One Species Limited is the data controller responsible for your personal data. We operate the O!Sapiens brand, the SapiensOS HealthSpan platform, and the osapiens.expert website and tools.
| Detail | Information |
|---|---|
| Legal entity | One Species Limited |
| Registered jurisdiction | Cyprus (EU member state) |
| Primary contact | hi@osapiens.expert |
| Website | osapiens.expert |
| Supervisory authority | Office of the Commissioner for Personal Data Protection, Cyprus |
As a Cyprus-registered entity, we are subject to the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Cyprus Personal Data Protection Law 125(I)/2018, which transposed the GDPR into national law.
We collect data through two primary touchpoints: the Inner OS Assessment tool and 1-on-1 coaching sessions. Below is a plain-language summary of each category.
When you complete the Inner OS Assessment at osapiens.expert, you answer 10 questions about your current state across the Sapiens OS pillars — Sleep, Nutrition, Movement, Stress Regulation, Social Connection, Light & Darkness, Agency, Meaning, Rest, and Curiosity. Your answers produce a numerical score for each pillar (0–100).
We also collect the following choices you make during the assessment:
If you choose to submit your email address, we collect your first name (optional) and email address. Submission is always voluntary — you may view a summary of your assessment results without providing contact details.
When you submit your email, we generate a personalised spider graph image of your pillar scores using a third-party charting service (QuickChart.io). The chart URL is stored on your contact record in our email platform so we can include it in your follow-up email.
If you book a 1-on-1 coaching session via Google Calendar, Google collects your name, email, and the details you provide when booking. During the session, the coach (Vladislav Andreev) may take notes. These notes are held by the coach and are not processed by automated systems.
Our website is hosted on Netlify. Standard server logs may include your IP address, browser type, and page URLs for security and performance purposes. We do not use these logs for profiling or marketing.
We rely on the following legal bases under GDPR Article 6 (and Article 9 for health-adjacent data — see Section 4):
| Activity | Legal basis | Detail |
|---|---|---|
| Processing assessment scores and submitting to our systems | Explicit consent (Art. 6(1)(a) + Art. 9(2)(a)) | You check a consent box before submitting. Consent is granular, freely given, and recorded. |
| Sending your protocol and personalised follow-up emails | Consent (Art. 6(1)(a)) | Covered by the same consent box. You can unsubscribe at any time via the link in every email. |
| Delivering 1-on-1 coaching | Contract (Art. 6(1)(b)) | Processing is necessary to deliver the service you have engaged us for. |
| Anonymised assessment research (no email link) | Legitimate interests (Art. 6(1)(f)) | Aggregated, anonymised score data (session ID only, no name or email) is used to improve our framework. This data cannot identify you and carries minimal privacy risk. |
| Security and server logs | Legitimate interests (Art. 6(1)(f)) | Necessary to maintain the security and integrity of our services. |
Where we rely on legitimate interests, we have assessed that our interest does not override your fundamental rights and freedoms. You may object to legitimate-interest processing at any time (see Section 8).
GDPR Article 9 places stricter rules on the processing of certain "special categories" of personal data, including data concerning health. Our assessment asks about sleep quality, stress levels, energy, and other wellbeing indicators. While our service is educational coaching — not clinical healthcare — we treat this data as health-adjacent and apply Article 9 safeguards as a matter of principle.
You may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. To withdraw, email us at hi@osapiens.expert and we will delete your personal data from our systems within 30 days.
We use a small number of carefully selected third-party services to operate our platform. Each is engaged as a data processor under a written agreement (Data Processing Agreement or equivalent) and may only process your data as we instruct.
| Processor | Role | Data shared | Location |
|---|---|---|---|
| Brevo (Sendinblue) | Email marketing and contact management | Name, email, consent record, assessment attributes (scores, focus pillars, support preference, commitment level, keystone practice) | EU (Paris, France) |
| Google LLC | Apps Script (server-side relay), Google Sheets (research log), Google Calendar (session booking) | Assessment scores, session ID, email (relay only — not stored in Sheets), booking details | US (see Section 6) |
| QuickChart.io | Spider graph image generation | Pillar scores (sent as chart parameters in a URL — no name or email transmitted) | US (see Section 6) |
| Netlify, Inc. | Website hosting | Standard server logs (IP address, page URLs) | US (see Section 6) |
| Stripe, Inc. | Payment processing (coaching sessions) | Payment details (card number is never seen by O!Sapiens — Stripe is the processor) | US (see Section 6) |
We do not sell, rent, or trade your personal data to any third party for their own marketing or commercial purposes.
