Legal

Privacy Policy

This page explains how Deep Tech Institute (“DTI”, “we”, “us”) processes personal data when you use our website, complete the Deep Tech Maturity Index (DTMI) assessment, contact us, or use staff tools. It is written to align with the EU General Data Protection Regulation (GDPR) and the ePrivacy rules on cookies and similar technologies.

Last updated: 3 April 2026

1. Data controller

The data controller for personal data collected through this website and the DTMI is Deep Tech Institute. For questions about this policy or your rights, contact us using the details on our contact page (or the email address published there).

For our full legal entity name, registered address, and any EU representative details, use the contact page; we provide what you need for data protection and procurement enquiries.

2. What personal data we process

Depending on how you interact with us, we may process:

  • DTMI assessment & results: questionnaire responses; derived scores and maturity band; professional email address; first and last name; optional role, organisation, sector, size, and country; technical identifiers such as an assessment session token (UUID) to resume progress and attribute results.
  • Consent records: whether you accepted the privacy terms required to view results, and whether you opted in to optional marketing (e.g. research updates and event invitations).
  • Contact & briefing requests: name, email, organisation, message content, and related fields submitted via forms.
  • Staff & administration: account credentials and activity for authorised users of the staff console.
  • Server-side analytics log (internal): pseudonymous events (e.g. assessment milestones) linked where relevant to assessment session UUIDs, not to marketing profiles. Event properties are designed to minimise personal data.
  • Security & operations: standard server logs (IP address, user agent, timestamps, URLs) for security and troubleshooting.

3. Purposes and lawful bases (GDPR Article 6)

| Purpose | Typical lawful basis |
|---|---|
| Deliver the DTMI, compute scores, show your results, send transactional emails (e.g. results copy) | Performance of a contract / steps prior to a contract at your request (Art. 6(1)(b)) |
| Record mandatory consent to terms before showing results | Consent (Art. 6(1)(a)) |
| Optional marketing (research updates, events) when you tick the separate checkbox | Consent (Art. 6(1)(a)) |
| Respond to contact/briefing enquiries | Legitimate interests (Art. 6(1)(f)) and/or steps prior to contract (Art. 6(1)(b)) |
| Internal funnel metrics, product improvement, aggregated benchmarking | Legitimate interests (Art. 6(1)(f)), with minimisation and aggregation where appropriate |
| Security, abuse prevention, legal claims | Legitimate interests (Art. 6(1)(f)) and/or legal obligation (Art. 6(1)(c)) |
| Staff authentication and audit | Legitimate interests / performance of contract with staff (Art. 6(1)(b)/(f)) |

Where we rely on legitimate interests, we balance our interests against your rights; you may object in certain cases (see section 7).

4. Cookies and similar technologies (ePrivacy)

Under the EU ePrivacy Directive (implemented nationally) and the emerging ePrivacy Regulation debate, storage or access on your device generally requires informed consent unless the cookie (or equivalent) is strictly necessary to provide a service explicitly requested by you.

When you use this site, our application may set the following first-party cookies:

| Cookie / mechanism | Role | Legal basis under ePrivacy |
|---|---|---|
| csrftoken | CSRF protection for POST forms (security). | Strictly necessary; no consent required. |
| sessionid | Maintains session state (for example staff sign-in, or an anonymous session so forms and the assessment can work securely). | Strictly necessary for authenticated areas; for anonymous visitors, used only as required to operate secure forms. |

Optional analytics / marketing tags: The site may load a small first-party script (dti-analytics.js) that can forward events to Google Tag Manager or Plausible only if those tools are included on the page. If you enable GTM, GA4, Meta pixels, or similar tags, they may set additional cookies or read device storage; those are typically not strictly necessary and normally require a consent banner in line with EU practice (GDPR + ePrivacy). Cookie-free or first-party analytics configurations reduce compliance surface area.

We do not use third-party advertising cookies in the default configuration. If that changes, we will update this policy and the consent experience accordingly.

5. Recipients and processors

We use infrastructure and service providers (for example hosting, email delivery) who process data on our instructions (GDPR Article 28 processors). We keep a list of sub-processors for our operations and provide it on request where required by contract or law.

6. International transfers

If personal data is transferred outside the European Economic Area, we rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions, as required by GDPR Chapter V.

7. Your rights

Subject to GDPR conditions, you may have the right to: access, rectification, erasure, restriction, portability, objection, and to withdraw consent at any time (without affecting prior lawful processing). You may also lodge a complaint with your supervisory authority.

To exercise rights, contact us via the contact page.

8. Retention

We keep personal data only as long as needed for the purposes above (e.g. assessment records for analysis and client delivery, legal claims, or statutory retention). Aggregated or anonymised statistics may be kept without time limit.

9. Automated scoring

DTMI scores are computed algorithmically from your answers. This does not produce legal or similarly significant effects in the GDPR Article 22 sense, but if you have questions about how scores are derived, see our methodology page.

10. Changes

We may update this policy from time to time. Material changes will be reflected by updating this page and the “Last updated” date.