Privacy Policy

Vocational Guidance and Purpose Development Platform

Last updated: February 12, 2026

A product of 3LOX LLC
7791 NW 46th Street, Suite 219, Doral, FL 33166, United States

Privacy Summary

Data Controller: 3LOX LLC (USA) | EU Representative: designation in process (Madrid, Spain) | Contact: legal@3lox.com

Purpose: Vocational guidance through psychometric assessments, generation of personalized reports, and AI assistance.

Processed Data: Identification, responses to vocational tests, technical browsing data, and cookies.

Legal Basis: Consent, performance of a contract, legal obligation, and legitimate interest (Art. 6 GDPR).

Rights: Access, rectification, erasure, portability, objection, and restriction. Contact: legal@3lox.com

Minors (Spain): Individuals aged 14 and over can consent for themselves. Minors under 14 require parental authorization.

Complete information (second layer) below:

This Privacy Policy describes how 3LOX LLC (hereinafter, "3LOX", "we", "us", or "our"), located at 7791 NW 46th Street, Suite 219, Doral, FL 33166, United States, collects, uses, protects, and shares the personal information obtained through the 360° PathFinder platform (the "Service").

For European Union users, 3LOX has appointed an EU Representative in accordance with Article 27 of Regulation (EU) 2016/679 (GDPR), whose contact details are provided in Section 14 of this Policy.

By accessing or using the Service, you declare that you have read, understood, and accepted the terms of this Policy, and you authorize the processing of your information as set forth herein.

This Policy complements the Terms and Conditions of Use and the Cookie Policy of the Service.

1. Data Controller

The controller of your personal data is:

  • 3LOX LLC
  • Address: 7791 NW 46th Street, Suite 219, Doral, FL 33166, United States
  • Email: legal@3lox.com
  • Website: https://360pathfinder.com

When 3LOX acts as a data processor on behalf of an educational Institution or organization, such Institution will be the data controller, and 3LOX will process the data according to their instructions and the Data Processing Agreement (DPA) signed between the parties.

2. To Whom This Policy Applies

This Policy applies to all users of the Service, which include the following profiles:

  • Explorers: high school students (from 14 years old) in the process of vocational discovery.
  • Validators: university students or recent graduates (19-24 years old) seeking to confirm or adjust their professional choice.
  • Renovators: experienced professionals (28-45 years old) in the process of reinvention or career transition.
  • Transcendents: senior professionals and leaders (45+ years old) focused on legacy, mentoring, and impact.
  • Educational institutions: schools, institutes, and universities that implement the Service for their students.
  • Companies and organizations: entities that use the Service for talent development, outplacement, or organizational wellness.
  • Families (Referents): fathers, mothers, and guardians participating as validators from the Explorer's environment.
  • Professional facilitators: vocational counselors, psychologists, coaches, and mentors who use the platform as a support tool.

3. Information We Collect

We collect the personal information that you or your Institution provide directly or indirectly, in accordance with the principle of data minimization (Art. 5.1.c GDPR). The data categories are:

3.1 Data provided directly by the User

  • Identification data: full name, email address, date of birth, country of residence, educational institution or employer, job title or role.
  • Vocational and psychometric data: responses to the Service's 14 assessments (personality, interests, skills, values, IKIGAI, RCV), career preferences, motivations, and professional goals.
  • Communication data: messages to support, contact forms, interactions with the AI assistant (K-AI), and information submitted voluntarily.
  • Referent data: when third parties (parents, teachers, leaders) participate as validators, their responses about the Explorer.

3.2 Automatically collected data

  • Technical data: IP address, browser type, operating system, time zone, device, language, and browsing patterns.
  • Usage data: date and time of access, pages visited, features used, time spent, assessment progress, and completed missions.
  • Cookie data: as described in our Cookie Policy (https://360pathfinder.com/politica-cookies).

3.3 Data provided by Institutions

  • Institutional data: name of the contracting institution, contact person, Tax ID (NIF/CIF), billing data, and lists of authorized users.

3.4 Sensitive Data

We do not request or process special categories of data (racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data, health data, or sexual orientation) unless the User provides them voluntarily in open-ended responses, in which case the processing is based on the User's explicit consent (Art. 9.2.a GDPR).

