The short version: nothing identifies you.

• Your quiz answers. The 19 questions you answered (15 forced-choice + 4 Likert), stored against a random session token.
• Your computed scores. Your primary and secondary styles, your Connection Reach (Bridging Index), and a small number of internal research dimensions used only in the eventual report.
• The optional demographics block, if you choose to fill it in. Five multiple-choice fields plus an open-text box. Every field is optional.

• Your name, email, phone, or address. Ever. The form has no field for them.
• Your raw IP address. We hash your IP one-way (SHA-256 with a per-deployment salt) so we can rate-limit abuse. The raw IP never reaches storage and is never logged.
• Tracking cookies, ad pixels, third-party analytics. None.
• Your browser fingerprint. We record only your user-agent string for short-lived bot detection, and that's purged on a 30-day rolling job.

• Showing you your result. Your scores power your result page and your downloadable PDF field guide.
• Aggregate research. Across thousands of completions, the data describes what volunteers actually want, published as The State of Volunteer Service in late 2026. Aggregate only. Your individual row is not republished. We ask for your consent to this research use before the quiz begins, and record the version and time of that consent.

MyImpactStyle runs on Amazon Web Services in the United States region. The application servers run as containerized tasks on AWS Fargate inside a private VPC; only the public load balancer is reachable from the internet, and it terminates TLS 1.2+ before forwarding traffic onward. Your quiz answers and the computed scores live in a managed PostgreSQL database (RDS) in a private subnet. There's no public path to it. We don't ship your data to third-party analytics, advertising, or AI services. The framework and the assessment are open; the dataset stays anonymous.

Your trust matters to us, and we've built our security from the ground up to earn it. Here's what we have in place.

• Your connection is always encrypted. Every interaction between you and our platform runs over HTTPS using TLS 1.2 or 1.3. That protection doesn't stop at the front door. Traffic flowing between our internal systems stays encrypted too.
• Your data is secure at rest. Your information (including our database, cache, backups, and container registry) is encrypted using AWS Key Management Service (KMS). Even offline backup snapshots carry the same encryption, so there are no gaps.
• We never store your raw IP address. When we need an attribution marker for things like rate limiting and bot detection, we use a one-way SHA-256 hash combined with a rotating server-side salt. Once the salt rotates, old hashes can't be reversed, even by us. Your IP is never written to disk or logged.
• We enforce strict browser security policies. Every response from our platform includes a hardened set of security headers that block clickjacking, content sniffing, and unauthorized scripts. Our admin interface goes a step further with a nonce-driven policy that prevents any inline scripts from running.
• A firewall watches every request. AWS WAF v2 sits in front of our platform, screening for OWASP common attacks, known malicious payloads, and abusive IP patterns. Our application layer adds its own rate limits per IP and per session, backed by Redis, so abuse is caught early and doesn't come back.
• Automated bots don't get through. We use Cloudflare Turnstile to detect automated abuse: a privacy-respecting alternative to traditional CAPTCHAs that doesn't profile you or set tracking cookies.
• Admin access is locked down tight. Our administrative interface requires a password plus a second authentication factor (TOTP). Sessions are short-lived and can be revoked instantly. Every admin action is recorded in a tamper-evident audit log.
• Sensitive credentials never touch your browser. Database credentials, signing keys, and other secrets live exclusively in AWS Secrets Manager, encrypted with customer-managed KMS keys, and rotated on a documented schedule. They are never stored in our codebase.
• We back up your data and test our recovery process. Automated encrypted backups run continuously with point-in-time recovery. We regularly exercise our restore process to make sure recovery works when it counts. Not just in theory.
• We stay ahead of vulnerabilities. Our container image is rebuilt from a current base on every release. We continuously scan dependencies for known vulnerabilities, and runtime errors are monitored through a private error tool with sensitive content scrubbed before it ever leaves your server.

• Raw answers and demographics: 24 months from quiz completion. After that, the row-level data is deleted; only aggregate scores remain.
• Hashed IP and user-agent: 30 days for bot mitigation, then purged.
• Aggregate scores (no row-level identifiers): retained indefinitely for longitudinal research.

You can delete your individual session at any time. Go to myimpactstyle.com/delete and paste your result link or session token, or use the “Delete this result” link on your result page. The row, its answers, its score, and any demographics you submitted are removed in a single transaction.

Because we never collected an identifier in the first place, we cannot (and don't) process the usual subject-access request: there is nothing about you to disclose beyond the row attached to your token.

MyImpactStyle is funded by Better Impact, the volunteer-management platform used by 65,000+ companies worldwide. The project's findings and framework are governed independently and published openly.

• GDPR. The assessment itself processes no personal data, so most of the regulation does not apply by design. Where the optional demographics block is concerned, the lawful basis is your consent (Art. 6(1)(a)), and the right-to-deletion request (Art. 17) is implemented as a direct, self-service endpoint described under Your rights.
• OWASP Application Security Verification Standard. Security headers, input validation, authentication, and session-management decisions follow the OWASP Top 10 guidance and the OWASP Secure Headers Project.
• NIST SP 800-63 / 800-53 controls. Where they map to an anonymous public service: strong cryptography in transit and at rest, key management, multi-factor administrator access, audit logging, and tested backups.

MyImpactStyle does not currently hold a third-party security certification. We design and operate to the controls these frameworks describe but do not claim certification we do not hold.

MyImpactStyle uses a minimal set of third-party services. No third-party advertising networks, no Google Analytics, and no social tracking pixels are loaded on this site.

• Amazon Web Services (AWS). Compute (Fargate), database (RDS PostgreSQL), cache (ElastiCache Redis), load balancing (ALB), web application firewall (WAF v2), encryption keys (KMS), secrets (Secrets Manager), backups (AWS Backup), DNS (Route 53), and observability (CloudWatch). Hosting region: United States.
• Cloudflare Turnstile. Bot challenge on the quiz-start endpoint. Turnstile does not profile users and does not set tracking cookies; the only data exchanged is a short-lived challenge token that confirms the request is human-issued.
• Sentry. Application error monitoring. Reports may include technical metadata (browser type, page URL, stack trace) but never quiz answers or demographic content. That data is scrubbed server-side before any report is sent.
• Google Fonts. Fonts are loaded from Google's CDN. Your browser establishes a connection to Google's servers when the page renders; that connection is governed by Google's privacy policy.

MyImpactStyle is provided for personal, educational, and organizational development purposes. By using this site you agree to the following:

• You will not attempt to reverse-engineer, scrape, or systematically extract data from the platform.
• You will not use automated tools to submit quiz responses at volume.
• The quiz content, style profiles, and all associated written material are the intellectual property of Better Impact Inc. You may share your personal result for non-commercial purposes with attribution.
• The platform is provided "as is" without warranties of any kind. Better Impact is not liable for decisions made on the basis of quiz results.
• We may update these terms. Material changes are reflected in the LAST UPDATED date below.

This notice is plain-language on purpose. If something is unclear, write to privacy@betterimpact.com. For data-deletion requests, please include your session token. We aim to reply within 5 business days.