Privacy Policy

Effective 2026-05-06

Working draft, pending legal review. This document is a complete first draft prepared so counsel has substantive material to refine. It accurately reflects how we handle data today. We will post a new effective date when attorney-reviewed revisions land.

1. Who We Are

The Flourishing Assessment (the “Service”) is operated by Rhodium Ventures, a Georgia limited liability company. References to “we”, “us”, or “our” in this Privacy Policy mean Rhodium Ventures. If you have questions about this policy, contact jared@flourishingassessment.com.

2. Information We Collect

We collect the following categories of information:

  • Assessment responses. Your answers to questions drawn from 18 validated screening instruments: PHQ-9 (depression), GAD-7 (anxiety), ACE-10 (adverse childhood experiences), PEG-3 (pain), IPAQ-SF (physical activity), AUDIT-C (alcohol consumption), REAP-S (eating), and the v2 indices SPI-8 (stress perception), RSI-14 (restorative sleep), SAI-2 (substance awareness), ARI-6 (adaptive resilience), WBI-5 (wellbeing), BCI-8 (belonging and connection), DVI-6 (daily vitality), RLI-6 (rhythm and light), RQI-6 (relational quality), PMI-8 (purpose and meaning), and GYI-9 (Yield Index, our proprietary 9-item instrument). These responses are sensitive personal information.
  • Demographic information. Your biological sex (female, male, or prefer-not-to-say) and age range (one of five brackets). Both are required so we can tailor scoring and recommendations.
  • Contact information. The first name, last name (optional), and email address you provide when you request your results PDF.
  • Consent records. Whether you opted into newsletter or marketing communications, and the date of your consent.
  • Technical metadata. IP-address-derived coarse geographic region (city or country level only; not precise geolocation), a one-way hash of your IP and user-agent for abuse prevention, timestamps, and the route you took through the assessment. We do not collect precise geolocation (within 1,850 feet) as defined by California CCPA/CPRA.
  • Derived results. The scores we compute from your responses, including per-pillar percentages, the overall Flourishing Score, and tiered crisis-event codes (see Section 15 for how crisis-response data is handled). Crisis triggers are recorded as short codes (for example, PHQ9_ITEM9_GTE_1); identifiable underlying response values are not stored in the crisis log.

3. How We Use Your Information

We use your information to:

  • Score your assessment and generate your personalized report.
  • Send you the results PDF and a confirmation email to the address you provide.
  • Display in-app crisis resources in real time if your responses indicate elevated risk of self-harm.
  • Provide newsletter or product communications, but only if you expressly opted in.
  • Improve the Service by analyzing aggregate, de-identified usage patterns.
  • Comply with legal obligations, defend our legal rights, and prevent fraud or abuse.

We do not sell your personal information. We do not use your individual assessment responses for advertising or to train machine-learning models on identifiable data.

4. Legal Bases for Processing

Where applicable law (such as the EU GDPR, UK GDPR, Washington MHMDA, Nevada SB 370, Connecticut SB 3, California CPRA, and comparable consumer-health-data and privacy laws) requires a legal basis for processing, we rely on:

  • Your explicit, affirmative consent for collecting and processing your sensitive health-and-wellbeing responses. Consent is captured at two points: an active confirmation on the “Before you begin” screen (before any assessment questions are presented), and a second set of active confirmations on the results-delivery screen (agreement to our Terms and this Privacy Policy; consent to sharing your results with our email and CRM providers). Each confirmation is recorded as an immutable, timestamped, hashed event so the document version you agreed to is reproducible. Withdrawal of consent is recorded the same way.
  • Performance of a contract to deliver the Service you have requested.
  • Legitimate interests in operating, securing, and improving the Service, in ways that do not override your fundamental rights.
  • Vital interests and legal obligations when responding to genuine safety concerns or as required by law.

You may withdraw consent at any time by contacting us. Withdrawal does not affect processing carried out before the withdrawal. Withdrawal is recorded as a consent event in the same immutable log.

5. Sharing of Information

We share your information only with service providers that operate the Service on our behalf, under contractual confidentiality obligations, and only to the extent necessary to deliver the Service. Our principal service providers are:

  • Vercel (United States): web application hosting.
  • Supabase (United States): database hosting, including your assessment responses and contact information.
  • Resend (United States): transactional email delivery for the results email and PDF link.
  • GoHighLevel (GHL) (United States): customer-relationship management. Currently inactive: no data is transmitted to GHL today. If this integration is re-enabled, GHL would receive only your name, email, and marketing-consent flag, never your assessment responses or results, and we would update this policy first.

