360PathFinder Logo

Privacy Policy

Vocational Guidance and Purpose Development Platform

Last updated: June 30, 2026

A product of 3LOX LLC
7791 NW 46th Street, Suite 219, Doral, FL 33166, United States

Privacy Summary

Data Controller: 3LOX LLC (USA) | EU Representative: designation in progress (Madrid, Spain) | Contact: legal@3lox.com

Purpose: Vocational guidance through psychometric assessments, generation of personalized reports, and AI assistance.

Data processed: Identification data, responses to vocational tests, technical browsing data, and cookies.

Legal basis: Consent, contract performance, legal obligation, and legitimate interest (Art. 6 GDPR).

Rights: Access, rectification, erasure, portability, objection, and restriction. Contact: legal@3lox.com

Minors (Spain): Users aged 14 and up may consent on their own behalf. Users under 14 require parental authorization.

Full information (second layer) below:

This Privacy Policy describes how 3LOX LLC (hereinafter, "3LOX," "we," or "our"), with registered address at 7791 NW 46th Street, Suite 219, Doral, FL 33166, United States, collects, uses, protects, and shares the personal information obtained through the 360° PathFinder platform (the "Service").

For users in the European Union, 3LOX has designated an EU Representative under Article 27 of Regulation (EU) 2016/679 (GDPR), whose contact details are indicated in Section 15 of this Policy.

By accessing or using the Service, you represent that you have read, understood, and accepted the terms of this Policy and authorize the processing of your information as set out herein.

This Policy complements the Service's Terms and Conditions of Use and Cookie Policy.

1. Data Controller

The controller responsible for the processing of your personal data is:

  • 3LOX LLC
  • Address: 7791 NW 46th Street, Suite 219, Doral, FL 33166, United States
  • Email: legal@3lox.com
  • Website: https://360pathfinder.com

When 3LOX acts as a data processor on behalf of an educational Institution or organization, that Institution will be the data controller and 3LOX will process the data in accordance with its instructions and the Data Processing Agreement (DPA) executed between the parties.

2. Who This Policy Applies To

This Policy applies to all users of the Service, which include the following profiles:

  • Explorers: secondary and high school students (age 14 and up) in the process of vocational self-discovery.
  • Validators: university students or recent graduates (19-24 years old) seeking to confirm or adjust their professional choice.
  • Renewers: experienced professionals (28-45 years old) undergoing reinvention or career transition.
  • Transcendents: senior professionals and leaders (45+ years old) focused on legacy, mentorship, and impact.
  • Educational institutions: schools, institutes, and universities that implement the Service for their students.
  • Companies and organizations: entities that use the Service for talent development, outplacement, or organizational well-being.
  • Families (Reference Contacts): parents, mothers, and guardians who participate as validators from the Explorer's environment.
  • Professional facilitators: vocational counselors, psychologists, coaches, and mentors who use the platform as a support tool.

3. Information We Collect

We collect the personal information that you or your Institution provide directly or indirectly, in accordance with the data minimization principle (Art. 5.1.c GDPR). The categories of data are:

3.1 Data provided directly by the User

  • Identification data: full name, email address, date of birth, country of residence, educational institution or employer, position or role.
  • Vocational and psychometric data: responses to the Service's 14 assessments (personality, interests, skills, values, IKIGAI, VCR), career preferences, motivations, and professional goals.
  • Communication data: support messages, contact forms, interactions with the AI assistant (K-AI), and information voluntarily submitted.
  • Reference Contact data: when third parties (parents, teachers, leaders) participate as validators, their responses about the Explorer.

3.2 Data collected automatically

  • Technical data: IP address, browser type, operating system, time zone, device, language, and browsing patterns.
  • Usage data: date and time of access, pages visited, features used, time spent, progress in assessments, and missions completed.
  • Cookie data: as described in our Cookie Policy (https://360pathfinder.com/politica-cookies).

