Privacy Policy
Last updated: 12 April 2026
1. Who we are
OTA Media Ltd (“OTA Media”, “we”, “us”) is the data controller for personal data processed through the OTA Media Leadership Index at index.otamediagroup.com and The Fifty at fifty.otamediagroup.com.
Registered office: Unit 82a James Carter Road, Mildenhall, Bury St. Edmunds, England, IP28 7DE
Contact: info@otamediagroup.com
ICO registration: Registered with the UK Information Commissioner's Office
2. What data we collect
When you use the Leadership Index, we may collect the following categories of personal data:
Account data: your name, email address, and authentication credentials when you create an account. If you sign in with Google, we receive your name and email from Google. We do not receive or store your Google password.
Assessment data: your responses to the psychometric assessment questions, your computed dimension scores, normalised scores, and your assigned leadership archetype. This is the core data generated through the Leadership Index.
Organisation data: if you join an organisation on the platform (for example, via a team invite), we store your membership of that organisation, your role within it, and your invitation status.
Payment data: if you subscribe to a paid plan, payment processing is handled entirely by Stripe. We store your Stripe customer ID and subscription status but never see or store your card number, bank details, or billing address.
Usage data: we collect anonymised analytics data including pages viewed, features used, and session duration through PostHog. This data is used to improve the product and is not linked to your identity.
Technical data: standard server logs including your IP address, browser type, and operating system. These are retained for security and debugging purposes.
3. How we use your data
We process your personal data for the following purposes:
To deliver the assessment: calculating your leadership scores, determining your archetype, and displaying your results. The lawful basis is performance of a contract (you request the assessment and we deliver it).
To manage your account: authenticating your identity, storing your assessment history, and enabling access to your dashboard. The lawful basis is performance of a contract.
To enable team features: if your organisation administrator invites you, we share your name, archetype, and aggregated scores with the organisation's admin dashboard. The lawful basis is legitimate interest (enabling the team functionality you opted into by accepting the invitation).
To produce The Fifty rankings: if you are a nominated participant in The Fifty, your assessment data contributes to the ranking methodology. Your individual responses are never published. Only your archetype and aggregated profile appear in the rankings. The lawful basis is legitimate interest.
To communicate with you: sending invitation emails, assessment confirmations, and product updates. The lawful basis is legitimate interest for transactional emails and consent for marketing emails. Every email includes an unsubscribe option.
To improve the platform: analysing anonymised usage patterns to improve the assessment experience. The lawful basis is legitimate interest.
4. How we protect your data
We take the security of your data seriously, particularly given the sensitive nature of psychometric assessment results. The following measures are in place:
Encryption: all data in transit is protected by 256-bit TLS encryption. Data at rest in our database is encrypted using AES-256.
Row-level security: every database table enforces row-level security policies. Your assessment data can only be accessed by you and, where applicable, your organisation's administrator. No other user can query, view, or export your individual responses or scores.
SOC 2 certified infrastructure: our database and authentication are hosted on Supabase, and the application is deployed on Vercel. Both providers hold SOC 2 Type II certification, meaning their security controls are independently audited.
Rate limiting and audit logging: all API endpoints are protected by rate limiting to prevent abuse. Sensitive operations (viewing results, sending invitations, accessing team data) are logged with an audit trail.
Input validation: all data submitted to the platform is validated server-side before processing, preventing injection attacks and malformed data.
5. Who we share your data with
We share personal data only with the following categories of recipients, and only to the extent necessary:
Supabase (database and authentication hosting). Your account data and assessment data are stored on Supabase's infrastructure in the EU. Supabase acts as a data processor on our behalf.
Vercel (application hosting). Serves the application and processes requests. Vercel acts as a data processor.
Stripe (payment processing). If you subscribe to a paid plan, Stripe processes your payment as an independent data controller under their own privacy policy.
Resend (email delivery). Transactional emails (invitations, confirmations) are delivered via Resend, which acts as a data processor.
PostHog (analytics). Anonymised usage data is processed by PostHog to help us improve the platform.
Your organisation administrator: if you accept a team invitation, your administrator can see your name, archetype, and dimension scores through the team dashboard. They cannot see your individual question responses.
We do not sell your personal data. We do not share your data with advertisers. We do not use your assessment responses to train AI models.
6. International data transfers
Our primary database is hosted by Supabase in the EU. Some of our processors (Vercel, Resend, PostHog) may process data in the United States. Where data is transferred outside the UK or EU, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission and the UK Information Commissioner.
7. How long we keep your data
Assessment data: retained for as long as your account is active, so you can track your leadership development over time. If you delete your account, your assessment data is permanently deleted within 30 days.
Account data: retained for as long as your account exists. You can request deletion at any time.
Server logs: retained for up to 90 days for security and debugging purposes, then automatically deleted.
Analytics data: anonymised and retained indefinitely as it cannot be linked back to you.
8. Your rights
Under UK GDPR, you have the following rights. To exercise any of them, email us at info@otamediagroup.com.
Right of access: request a copy of the personal data we hold about you.
Right to rectification: ask us to correct inaccurate personal data.
Right to erasure: ask us to delete your personal data. We will do so unless we have a lawful reason to retain it.
Right to restrict processing: ask us to limit how we use your data while a concern is being resolved.
Right to data portability: request your data in a structured, machine-readable format.
Right to object: object to processing based on legitimate interest. We will stop unless we have compelling grounds to continue.
We aim to respond to all requests within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk.
9. Cookies
The Leadership Index uses essential cookies for authentication (keeping you signed in) and session management. These are strictly necessary for the platform to function and do not require consent.
We use PostHog for anonymised product analytics. PostHog sets a cookie to distinguish unique visitors. This data is not used for advertising and is not shared with third parties.
We do not use advertising cookies, tracking pixels, or third-party marketing tools.
10. Children
The Leadership Index is designed for professionals and is not directed at anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
11. Changes to this policy
We may update this privacy policy from time to time. If we make material changes, we will notify you by email or through a notice on the platform. The “last updated” date at the top of this page indicates when the policy was most recently revised.
If you have any questions about this privacy policy or how we handle your data, contact us at info@otamediagroup.com.