Governance & DEI · Data Architecture
What belongs to the individual, what belongs to the organisation, and what requires explicit consent to share. GDPR-aligned. No data leaves this browser.
Ownership Boundary Matrix
| Data Category | Owner | Org Visibility | Consent Required |
|---|---|---|---|
| Birth chart (astro, HD, Mayan, Chinese) | Individual | Never raw — only behavioral tags in aggregate | Explicit, per-use |
| Gene Keys profile + shadow patterns | Individual | Anonymous aggregate only | Explicit, per-use |
| Personal assessment results (BFI, Enneagram) | Individual | Team aggregate without names | Explicit, per-use |
| Psychosocial health scores (COPSOQ, CBI) | Individual | Never identifiable — anonymous org health index only | Explicit, per-use |
| Biorhythm + daily readiness windows | Individual | Only with scheduling opt-in | Per-session consent |
| Team role assignments + capacity data | Shared | Visible to team lead + org admin | Onboarding consent |
| Elemental balance + team composition map | Organisation | Visible to org members (anonymised) | Implied — no PII |
| Org-level diagnostic results (aggregates) | Organisation | Org dashboard, no individual trace | Implied — no PII |
| Spiral Dynamics org assessment | Organisation | Full org visibility | Implied — org-level only |
| Decision architecture + governance map | Organisation | Full org visibility | Implied — org-level only |
| DEI scenario responses (Communication Compass) | Individual | Never stored or shared | N/A — browser-local only |
| Name, email, subscription tier | Shared | Org admin only (billing) | Account creation consent |
Consent Decision Tree
Work through these 4 gates before sharing any individual data at the organisational level.
Does this data directly identify the individual (name, email, birth date, or chart that can be traced back)?
GDPR Protocol Reference
Tier 1 — Browser-Local Only
Global Inclusion Markers, Communication Compass, Biomimicry Compass. Zero data transmitted. No server storage. Article 9 safe.
Tier 2 — Authenticated, Individual
Birth charts, HD profiles, personal assessments. Stored in Supabase EU. User can delete at any time. Data never shared with org.
Tier 3 — Anonymous Aggregate
Team resonance scans, elemental balance maps, psychosocial health indices. Individual responses stripped. Org sees patterns only.
Tier 4 — Explicit Consent Required
Any individual-identifiable data shared with org. Per-use consent, logged, revocable. Must pass the 4-gate decision tree above.
Right to Erasure (Art. 17)
Users can request full data deletion at any time. All Supabase records, auth session, and cached browser data removed within 30 days.
Data Portability (Art. 20)
Users can export all personal data in machine-readable JSON. Includes charts, assessments, journey completions. Delivered within 30 days.