3.3 Data provided by Institutions

  • Institutional data: name of the contracting institution, contact person, tax ID, billing information, and lists of authorized users.

3.4 Sensitive Data

We do not request or process special category data (racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data, health data, or sexual orientation) unless the User voluntarily provides it in open-ended responses, in which case processing is based on the User's explicit consent (Art. 9.2.a GDPR).

4. Purposes of Processing

Personal data is collected and used exclusively for the following purposes:

  • Creating and managing the User's Account and authenticating their identity.
  • Providing the Service: administering the psychometric Assessments and generating vocational guidance Reports, 360° profiles, Possible Pathways Maps (PPM), and personalized Action Plans.
  • Personalizing the user experience, including recommendations from the AI assistant (K-AI) and content selection in the Vocational Resource Center.
  • Generating comparative 360° validation reports ("How you see yourself vs. How others see you") using Reference Contacts' assessments.
  • Fulfilling contractual obligations with educational Institutions, companies, or other clients.
  • Providing institutional Dashboards with aggregated, anonymized analytics.
  • Sending Service-related communications: technical support, updates, progress notifications, and security alerts.
  • Sending commercial and marketing communications, only with the User's prior, specific consent.
  • Complying with applicable legal, tax, accounting, or regulatory obligations.
  • Analyzing usage trends anonymously and in aggregate to improve the quality, accuracy, and effectiveness of the Service.
  • Preventing fraud, abuse, and threats to platform security.

5. Legal Basis for Processing

Data processing is carried out in accordance with the following legal bases, as set out in Art. 6 of the GDPR:

Legal Basis Associated Purposes
Express consent (Art. 6.1.a) Registration, psychometric assessments, commercial communications, non-essential cookies.
Contract performance (Art. 6.1.b) Provision of the Service, generation of Reports, Account management.
Legal obligation (Art. 6.1.c) Compliance with tax, accounting, data protection, and child protection regulations.
Legitimate interest (Art. 6.1.f) Service improvement, security, fraud prevention, anonymized statistical analysis.

For users in Colombia, the legal basis includes the data subject's prior, express, and informed authorization under Law 1581 of 2012. For users in the United States, the legal bases of COPPA and CCPA/CPRA apply as relevant.

6. Data of Minors

6.1 Minimum Age and Consent

The Service may be used by individuals age 14 and up. Consent requirements vary by jurisdiction:

Jurisdiction-specific requirements:

  • Spain: users aged 14 to 17 may consent to the processing of their data on their own behalf under Art. 7 of the LOPDGDD. Users under 14 require the consent of the holder of parental authority or guardianship. When access takes place through an educational Institution, that Institution will act as data controller and manage consents in accordance with applicable regulations.
  • Other EU countries: parental consent is required below the minimum age set by each Member State (between 13 and 16, Art. 8 GDPR). Users who exceed their country's minimum age may consent on their own behalf.
  • United States: verifiable parental consent for users under 13 in accordance with COPPA. Users aged 13 to 17 may access the Service with parental or institutional consent.
  • Colombia: authorization from the legal representative under Law 1581 of 2012.
  • Other countries: local laws on the protection of minors will apply. Where local legislation does not regulate this, users under 18 will require parental or institutional authorization.

6.2 Consent Verification

Parental consent must be verifiable, with the following recorded: date, method used, identity of the person granting consent, and, where feasible, IP address, in accordance with COPPA and the GDPR.

6.3 Enhanced Protective Measures

  • Automatic deactivation of marketing and advertising tracking cookies.
  • Only strictly necessary cookies and anonymized analytics cookies are used.
  • Minimization principle: only the data strictly necessary for educational purposes is collected.
  • Parents or guardians may request access to, rectification of, or deletion of data at any time by writing to legal@3lox.com.
  • Maximum retention of 24 months from the last activity.
  • No personalized advertising is shown to minors.

