Data Ethics
Five commitments that govern every byte of data we touch.
Independence and transparency are the whole point of the arqmetrica AI Maturity Index. The five principles below are how we keep that promise operationally — not as policy theatre, but as code, infrastructure choices, and one-click controls a respondent can exercise without writing to us first.
01
Anonymisation by default
Index responses are stored unattributed. Email is opt-in only — we ask for it solely so we can send a PDF copy of the result and an invitation to the quarterly State of European Mid-Market AI report. When given, the email lives in a separate database table (`assessments_email`) so it can be erased independently of the underlying assessment record, in line with GDPR Article 17 (right to erasure).
02
No AI to classify or score individuals
The Index scores companies. Never people. We do not deploy any AI system that classifies, ranks, or makes decisions about individuals on behalf of clients — neither inside the Index, nor in any consulting engagement that follows. This is the one line we do not cross.
03
Right to erasure
One-click data deletion is available via the `/api/data/delete` endpoint. It removes the email and the email-linked assessment record. Aggregate, anonymised cohort statistics — used to compute peer benchmarks — are preserved, because by construction they contain no personally identifying information and there is nothing left to erase.
04
Public methodology
The scoring formula, dimension weights, and the full 24-question rubric live as plain TypeScript code at github.com/BlinkyPT/arqmetrica-website, under `src/index/`. Anyone — auditor, regulator, competitor, or sceptical board chair — can read the exact arithmetic that produced any given score. There are no hidden adjustments and no proprietary multipliers.
05
EU data residency
All infrastructure is EU-resident. Hosting on Vercel Frankfurt (`fra1`), database on Supabase eu-central-1, transactional email via Resend's EU sending region. No data leaves the European Union, and no sub-processor outside the EU has access to it.
Sub-processors
These third parties process data on our behalf. Each is contractually bound by GDPR-compliant terms; the table lists the exact data shared and a link to the provider's own privacy policy.
| Service | Purpose | Data shared | Privacy policy |
|---|---|---|---|
| Plausible Analytics | Aggregate page-view counts (no cookies, EU-hosted) | URL paths, referrer, country, device type | plausible.io/privacy |
| Cal.com | Meeting bookings | Calendar event details + visitor email when a booking is made | cal.com/privacy |
| Resend | Transactional + broadcast email delivery | Email addresses and message content | resend.com/legal/privacy-policy |
| Supabase | Assessment database (EU region) | Index responses, scores, optional email | supabase.com/privacy |
| Vercel | Hosting + edge logs | Request URLs, IP (truncated), edge logs | vercel.com/legal/privacy-policy |
| Google Ads | Conversion tracking (only when consent given) | Conversion event + visitor click ID | policies.google.com/privacy |
| LinkedIn Insight Tag | Conversion tracking (only when consent given) | Conversion event + LinkedIn member ID (when authenticated) | linkedin.com/legal/privacy-policy |
These commitments are how we build trust. If something here is unclear, or you want a copy of all data we hold about you, write to hello@arqmetrica.com — we reply within two working days.