Privacy Policy

We collect personal information at three points during your FFi experience.

Before you start the diagnostic

When you register via the form on our home page, we collect:

• Your first name, last name, and email address
• A consent record, including the timestamp and IP address at the point of form submission

This information is stored in our database and linked to the diagnostic session that follows.

During the diagnostic

We collect:

• Organisation type, career stage, responsibility, function, and geography
• Your responses to the diagnostic questionnaire (9-dimension assessment)
• Any free-text notes you choose to enter (for example, in response to “what prompted you to take this?”)
• Your calculated dimension scores and overall Future Fluency profile
• Date and time of diagnostic completion

We also collect anonymous usage analytics: page views, drop-off points, active time on page (tab-visible time only), and browser and device type. This data cannot be used to identify you.

Please note that some of this information is used to generate an AI-assisted interpretation of your results. See Section 4 for exactly what is and isn’t shared, and please avoid entering identifying details (such as names or contact information) in free-text fields.

After completion

Your scorecard report is automatically sent to the email address you provided at registration. If you separately opt in to receive follow-up content (“field notes”), that is a distinct, explicit choice and does not affect delivery of your scorecard.

We collect only the information necessary to deliver your results, run aggregated research to improve the FFi framework, and communicate with you where you have given consent to do so.

Sensitive information. We do not ask for, and do not intend to collect, sensitive or special-category information (such as health, racial or ethnic origin, religious or political beliefs, or sexual orientation). Please do not enter information of this kind in any free-text field.

Age. FFi is intended for adults. It is not directed at anyone under 18, and we do not knowingly collect personal information from children. If you believe someone under 18 has provided us with personal information, please contact us and we will delete it.

Under the Australian Privacy Act 1988, we collect your information with your informed consent (APP 3, APP 5).

If you are located in the European Economic Area or United Kingdom, our lawful basis for processing is your explicit consent under GDPR Article 6(1)(a). Where we deliver the results you have requested, that processing is also necessary to provide the service to you.

Consent is captured at the point of registration, before you begin the diagnostic, via the form on our home page. By submitting that form, you consent to:

• Receiving your scorecard report by email upon completion of the diagnostic
• Your responses being processed (including by our AI interpretation provider, as described in Section 4) to generate that report
• Your de-identified, aggregated responses being used for research to improve the FFi framework

If you separately opt in to receive follow-up content (“field notes”), that is a distinct consent event and is not a condition of accessing your results.

You may withdraw consent at any time by contacting us at hello@futurefluencyindex.com. Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal.

We use your personal information for the following purposes:

• To generate and deliver your FFi diagnostic results and report, including AI-assisted interpretation (see Section 4)
• To conduct a debrief session with you, if you have requested one
• To contact you regarding your results or relevant follow-up content, if you have opted in to receive such communications
• To conduct aggregated, de-identified research to improve the FFi framework and its validity
• To maintain records of your consent

We will not use your personal information for any other purpose without your explicit consent.

Your results include a written interpretation generated with the assistance of artificial intelligence. We use the Anthropic Claude API to help produce this interpretation.

What we send to the AI service to generate your interpretation:

• Your first name only
• De-identified categories: business model/organisation type, career stage, sector, function, and geography
• Your numerical scores (composite, dimension scores, percentile, and tier)
• Cohort benchmark aggregates (such as averages and cohort size)
• Derived behavioural flags (calculated indicators that contain no personal identifiers)
• Any free-text notes you entered during the diagnostic

What we never send: your email address, last name, account or user identifiers, assessment identifiers, or organisation name.

The AI provider processes this information solely to generate and return your interpretation. Your data is not used to train the provider’s AI models. The provider retains the information only for a limited period (currently up to 30 days) for security and abuse-monitoring purposes, after which it is deleted. It may be retained longer only where required to investigate misuse or to meet a legal obligation.

Because any free-text notes you enter are included in the information sent for interpretation, please do not include names, contact details, or other identifying information in those fields.

This interpretation supports your reflection and development. We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects (see Section 10).

Access to your personal information within FFi is strictly limited to authorised members of the FFi team. Other than the third-party processors listed in Section 6 (who act only on our instructions and only as needed to deliver the service), no third party will receive your identifiable personal information without your explicit consent.

Where we engage enterprise organisations to deliver FFi diagnostics to their teams, we will share only aggregated, de-identified cohort results with that organisation, never individual-level data without the explicit consent of the individual participant. Where a cohort is small enough that aggregated results could identify an individual, we suppress or withhold those results to protect participant privacy.

Our role when an employer commissions a cohort. When you take the diagnostic on your own, FFi is the data controller for your personal information. When an employer or other organisation commissions a cohort and invites you to take part, that organisation is the data controller and FFi acts as its data processor, handling your information only as needed to deliver the service it has commissioned. In that situation, requests to access, correct, or delete your data are directed to that organisation, and we will support them in responding. We still only ever share aggregated, de-identified results with the commissioning organisation, as described above.

