Last updated: March 2026
1. Information We Collect
When you use HEXACO Lab (the HEXACO Personality Test and the BrainType Intelligence Test), we collect the following information:
- Test Responses: Your answers to test questions
- Test Results: Calculated scores based on your responses, stored on our servers to generate shareable result pages
- Browser Locale: Your browser's language and region setting (e.g. "en-US", "ko-KR") for aggregated regional statistics
- Visitor Identifier: A randomly generated ID stored in your browser's localStorage to understand usage patterns such as returning visitors and cross-test participation. This ID is a pseudonymous identifier not linked to your real-world identity
- Usage Data: Anonymous, privacy-focused analytics data including page views and referral sources
2. Legal Basis for Processing
We process your personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR):
- Consent (Art. 6(1)(a) GDPR): We process your test responses and personality/intelligence scores based on your explicit consent, which you provide by voluntarily taking the test
- Legitimate Interest (Art. 6(1)(f) GDPR): We process anonymous, aggregated analytics data (e.g. page views, participation counts) to improve our service. This processing poses minimal risk to your rights and freedoms
- Consent for Google Analytics: Google Analytics cookies are only activated after you provide explicit consent via the cookie settings banner, in accordance with ePrivacy and GDPR requirements
3. How We Use Your Information
We use the collected information to:
- Generate and display your test results
- Provide shareable result pages via unique URLs
- Understand usage patterns (e.g. returning visitors, test completion rates) to improve our service
- Display aggregated participation counts
4. Data Storage
Your test results and scores are stored on our servers to provide shareable result pages. Test progress and a reference to your latest result are also stored in your browser's localStorage for convenience. We do not collect your name, email address, or any other personally identifiable information unless you voluntarily provide a nickname for your result.
5. Data Retention
We retain your data according to the following schedule:
- Test Results: Retained indefinitely to maintain shareable result URLs. Upon request, test results will be deleted within 30 days
- Visitor Identifier: Stored in your browser only (localStorage). You can clear it at any time through your browser settings
- Google Analytics Data: Retained per Google Analytics 4 (GA4) default retention settings
- Umami Analytics Data: Aggregated anonymous data only. No personal data is retained by Umami
6. Cookies, Local Storage & Consent
We use the following browser storage:
- localStorage: To save test progress, recent results, and a randomly generated visitor identifier. localStorage operates under the strictly necessary exemption as it is required for the core functionality of the service. You can clear this data at any time through your browser settings
- Essential Cookies: Required for the website to function properly (e.g. locale preferences)
- Analytics Cookies: Google Analytics cookies to understand how visitors use our site. These are only enabled with your consent via the cookie settings banner. We implement Google Consent Mode v2 to ensure analytics tags respect your consent choices
We do not use advertising cookies or tracking pixels. Umami Analytics is entirely cookieless and does not require consent. You can manage your cookie preferences at any time through the cookie consent banner.
7. Third-Party Services
We use the following third-party services:
- Google Analytics: For website analytics, event tracking, and understanding user behavior. Google Analytics uses cookies and is subject to your cookie consent preferences. You can opt out via the cookie settings banner
- Umami Analytics: A privacy-focused, cookie-free analytics tool for additional site usage insights. Umami does not collect personal data or use cookies
- Vercel: For website hosting and deployment
8. International Data Transfers
Your data may be transferred to and processed in the United States through the following service providers:
- Vercel (US): Hosts our website and stores test result data
- Google (US): Processes analytics data through Google Analytics
For transfers of personal data from the EEA, UK, or Switzerland, these providers rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism to ensure adequate protection of your data.
9. Automated Decision-Making
Your personality and intelligence scores are calculated automatically based on your test responses using standardized scoring algorithms. These results are provided solely for informational and self-discovery purposes. No automated decision-making produces legal effects or similarly significant effects on you.
10. Your Rights
For EEA, UK, and Swiss Residents (GDPR)
Under the GDPR, you have the following rights:
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate personal data
- Right to Erasure: Request deletion of your personal data
- Right to Restriction: Request that we restrict processing of your personal data
- Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format
- Right to Object: Object to processing based on legitimate interest
- Right to Withdraw Consent: Withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
- Right to Lodge a Complaint: File a complaint with your local data protection supervisory authority
We will respond to GDPR requests within 30 days.
For California Residents (CCPA)
Under the California Consumer Privacy Act (CCPA), California residents have the following rights:
- Right to Know: Request information about the categories and specific pieces of personal information we have collected about you
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out of Sale: We do NOT sell your personal information to third parties
- Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your privacy rights
We will respond to CCPA requests within 45 days.
How to Exercise Your Rights
Since HEXACO Lab does not require account registration, please identify yourself by providing your result URL or visitor ID (found in your browser's localStorage) when submitting a request. Contact us at privacy@hexacolab.com to exercise any of the rights described above.
11. Do Not Track / Global Privacy Control
We honor Global Privacy Control (GPC) signals. When we detect a GPC signal from your browser, we treat it as a valid opt-out request for the sale or sharing of personal information (though we do not sell your data) and limit analytics data collection accordingly.
12. Data Controller
The data controller for HEXACO Lab is HEXACO Lab, operated by GRABA. For any data protection inquiries, you can reach us at: privacy@hexacolab.com
13. Data Security
We implement appropriate security measures to protect your information, including encrypted connections (HTTPS). However, no method of transmission over the Internet is 100% secure.
14. Children's Privacy
Our service is not directed to children under 16. In some jurisdictions, the minimum age may be lower (e.g. 13 in the United States under COPPA). We do not knowingly collect personal information from children under the applicable minimum age in their jurisdiction.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page with an updated date.
16. Contact Us
If you have questions about this Privacy Policy, please contact us at: privacy@hexacolab.com