Privacy Policy
Last updated: 4 July 2026. How we handle the data you give us when you use the Treethree assessment.
1. Who we are
Treethree ApS, Islands Brygge 50, 2300 Copenhagen, Denmark, is the data controller for the personal data described here. You can reach us at tcfl@pm.me.
2. What we collect
- Account details: your name, email, and a hashed password.
- Assessment answers: the questionnaire and calibration answers you provide about your business.
- Payment data: handled by Stripe. We receive confirmation of payment and limited billing metadata, but we do not see or store your full card details.
- Technical data: basic logs needed to run and secure the service.
- Usage analytics: cookieless, aggregate analytics about how the site and assessment are used (which pages are viewed, where people drop off). No personal data, no cookies, no cross-site tracking. See our Cookie Policy.
3. How we use it, and the legal basis
- To create and manage your account and to generate and deliver your reports (performance of our contract with you).
- To take payment for paid reports (performance of contract).
- To operate, secure, and improve the service, including understanding usage through cookieless analytics (our legitimate interests).
- To meet legal and accounting obligations.
We do not sell your data, and we do not use it to train AI models.
4. Who we share it with
- Anthropic: your assessment answers are sent to Anthropic to generate your report. Anthropic processes them as our service provider, and under its commercial API terms these inputs are not used to train Anthropic's models.
- Stripe: processes payments.
- Resend: sends our transactional email (account verification, password reset, and report notifications). It processes your email address and name to deliver these messages on our behalf.
- Vercel: hosts the service and provides the cookieless usage analytics described above.
- Supabase: provides the managed (EU-region) database that stores your account, orders, and reports on our behalf.
Some pages also load a web font from Google Fonts, which means your browser fetches it from Google and Google may receive your IP address; no cookie is set. We are moving to self-hosted fonts to remove this. See our Cookie Policy for the full picture.
We share only what is needed, and these providers act as processors under our instructions.
5. International transfers
Some providers may process data outside the EU or EEA. Where that happens, we rely on appropriate safeguards such as the EU Standard Contractual Clauses.
6. How long we keep it
We keep your account and reports for as long as your account is active and as needed to meet legal obligations. You can ask us to delete your data (see below); some records may be retained where the law requires it.
7. Your rights
Under EU data protection law you can ask to access, correct, delete, or export your data, object to or restrict certain processing, and withdraw consent where processing is based on consent. To exercise any of these, email tcfl@pm.me. You also have the right to complain to your local data protection authority. In Denmark this is Datatilsynet.
8. Security
We use reasonable technical and organisational measures to protect your data, including hashed passwords and access controls. No system is perfectly secure, so we cannot guarantee absolute security.
9. Changes
We may update this policy. The current version always lives on this page, with the date shown above.