How ThoughtCraft Protects Your Assessment Data & Privacy

1. What Data ThoughtCraft Collects

What We Collect

• Assessment responses: Your answers to the 20-minute ThoughtCraft assessment questionnaire
• Profile information: Name, email, phone number, organization (if applicable)
• Computed results: Your AI-generated cognitive profile, insights, and personalized recommendations
• Usage data: Login timestamps, assessment completion status, and interactions with Evalyn, our AI guide
• Optional: Contact preferences and communication consents

Where It Comes From

• Directly from you during assessment completion at assessment.thoughtcraft.ai
• From profile setup and account management
• From your interactions with Evalyn, our AI guide

What We Don’t Collect

• Payment card information, which is processed by PCI-compliant third-party payment processors
• Audio or video recordings without explicit consent
• Biometric data
• Location data beyond general IP geolocation used for security purposes

We do not sell your data.

2. How Long We Keep Your Data

Retention Policy

• Active assessments: Retained for the duration of your account unless you request deletion
• Inactive accounts: If your account is inactive for 24+ months, we may archive your data
• Backup copies: Retained for up to 90 days for disaster recovery purposes
• Compliance holds: If required by law, data may be retained longer per legal hold requests

Your data is yours. You can request full data deletion at any time.

Data Deletion — Your Right to Be Forgotten

• Email info@thoughtcraft.ai to request full deletion of your account and all associated data
• We will delete your personal data, assessment responses, and computed results within 30 days
• Deletion is permanent — archived backup copies are purged within 90 days
• Aggregated or anonymized data used for research may be retained, but it cannot identify you

3. Who Can Access Your Data

Role-Based Access

Role	Access	Capabilities
Respondent (You)	Own data only	View assessment results, export data, manage account, communicate with Evalyn
Reviewer (Admin/Manager)	Team members’ data (with consent)	View reports, track completion, access bulk analytics
ThoughtCraft Admin	All data (service operations only)	System monitoring, security response, compliance audits, technical support

Access Logging

• All data access is logged with timestamp, user, and action
• Admin access follows role-based access and the principle of least privilege
• Unauthorized access attempts are flagged and investigated

Third-Party Access — What We Share and What We Don’t

• Subprocessors have limited access only for specific service functions
• No assessment data or personal data is sold to third parties
• All subprocessor agreements include data protection clauses

4. How We Encrypt and Secure Your Data

In Transit (Network Security)

• TLS 1.2 / TLS 1.3: All connections to thoughtcraft.ai are encrypted
• Cloudflare Protection: Assessment platform and marketing site are proxied through Cloudflare
• Certificate Authority: Valid SSL certificates from trusted CAs
• HSTS: HTTP Strict Transport Security enabled to prevent downgrade attacks

At Rest (Data Storage)

• Database Encryption: Assessment data stored in an encrypted database
• Field-Level Encryption: Sensitive fields encrypted with AES-256
• Backup Encryption: All backups encrypted with AES-256 before storage
• Key Management: Encryption keys stored separately from encrypted data

Transport Security Details

• Secure WebSocket connections (WSS) for real-time Evalyn AI interactions
• No sensitive assessment data is intentionally logged in plaintext
• Security controls are reviewed regularly as part of our ongoing compliance process

5. Your Privacy Rights — GDPR & CCPA

If you are located in the European Union, United Kingdom, California, or another jurisdiction with privacy rights, you may have the right to access, correct, export, object to, or delete your personal information.

• You may request access to the personal data ThoughtCraft holds about you
• You may request corrections to inaccurate or outdated information
• You may request full data deletion where legally permitted
• You may request a portable copy of your assessment data
• You may opt out of non-essential communications at any time

6. Contact Us About Your Data

For privacy, security, GDPR, CCPA, or data deletion requests, contact us at info@thoughtcraft.ai.

Please include the email address associated with your ThoughtCraft account so we can verify and process your request.

7. Compliance Posture

GDPR (General Data Protection Regulation)

• Applicability: If you are located in the EU or your data is processed in the EU
• Your Rights: Access, correction, deletion, data portability, and objection
• Data Requests: Contact info@thoughtcraft.ai
• Data Processing Agreement: Available upon request for B2B customers

SOC 2 Compliance

• Current Status: SOC 2 Type II audit in progress (target completion: Q3 2026)
• What This Means: Independent verification of security controls, availability, integrity, and confidentiality
• Timeline: Once completed, certification valid for 12-month periods with annual re-audits

Other Standards

• Data Residency: All data stored in secure data centers
• Subprocessors List:
• Forge (hosting & server management)
• Cloudflare (CDN, DDoS protection, DNS)
• Additional subprocessors may be added as our platform evolves

Certifications Roadmap

• ✅ GDPR compliant
• 🔄 SOC 2 Type II (in progress, Q3 2026)
• 📋 ISO 27001 (planned 2026/2027)

8. Customer Controls

Data Export

• Download your assessment results as PDF
• Export request available in account settings or by contacting us
• Delivered within 7 business days where technically feasible
• Includes all personal data, assessment responses, and computed insights

Data Deletion

• Initiate deletion request through account settings or via email to info@thoughtcraft.ai
• Processed within 30 days
• Confirmation sent upon completion

Audit Logs (B2B)

• Enterprise customers can request access to audit logs showing:
• Who accessed your data and when
• What actions were performed
• Any changes to sharing or permission settings
• Available upon request, provided within 14 business days where applicable

Consent Management

• Update email preferences and communication settings anytime
• Opt out of non-essential communications
• Marketing materials require explicit opt-in where required by law

9. Incident Response & Security Commitment

Breach Notification

• Assessment: Any suspected breach is investigated promptly
• Notification Timeline: If a breach is confirmed and personal data is affected, you will be notified as required by applicable law
• What You’ll Receive:
• Description of what happened
• Data affected
• Steps you should take
• ThoughtCraft remediation actions
• Contact for questions

Security Practices

• Security reviews and vulnerability management
• Employee security training
• Incident response planning and testing
• Ongoing improvement of privacy and security controls

Responsible Disclosure

• Found a security vulnerability? Email info@thoughtcraft.ai
• We aim to acknowledge reports within 48 hours and prioritize remediation based on severity

Questions or Concerns?

• Email: info@thoughtcraft.ai
• Data Privacy Inquiries: info@thoughtcraft.ai

Last updated: May 11, 2026
This policy may be updated. Please check back for changes.