Doctoral Compass

Privacy

What we collect, where it lives, and what we deliberately don’t do.

Short version: a single random session ID in a first-party cookie, plus the page paths you visit. No third-party trackers. No advertising cookies. No cross-site tracking. The data lives in our own database in Frankfurt. Long version below.

Last updated: May 1, 2026

What we collect today

When you load any page on doctoralcompass.com, our server records: the path you visited (e.g. /en/framework), your locale (EN or FR), the page that referred you here (if your browser sent that), the country your request came from (a 2-letter code, derived by Vercel from your IP — we do not store the IP itself), a coarse device type (mobile / tablet / desktop, derived from your user-agent), and a random session identifier we set in a first-party cookie called pia_sid. The cookie expires after one year. You can clear it any time from your browser settings.

That is the entire list. No name, no email, no IP address stored, no cross-site identifier, no fingerprinting beyond the user-agent string used to coarsely classify your device.

Why we collect it

To know which pages people actually read, which languages they use, and roughly where they are in the world. That tells us where to invest content effort and which translations need work. The data is owned by us, queried by us, and never shared with anyone.

What we explicitly do NOT do

We do not load Google Analytics, Plausible, PostHog, Hotjar, Facebook Pixel, LinkedIn Insight, or any third-party analytics or advertising script. There are zero third-party tracking cookies on this site.

We do not run advertising on the site, so there are no ad-targeting cookies and no audience-syndication scripts.

We do not sell, rent, or share data with third parties for marketing.

We do not store your IP address. Vercel sees it briefly to route the request and to derive a country code; that is the extent of it.

What we collect when you create an account

You can take the diagnostic without an account. If you choose to create one — required to unlock your personalized full report — we collect what you give us in the profile-completion form: first name, last name, email, PhD level (Year 1–6, not started, or finished), field of study (free text), and country (your home country, or wherever you primarily study).

We also store, linked to your account: your test responses (73 numeric answers per attempt), your resulting archetype and dimension scores, the validity flags from each attempt (whether attention checks passed, etc.), your generated reports, and timestamps for when you took the test and when you last signed in.

Your email is used for one purpose: sending you transactional emails — your account activation link, password-reset links if you request one, and (Week 4+) your report when it is ready. We do not put you on a marketing list automatically. If we ever introduce academy updates, it will be a separate explicit opt-in.

How sign-in works

Two providers. (1) Google OAuth — when you click "Continue with Google", you are sent to Google to sign in; Google returns your email, name, and profile picture URL. We store all three; you can edit them later. We never see your Google password. (2) Email and password — you create your account with an email + password and confirm via an activation link we email you. We hash your password with bcrypt (12 rounds, plus a per-password salt) before storing it; we never store or log the plain text. If you forget your password, you request a reset link by email — links are valid for 1 hour and single-use.

Resend — the transactional email provider that sends your activation and password-reset links — receives only your email address and the rendered email content. Resend operates under standard EU/US transactional-email contract terms.

Cookies and sessions when signed in

When you sign in, we set a second first-party cookie holding a signed JWT (the session). It is HTTP-only, Secure, SameSite=Lax, and expires when you sign out or after 30 days of inactivity. Signing out clears it.

We do not store any third-party authentication cookie or social-login cookie. The pia_sid analytics cookie continues to do its session-counting job, independently of your authentication state.

Where the data lives

All data — page views today, account data later — is stored in a Postgres database hosted by Neon in eu-central-1 (Frankfurt, Germany). The database is encrypted at rest. Backups are managed by Neon under their standard terms. The application code that reads and writes the database is hosted on Vercel.

Cookies on this site

pia_sid — a random session ID, first-party, expires after one year. Used to count distinct sessions across page views without identifying you. Set on every visit, signed in or not.

authjs.session-token — set when you sign in. First-party, HTTP-only, Secure, SameSite=Lax, expires after 30 days of inactivity or when you sign out. Holds a signed JWT identifying your account.

No third-party cookies are set on this site.

Your rights

You can sign out at any time from your dashboard, which clears your session cookie. Clearing the pia_sid cookie via your browser settings severs any link between your future visits and your past ones in our analytics.

Account-data export and account deletion are self-service. From your dashboard, "Download my data" produces a JSON file with everything we have on your account; "Delete my account" removes your account and every test response and report linked to it within seconds. If for any reason the self-service pages are unavailable, email tahar@doctoralcompass.com and we will action the request within 30 days as required by GDPR for users in the EU; we apply the same standard worldwide as a matter of policy.

Contact

For any privacy question or request: tahar@doctoralcompass.com.