4. Purposes of Processing

Personal data is collected and used exclusively for the following purposes:

  • To create and manage the User's Account and authenticate their identity.
  • To provide the Service: administer the psychometric Assessments and generate vocational guidance Reports, 360° profiles, Possible Trajectories Maps (MTP), and personalized Action Plans.
  • To personalize the user experience, including recommendations from the AI assistant (K-AI) and content selection from the Vocational Resource Center.
  • To generate comparative 360° validation reports ("How you see yourself vs. How others see you") with the Referents' assessments.
  • To fulfill contractual obligations with educational Institutions, companies, or other clients.
  • To provide institutional Dashboards with aggregated and anonymized analytics.
  • To send Service-related communications: technical support, updates, progress notifications, and security alerts.
  • To send commercial and marketing communications, only with the User's prior and specific consent.
  • To comply with applicable legal, tax, accounting, or regulatory obligations.
  • To analyze usage trends anonymously and in aggregate to improve the quality, accuracy, and effectiveness of the Service.
  • To prevent fraud, abuse, and threats to the platform's security.

5. Legal Basis for Processing

Data processing is carried out based on the following legal grounds, in accordance with Art. 6 of the GDPR:

Legal Basis | Associated Purposes
Explicit consent (Art. 6.1.a) | Registration, psychometric assessments, commercial communications, non-essential cookies.
Performance of a contract (Art. 6.1.b) | Provision of the Service, generation of Reports, Account management.
Legal obligation (Art. 6.1.c) | Compliance with tax, accounting, data protection, and child protection regulations.
Legitimate interest (Art. 6.1.f) | Improvement of the Service, security, fraud prevention, anonymized statistical analysis.

For users in Colombia, the legal basis includes the prior, explicit, and informed authorization of the data subject in accordance with Law 1581 of 2012. For users in the United States, COPPA and CCPA/CPRA legal bases apply as appropriate.

6. Data of Minors

6.1 Minimum Age and Consent

The Service may be used by individuals aged 14 and over. Consent requirements vary by jurisdiction:

  • Spain: users aged 14 to 17 can consent to the processing of their data themselves in accordance with Art. 7 of the LOPDGDD. Minors under 14 require the consent of the holder of parental authority or guardianship. When access is provided through an educational Institution, it will act as the data controller and manage consents according to applicable regulations.
  • Other EU countries: parental consent will be required below the minimum age set by each Member State (between 13 and 16 years, Art. 8 GDPR). Users above their country's minimum age can consent for themselves.
  • United States: verifiable parental consent is required for children under 13 under COPPA. Users aged 13 to 17 can access with parental or institutional consent.
  • Colombia: authorization from the legal representative according to Law 1581 of 2012.
  • Other countries: local child protection laws will apply. Where local legislation does not regulate this, minors under 18 will require parental or institutional authorization.

6.2 Verification of Consent

Parental consent must be verifiable, recording: date, medium used, identity of the granting party, and, when feasible, IP address, in accordance with COPPA and the GDPR.

6.3 Enhanced Protective Measures

  • Automatic deactivation of marketing and advertising tracking cookies.
  • Only strictly necessary cookies and anonymized analytics are used.
  • Data minimization principle: only strictly necessary data for educational purposes is collected.
  • Parents or guardians may request access, rectification, or deletion of data at any time by writing to legal@3lox.com.
  • Maximum retention of 24 months from the last activity.
  • Personalized advertising is not shown to minors.

7. Data Retention

Personal data will be retained only for the time necessary to fulfill the established purposes, according to the principle of storage limitation (Art. 5.1.e GDPR):

User Category | Retention Period
Students (minors) | 24 months from the last activity.
Individual users (adults) | Up to 5 years from the last activity.
Institutional users | Term of the contract + 24 months.
Billing and tax data | According to applicable tax legislation (generally 5-7 years).
Anonymized data | Indefinitely (it is no longer personal data).
Consent data | For the duration of the relationship + legal statute of limitations.

When the data is no longer necessary, it will be securely and irreversibly deleted or anonymized.

