LEGAL
Privacy Policy &
Fair Processing Notice
Last updated: 21 May 2026
This document covers both our consumer platform (the REZO app) and our institutional services (corporate belonging programmes and university roommate matching). If you are an employee or student who received an invite from your organisation, the institutional section (Part B) applies to you in addition to Part A.
PART A
Consumer Platform
Applies to all users of the REZO app and website
1. Who we are
REZO is operated by REZO Group Ltd, a company incorporated in England and Wales ("we", "us", "our"). We are a psychometric belonging platform that connects adults through deep compatibility matching.
Data Controller: REZO Group Ltd
Contact: hello@rezo-nate.com
ICO Registration:
We are registered with the Information Commissioner's Office (ICO) as required under the UK Data Protection Act 2018.
2. What data we collect
We collect the following categories of personal data:
| Category | Examples | Purpose |
|---|---|---|
| Account data | Email, date of birth, name, hometown | Account creation and authentication |
| Psychometric data | 83-question quiz responses, nine normalised DNA scores, archetype label | Compatibility matching (special category — see §3) |
| Profile data | Avatar, life motto, Spotify track ID | Profile display and personalisation |
| Connection data | Resonance actions, message content in Synthesis channels, linkup data | Facilitating connections between matched users |
| Usage data | Page views, feature interactions, session metadata | Platform improvement and analytics |
| Device data | Browser, OS, IP address, device identifiers | Security, fraud prevention, session management |
3. Special category data
Important notice
Your psychometric quiz responses may reveal information about your cultural identity, emotional patterns, and belonging needs. Under UK GDPR Article 9, some of this may constitute special category data. We process it only with your explicit consent.
Your explicit consent is collected at the point you begin the quiz. You may withdraw this consent at any time by deleting your account. Withdrawal will not affect the lawfulness of processing before withdrawal.
We do not use your psychometric data to make employment decisions, clinical assessments, or any other legally significant automated decision about you. Your archetype profile is assistive and descriptive — not diagnostic.
4. Legal basis for processing
| Processing Activity | Legal Basis |
|---|---|
| Providing the matching service and populating your Vault | Performance of contract (Art. 6(1)(b)) |
| Processing psychometric quiz responses | Explicit consent (Art. 6(1)(a) + Art. 9(2)(a)) |
| Sending notifications about resonance activity | Performance of contract (Art. 6(1)(b)) |
| Improving our compatibility model using your data | Legitimate interests (Art. 6(1)(f)) — you may opt out |
| Security logging and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
5. How long we keep your data
| Data Type | Retention Period |
|---|---|
| Account and profile data (active account) | Duration of account |
| Account and profile data (after deletion) | Deleted within 30 days of account closure |
| Psychometric quiz responses (raw) | Duration of account; deleted within 30 days of account closure |
| Message content (Synthesis channels) | 12 months from creation, then deleted |
| Connection and resonance data | Duration of account; deleted within 30 days of account closure |
| Security and audit logs | 12 months |
| Anonymised aggregate statistics | Indefinitely (not re-identifiable) |
6. Who we share your data with
We do not sell your data. We do not share your data with advertisers. We share data only with the following categories of processor, each under a Data Processing Agreement:
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, storage | EU / UK |
| Amazon Web Services | Infrastructure (via Supabase) | EU / UK |
| Vercel | Hosting and edge infrastructure | EU / UK / US (SCCs in place) |
| Anthropic | AI inference for compatibility prompts (no identifiers sent) | US (SCCs in place) |
| Spotify | Track embed display only — no user data shared | N/A |
7. International data transfers
Where data is transferred outside the UK or EEA (for example to Vercel or Anthropic infrastructure in the United States), we ensure appropriate safeguards are in place including the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs) as applicable.
8. Your rights
Under UK GDPR and the Data Protection Act 2018, you have the right to:
| Right | What it means |
|---|---|
| Access | Request a copy of all personal data we hold about you |
| Rectification | Ask us to correct inaccurate or incomplete data |
| Erasure | Request deletion of your account and associated data |
| Restriction | Ask us to limit how we use your data while a dispute is resolved |
| Portability | Receive your data in a machine-readable format (JSON or CSV) |
| Objection | Object to processing based on legitimate interests |
| Withdraw consent | Withdraw consent for special category processing at any time |
To exercise any right, email hello@rezo-nate.com. We will respond within 30 days. There is no charge for exercising your rights.
9. Security
We protect your data using:
— TLS 1.3 encryption in transit
— AES-256 encryption at rest
— Row-level security (RLS) on all database tables
— Role-based access controls
— Audit logging
— Regular security reviews
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the ICO without undue delay and within 72 hours of becoming aware.
10. Automated decision-making and profiling
REZO uses algorithmic compatibility modelling to generate match suggestions and resonance scores. This constitutes profiling under UK GDPR Article 4(4).
However, REZO does not make solely automated decisions that produce legal or similarly significant effects within the meaning of Article 22 UK GDPR. Our outputs are assistive and recommendatory — we surface suggestions, but no decision affecting your rights or status is taken by the algorithm alone.
Your archetype profile is not a psychological diagnosis. It is a descriptive compatibility tool. You may request human review of any compatibility output by contacting hello@rezo-nate.com.
