WinnerScript

Privacy Policy

Effective date: 31 May 2026. This policy explains what personal data WinnerScript collects, why, how it is processed (including by AI), and how you can exercise your rights.

1. Controller and Contact

WinnerScript Platform ("WinnerScript," "we," "us") is the controller of personal data processed through the website and application.

Contact email: hello@winnerscript.ai
Data rights requests: use subject line "Data Request"
Response time: within 30 days of receiving a complete request

Full legal entity details are available on request for any regulatory or transactional matter.

2. Scope

This policy covers data processed when you visit our website, use the application, complete the questionnaire, receive reports, make purchases, or communicate with us. It does not cover third-party websites linked from our pages — those have their own policies.

3. Data We Collect and Process

3.1 Account Data

When you create an account:

Email address (used for login and communications)
Authentication identifiers (provided by our auth provider)
Account status (email verified, age verified)

3.2 Consent Records

Every consent you grant or revoke:

Type of consent (service, AI processing, data retention, marketing, analytics)
Timestamp of grant/revocation
IP address at time of consent (for accountability)
Consent version identifier

3.3 Assessment Data

When you complete the questionnaire:

Your responses to each question (Likert scale selections, ipsative pair choices)
Time taken per response
Session metadata (questionnaire version, session number, completion status)

The questionnaire does not collect free-text personal information, health data, or biographical details. All questions concern behavioral preferences and tendencies.

3.4 Derived Profile Data

Calculated from your responses by deterministic scoring algorithms:

48 instinct/sense scores
Element scores (per-element totals and per-phase breakdowns)
R.I.F.T. flow diagnostics
Social desirability indicator
Internal consistency score

3.5 AI-Generated Reports

Narrative text generated by AI (Anthropic Claude) based on your derived scores
Report metadata (generation date, model version, product type)
Reports are encrypted at rest using AES-256-GCM

3.6 Payment Data

Transaction metadata (product purchased, amount, discount code, date)
Stripe checkout session identifier
We do not store card numbers, CVV, or billing address — Stripe handles those directly

3.7 Technical and Security Data

Error logs and diagnostics (Sentry)
Rate limiting counters
CSRF tokens
Session replay data (LogRocket — only with your analytics consent)

3.8 Communication Data

Emails you send to our support address
Waitlist signups (email only, via Brevo)

4. Special Category Data (GDPR Article 9)

Your questionnaire responses and derived profile data may constitute special category personal data because they reveal information about psychological characteristics and behavioral tendencies. We process this data under Article 9(2)(a) GDPR — your explicit consent, which you provide before starting the assessment.

You may withdraw this consent at any time. Withdrawal does not affect the lawfulness of processing performed before withdrawal, but will prevent generation of new reports.

5. Purposes and Legal Bases

Purpose	Legal basis
Account creation and service access	Art. 6(1)(b) — contract performance
Questionnaire processing and scoring	Art. 6(1)(b) + Art. 9(2)(a) — explicit consent
AI report generation	Art. 6(1)(b) + Art. 9(2)(a) — explicit consent
Payment processing and accounting	Art. 6(1)(b) + Art. 6(1)(c) — legal obligation
Security, fraud prevention, service stability	Art. 6(1)(f) — legitimate interest
Analytics (session replay, usage patterns)	Art. 6(1)(a) — consent
Marketing communications	Art. 6(1)(a) — consent
Consent record-keeping	Art. 6(1)(c) + Art. 6(1)(f) — accountability

6. How AI Processes Your Data

This section explains exactly what happens when an AI report is generated:

Your questionnaire responses are scored by our deterministic algorithm (no AI involved in scoring).
The resulting numerical scores, element totals, R.I.F.T. diagnostics, social desirability sum, and consistency score are assembled into a data payload.
This payload — containing only numbers and diagnostic markers, never your email, name, or raw answers — is sent to Anthropic's Claude API along with our model documentation.
Claude generates a narrative essay interpreting the score patterns.
The generated text is checked for accidental personal data leakage, encrypted, and stored in your account.

Anthropic does not use data sent via API for model training (per their data usage policy). Your scores are not retained by Anthropic beyond the generation request.

We do not make solely automated decisions with legal or similarly significant effects based on your profile (GDPR Article 22). You may request human review of any report by contacting us.

