Privacy Policy
Your privacy matters. Here's how we collect, use, and protect your data.
Last updated: February 2026
1. Introduction and Scope
This Privacy Policy describes how Culture Wheel, Inc. ("Culture Wheel," "we," "us," or "our") collects, uses, stores, and discloses personal information through our web-based platform and related services (collectively, the "Service"). Culture Wheel is a B2B SaaS platform that provides performance reviews, 360-degree feedback, peer recognition, eNPS surveys, DISC personality assessments, employee profiles, and company directory features to organizations ("Customers").
This policy applies to:
- Customers — organizations that subscribe to Culture Wheel and their authorized administrators.
- End Users — employees, managers, and other individuals whose accounts are provisioned by a Customer to use the Service.
- Website Visitors — individuals who visit our marketing website at culturewheel.com.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you are an End User, your employer (our Customer) has agreed to our Terms of Service on your behalf, including the data processing provisions described here.
2. Information We Collect
2.1 Account and Organization Information
When a Customer subscribes to Culture Wheel, we collect information necessary to create and manage the account:
- Administrator name, email address, and job title
- Company name, size, industry, and billing address
- Payment information (processed by our third-party payment processor; we do not store full credit card numbers)
- Single sign-on (SSO) configuration details, if applicable
2.2 Employee Data
Customers and their administrators provision End User accounts and may import employee data into the Service. This data may include:
- Full name, work email address, and profile photo
- Job title, department, team, and location
- Manager and reporting relationships (organizational hierarchy)
- Start date and employment status
- Any additional profile fields configured by the Customer (e.g., pronouns, skills, interests)
2.3 Feedback and Assessment Data
The core of Culture Wheel involves collecting and managing sensitive HR feedback. This includes:
- Performance Reviews — written evaluations, ratings, competency scores, goals, and self-assessments submitted during review cycles
- 360-Degree Feedback — anonymous or attributed feedback from peers, direct reports, managers, and external reviewers
- Peer Recognition — recognition messages, company value tags, and acknowledgments shared between colleagues
- eNPS Survey Responses — employee Net Promoter Score ratings and optional free-text comments
- DISC Assessment Results — personality profile data, behavioral style indicators, and related assessment outputs
We recognize that feedback and assessment data is highly sensitive. We apply enhanced protections to this category of data, as described in Sections 6 and 7 below.
2.4 Usage Data
We automatically collect certain technical and usage information when you interact with the Service:
- Log data (IP address, browser type and version, operating system, referring URL, pages visited, timestamps)
- Device information (device type, screen resolution, language preference)
- Feature usage analytics (which features are used, frequency of use, workflow patterns) collected in aggregate to improve the product
- Error reports and performance diagnostics
2.5 Cookies and Tracking Technologies
We use cookies and similar technologies to operate the Service, remember your preferences, and understand how the Service is used. Specifically:
- Essential Cookies — required for authentication, session management, and security. These cannot be disabled.
- Analytics Cookies — help us understand usage patterns and improve the Service. You may opt out of these via your browser settings or our cookie preference center.
- Marketing Cookies — used on our marketing website only (not within the application) to measure advertising effectiveness. These can be declined.
We do not use tracking technologies within the application to monitor individual employee behavior for purposes unrelated to providing the Service.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Provide and operate the Service — including managing accounts, facilitating performance reviews, delivering 360 feedback, processing survey responses, generating DISC assessment results, and powering the company directory
- Improve and develop the Service — analyzing aggregated usage patterns to identify areas for improvement, develop new features, and optimize user experience
- Customer support — responding to support requests, troubleshooting issues, and providing technical assistance
- Security and fraud prevention — detecting, preventing, and responding to security incidents, unauthorized access, and other malicious activity
- Communications — sending transactional emails (review cycle reminders, recognition notifications, survey invitations), account-related notices, and, with consent, product updates and marketing communications
- Legal compliance — fulfilling our legal obligations, resolving disputes, and enforcing our agreements
- Aggregated insights — generating anonymized, aggregated benchmarks and analytics that do not identify any individual (e.g., industry-level engagement trends)
We do not use employee feedback data, performance review content, or assessment results to train machine learning models or for any purpose unrelated to providing the Service to the applicable Customer.
4. Legal Basis for Processing (GDPR)
For individuals in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data under the following legal bases:
- Performance of a contract — processing is necessary to fulfill our obligations under our agreement with the Customer, including providing the Service and related support
- Legitimate interests — processing is necessary for our legitimate interests (or those of the Customer), such as improving the Service, ensuring security, and preventing fraud, provided these interests are not overridden by your data protection rights
- Consent — where required by law, we obtain consent for specific processing activities, such as sending marketing communications or placing non-essential cookies. You may withdraw consent at any time
- Legal obligation — processing may be necessary to comply with applicable laws, regulations, or legal proceedings
For Employee Data and Feedback Data, the Customer (as Data Controller) is responsible for establishing the appropriate legal basis for processing within their organization. Culture Wheel processes this data as a Data Processor on the Customer's behalf and in accordance with their instructions.
5. Data Sharing and Third Parties
We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:
5.1 Sub-Processors
We use a limited number of trusted third-party service providers ("sub-processors") to help operate the Service. These include providers of:
- Cloud hosting and infrastructure
- Transactional email delivery
- Payment processing
- Analytics and error monitoring
- Customer support tooling
Each sub-processor is contractually bound to process data only as instructed by us, maintain appropriate security measures, and comply with applicable data protection laws. A current list of sub-processors is available upon request by contacting privacy@culturewheel.com.
5.2 Customer Administrators
Customer administrators have access to Employee Data and certain Feedback Data within their organization's account, as configured by their administrator permissions. Culture Wheel does not control or determine the scope of administrator access; this is managed by the Customer.
5.3 Legal Requirements
We may disclose personal information if required to do so by law, regulation, legal process, or enforceable governmental request. We will notify the affected Customer of such a request unless prohibited by law from doing so, and we will challenge overly broad requests where appropriate.
5.4 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, personal information may be transferred as part of that transaction. We will notify Customers in advance and ensure that the receiving entity is bound by commitments at least as protective as those in this Privacy Policy.
6. Anonymity and Confidentiality Protections
Culture Wheel processes sensitive HR feedback data, and we take special measures to protect the confidentiality and, where applicable, anonymity of respondents.
6.1 360-Degree Feedback Anonymity
When a 360 review cycle is configured as anonymous, the identities of individual reviewers are not disclosed to the review subject or their manager. Culture Wheel enforces this at the platform level:
- Anonymous feedback is aggregated and presented without attribution
- We apply minimum response thresholds — feedback from a reviewer category (e.g., peers, direct reports) is only displayed when sufficient responses have been collected to prevent identification of individual respondents
- Customer administrators cannot access individual anonymous responses through the platform interface, API, or data exports
6.2 eNPS Survey Anonymity
eNPS survey responses are anonymous by default. We apply anonymity thresholds to protect respondents:
- Results for any segment (department, team, location) are only displayed when the group meets the minimum response threshold
- Free-text comments are presented without identifying information and are not linked to individual scores in any reports visible to administrators
- Individual survey responses cannot be exported or accessed by Customer administrators
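The minimum response thresholds described in 6.1 and 6.2 are only as strong as the way they are applied across overlapping segments: if a department's result is shown together with every team in it except one small team, the hidden team's result can be backed out by subtraction. The following is an added illustration, not Culture Wheel's code and not a description of how the platform actually implements its thresholds. It applies a primary threshold (an assumed value of 5; the policy does not state the real number) and then a complementary check that hides further segments whenever the remaining respondents of a displayed parent would form a group smaller than the threshold. All names and scores are constructed for the example.

```python
# Constructed sample eNPS survey: (department, team, list of 0-10 scores).
# Names and scores are made up for this example; they are not real data.
SAMPLE = [
    ("Engineering", "Platform", [9, 8, 10, 7, 9]),
    ("Engineering", "Mobile", [6, 8, 9, 7, 8]),
    ("Engineering", "Data", [2, 3]),
    ("Operations", "Support", [8, 9, 6, 7, 9, 10]),
    ("Sales", "Enterprise", [4, 5, 6]),
]

MIN_RESPONSES = 5  # assumed threshold; the policy does not state the real value


def enps(scores):
    """Employee NPS: % promoters (9-10) minus % detractors (0-6), rounded."""
    promoters = sum(1 for s in scores if s >= 9)
    detractors = sum(1 for s in scores if s <= 6)
    return round(100 * (promoters - detractors) / len(scores))


def build_tree(sample):
    """Nest responses as company -> department -> team; every node keeps all
    scores that fall under it, so counts at each level are exact."""
    root = {"scores": [], "children": {}}
    for dept, team, scores in sample:
        node = root
        node["scores"].extend(scores)
        for name in (dept, team):
            node = node["children"].setdefault(name, {"scores": [], "children": {}})
            node["scores"].extend(scores)
    return root


def _hide_subtree(path, out):
    # Hiding a segment must also hide everything under it: a child that covers
    # the whole segment would otherwise reveal the hidden value.
    for key in out:
        if key[: len(path)] == path:
            out[key] = None


def _suppress(node, path, k, out):
    # Primary suppression: a segment with fewer than k responses is never shown.
    shown = len(node["scores"]) >= k
    out[path] = enps(node["scores"]) if shown else None
    kids = node["children"]
    for name, child in kids.items():
        _suppress(child, path + (name,), k, out)
    if not shown:
        return
    # Complementary suppression: respondents of a displayed parent who are in no
    # displayed child form a residual group. Parent result minus the displayed
    # children lets a viewer estimate that residual, so it must be empty or at
    # least k people. Hide the smallest displayed child until that holds.
    while True:
        displayed = [(len(kids[n]["scores"]), n) for n in kids if out[path + (n,)] is not None]
        residual = len(node["scores"]) - sum(c for c, _ in displayed)
        if residual == 0 or residual >= k:
            return
        _, name = min(displayed)  # smallest count, then name, for determinism
        _hide_subtree(path + (name,), out)


def segment_report(sample, k=MIN_RESPONSES):
    """Map each segment path (() for the whole company, ("Engineering",),
    ("Engineering", "Platform"), ...) to its eNPS, or None if suppressed."""
    out = {}
    _suppress(build_tree(sample), (), k, out)
    return out


if __name__ == "__main__":
    for path, value in sorted(segment_report(SAMPLE).items()):
        label = "/".join(path) or "All respondents"
        print(f"{label:25s} {'suppressed' if value is None else value}")
```

With the sample data, the primary threshold alone would show Engineering, Platform, Mobile and Operations; the complementary pass additionally hides Mobile (otherwise Engineering minus Platform minus Mobile isolates the two Data respondents) and Operations (otherwise the company total minus Engineering minus Operations isolates the three Sales respondents). The same logic applies to reviewer categories in a 360 cycle, where the parent is the subject's full feedback set and the children are the peer, direct report and manager groups.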
6.3 Peer Recognition Visibility
Unlike anonymous feedback, peer recognition is designed to be visible within the organization. When an employee gives recognition to a colleague, the sender's name, the recipient, the recognition message, and any associated company values are visible to other members of the organization as configured by the Customer administrator. Employees should be aware that recognition activity is not anonymous.
7. DISC Assessment Data
DISC personality assessments generate behavioral profile data that we classify as sensitive personal information. We apply the following protections:
- Purpose limitation — DISC results are used solely to facilitate team collaboration, communication improvement, and professional development within the Customer's organization. They are never used for hiring decisions, termination determinations, or any form of automated decision-making with legal or similarly significant effects.
- Access controls — DISC profiles are visible to the individual employee and, based on Customer configuration, to their manager and/or team members. Visibility settings are controlled by the Customer administrator.
- No external sharing — individual DISC results are never shared with third parties, including recruiters, background check services, or other employers.
- Deletion rights — employees may request deletion of their DISC assessment data through their organization's administrator or by contacting us directly.
8. Data Retention
We retain personal information only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law.
- Active accounts — all Customer and Employee Data is retained for the duration of the Customer's active subscription
- Account termination — upon termination or expiration of a Customer's subscription, we provide a 30-day window for the Customer to export their data. After this export period, all Customer Data, Employee Data, and Feedback Data is permanently deleted from our production systems within 90 days
- Backups — data may persist in encrypted backups for up to an additional 90 days following deletion from production systems, after which backups are rotated and the data is permanently removed
- Anonymized aggregates — we may retain fully anonymized, aggregated data (which cannot be used to identify any individual) indefinitely for the purpose of generating industry benchmarks and improving the Service
- Free trial data — if a Customer does not convert to a paid subscription after the 14-day free trial, all data associated with the trial account is deleted within 30 days of trial expiration
9. Data Security
We implement comprehensive technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction.
- Encryption — all data is encrypted in transit using TLS 1.2 or higher, and at rest using AES-256 encryption
- Access controls — internal access to Customer data is restricted to authorized personnel on a need-to-know basis, enforced through role-based access controls and multi-factor authentication
- Infrastructure security — our infrastructure is hosted in data centers covered by SOC 2 Type II audit reports, with physical security controls, redundancy, and disaster recovery capabilities
- SOC 2 compliance — Culture Wheel is pursuing its own SOC 2 Type II attestation report and has implemented controls aligned with the Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy
- Vulnerability management — we conduct regular security assessments, penetration testing, and vulnerability scanning of our systems
- Incident response — we maintain an incident response plan and will notify affected Customers of any confirmed data breach without undue delay, and in any event within 72 hours of becoming aware of the breach, as required by applicable law
- Employee training — all Culture Wheel employees receive security awareness training and are bound by confidentiality obligations
10. Your Rights
Depending on your location and applicable law, you may have certain rights regarding your personal information. Because Culture Wheel processes Employee Data on behalf of our Customers (see Section 14), End Users should direct most data rights requests to their employer in the first instance. We will assist our Customers in fulfilling these requests.
10.1 Rights Under GDPR (EEA, UK, and Switzerland)
If you are located in the EEA, United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate or incomplete personal data
- Right to erasure — request deletion of your personal data, subject to legal and contractual retention requirements
- Right to data portability — receive your personal data in a structured, commonly used, machine-readable format
- Right to restrict processing — request that we limit how we process your data in certain circumstances
- Right to object — object to processing based on legitimate interests or for direct marketing purposes
- Right to withdraw consent — where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of processing performed prior to withdrawal
- Right to lodge a complaint — file a complaint with your local supervisory authority if you believe your rights have been violated
10.2 Rights Under CCPA/CPRA (California)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and the California Privacy Rights Act:
- Right to know — request disclosure of the categories and specific pieces of personal information we have collected, the sources of that information, and the purposes for which it is used
- Right to delete — request deletion of your personal information, subject to certain exceptions
- Right to correct — request correction of inaccurate personal information
- Right to opt-out of sale or sharing — we do not sell or share (as defined by the CCPA/CPRA) your personal information, so no opt-out is necessary. We do not and will not sell your data.
- Right to non-discrimination — we will not discriminate against you for exercising any of your CCPA/CPRA rights
- Right to limit use of sensitive personal information — you may request that we limit the use of sensitive personal information to purposes necessary to provide the Service
10.3 How to Exercise Your Rights
To exercise any of the rights described above:
- End Users: contact your organization's Culture Wheel administrator in the first instance. If you are unable to resolve your request through your employer, you may contact us directly.
- Customer administrators: submit requests via the in-app support channel or email privacy@culturewheel.com.
- All individuals: you may email privacy@culturewheel.com with your request. We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before fulfilling your request.
11. International Data Transfers
Culture Wheel is based in the United States. If you access the Service from outside the United States, your personal information will be transferred to and processed in the United States and potentially other jurisdictions where our sub-processors operate.
For transfers of personal data from the EEA, United Kingdom, or Switzerland to countries that have not received an adequacy determination, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs) — we enter into EU-approved Standard Contractual Clauses with our Customers and sub-processors to ensure an adequate level of protection for personal data transferred internationally
- UK International Data Transfer Addendum — for transfers from the United Kingdom, we use the UK addendum to the EU SCCs as approved by the UK Information Commissioner's Office
- Supplementary measures — we implement additional technical and organizational safeguards, including encryption and access controls, to protect data during and after transfer
Copies of the applicable Standard Contractual Clauses are available upon request.
12. Children's Privacy
Culture Wheel is a workplace platform designed for use by adults in a professional context. The Service is not intended for, nor directed to, individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information promptly. If you believe we have inadvertently collected such information, please contact us at privacy@culturewheel.com.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make changes:
- We will update the "Last updated" date at the top of this page
- For material changes, we will provide at least 30 days' advance notice via email to Customer administrators and/or a prominent notice within the Service
- Material changes include modifications to the categories of data collected, new purposes for processing, changes to data sharing practices, or reductions in your rights
- Continued use of the Service after the effective date of a revised policy constitutes acceptance of the changes
We encourage you to review this policy periodically to stay informed about how we protect your information.
14. Data Controller and Data Processor Roles
Understanding the respective roles of Culture Wheel and our Customers is important for clarity on data governance responsibilities:
- Culture Wheel as Data Processor (or Service Provider) — with respect to Employee Data, Feedback Data, and Assessment Data entered into the Service by or on behalf of a Customer, Culture Wheel acts as a Data Processor (under GDPR) or Service Provider (under CCPA/CPRA). We process this data solely on the Customer's behalf and in accordance with their instructions as set forth in our Data Processing Agreement.
- The Customer as Data Controller (or Business) — the subscribing organization is the Data Controller (or Business under CCPA/CPRA) for the personal data of its employees that is processed through the Service. The Customer is responsible for ensuring a lawful basis for collecting and processing its employees' data, providing appropriate privacy notices to its employees, and responding to data subject requests (with our assistance).
- Culture Wheel as Data Controller — Culture Wheel acts as a Data Controller for data we collect independently, such as Customer administrator account information, billing data, website visitor data, and usage data collected for our own operational purposes.
We offer a Data Processing Agreement (DPA) to Customers who require one to comply with their data protection obligations. Our DPA includes the Standard Contractual Clauses and specifies the scope, nature, and purpose of processing, as well as the types of personal data and categories of data subjects. To request a DPA, contact privacy@culturewheel.com.
15. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Privacy inquiries: privacy@culturewheel.com
- Data Protection Officer: dpo@culturewheel.com
- Mailing address: Culture Wheel, Inc., Attn: Privacy Team, 123 Main Street, Suite 400, San Francisco, CA 94105, United States
We aim to respond to all privacy-related inquiries within 30 days. For data subject access requests under GDPR, we will respond within one month of receiving the request, with the possibility of a two-month extension for complex or numerous requests, as permitted by law.