7. Data Retention

Personal data will be retained only for as long as necessary to fulfill the purposes established, in accordance with the storage limitation principle (Art. 5.1.e GDPR):

User Category Retention Period
Students (minors) 24 months from the last activity.
Individual users (adults) Up to 5 years from the last activity.
Institutional users Contract term + 24 months.
Billing and tax data As required by applicable tax law (generally 5-7 years).
Anonymized data Indefinitely (no longer personal data).
Consent records For the duration of the relationship + legal statute-of-limitations period.

When data is no longer necessary, it will be deleted or anonymized securely and irreversibly.

8. User Rights

Under the GDPR (Arts. 15-22), the LOPDGDD, the CCPA/CPRA, and Colombia's Law 1581 of 2012, you may exercise the following rights:

  • Access (Art. 15 GDPR): know what personal data we process about you and obtain a copy.
  • Rectification (Art. 16 GDPR): request correction of inaccurate or incomplete data.
  • Erasure / Right to be Forgotten (Art. 17 GDPR): request deletion of your data when it is no longer necessary or you withdraw your consent.
  • Restriction of processing (Art. 18 GDPR): restrict processing under certain circumstances.
  • Portability (Art. 20 GDPR): receive your data in a structured, commonly used, machine-readable format, and transmit it to another controller.
  • Objection (Art. 21 GDPR): object to processing based on legitimate interest or direct marketing.
  • Not to be subject to automated decisions (Art. 22 GDPR): the right not to be subject to decisions based solely on automated processing that produce legal effects.
  • Withdrawal of consent: withdraw your consent at any time, without affecting the lawfulness of prior processing.
  • CCPA/CPRA rights (California residents): the right to know, delete, and opt out of the sale of personal data. 3LOX does not sell personal data.

To exercise these rights, write to: legal@3lox.com with the subject "Privacy Rights Request – PathFinder," indicating your name, registered email address, and the right you wish to exercise. We will respond within a maximum of 30 days (GDPR) or 45 days (CCPA).

Users in the European Union: may file a complaint with the Spanish Data Protection Agency (AEPD, www.aepd.es) or the data protection authority of their country of residence.

Users in Colombia: may file complaints with the Superintendence of Industry and Commerce (SIC).

9. International Data Transfers

Your data may be transferred to and hosted on servers located outside your country of residence, including in the United States and Germany, operated by providers such as Amazon Web Services (AWS).

To ensure an adequate level of protection, 3LOX applies the following safeguards:

  • Standard Contractual Clauses (SCCs): approved by the European Commission through Implementing Decision (EU) 2021/914, for transfers from the EEA.
  • Transfer Impact Assessment (TIA): analysis of the destination country's legal framework to confirm equivalent protection.
  • Supplementary technical measures: encryption in transit (TLS 1.3) and at rest (AES-256), pseudonymization where feasible, and strict access controls.
  • Data Processing Addendum (DPA): data processing agreements with all providers that access personal data.

For users in Colombia, transfers are carried out in accordance with the transfer and transmission regime under Law 1581 of 2012 and the SIC's Single Circular.

10. Cookies and Tracking Technologies

We use cookies and similar technologies in accordance with our Cookie Policy, available at https://360pathfinder.com/politica-cookies.

Main cookie categories:

  • Strictly necessary: authentication, security, basic preferences. Cannot be rejected.
  • Analytics: Google Analytics, Hotjar. Can be rejected.
  • Marketing: Meta Pixel, Google Ads, Clientify. Can be rejected.
  • Functional: theme, language, and time zone preferences. Can be rejected.

Protection of minors: when the Service detects that a user is a minor, all marketing and advertising tracking cookies are automatically disabled, using only strictly necessary cookies and anonymized analytics cookies. This complies with COPPA and the GDPR.

You can manage your cookie preferences from the consent banner or the "Cookie Preferences" button in the footer.