Some of our processors are based in the United States, which is outside the European Economic Area (EEA). The EU has not issued an adequacy decision for the US as a whole, which means we must put in place appropriate safeguards before transferring personal data there.
For transfers to US-based processors, we rely on one or more of the following mechanisms:
You may request a copy of the relevant transfer safeguards by contacting us at hi@osapiens.expert.
| Data type | Retention period | Reason |
|---|---|---|
| Email address and name | Until you unsubscribe or request deletion | Required to deliver the service you have subscribed to |
| Assessment attributes in Brevo (scores, focus pillars, preferences) | Linked to your contact record — deleted when your contact is deleted | Personalisation of communications |
| Anonymised research log (Google Sheets — session ID + scores, no email) | Up to 3 years, then reviewed for deletion | Framework improvement and pattern analysis |
| Coaching session notes | Duration of coaching relationship + 1 year | Continuity of care; deleted on request |
| Payment records | 7 years | Legal obligation (accounting and tax law) |
| Server logs (Netlify) | 30 days | Security monitoring — standard log rotation |
When data reaches the end of its retention period, it is deleted or anonymised so it can no longer be linked to you. You may also request early deletion at any time (see Section 8).
As a data subject under the GDPR, you have the following rights. These rights apply to all personal data we hold about you as a data controller.
You may request a copy of all personal data we hold about you, together with information about how we use it.
You may ask us to correct inaccurate data or complete incomplete data we hold about you.
You may ask us to delete your personal data. We will comply unless we are required by law to retain it.
You may ask us to pause processing of your data while a dispute about accuracy or lawfulness is resolved.
Where processing is based on consent or contract, you may receive your data in a machine-readable format.
You may object to processing based on legitimate interests at any time. We must stop unless we have compelling grounds to continue.
You may withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.
We do not make solely automated decisions that produce legal or similarly significant effects about you.
Email us at hi@osapiens.expert with the subject line "GDPR Request" and describe your request. We will respond within 30 days. We may need to verify your identity before acting on a request.
Exercising your rights is always free of charge. In exceptional cases where requests are manifestly unfounded or repetitive, we may charge a reasonable administrative fee or decline to act — we will notify you if this applies.
The Inner OS Assessment tool is a single-file HTML application that runs entirely in your browser. It does not set cookies, and it does not use third-party analytics or tracking pixels.
The main osapiens.expert website may use cookies for basic functionality (such as remembering your language preference). We do not currently use advertising cookies, retargeting pixels, or behavioural tracking services such as Google Analytics.
If we introduce any cookies beyond strictly necessary functionality in future, we will update this policy and present an appropriate consent mechanism before placing them.
Our services are directed at adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. The Inner OS Assessment is designed for senior professionals and adults engaged in personal development.
If we become aware that we have inadvertently collected data from a minor, we will delete it promptly. If you believe a minor has submitted data to us, please contact us at hi@osapiens.expert.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you directly by email.
We encourage you to review this policy periodically. Your continued use of our services after a material update constitutes acceptance of the revised policy, unless we are required by law to obtain fresh consent.
For any question about how we use your data, to exercise a right, or to raise a concern, contact us directly first. We aim to respond within 30 days and to resolve concerns informally wherever possible.
If you are not satisfied with our response, you have the right to lodge a complaint with a data protection supervisory authority. You may contact the authority in the EU member state where you live, work, or where the alleged infringement took place.
| Authority | Jurisdiction | Contact |
|---|---|---|
| Office of the Commissioner for Personal Data Protection | Cyprus (our registered jurisdiction) | dataprotection.gov.cy |
| Agencia Española de Protección de Datos (AEPD) | Spain (where our operations are based) | aepd.es |
You may also contact the supervisory authority in your own country if you reside in a different EU/EEA member state.