Governance & DEI · Data Architecture

Data Boundary
Navigator

What belongs to the individual, what belongs to the organisation, and what requires explicit consent to share. GDPR-aligned. No data leaves this browser.

Ownership Boundary Matrix

Data Category Owner Org Visibility Consent Required
Birth chart (astro, HD, Mayan, Chinese)IndividualNever raw — only behavioral tags in aggregateExplicit, per-use
Gene Keys profile + shadow patternsIndividualAnonymous aggregate onlyExplicit, per-use
Personal assessment results (BFI, Enneagram)IndividualTeam aggregate without namesExplicit, per-use
Psychosocial health scores (COPSOQ, CBI)IndividualNever identifiable — anonymous org health index onlyExplicit, per-use
Biorhythm + daily readiness windowsIndividualOnly with scheduling opt-inPer-session consent
Team role assignments + capacity dataSharedVisible to team lead + org adminOnboarding consent
Elemental balance + team composition mapOrganisationVisible to org members (anonymised)Implied — no PII
Org-level diagnostic results (aggregates)OrganisationOrg dashboard, no individual traceImplied — no PII
Spiral Dynamics org assessmentOrganisationFull org visibilityImplied — org-level only
Decision architecture + governance mapOrganisationFull org visibilityImplied — org-level only
DEI scenario responses (Communication Compass)IndividualNever stored or sharedN/A — browser-local only
Name, email, subscription tierSharedOrg admin only (billing)Account creation consent

Consent Decision Tree

Work through these 4 gates before sharing any individual data at the organisational level.

1

Does this data directly identify the individual (name, email, birth date, or chart that can be traced back)?


GDPR Protocol Reference

🔒

Tier 1 — Browser-Local Only

Global Inclusion Markers, Communication Compass, Biomimicry Compass. Zero data transmitted. No server storage. Article 9 safe.

📋

Tier 2 — Authenticated, Individual

Birth charts, HD profiles, personal assessments. Stored in Supabase EU. User can delete at any time. Data never shared with org.

🏛️

Tier 3 — Anonymous Aggregate

Team resonance scans, elemental balance maps, psychosocial health indices. Individual responses stripped. Org sees patterns only.

📜

Tier 4 — Explicit Consent Required

Any individual-identifiable data shared with org. Per-use consent, logged, revocable. Must pass the 4-gate decision tree above.

🗑️

Right to Erasure (Art. 17)

Users can request full data deletion at any time. All Supabase records, auth session, and cached browser data removed within 30 days.

📦

Data Portability (Art. 20)

Users can export all personal data in machine-readable JSON. Includes charts, assessments, journey completions. Delivered within 30 days.