1. Introduction
This Privacy Policy explains how Optimas Organisasjonspsykologi AS ("Optimas", "we") collects and uses personal data through the OnlineJTI platform. It applies to Practitioners, Respondents, and visitors to onlinejti.com.
We process personal data in line with Regulation (EU) 2016/679 (the GDPR), the Norwegian Personal Data Act, and applicable EEA national rules. Our internal Data Protection Policy (DPP-001) sets out the technical and organisational measures behind this Policy and is available on request.
If you only want a quick summary, the most important points are: we collect what is necessary to deliver the Assessment and Reports; we host data in Germany; we share data only with the sub-processors listed in section 8; you can export and delete your personal data at any time.
2. Our role: controller and processor
OnlineJTI serves two distinct types of users, and our role under the GDPR depends on the type of data:
- Respondent assessment data: The Practitioner's organisation is the data controller. Optimas processes the data on the Practitioner's behalf as a data processor under a Data Processing Agreement.
- Practitioner accounts, billing, platform telemetry: Optimas is the data controller.
- Public website and marketing communications: Optimas is the data controller.
If you are a Respondent and want to exercise rights over your assessment data (for example to obtain a copy or to have it deleted), please contact your Practitioner first; you may also contact us directly using the details in section 18 and we will route the request as needed.
3. Personal data we collect
What we collect depends on how you use the Service.
From Practitioners
- name, email, phone number (optional), preferred language, profile photo (optional);
- the organisation, Distributor and team you belong to, and your role within them;
- JTI certification status;
- account credentials (password stored as a salted bcrypt hash) and authentication tokens;
- credit balance, purchase history and invoices;
- free-text notes, team-context information and chat messages you submit to AI features;
- logs of activity inside the platform, IP address and browser metadata for security and abuse prevention;
- communications you send us through email, in-app messages and support requests.
From Respondents
- name, email, and (optional) age, gender, occupation, education level, language;
- your 56 answers to the JTI questionnaire (each stored as A or B), the calculated personality type and the eight dimension scores (E/I, S/N, T/F, J/P);
- the timestamp at which you completed the Assessment and the last time your record was accessed;
- any reflection answers, journal entries or chat messages you submit to AI features in the course or coaching modules;
- any team allocation chosen by your Practitioner;
- delivery records of emails or SMS messages we send to you (without the message content after delivery).
From visitors to onlinejti.com
- essential cookies for session, security and language preference (see our Cookie Policy);
- server logs (IP, browser, referrer) for the period needed to operate the site securely.
We do not collect special-category data (such as health, religion or political opinion) within the meaning of Article 9 of the GDPR. JTI personality results are not Article 9 data, but we treat them as sensitive and limit access accordingly.
4. How we use personal data
We use personal data to:
- deliver the Service: invite Respondents, score the Assessment, generate Reports, host course and coaching content;
- manage Practitioner accounts, balances and invoicing;
- communicate with you about Assessments, Reports, account changes and security notices;
- operate AI features (type insights, team analysis, course coach) by sending the necessary inputs to our AI sub-processors as described in section 7;
- secure the Service against fraud, abuse, account takeover and excessive load;
- improve the Service through aggregated and anonymised statistics;
- comply with legal obligations including tax, accounting and incident-reporting duties;
- send marketing emails to Practitioners who have opted in (Respondents do not receive marketing).
5. Legal bases for processing
We process personal data under the following legal bases (GDPR Article 6):
- Performance of a contract (Article 6(1)(b)) for delivering the Service to Practitioners and to Respondents who have accepted an invitation;
- Legitimate interests (Article 6(1)(f)) for security, fraud prevention, abuse prevention, internal administration, and aggregated product improvement; we have weighed these interests against your rights and concluded the processing is necessary and proportionate;
- Compliance with legal obligations (Article 6(1)(c)) such as accounting, tax and incident notification;
- Consent (Article 6(1)(a)) for marketing communications and any optional features that say they require consent. You can withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
6. Sensitive data
JTI Assessment results describe psychological preferences and are not health data or other special-category data under Article 9 of the GDPR. Even so, we treat them as sensitive: access is restricted to your Practitioner and to the small number of Optimas staff who need access for support and security purposes, and we apply the data-minimisation, retention and security measures set out in this Policy.
