privacy

Privacy policy.

What we collect, why we collect it, how long we keep it, and the choices you have.

Last updated · 26 May 2026

The short version

We collect what we need to give you a what-world-way test and a personal portrait — your answers, your result, and (if you sign up or buy unlocked content) an email address. Payments are handled by Stripe; we don’t see your card details. We don’t use Google Analytics or any other third-party analytics service. We don’t set tracking cookies. We don’t share your data with advertisers. If you just browse our site without starting a test, we don’t even know you were here. You can delete your account at any time and we’ll erase it.

data controller

Potentialisation Ltd, registered in England & Wales. See Company details.

data-protection contact

privacy@whatworldway.com

What we collect

Test answers and results

Your responses to the What, World, and Way questionnaires, the scores derived from them, and the resulting archetype / world / way assignments. These are the core of the service.

Account information

If you create an account: your email address, a hashed password (we never store the plain text), and the date you joined. Optional: a display name. We don’t require any other personal information.

Guest data

If you take the test without signing up, an anonymous “guest” account is created for you on our servers when you start your first test. Your answers and result are stored against that guest account, identified only by an internal ID — no email, no name, nothing else attached. If you later provide an email to save your results, the same account becomes a full account with your email on it. If you sign in instead to an existing account from a previous visit, the guest account’s data is merged into your existing account and the guest record is removed.

If you visit our site without starting a test, no account is created and no record of your visit is kept.

Payment information

If you buy paid content, payment is processed by Stripe, which handles your card details directly under its own privacy policy. We receive only a confirmation that the payment succeeded, the amount, and a Stripe transaction reference — we don’t see your full card number, CVC, or billing address. We store the transaction reference, the date, the amount, and what was unlocked against your account, for accounting and customer-service purposes.

Technical data

Standard server logs (IP address, user-agent, request path and timestamp) are kept for security and debugging, retained for 30 days, and not used for any analytics or marketing purpose.

We do not use Google Analytics or any other third-party analytics service. No tracking cookies are set on your device. No tracking pixels load from third-party domains. We do not share any data about your visit with advertisers, analytics providers, or anyone else.

Usage events on your own account

Once you start a test, we record a small number of usage events — test starts and completions, combo page views, feedback clicks, share clicks — tied to your user account (whether you’re a guest or a registered user). We use these solely to understand how the product is being used so we can improve it. These events are stored on our own servers, retained for 90 days as individual rows, and then rolled into anonymous daily aggregates that we keep indefinitely. They are not shared with anyone outside Potentialisation Ltd. Our legal basis is legitimate interest in improving the service; the assessment is documented in our internal Legitimate Interest Assessment.

Anonymous channel attribution

Links to our site that we publish on social media, in newsletters, or in shared documents may include a short tag in the URL — for example ?src=fb-launch. When you land on a page carrying such a tag, our server increments an anonymous counter so we can see how many people each channel sent us. The counter does not identify you, store anything in your browser, or link to any other data. We are simply counting the link clicks.

How we use your data

  • To compute and display your what-world-way result.
  • To save your account and let you return to your portrait.
  • To send service emails (sign-in, password reset).
  • To process payments for unlocked content (via Stripe) and to keep a record of what you’ve bought.
  • To improve the test — anonymised, aggregated patterns across many users help us refine wording and validation.
  • To understand how people are using the product — which combinations land well, where people drop off, how long people spend reading their portrait — so we can improve it. We don’t use this data for marketing or to make decisions that affect you individually.
  • To meet legal obligations (e.g. responding to lawful requests from authorities).

What we don’t do

  • We don’t sell your data to third parties.
  • We don’t share your individual results with employers, insurers, or marketers.
  • We don’t use your answers to train external AI models.

Legal basis (UK GDPR / EU GDPR)

We process your data on these bases:

  • Performance of a contract — to deliver the test you asked for.
  • Legitimate interests — for security, fraud-prevention, server-side usage analytics, and aggregated product improvement, balanced against your rights and freedoms. Our Legitimate Interest Assessment for usage analytics is documented internally and available on request.
  • Legal obligation — to keep accounting records for the period required by UK tax law.

Retention

Data typeRetention
Account informationUntil account deletion (you can delete at any time)
Test answers and resultsUntil account deletion
Server logs30 days
Usage events (individual)90 days
Usage events (anonymous aggregates)Indefinitely
Anonymous source-hit countersIndefinitely (already aggregate, never tied to a person)
Payment records (transaction reference, amount, date, what was unlocked)7 years (UK accounting / HMRC requirement)

Inactive accounts (no sign-in for 24 months) are flagged for deletion and erased after a 30-day grace period.

Your rights

You have the right to:

  • Access — request a copy of the personal data we hold about you, including your test answers and results, any saved profile information, and a list of usage events tied to your account from the last 90 days. Email privacy@whatworldway.com from the address attached to your account.
  • Correct it if it’s inaccurate.
  • Erasure — delete your account at any time from your account settings, or email us. All personal data, test results, and usage events are removed within 30 days. Anonymous aggregates that contained your data before deletion remain in our statistics, but they no longer link to anything identifying you.
  • Receive a portable copy.
  • Object to processing based on legitimate interests.
  • Lodge a complaint with the UK Information Commissioner’s Office (ICO) or your local supervisory authority.

To exercise any of these, email privacy@whatworldway.com. We’ll respond within 30 days.

Cookies

We use only strictly necessary cookies (sign-in session, guest identity, security tokens). We do not set analytics cookies, marketing cookies, or any other non-essential cookie. Because we don’t use non-essential cookies, we don’t need a cookie banner. See our cookie notice for the full list.

International transfers

Our infrastructure is hosted in the EU/UK. We do not transfer personal data outside the UK or EEA for analytics or marketing purposes.

Children and under-18s

what-world-way is intended for adults and is not intended for anyone under 18. We do not knowingly collect personal data from people under 18. If you believe someone under 18 has signed up, contact privacy@whatworldway.com and we’ll delete the account.

Changes to this policy

We may update this policy from time to time. The “last updated” date at the top of this page reflects the most recent change. For material changes affecting how we process your data, we’ll notify account holders by email.