Privacy policy
This privacy policy describes how Profilia collects and uses data when you visit profilia.app.
Data controller
The data controller is Adrien Albuquerque, a French sole trader (micro-entrepreneur) registered under SIRET 980 175 475 00014, APE code 6201Z. Contact: [email protected].
Data Protection Officer (DPO): no DPO is designated. Under art. 37 GDPR this is not mandatory in our case (small business, no large-scale processing of sensitive data, no systematic monitoring at scale). For any privacy-related question, please contact the data controller directly.
Minimum age
Profilia is intended for users aged 15 and older, in line with art. 8 GDPR and the French Data Protection Act. If you are under 15, please obtain consent from a parent or legal guardian before using the site.
Data collected
Anonymous audience measurement
When you browse Profilia, start or complete a test, we record the following events in a strictly anonymous way:
- The page or quiz and the profile obtained
- Completion duration
- Device type (mobile, desktop, tablet)
- Scores
- Language (French or English)
- Country derived from the browser's Accept-Language header
- Language detection: on your first visit, we read your browser's Accept-Language header to automatically suggest the site in your language. This information is not stored — only your explicit choice (clicking the language switcher) is remembered via a functional
localecookie. - The domain of the page you arrived from (e.g. google.com, reddit.com) — domain name only, never the full URL or query parameters
We do NOT collect any individual marketing attribution (UTM, landing page, ref_code) on these tables. That information is persisted only at explicit conversion events (outbound share, comparison, account deletion) on a dedicated table with no link to your browsing journey.
Rotating session identifier
To group events from the same visit we compute a session identifier from a truncated IP address (last octets zeroed), a coarse User-Agent (browser and OS family only, no version) and a secret salt regenerated every day and immediately thrown away. This "rotating salt" technique guarantees it is impossible to link two visits from the same user across different days. The identifier is therefore genuinely anonymous under the CJEU C-413/23 P ruling of 4 September 2025 and the CNIL guidelines of 4 July 2025 on consent-exempted audience measurement.
Aggregated data
Individual data is aggregated into daily statistics (number of completions per quiz and per profile). These aggregated statistics contain no individual information.
User account (optional)
Profilia offers optional account creation. Tests remain accessible without registration. If you choose to create an account, the following data is collected:
- Email address: used solely for magic link authentication (no password is stored)
- Name: to personalize your dashboard
- Quiz history: completed quizzes, profiles obtained, scores, and dates are saved to allow you to track your evolution
You may sync quiz history completed before account creation (stored locally in your browser) to your account. This synchronization is voluntary.
Comparison sessions
The "Challenge a friend" feature creates a comparison session that allows you to compare your results with a friend's. These sessions:
- Are accessible via a unique link (UUID) that you share
- Contain participant scores and profiles (anonymous data)
- Automatically expire after 30 days
- Anyone with the link can view the results
Personality DNA sessions
The "My DNA" feature generates a cross-quiz personality profile. By default your DNA is computed entirely in your browser from your local history: nothing is sent to the server. A session is only persisted in our database if you explicitly click "Share". In that case:
- It is accessible via a unique link (UUID)
- It contains profiles and dimensions from your quizzes (anonymous data)
- It automatically expires after 30 days
Cookies and third-party trackers
Google AdSense
The website displays ads via Google AdSense. Google may place cookies to personalize ads based on your interests. Learn more: Google's advertising policy.
Google Tag Manager and Google Analytics
The website uses Google Tag Manager (GTM) to manage tracking scripts, and Google Analytics 4 (GA4) to measure website audience (page views, session duration, geographic origin). These tools are only activated after your consent via Cookiebot. Without consent, no analytics data is collected (Google Consent Mode v2 set to "denied" by default).
Cookiebot
The website uses Cookiebot to manage your cookie preferences. Cookiebot places a cookie necessary to remember your consent choice. This cookie is exempt from consent as it is strictly necessary for the operation of the website.