7. AI-assisted features and data sent to AI providers
OnlineJTI uses Anthropic (Claude), OpenAI and Groq to generate the text shown in our type insights, team analysis and course coach features. We use these providers under signed Data Processing Agreements that include the EU Standard Contractual Clauses for transfers outside the European Economic Area, and we instruct each provider not to retain inputs and not to use them to train their models.
What we send to AI providers (depending on the feature you use):
- your personality type code and dimension scores;
- first names of team members in team analysis;
- free-text content you submit, such as practitioner notes, team-context information, reflection answers and chat messages;
- course and module context required to answer your question.
What we do not send:
- email addresses, phone numbers or postal addresses;
- passwords, authentication tokens or payment data;
- your full set of 56 raw assessment answers;
- national-identification numbers.
All AI calls are made server-to-server from our backend; AI provider keys are not exposed to the browser. Conversation and analysis history is stored in our own database for as long as your account is active or until you delete a session, whichever comes first.
AI features do not produce automated decisions that have legal or similarly significant effects on you within the meaning of Article 22 of the GDPR. A qualified Practitioner remains in the loop for any decision based on AI output.
8. Sub-processors
We engage the following sub-processors to operate the Service. Each is bound by a written agreement that incorporates GDPR-compliant terms.
| Sub-processor | Purpose | Location | Transfer basis |
|---|---|---|---|
| Hetzner Online GmbH | Primary infrastructure hosting (servers, database) | Germany (EU) | Data Processing Agreement; no transfer outside the EEA |
| GitHub (Microsoft) | Source code, container registry, CI/CD logs | United States | Data Processing Addendum with EU Standard Contractual Clauses |
| Resend | Transactional email (invitations, results notifications, security alerts) | United States | Data Processing Agreement with EU Standard Contractual Clauses |
| Vonage (Ericsson) | SMS delivery (two-factor authentication, notifications) | EU processing | Data Processing Agreement |
| Anthropic | AI text generation (Claude) | United States | Data Processing Agreement with Standard Contractual Clauses; zero retention configured |
| OpenAI | AI text generation | United States | Data Processing Agreement with Standard Contractual Clauses; zero retention configured |
| Groq | AI inference fallback | United States | Data Processing Agreement with Standard Contractual Clauses; zero retention configured |
We perform due diligence on each sub-processor before engagement. The current list is also published in our internal Data Protection Policy. We will give Practitioners reasonable advance notice of material changes to this list.
9. International data transfers
Primary processing takes place inside the European Economic Area (Hetzner, Germany). Some sub-processors are based in the United States. For those transfers we rely on the European Commission's Standard Contractual Clauses (SCCs) included in the relevant Data Processing Agreement, supplemented where necessary by additional technical safeguards such as encryption in transit and at rest.
You may request a copy of the SCCs in force for any specific sub-processor by emailing privacy@onlinejti.com.
10. Retention and anonymisation
We keep personal data only for as long as necessary for the purposes set out in this Policy.
| Data category | Retention period | End-of-life treatment |
|---|---|---|
| Assessment responses, computed type, scores | Until anonymisation triggered (request, dormancy or contract end) | Anonymisation: name and email removed; type and scores retained for aggregate statistics only |
| Generated PDF Reports | Until anonymisation triggered | Deleted from all storage paths |
| Practitioner account data | Duration of contract plus 12 months | Account deactivation and data minimisation |
| System and security logs | 90 days | Automated rotation and deletion |
| Anonymisation audit trail | 7 years | Retained for compliance; contains no personal data |
| Invoices and accounting records | 5 years | Retained as required by Norwegian bookkeeping law |
We operate automated dormancy-based anonymisation of Respondent assessment data. There is a minimum 90-day safety period before any record can be auto-anonymised. Respondents and Practitioners receive a warning email before scheduled anonymisation and can postpone it using a signed link.