11. Cookies
We use cookies for session management and analytics. See our Cookie Policy for full details.
12. Changes to this policy
We may update this policy from time to time. Material changes will be notified via email and an in-app banner at least 14 days before they take effect. Continued use of REZO after notification constitutes acceptance of the updated policy.
13. Contact & complaints
For any privacy question or to exercise your rights: hello@rezo-nate.com
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk · 0303 123 1113
PART B
Institutional Fair Processing Notice
Applies to employees, contractors, and students whose organisation uses REZO
This notice is required by UK GDPR Article 13
If you have received an invite to REZO from your employer or university, this notice explains how your data will be processed in that institutional context. Read it before accepting your invite.
B1. Who controls your data
In the institutional context, two parties process your data:
Your organisation (the Controller) — your employer or university — determines the purposes for which your institutional profile is created and instructs REZO to process it. They are responsible for establishing a lawful basis for processing and for obtaining your explicit consent where required.
REZO Group Ltd (the Processor) — processes your data on behalf of your organisation under a Data Processing Agreement. REZO acts as an independent Controller only with respect to the separate consumer platform, if you choose to activate it.
B2. What data is processed
| Category | Detail |
|---|---|
| Identity data | Name, email address, institutional identifier |
| Organisational metadata | Department, cohort, residence hall, team |
| Psychometric profile data | DNA scores (nine normalised compatibility vectors) and archetype label — derived from your quiz responses |
| Consent records | Timestamped log of what you consented to and when |
| Belonging health indicators | Periodic aggregate belonging scores (used only at cohort level — never individually identified to your employer or university) |
| Connection metadata | Whether you have formed connections through the platform (aggregate only — not the identity of your connections) |
B3. Purpose and legal basis
| Purpose | Legal Basis |
|---|---|
| Generating your institutional compatibility profile | Explicit consent (Art. 6(1)(a) + Art. 9(2)(a) UK GDPR) |
| Matching you with compatible colleagues or housemates | Explicit consent (collected at invite redemption) |
| Aggregate cohort belonging analytics for your organisation | Legitimate interests of your organisation (Art. 6(1)(f)) — individual data is never exposed |
| Maintaining consent and audit records | Legal obligation (Art. 6(1)(c)) |
B4. What your organisation can and cannot see
VISIBLE TO YOUR ORG
✓ Your archetype label (e.g. Grounded Builder)
✓ Aggregate cohort belonging scores
✓ Aggregate risk counts (numbers only — no names)
✓ Whether you have been matched (not with whom)
NEVER VISIBLE TO YOUR ORG
✗ Your individual quiz answers
✗ Your raw DNA scores
✗ Who you have been matched with
✗ Your messages or conversations
✗ Your consumer REZO activity (if activated)
B5. Participation is voluntary
Your rights are protected
Participation in REZO is entirely voluntary. Your decision not to participate, or to withdraw at any time, will not be communicated to your employer or university and will not affect your employment, academic standing, housing eligibility, or any other entitlement. Refusal or withdrawal does not trigger any notification to your organisation.
B6. The Consumer Bridge (optional)
At the point of accepting your institutional invite, you may optionally choose to also activate a personal REZO consumer account. This is called the Consumer Bridge. It is entirely optional.
If you activate the Consumer Bridge: your DNA scores are copied once to your consumer profile at that moment. After that, the two profiles are completely independent. Your employer or university will never see your consumer activity, connections, or messages — this is enforced technically, not just by policy.
If you do not activate the Consumer Bridge, your institutional profile remains entirely within your organisation's environment.
B7. How long we keep your institutional data
| Data Type | Retention Period |
|---|---|
| Institutional profile and DNA scores | Duration of your organisation's contract with REZO, then deleted within 30 days |
| Consent records | 6 years from date of consent (legal compliance requirement) |
| Belonging snapshots | Duration of contract, then deleted within 30 days |
| Security and audit logs | 12 months |
| Anonymised aggregate analytics | Indefinitely (not re-identifiable to you) |
B8. Your rights in the institutional context
You have the same rights as described in §8 above (access, rectification, erasure, restriction, portability, objection, withdrawal of consent).
To withdraw from the institutional programme: You may do so at any time by contacting hello@rezo-nate.com. Your institutional profile will be deactivated and your organisation will not be notified.
To request erasure: Contact us at the same address. Your institutional profile will be permanently deleted within 30 days. Erasure of your institutional profile does not affect your consumer profile (if you have one) and vice versa.
Minimum cohort thresholds: To protect your privacy, aggregate analytics are never generated from a cohort of fewer than 5 individuals. If your team has fewer than 5 members, no aggregate data is surfaced to your organisation.
B9. Students under 18
If you are under 18, the processing of your psychometric data requires additional consent under the UK Children's Code and UK GDPR Article 8. Your institution is responsible for ensuring appropriate parental or guardian consent is obtained before you are invited to use REZO.
If you believe you have been invited without appropriate consent being obtained, please contact us immediately at hello@rezo-nate.com.
B10. Contact
For any question about how your institutional data is processed: hello@rezo-nate.com
You may also contact your organisation's Data Protection Officer (DPO) or equivalent, or lodge a complaint with the ICO at ico.org.uk.