Third-party services
Resend (transactional emails)
Login emails (magic links) are sent via the Resend service. Your email address is transmitted to Resend solely for sending the authentication email. Learn more: Resend's privacy policy.
Sentry (error tracking)
The website uses Sentry to detect and fix technical errors. Sentry collects technical diagnostic data: error messages, execution traces, browser type and version, URL visited at the time of the error, and IP address. IP addresses are automatically anonymized by Sentry and are not used for identification purposes. No other personal data (name, email, etc.) is transmitted. This processing is based on our legitimate interest in ensuring service stability. Learn more: Sentry's privacy policy.
Legal basis
- Legitimate interest: anonymous quiz tracking allows us to improve the service (usage statistics, abandon rates, profile distribution). Technical error tracking (Sentry) also falls under legitimate interest.
- Consent: third-party advertising cookies (AdSense) and analytics cookies (Google Analytics) rely on your consent via Cookiebot.
- Performance of contract: collecting your email during account creation is necessary to provide the authentication and quiz history service.
Data retention
- Anonymous audience measurement data (quiz completions, starts, page views): retained for up to 25 months, then purged automatically (CNIL maximum for consent-exempted audience measurement).
- Attributed conversion data (shares, signups with UTM): retained for up to 13 months.
- User account data: retained as long as your account is active. When you delete your account, a 30-day grace period lets you cancel via an email link; after that, all of your personal data (account, email, sessions, badges) is permanently erased and your quiz results are detached from your identity (kept for aggregate statistics only).
- Magic link authentication tokens: valid for 15 minutes, then purged hourly.
- Comparison sessions: automatically deleted after 30 days.
- Shared DNA sessions: automatically deleted after 30 days.
- Server access logs (nginx): IP addresses are truncated (/24 for IPv4, /48 for IPv6) before being written.
- Aggregated statistics (DailyStat): retained indefinitely as they cannot be linked to any individual.
Sub-processors and non-EU transfers
Profilia relies on a limited set of sub-processors. Each is covered by a Data Processing Agreement and, for US vendors, by the EU-US Data Privacy Framework:
- Hetzner Online GmbH (Germany) — servers and database hosting. No non-EU transfer.
- Resend (United States, DPF) — sending magic link and account deletion emails.
- Sentry (United States, DPF) — technical error monitoring, IPs anonymised at source.
- Google LLC (United States, DPF) — Google Tag Manager, Google Analytics 4, AdSense. Only activated after your consent via Cookiebot.
- Cloudflare (United States, DPF) — CDN and anti-DDoS protection, processes anonymised technical logs.
- Cybot A/S (Cookiebot) (Denmark) — cookie consent management. No non-EU transfer.
Your rights
Under the GDPR, you have the following rights:
- Right of access: know what data concerns you
- Right to rectification: have inaccurate data corrected
- Right to erasure: request the deletion of your data
- Right to object: object to the processing of your data
- Right to data portability: receive your data in a structured format
If you have an account: you can export all of your personal data as JSON from the "Data & privacy" section of your settings, and trigger account deletion with a 30-day grace period from the same screen.
Anonymous audience measurement data: thanks to the daily rotating salt, it is technically impossible for us to identify your visits among aggregate data. We cannot honour an individual erasure request on these tables, but they are purged automatically after 25 months at the latest.
Right to object to tracking: our internal audience measurement is exempt from consent because it is genuinely anonymous, so there is nothing to "disable" on our side. Third-party marketing cookies (Google Analytics, AdSense) are managed via the Cookiebot banner, which you can reopen at any time via the "My cookie preferences" link in the footer.
Right to complain: if you believe your rights are not respected, you may lodge a complaint with the French data protection authority (CNIL).
For any questions or requests, contact us at: [email protected].
Changes
This policy may be updated at any time. The date of the last modification is indicated below.
Cookie declaration
The list below details the cookies used on this site. You can change your preferences at any time.
Last updated: April 9, 2026