You can also request immediate deletion of your assessment data at any time, as set out in section 14.
13. Marketing communications
We send marketing emails only to Practitioners who have opted in. Each marketing email includes an unsubscribe link, and you can also withdraw consent by contacting privacy@onlinejti.com.
Respondents do not receive marketing communications. Service emails (such as invitations and results notifications) are sent on the lawful basis of contract performance and cannot be unsubscribed from while you have an active Assessment record.
14. Your rights
Under the GDPR you have the following rights regarding your personal data. We respond to verified requests within 30 days.
- Right of access (Article 15) — obtain confirmation of processing and a copy of your personal data.
- Right to rectification (Article 16) — correct inaccurate or incomplete data. Assessment responses themselves cannot be edited after completion (this is a data-integrity requirement of the JTI methodology), but the surrounding identity data can be corrected by your Practitioner.
- Right to erasure (Article 17) — request deletion of your personal data. We implement this through anonymisation that removes identifying fields while retaining the type and scores in non-identifiable form for aggregate statistics.
- Right to restriction of processing (Article 18) — pause processing in defined circumstances.
- Right to data portability (Article 20) — receive your data in a structured, commonly used, machine-readable format. Respondents can self-serve a JSON export from the account page.
- Right to object (Article 21) — object to processing based on legitimate interests, including profiling.
- Right to withdraw consent — at any time and without affecting the lawfulness of prior processing.
- Right not to be subject to automated decision-making with legal or similarly significant effects (Article 22) — we do not carry out such decision-making.
Self-service
Respondents can export their data and request immediate deletion from the privacy section of the account page (/account). The deletion runs through our AnonymizationService and is irreversible.
How to exercise your rights
For data tied to an Assessment, contact your Practitioner first; they are the data controller. You may also contact us directly at privacy@onlinejti.com and we will route the request to the right party.
Right to lodge a complaint
If you believe we have not handled your personal data correctly, you can complain to a supervisory authority. The lead supervisory authority for Optimas is the Norwegian Data Protection Authority (Datatilsynet), Postboks 458 Sentrum, 0105 Oslo, Norway, post@datatilsynet.no, https://www.datatilsynet.no.
15. Security
We use technical and organisational measures appropriate to the risk, including:
- TLS 1.2 or higher for all data in transit;
- encryption at rest for our databases and backups;
- salted bcrypt password hashing and JWT-based authentication;
- two-factor authentication via SMS for sensitive accounts;
- role-based access control and multi-tenant isolation per Distributor;
- vulnerability management, dependency monitoring and routine patching;
- an Incident Response Plan with breach-notification commitments to supervisory authorities within 72 hours and to affected users without undue delay where required by law.
No security measure is perfect. If you discover a vulnerability, please report it to security@onlinejti.com.
16. Children
The Service is not directed at children under 16, and we do not knowingly collect personal data from children under 16. If you become aware that a child has provided personal data to the Service, please contact privacy@onlinejti.com so we can remove it.
17. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The current version is shown at the top of this page. When we make material changes, we update the version reference and prompt you to re-accept inside the application before your next use of the Service.
18. Contact and supervisory authority
Optimas Organisasjonspsykologi AS is the controller of personal data described in this Policy except where stated otherwise.
Optimas Organisasjonspsykologi AS
[[REGISTERED_ADDRESS]]
Norwegian organisation number: [[NO_ORG_NUMBER]]
Privacy and data-subject requests: privacy@onlinejti.com
Legal and DPA requests: legal@onlinejti.com
Security issues: security@onlinejti.com
You may also contact the Norwegian Data Protection Authority (Datatilsynet) at post@datatilsynet.no.