8. User Rights

In accordance with the GDPR (Arts. 15-22), the LOPDGDD, the CCPA/CPRA, and Law 1581 of 2012 of Colombia, you may exercise the following rights:

  • Access (Art. 15 GDPR): to know what personal data we process about you and to obtain a copy.
  • Rectification (Art. 16 GDPR): to request the correction of inaccurate or incomplete data.
  • Erasure / Right to be Forgotten (Art. 17 GDPR): to request the deletion of your data when it is no longer necessary or if you withdraw your consent.
  • Restriction of processing (Art. 18 GDPR): to restrict processing in certain circumstances.
  • Portability (Art. 20 GDPR): to receive your data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
  • Objection (Art. 21 GDPR): to object to processing based on legitimate interest or direct marketing.
  • Not to be subject to automated decisions (Art. 22 GDPR): the right not to be subject to decisions based solely on automated processing that produce legal effects.
  • Withdrawal of consent: to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
  • CCPA/CPRA Rights (California residents): the right to know, delete, and opt-out of the sale of personal data. 3LOX does not sell personal data.

To exercise these rights, please write to: legal@3lox.com with the subject "Privacy Rights Request – PathFinder", indicating your name, registered email, and the right you wish to exercise. We will respond within a maximum of 30 days (GDPR) or 45 days (CCPA).

European Union Users: may file a complaint with the Spanish Data Protection Agency (AEPD, www.aepd.es) or the data protection authority of their country of residence.

Colombian Users: may file complaints with the Superintendency of Industry and Commerce (SIC).

9. International Data Transfer

Your data may be transferred to and hosted on servers located outside your country of residence, including the United States and Germany, operated by providers such as Amazon Web Services (AWS).

To ensure an adequate level of protection, 3LOX applies the following safeguards:

  • Standard Contractual Clauses (SCCs): approved by the European Commission through Implementing Decision (EU) 2021/914, for transfers from the EEA.
  • Transfer Impact Assessment (TIA): analysis of the legal framework of the destination country to confirm equivalent protection.
  • Supplementary technical measures: encryption in transit (TLS 1.3) and at rest (AES-256), pseudonymization when feasible, and strict access controls.
  • Data Processing Addendum (DPA): data processing agreements with all providers who access personal data.

For users in Colombia, transfers are made in accordance with the transfer and transmission regime of Law 1581 of 2012 and the Sole Circular of the SIC.

10. Cookies and Tracking Technologies

We use cookies and similar technologies in accordance with our Cookie Policy, available at https://360pathfinder.com/politica-cookies.

Main categories of cookies:

  • Strictly necessary: authentication, security, basic preferences. They cannot be rejected.
  • Analytics: Google Analytics, Hotjar. They can be rejected.
  • Marketing: Meta Pixel, Google Ads, Clientify. They can be rejected.
  • Functional: theme preferences, language, time zone. They can be rejected.

Protection of minors: when the Service detects that a user is a minor, all marketing and advertising tracking cookies are automatically disabled, using only strictly necessary cookies and anonymized analytics. This complies with COPPA and the GDPR.

You can manage your cookie preferences from the consent banner or the "Cookie Preferences" button in the footer.

11. Information Security

3LOX LLC implements appropriate technical and organizational measures to protect personal data in accordance with Art. 32 of the GDPR, including:

  • Encryption: TLS 1.3 for data in transit and AES-256 for data at rest.
  • Access control: multi-factor authentication, principle of least privilege, and role management.
  • Infrastructure: AWS servers with SOC 2, ISO 27001 certifications, and GDPR compliance.
  • Backups: encrypted backups with retention policies and disaster recovery.
  • Monitoring: intrusion detection systems, continuous monitoring, and audit logs.
  • Incident response: documented response protocol for security breaches.

11.1 Data Breach Notification

In the event of a security breach that poses a risk to the rights and freedoms of users, 3LOX will:

  • Notify the competent supervisory authority within 72 hours of becoming aware of the breach (Art. 33 GDPR).
  • Communicate the breach to affected users without undue delay when it poses a high risk to their rights (Art. 34 GDPR).
  • Document the nature of the breach, its consequences, and the measures taken.

No digital system is completely secure. The user acknowledges and accepts the inherent risk of using online services.