We do not share your information with advertisers, data brokers, or social media platforms. We do not allow third-party tracking scripts to access your assessment responses. If we ever transfer data to a new service provider, we will update this list.

We may disclose information if required by valid legal process or to protect the rights, property, or safety of any person. If ownership of the Service ever changes (for example, through merger or acquisition), your information may transfer to the successor under the same protections this policy describes.

6. Sensitive Health Information

The Service collects responses from validated clinical screening instruments. We treat this information as sensitive personal information adjacent to protected health information (PHI), even though we are not currently a HIPAA-covered entity. We maintain technical safeguards typical of healthcare technology:

  • Row-level security on the database so individual responses are isolated by session.
  • Server-side writes only; the public web application cannot read other users’ responses.
  • Transport-layer encryption (HTTPS / TLS) for all data in transit, and at-rest encryption provided by our database host.
  • A token-based access model so individual results pages are reachable only via a unique URL we issue to you.
  • A logging discipline that prohibits writing identifiable response values to server logs.

We are working toward formal HIPAA compliance as we expand into paid clinical services. Until then, we hold ourselves to these technical safeguards and to the substance of the HIPAA Security Rule, without claiming formal HIPAA certification.

7. Data Security

We use industry-standard technical and organizational measures to protect your information against unauthorized access, disclosure, alteration, and destruction. No method of transmission over the internet or method of electronic storage is one hundred percent secure, and we cannot guarantee absolute security. In the event of a security incident affecting your information, we will notify you and the appropriate authorities as required by applicable law. The substance of any notification is described in Section 16.

8. Data Retention

The specific retention periods below are pending review by retained counsel. Treat them as a working draft.

We retain your assessment responses for as long as we operate the Service or until you ask us to delete them, whichever comes first. This retention supports the 90-day retake feature that compares your current assessment against your earlier ones. We do not currently auto-delete responses on a fixed schedule, but we will honor deletion requests within the timeframes required by applicable law (45 days under Washington MHMDA; 30 days otherwise).

Marketing communications opt-ins are retained for as long as your subscription is active and for a reasonable period after unsubscribe to honor the unsubscribe request and demonstrate compliance.

De-identified aggregate statistics derived from many users may be retained indefinitely. By their nature, those statistics cannot be linked back to an individual.

9. Your Rights and Choices

Multi-state coverage of these rights is pending review by retained counsel. The rights described here apply to all users; additional state-specific rights are described in Section 12 and in our separate Consumer Health Data Privacy Policy (Washington MHMDA, Nevada, Connecticut, Maryland).

You have the following rights with respect to your information:

  • Access. Request a copy of the information we hold about you.
  • Correction. Ask us to correct information that is inaccurate or incomplete.
  • Deletion. Ask us to delete your information. We will honor requests within thirty (30) days, except for information we are legally required to retain.
  • Portability. Receive a machine-readable copy of your responses and scores.
  • Objection. Object to certain processing of your information.
  • Withdrawal of consent. Withdraw a consent you previously granted.

To exercise these rights, contact jared@flourishingassessment.com. We will respond within a reasonable time and in any case within the timeframes required by applicable law.

10. Children’s Privacy

The Service is for adults aged 18 or older. Before any assessment questions are presented, you must actively confirm that you meet this age requirement (a single click on the “Before you begin” screen). The Service is not designed to attract individuals under the age of 18, and we do not knowingly collect personal information from children under 13.

The Service includes questions that ask adults to reflect on experiences from before age 18; those questions are intended for retrospective reporting by adults and are not directed at children. If you believe we may have collected information from a child under 13, or from a minor between 13 and 17, contact us and we will delete it promptly.

11. International Users

EU/UK GDPR Article 27 representative requirements are pending review by retained counsel. The Service is currently intended for users in the United States; we are evaluating whether to appoint an EU/UK representative or to geo-limit access from those jurisdictions.

The Service is operated from the United States, and our service providers are primarily located there. If you access the Service from outside the United States, you understand that your information will be transferred to, stored, and processed in the United States. The data-protection laws of the United States may differ from those of your country of residence. By using the Service, you consent to this transfer.

12. California Residents

Multi-state expansion of this section is pending review by retained counsel. Residents of Washington, Nevada, Connecticut, and Maryland have additional rights described in our separate Consumer Health Data Privacy Policy. Residents of Virginia, Colorado, Texas, Oregon, and other states with comprehensive privacy laws have rights that substantially mirror the California rights below; contact us to exercise them.

