Privacy Policy

Last updated: May 24, 2026

1. Who we are

Metryval is operated by Metryval Pte Ltd, a Singapore private limited company. The public operator byline on Substack, X (@metryval), and editor correspondence is Tomas Cantor— a locked pseudonym disclosed openly here so the operator’s byline is portable across surfaces without conflating with any individual person’s public identity.

For data-handling questions in this document, “we” means Metryval Pte Ltd. The full controller-of-record on any future cross-border data-transfer agreement is the same Pte Ltd entity.

2. What we collect

When you take the Metryval assessment, we collect:

  • Assessment responses — your answers to the approximately 370 assessment items
  • Computed results — your nearest reference pattern, dimension scores, and orbital patterns
  • Session data — device type, browser language, timezone, and screen resolution
  • Response timing — how long you spend on each question (used for quality calibration and validity scales, never surfaced as a behavioral score)
  • Email address — only if you choose to create an account or purchase a product

3. How we use your data

  • To deliver your results — computing your nearest reference pattern and personalized read
  • To improve the assessment — we use de-identified response patterns (with all personal identifiers removed) to calibrate item accuracy and develop population norms
  • To deliver purchased products — Blueprints, Pulse drops, and subscription features
  • To send account communications — purchase receipts, assessment updates (only if you provide your email)

4. We never sell your data

We do not sell, rent, or share your personal information with third parties for their marketing purposes. Period. Your assessment data is never used for advertising targeting and never used to train third-party AI systems.

5. De-identified research data

For scientific calibration and norming, we create de-identified datasets that contain only dimension vectors, item responses, and timing patterns — with all personal identifiers (user IDs, email addresses, IP addresses, and device fingerprints) permanently removed. This de-identified data cannot be linked back to you and may be used for research, calibration, and academic publication.

6. AI regulations and use restrictions

Three AI-regulation disclosures live alongside this privacy policy. Each has its own canonical page; this section is the index.

  • EU AI Act Annex III item 4 (non-applicability). The EU AI Act classifies AI systems used for employment, worker management, and access to self-employment as high-risk under Annex III item 4. Metryval is not such a system. The architecture is consumer self-understanding; B2B selection, hiring, and personnel use cases are structurally excluded across all surfaces (consumer Lite, paid Blueprint, Couples Pack, Connected, F500, future Discord and Slack bots, and the Personality OS API). That exclusion is locked policy and binding on every paid plan and integration. See /methodology/policy for the full Policy Decisions Ledger entry (P-01).
  • California AB 2013 (training-data disclosure). AB 2013 requires public disclosure of training-data summaries for AI systems offered in California. Metryval’s scoring engine is deterministic and not LLM-based, so the training-data concept maps differently here than for generative AI. The published training-data summary is the Framework Reception Ledger at /methodology/frameworks with the canonical narrative at /methodology/transparency.
  • California SB 942 (latent watermarking). SB 942 applies to generative AI image and video outputs. The Blueprint and Lite Resonogram are not generative AI outputs in the SB 942 sense (text is structured rendering from a framework-governed substrate, not generative). The Resonogram Social Card (v1.1 deferred surface) will ship under SB 942 latent-watermarking requirements when AI-fusion is activated, per the scope spec.

7. Your rights

Specific rights depend on which jurisdiction you reside in. Across all three regimes below, the request channel is the same email address; we will route the request to the correct procedure.

If you are a California or US resident (CCPA). You have the right to:

  • Know what personal information we have collected about you
  • Delete your personal information (we will respond within 45 days)
  • Opt-out of any sale of personal information (we do not sell data, so this does not apply)
  • Non-discrimination — we will not treat you differently for exercising your rights

If you are an EU / EEA / UK resident (GDPR + UK GDPR). You have the right to:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure (right to be forgotten) — request deletion
  • Restrict processing — pause processing while a request is open
  • Data portability — receive your data in a machine-readable format
  • Object to processing based on legitimate interests
  • Lodge a complaint with your national supervisory authority

If you are a Singapore resident (PDPA). You have the right to:

  • Access personal data we hold about you
  • Correct inaccurate or incomplete data
  • Withdraw consent for processing
  • Complain to the Personal Data Protection Commission (PDPC)

To exercise any of these rights, email privacy@metryval.com. We respond to verified requests within the regime’s required window (45 days CCPA, 30 days GDPR, 30 days PDPA).

8. Data security and storage region

Your data is stored in Supabase (US East region) with row-level security policies. All data in transit uses TLS encryption. We implement technical safeguards to prevent re-identification of de-identified research datasets.

For EU / UK users, US storage is a cross-border transfer under GDPR. We rely on the EU–US Data Privacy Framework where applicable; for users outside that framework’s scope, we use Standard Contractual Clauses (SCCs) as the transfer mechanism.

9. Cookies

We use a single essential cookie (metryval_uid) to maintain your session and link your assessment results to your account. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We use server-side first-party analytics only; no IP addresses are stored alongside event data.

10. Children

Metryval is not directed to children under 16. If you are under 16, do not create an account or submit assessment responses. If we learn that we have collected personal data from a child under 16, we will delete that data promptly.

11. Changes to this policy

Material changes are announced via the “Last updated” date at the top of this page and (where you have provided an email address) via an email notice at least 30 days before the change takes effect. Continued use of Metryval after the effective date constitutes acceptance.

12. Contact

Privacy questions: privacy@metryval.com

Operator correspondence: tomascantor@metryval.com

Legal entity: Metryval Pte Ltd, Singapore. ACRA UEN available on request.

Terms of Service · Policy Decisions Ledger · Transparency · Back to Metryval