11. Information Security

3LOX LLC implements appropriate technical and organizational measures to protect personal data in accordance with Art. 32 of the GDPR, including:

  • Encryption: TLS 1.3 for data in transit and AES-256 for data at rest.
  • Access control: multi-factor authentication, the principle of least privilege, and role management.
  • Infrastructure: servers on AWS with SOC 2, ISO 27001 certifications and GDPR compliance.
  • Backups: encrypted backups with retention and disaster-recovery policies.
  • Monitoring: intrusion detection systems, continuous monitoring, and audit logs.
  • Incident response: documented protocol for responding to security breaches.

11.1 Data Breach Notification

In the event of a security breach that poses a risk to users' rights and freedoms, 3LOX will:

  • Notify the competent supervisory authority within 72 hours of becoming aware of the breach (Art. 33 GDPR).
  • Communicate with affected users without undue delay when the breach poses a high risk to their rights (Art. 34 GDPR).
  • Document the nature of the breach, its consequences, and the measures taken.

No digital system is completely secure. The User acknowledges and accepts the inherent risk of using online services.

12. Relationship with Educational Institutions and Third Parties

12.1 Data Processing Agreement (DPA)

When 3LOX acts as a data processor for educational Institutions or organizations, a Data Processing Agreement (DPA) will be formalized in accordance with Article 28 of the GDPR, establishing:

  • The subject matter, duration, nature, and purpose of the processing.
  • The categories of data and data subjects.
  • The obligations and rights of the controller.
  • The applicable security measures.
  • The conditions for sub-processing.

12.2 No Sale of Data

3LOX does not sell, rent, or trade users' personal data. Data is shared only with:

  • Certified service providers that act as data processors under 3LOX's instructions and with adequate contractual guarantees.
  • Artificial intelligence infrastructure providers (see Section 14), which receive only the already-calculated numerical results of the Assessments — not the User's open-ended responses — in order to generate the narrative content of the Reports and of K-AI.
  • Competent authorities when legally required (court order, administrative request).
  • The contracting Institution, within the scope of its contractual relationship, and to the extent necessary to provide the Service.

13. Advisory Nature of the Results

IMPORTANT NOTICE: The Reports, recommendations, and results generated by 360° PathFinder are exclusively advisory and informational in nature.

They are the result of algorithmic processing of the responses provided by the User; the narrative content of the Reports and of interactions with K-AI is generated using artificial intelligence, as detailed in Section 14. None of these results constitute medical or psychological diagnoses, nor binding professional advice. 3LOX expressly recommends that results be supplemented with the guidance of a qualified professional (vocational counselor, educational psychologist, career coach) for a comprehensive and personalized interpretation.

3LOX is not responsible for academic, professional, or personal decisions made based on the generated Reports. The quality of the results depends directly on the truthfulness and completeness of the User's responses.

14. Use of Artificial Intelligence and Transparency (Article 50 of the AI Act)

14.1 How AI-Generated Content Is Produced

The personality, competency, pathway, and other narrative Reports produced by the Service, as well as K-AI's ("Kai's") responses, are generated using artificial intelligence in an automated manner. The AI model does not directly receive the User's open-ended responses to the Assessments; rather, it receives the numerical results already calculated by 3LOX's proprietary algorithms (psychometric profiles, IKIGAI scores, VCR, among others), from which it generates the personalized narrative.

14.2 Third-Party AI Provider

Currently, the language model that powers K-AI is provided by OpenAI, which acts as a data processor (sub-processor) under 3LOX's instructions and with adequate contractual guarantees, including Standard Contractual Clauses where applicable. As indicated in Section 14.1, this provider receives only the numerical results derived from the Assessments, not the User's original open-ended responses. 3LOX may change AI providers in the future; any material change will be reflected in this Policy.

14.3 Profiling

The Service carries out vocational and psychometric profiling in accordance with Art. 4.4 of the GDPR, processing the User's responses to generate scores, categories, and personalized recommendations. This profiling is exclusively advisory in purpose and does not produce automated decisions with legal effects, as described in Section 13.