12. Relationship with Educational Institutions and Third Parties

12.1 Data Processing Agreement (DPA)

When 3LOX acts as a data processor for educational Institutions or organizations, a Data Processing Agreement (DPA) will be formalized in accordance with Article 28 of the GDPR, which will establish:

  • The subject-matter, duration, nature, and purpose of the processing.
  • The types of personal data and categories of data subjects.
  • The obligations and rights of the controller.
  • The applicable security measures.
  • The conditions for engaging sub-processors.

12.2 No Sale of Data

3LOX does not sell, rent, or trade the personal data of its users. Data is shared only with:

  • Certified service providers acting as data processors under instructions from 3LOX and with adequate contractual guarantees.
  • Competent authorities when legally required (court order, administrative request).
  • The contracting Institution, within the scope of its contractual relationship, and to the extent necessary for the provision of the Service.

13. Guiding Nature of the Results

IMPORTANT NOTICE: The Reports, recommendations, and results generated by 360° PathFinder are strictly of a guiding and informational nature.

They are the result of algorithmic processing of the responses provided by the User and do not constitute medical or psychological diagnoses, nor binding professional advice. 3LOX expressly recommends that the results be complemented with the accompaniment of a qualified professional (vocational counselor, educational psychologist, career coach) for a comprehensive and personalized interpretation.

3LOX is not responsible for academic, professional, or personal decisions made based on the generated Reports. The quality of the results depends directly on the truthfulness and completeness of the User's responses.

14. Contact and European Union Representative

14.1 Data Controller

3LOX LLC – Legal Department – 360° PathFinder
Address: 7791 NW 46th Street, Suite 219, Doral, FL 33166, United States
Email: legal@3lox.com
Website: https://360pathfinder.com

14.2 European Union Representative (Art. 27 GDPR)

In accordance with Article 27 of the GDPR, 3LOX is in the process of formally designating a representative in the European Union with a physical address in Spain, who will act as a point of contact for data protection authorities and data subjects.

While this designation is completed, any communication related to the processing of personal data under the GDPR can be addressed to:

  • Email: legal@3lox.com
  • Subject: "EU Representative – 360° PathFinder"

3LOX is committed to publishing the full details of the designated representative (name, physical address, and contact details) in this same Policy and at https://360pathfinder.com/politica-privacidad as soon as the designation is effective. The estimated timeframe for formalization is 30 days from the publication of this version.

14.3 Regarding the Data Protection Officer (DPO)

3LOX LLC, as a company established outside the European Union whose core activities do not consist of the large-scale processing of special categories of data or the regular and systematic monitoring of data subjects, is not obligated to appoint a Data Protection Officer (DPO) under Article 37 of the GDPR.

However, 3LOX maintains a specialized internal legal team in data protection and privacy that oversees regulatory compliance and addresses all user inquiries and requests. You can contact this team at legal@3lox.com.

3LOX commits to designating a DPO if, in the future, the conditions of its activity require it under applicable regulations.

15. Links to Third-Party Sites and Services

The Service may contain links to third-party websites, platforms, or services. 3LOX does not control or assume responsibility for the privacy, security, or content practices of third parties. We recommend reviewing the privacy policies of each external site before sharing personal information.

16. Changes to this Policy

3LOX may update this Privacy Policy periodically to reflect changes in our data processing practices, applicable legislation, or Service features. Modifications will be published at https://360pathfinder.com/politica-privacidad indicating the date of the last update.

For material changes that affect your rights, we will notify you by email or through a notice within the platform at least 15 days in advance. Continued use of the Service after the publication of changes constitutes acceptance of the updated Policy. If you do not agree, you must stop using the Service.

17. Applicable Law and Jurisdiction

This Policy is governed by:

  • European Union Users: Regulation (EU) 2016/679 (GDPR) and the national legislation of the user's country of residence (including the LOPDGDD in Spain). Consumers may resort to the courts of their domicile.
  • Colombian Users: Law 1581 of 2012, Decree 1377 of 2013, and the regulations of the SIC.
  • Users from other Latin American countries: the applicable national data protection laws in each jurisdiction.
  • Users in the United States and other countries: the laws of the State of Florida, USA. Competent courts: Miami-Dade County, Florida.

© 2026 3LOX LLC – All rights reserved.
Transforming lives through vocational data science.