7. Cookies and Similar Technologies

Strictly necessary (no consent required)

Session/auth cookies — maintain your login state
CSRF token — protect against cross-site request forgery
Locale preference (ws_app_locale) — remember your language choice
Consent state — remember your cookie preferences

Analytics (consent required)

LogRocket — session replay for debugging and UX improvement. Enabled only with your explicit analytics consent. Identifies you by email to correlate sessions.
Google Analytics 4 — aggregate page view statistics on the marketing site. IP anonymization enabled. Consent-gated via CookieYes.

You can change cookie preferences at any time through the cookie settings button in the website footer, or by revoking analytics consent in your account settings.

8. Data Recipients and Processors

We share personal data only with processors necessary for service delivery, under contractual data protection agreements:

Processor	Purpose	Data accessed	Location
Kinde	Authentication and identity	Email, auth tokens	Australia / US
Anthropic	AI report generation	Numerical scores only (no PII)	US
Stripe	Payment processing	Email, payment details	US / EU
Google Cloud Platform	Application hosting, database	All application data (encrypted)	EU (europe-west)
Cloudflare	CDN, DDoS protection, DNS	IP addresses, request metadata	Global edge network
Sentry	Error monitoring	Error context, stack traces	US
LogRocket	Session replay (consent-gated)	Email, session interactions	US
Brevo	Waitlist and marketing emails	Email address	EU (France)
CookieYes	Cookie consent management	Consent preferences, IP	UK

We do not sell personal data. We do not share data for third-party advertising purposes.

9. International Data Transfers

Some processors operate outside the European Economic Area (EEA). For such transfers, we rely on:

Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions where available
Additional technical measures (encryption in transit and at rest)

You may request information about the specific safeguards applied to transfers involving your data.

10. Data Retention

Category	Retention period
Account data	Duration of active account + deletion workflow
Assessment responses and scores	Duration of active account (deletable per-session)
Generated reports	Duration of active account (deletable individually)
Consent audit records	Duration of account + 3 years (accountability)
Payment/accounting records	5 years (Polish tax law requirement)
Security logs	7-90 days depending on log type
Marketing consent / waitlist	Until withdrawn or 2 years of inactivity

When you delete your account, we anonymize or erase personal data within 30 days, except where retention is required by law (tax records) or for legitimate defense of legal claims.

11. Your Rights Under GDPR

You can exercise the following rights at any time:

Access (Art. 15) — obtain a copy of your data. Available as JSON/CSV export in account settings.
Rectification (Art. 16) — correct inaccurate data.
Erasure (Art. 17) — delete your data. Available per-session or full account deletion in settings.
Restriction (Art. 18) — pause processing while a dispute is resolved. Toggle available in settings.
Portability (Art. 20) — receive your data in a structured, machine-readable format (JSON).
Objection (Art. 21) — object to processing based on legitimate interest.
Withdraw consent — revoke any optional consent at any time without affecting prior lawful processing.

Most rights can be exercised directly from your account settings without contacting us. For complex requests, email hello@winnerscript.ai.

You also have the right to lodge a complaint with your supervisory authority. In Poland: Prezes Urzędu Ochrony Danych Osobowych (UODO).

12. Data Security

All data in transit is encrypted via TLS 1.2+
AI-generated reports are encrypted at rest (AES-256-GCM)
Database access follows least-privilege principles
Authentication handled by dedicated identity provider (Kinde) — we do not store passwords
Consent and data access actions are logged for audit
Regular dependency updates and vulnerability monitoring

13. Children

WinnerScript is intended for users aged 18 and older. We do not knowingly collect data from anyone under 18. If we discover that data was collected from a minor, we will delete it promptly.

14. Automated Decision-Making and Profiling

WinnerScript performs profiling in the sense of GDPR Article 4(4) — it processes personal data to evaluate behavioral aspects. However:

No decisions with legal or similarly significant effects are made solely by automated means.
Reports are informational tools for personal reflection, not determinative assessments.
You may request human review of any automated output.
The profiling is based exclusively on your explicit consent (Art. 9(2)(a)).

15. Policy Updates

We update this policy when legal requirements, product features, or data processing practices change. Material changes will be communicated via email to registered users at least 14 days before taking effect. The "Effective date" at the top indicates the current version.

Previous versions are available on request.

Back to Landing