14.4 Emotion Recognition

K-AI does not perform emotion recognition or analysis of the User's emotional state, whether from text or voice. Kai interprets only the already-calculated numerical results of the Assessments in order to generate the guidance narrative.

14.5 Transparency Under the AI Act

In compliance with Article 50 of Regulation (EU) 2024/1689 (AI Act), 3LOX identifies Kai as an artificial intelligence system through clear, visible notices within the platform from the first point of contact, and the Reports indicate that their narrative content is AI-generated. These in-product notices constitute the primary disclosure mechanism required by Article 50(5); this Policy and the Terms and Conditions of Use (Section 10.4) constitute complementary contractual confirmation, without replacing that in-product disclosure.

15. Contact and European Union Representative

15.1 Data Controller

3LOX LLC – Legal Department – 360° PathFinder
Address: 7791 NW 46th Street, Suite 219, Doral, FL 33166, United States
Email: legal@3lox.com
Website: https://360pathfinder.com

15.2 European Union Representative (Art. 27 GDPR)

Under Article 27 of the GDPR, 3LOX is in the process of formally designating a representative in the European Union with a physical address in Spain, who will act as a point of contact for data protection authorities and data subjects.

While this designation is being completed, any communication relating to the processing of personal data under the GDPR may be directed to:

  • Email: legal@3lox.com
  • Subject line: "EU Representative – 360° PathFinder"

3LOX undertakes to publish the full details of the designated representative (name, physical address, and contact information) in this same Policy and at https://360pathfinder.com/politica-privacidad as soon as the designation becomes effective. The estimated timeframe for formalization is 30 days from the publication of this version.

15.3 On the Data Protection Officer (DPO)

3LOX LLC, as a company established outside the European Union whose core activity does not consist of large-scale processing of special categories of data or regular and systematic monitoring of data subjects, is not required to designate a Data Protection Officer (DPO) under Article 37 of the GDPR.

Nevertheless, 3LOX maintains an internal legal team specializing in data protection and privacy that oversees regulatory compliance and handles all user inquiries and requests. You may contact this team at legal@3lox.com.

3LOX undertakes to designate a DPO if the conditions of its activities require it in the future under applicable regulations.

16. Links to Third-Party Sites and Services

The Service may contain links to third-party websites, platforms, or services. 3LOX does not control or assume responsibility for the privacy practices, security, or content of third parties. We recommend reviewing the privacy policies of each external site before sharing personal information.

17. Changes to This Policy

3LOX may periodically update this Privacy Policy to reflect changes in our data processing practices, applicable legislation, or Service features. Modifications will be published at https://360pathfinder.com/politica-privacidad with an indication of the last-updated date.

For material changes affecting your rights, we will notify you by email or through a notice within the platform at least 15 days in advance. Continued use of the Service after the changes are published constitutes acceptance of the updated Policy. If you do not agree, you must stop using the Service.

18. Governing Law and Jurisdiction

This Policy is governed by:

  • Users in the European Union: Regulation (EU) 2016/679 (GDPR) and the national legislation of the user's country of residence (including the LOPDGDD in Spain). Consumers may bring claims before the courts of their domicile.
  • Users in Colombia: Law 1581 of 2012, Decree 1377 of 2013, and SIC regulations.
  • Users in other Latin American countries: the national data protection laws applicable in each jurisdiction.
  • Users in the United States and other countries: the laws of the State of Florida, USA. Competent courts: Miami-Dade County, Florida.

© 2026 3LOX LLC – All rights reserved.
Transforming lives through vocational data science.

Product

  • Features
  • Methodology
  • Pricing

Company

  • About Us
  • Blog
  • Careers
  • Contact

Legal

  • Privacy Policy
  • Terms and Conditions
  • Cookies
  • Cookie Preferences

Contact

  • kai@360pathfinder.com

© 2026 360PathFinder. Transforming lives through vocational data science.