are unsuccessful: this privacy policy is governed by the laws of the State of Delaware, United States; any legal proceedings shall be exclusively resolved through binding arbitration as detailed in Section 14 of our Terms and Conditions; arbitration shall be conducted by the American Arbitration Association; users expressly consent to the personal jurisdiction of Delaware courts for matters exempt from arbitration; and all claims must be brought within six months of the incident date. For complete dispute resolution procedures, including arbitration rules, exceptions, and the class action waiver, please refer to Section 14 of our Terms and Conditions.
10. CHILDREN'S PRIVACY
10.1 Age Restrictions
- Minimum age: 18 years
- No intentional collection from minors
- Account termination if underage discovered
11. CHANGES TO THIS POLICY
11.1 Modification Rights
We reserve the right to modify this privacy policy at any time.
11.2 Types of Changes
Material changes. Changes that significantly affect your rights or our obligations include major changes to data sharing with third parties, fundamental changes to data processing purposes, and significant changes to user privacy rights.
Non-material changes. Changes that don't substantially affect your rights include, but are not limited to: updates to reflect current practices, adding new product features or services, changes to contact information, clarifications of existing terms, grammatical or formatting updates, security enhancements, technical documentation updates, service improvement descriptions, analytics and tracking updates, changes to advertising partners and analytics providers, updates to third-party integrations, and regional compliance updates.
11.3 Notice Requirements
Material changes. Email notification will be provided 5 days before implementation; changes are effective upon the notification date, and continued use constitutes acceptance.
Non-material changes. These may be implemented immediately with no advance notice required, and the updated policy will be posted on the website.
11.4 Your Options
You may review the current privacy policy on our website, discontinue service use if you disagree with changes, or continue use, which indicates acceptance of changes.
12. LEGAL INFORMATION AND CONTACT DETAILS
12.1 Company Information
For all inquiries including privacy-related matters:
- Email: [email protected]
- Help Center: https://myiq.com/help
- Postal Address: 2093 Philadelphia Pike #3129, Claymont, DE 19703, United States
All inquiries will be handled according to the response timelines detailed in Section 7.3.3.