This notice explains how PeopleOS collects, uses, and protects your personal data. It applies to all users of the PeopleOS platform and to candidates who complete assessments.
PeopleOS is operated by MBU Intelligence. We are the data controller for personal data collected through this platform.
Contact: privacy@peopleos.health
For EU AI Act and GDPR enquiries, our Data Protection contact is available at the address above.
| Data category | Examples | Legal basis | Retention |
|---|---|---|---|
| Account data | Name, email address, Clerk user ID | Contract | Duration of account + 3 years |
| Assessment responses | Answers to OCEAN, EQ, Bias, Johari, Values, Leadership questions | Contract / Consent (Art. 9 GDPR for psychometric data) | 3 years from completion |
| Psychometric profiles | OCEAN scores, EQ scores, bias tendency scores, leadership style classification | Contract / Consent | 3 years from completion |
| AI conversation logs | Messages sent to and received from the AI Assistant when learning mode is enabled | Explicit consent (opt-in) | 12 months or until consent is withdrawn |
| Usage data | AI model used, token counts, cost, plan ID, request timestamps | Legitimate interest (service improvement, billing) | 24 months |
| Billing data | Stripe customer ID, subscription plan, billing cycle | Contract / Legal obligation | Duration of contract + 7 years (tax) |
| Notification logs | Record of notifications sent, event type, timestamp | Legitimate interest | 6 months |
| EU AI Act consent | Timestamp of Article 13 disclosure acknowledgement, assessment token, articles acknowledged | Legal obligation (EU AI Act Art. 12) | 3 years |
Psychometric assessment results (OCEAN scores, personality profiles, EQ scores) constitute special-category personal data under GDPR Article 9 — specifically data revealing mental health or psychological characteristics.
We process this data under Article 9(2)(b) — processing necessary for employment-related obligations with appropriate safeguards — and/or Article 9(2)(a) — explicit consent.
You always have the right to withdraw consent and request deletion of psychometric data. Withdrawal does not affect the lawfulness of prior processing.
PeopleOS uses AI systems for psychometric assessments and an AI assistant. These systems are classified as high-risk AI under EU AI Act Annex III §4 (AI in employment decisions).
We comply with EU AI Act Chapter 2 obligations:
- Article 9 — Risk management: we operate a risk management programme covering bias detection, accuracy monitoring, and residual risk documentation.
- Article 10 — Data governance: assessment scoring is based on validated psychometric models. Your responses are never used to train AI models without explicit, separate consent.
- Article 12 — Logging: each assessment session is automatically logged with model version, consent timestamp, and completion status.
- Article 13 — Transparency: you receive a clear disclosure of AI use, data processing, and your rights before every assessment begins.
- Article 14 — Human oversight: all assessment results are reviewed by HR professionals before being used in any employment decision. No decision is made solely on the basis of automated output.
- Article 15 — Accuracy: scoring models are reviewed quarterly for accuracy and demographic fairness.
You have the right to request a human explanation of any automated result and the right to object to automated processing under GDPR Article 22.
| Sub-processor | Country | Purpose | Safeguard |
|---|---|---|---|
| Vercel Inc. | USA | Application hosting and serverless compute | Standard Contractual Clauses (SCCs) |
| Supabase Inc. | USA | Database storage and real-time services | SCCs / Data Processing Agreement |
| Clerk Inc. | USA | Authentication and user identity management | SCCs / DPA |
| Stripe Inc. | USA | Payment processing and subscription management | SCCs / DPA |
| Anthropic PBC | USA | AI language model inference (AI Assistant) | SCCs / Usage Policy |
To exercise any of these rights, use the Privacy Centre in your dashboard or email privacy@peopleos.health. We will respond within 30 days as required by GDPR Article 12.
If you believe we have handled your data unlawfully, you have the right to lodge a complaint with your national data protection authority.
- Request a copy of all personal data we hold about you.
- Request deletion of your personal data ('right to be forgotten'). Exceptions apply where we have a legal obligation to retain data.
- Receive your data in a structured, machine-readable format (JSON/CSV).
- Request that we temporarily stop processing your data while a dispute is resolved.
- Request correction of inaccurate or incomplete data.
- Object to processing based on legitimate interest. You also have the right to object to automated decision-making under Art. 22.
- Withdraw any consent you have given at any time without affecting prior lawful processing.
PeopleOS is hosted in the European Union where possible. Some sub-processors operate in the United States. All international transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c).
A list of sub-processors and their transfer mechanisms is maintained at /dpa.
We may update this privacy notice to reflect changes in our processing activities or legal requirements. Material changes will be communicated via email to account holders.
This notice was last updated: June 2026. Version: 1.0.