We use the following third-party services to operate FFi. Each acts as a data processor under our instruction, and we have a data protection agreement in place with each.

Some of these processors are located outside Australia: in the United States (Vercel, Resend, Cal.com, Anthropic) and South Korea (Supabase). Where personal data is transferred overseas, we take reasonable steps to ensure each recipient handles it consistently with the Australian Privacy Principles (APP 8). For users in the EEA or UK, such transfers are protected by an appropriate safeguard under GDPR: an adequacy decision (which both the EU and UK recognise for South Korea) or Standard Contractual Clauses (for the United States). See Section 10.

We retain all personal data for a period of 24 months from the date of collection, after which it is securely deleted. This applies to:

• Diagnostic responses, free-text notes, and dimension scores
• Name, email address, and organisation information
• Consent records and timestamps

De-identified, aggregated research data may be retained indefinitely as it cannot be used to identify you.

You may request deletion of your data at any time prior to the end of the retention period. See Section 9 below.

We take reasonable steps to protect your personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our security measures include:

• All data stored in Supabase is encrypted at rest (AES-256) and in transit (TLS 1.2+)
• Data sent to our processors, including for AI interpretation, is transmitted over encrypted connections
• Row-level security policies restrict data access to authorised accounts only
• The diagnostic tool is hosted over HTTPS; all form submissions are encrypted in transit
• No diagnostic data is stored in browser storage, email inboxes, or shared drives

If a data breach occurs. We maintain an incident-response process. If a breach is likely to result in serious harm, we will notify the individuals affected and the Office of the Australian Information Commissioner under the Notifiable Data Breaches scheme, together with any equivalent obligations to EEA or UK authorities, as soon as reasonably practicable.

You have the following rights regarding your personal information:

To exercise any of these rights, please contact hello@futurefluencyindex.com. We will acknowledge your request within 5 business days and respond in full within 30 days.

If you are located in the European Economic Area or the United Kingdom, the following additional information applies to you under the EU and UK GDPR.

Lawful basis: We process your personal data on the basis of your explicit consent (Article 6(1)(a)), and, where we deliver the results you requested, because processing is necessary to provide that service.

International transfers: As set out in Section 6, some processing occurs outside the EEA/UK. These transfers are protected by an appropriate safeguard: an adequacy decision (which both the EU and UK recognise for South Korea) or Standard Contractual Clauses (for transfers to the United States).

Automated decision-making: Your results are produced with the assistance of AI, but we do not make decisions about you based solely on automated processing that produce legal or similarly significant effects (Article 22). The interpretation is developmental and is reviewed within the context of FFi’s coaching and debrief practice.

Right to complain: You have the right to lodge a complaint with your local data protection supervisory authority.

Separately from diagnostic participants, we hold limited personal information about people we communicate with in the course of running FFi: prospective clients, partners, executive coaches, suppliers, and other business contacts.

What we collect: name, job title, organisation, work email address and other professional contact details, and a record of our correspondence with you. We collect this directly from you, from your professional or public profiles, or from your organisation’s website.

Why we use it, and our lawful basis: to contact you about FFi, respond to enquiries, and develop business relationships. Under the Australian Privacy Act this is collected for the purpose of our business relationship. For contacts in the EEA or UK, our lawful basis is our legitimate interests in business-to-business communication (GDPR Article 6(1)(f)), balanced against your rights and limited to professional contact details used in a business context.

Your choices: you can ask us to stop contacting you at any time, and we will. Marketing emails always include an unsubscribe option, and you can opt out of any outreach by replying to us or contacting hello@futurefluencyindex.com. You have the same rights of access, correction, and deletion set out in Section 9.

Retention: we keep business contact information only for as long as the relationship or prospect is active, and remove it on request or when it is no longer needed.

If you believe we have not handled your personal information appropriately, we encourage you to contact us first at hello@futurefluencyindex.com. We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days.

If you remain unsatisfied after contacting us, you may escalate to the relevant authority:

• Australia: Office of the Australian Information Commissioner - www.oaic.gov.au
• European Union / UK: Your local Data Protection Authority

We may update this Privacy Policy from time to time. Where changes are material, we will notify participants by email or via a prominent notice in the diagnostic tool. The version number and effective date at the top of this document will always reflect the most recent version.

The FFi website is designed to minimise data collection on your device. We do not use advertising cookies, retargeting pixels, or any third-party tracking tools such as Google Analytics, Meta Pixel, or similar.

Essential cookies: A small functional cookie or local storage entry is set to remember your response to the site notice banner. This is required for the site to function correctly and does not contain personally identifiable information.

Cookieless analytics: We use Vercel Analytics to collect anonymised, aggregate data about page views and site usage. Vercel Analytics is cookieless by design - no cookies are set on your device and no personally identifiable information is collected or stored. Visitor metrics are derived from anonymised, server-side signals that cannot be used to identify you.

What this means for you: Because we do not set analytics cookies, no cookie consent is required for analytics under the GDPR or the Australian Privacy Act. We display a site notice as a matter of transparency, not legal obligation.