If you are a California resident, the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”) give you additional rights:

  • The right to know what categories of personal information we collect, the sources of that information, the business or commercial purposes for collecting it, and the categories of third parties with whom we share it.
  • The right to request deletion of personal information we have collected about you.
  • The right to correct inaccurate personal information.
  • The right to opt out of the sale or sharing of personal information. We do not sell your information.
  • The right to limit the use of sensitive personal information, which under CCPA includes precise geolocation, health information, and demographic categories. We use your sensitive personal information only to provide the Service you have requested.
  • The right to non-discrimination for exercising any of these rights.

To exercise CCPA rights, contact us at jared@flourishingassessment.com. You may also designate an authorized agent to make a request on your behalf, subject to identity verification.

13. Marketing Communications

We send you the results email automatically because it is the product you requested. Newsletter and other marketing communications are separate: we send those only if you explicitly opted in on the email-capture step. You can unsubscribe at any time through the unsubscribe link in any marketing email or by contacting us. Transactional emails (such as the results email itself, or security notices) cannot be unsubscribed from without ending your use of the Service.

14. Cookies and Analytics

The Service uses a minimal set of first-party cookies and browser-storage entries necessary for the assessment to function, including a session token kept in your browser’s local storage so you can resume an in-progress assessment.

We do not use third-party advertising or social-media tracking cookies. We may, in the future, use a privacy-respecting analytics provider (such as PostHog) to understand aggregate usage patterns. If we do, this policy will be updated, and the analytics provider will be configured to respect do-not-track-style preferences and to mask sensitive response data.

15. Crisis-Response Data Handling

The Service surfaces crisis-line references at three levels of prominence on the results screen, calibrated to what your responses suggest:

  • Tier 0 (baseline). A persistent inline reference to 988 on every results view, so the resource is always one tap away. No additional data is collected.
  • Tier 1 (elevated). A non-dismissable callout placed above your score when your responses suggest you have been struggling recently. The callout links to 988 and to a provider-finder page.
  • Tier 2 (active risk). A full-screen interstitial that gates your results when your responses include indicators of active risk (for example, a non-zero answer to the PHQ-9 item assessing thoughts of self-harm). Crisis-line buttons are the primary actions; a “Continue to results” option is present so the choice remains yours.

What we log, and what we don’t. When a Tier 1 or Tier 2 surface fires, we record an event in our crisis log containing only short trigger codes (for example, PHQ9_ITEM9_GTE_1), the tier that fired, the rules-version active at the time, and request metadata (IP, user-agent, timestamp). We do not store the underlying individual response values in the crisis log: the raw scores stay in the standard assessment-responses tables under the same access controls as the rest of your data, and the crisis log records what happened in the moment, not the content of your answers.

What we do not do. The Service is not a crisis service, not a clinical service, and not a substitute for emergency care. It does not monitor your responses in real time, does not contact emergency services on your behalf, and does not have clinicians on call. We do not send notifications to founders, staff, or any third party when a crisis tier is triggered. We are not staffed or licensed to act on individual crisis disclosures. If you are in crisis, please use the resources on our Crisis Resources page, or call or text 988, text HOME to 741741, or call 911 if you are in immediate danger.

The crisis-event log is insert-only and access-controlled. Aggregate counts of how often each tier fires may be retained indefinitely as part of our service-improvement analytics; the per-event records honor deletion alongside the rest of your data.

16. Data Breach Notification

In the event of a personal-data breach that creates a risk to your rights and freedoms, we will notify you and the appropriate supervisory authorities as required by applicable law (for example, within 72 hours of becoming aware of the breach under the EU GDPR; under the FTC Health Breach Notification Rule for consumer-health data; and under applicable US state breach-notification statutes). Our notification will describe the nature of the breach, the information affected, the steps we have taken to address it, and the steps you can take to mitigate possible harms.

17. Changes to This Policy

We may update this Privacy Policy from time to time. Each version is recorded with an effective date and a content hash. When a material change takes effect, the next assessment session you begin will re-prompt you for the relevant agreements before any new data is collected. Prior versions remain available on request.

For non-material changes we post the new policy on this page and update the “Effective” date at the top.

18. Contact Us

Addition of a postal address is pending a business decision and counsel review.

For any questions, concerns, or requests about your information or this Privacy Policy, contact jared@flourishingassessment.com.
