Privacy Policy
UAE controller (Valenyr FZCO); EU-hosted primary stores; published retention schedule (§9) with inactive-account and backup rules; DPIA for AI coaching; account closure via privacy@impactean.com.
Last updated: 19 May 2026
#In short
- Your account, assessment data, AI coaching conversations, and uploaded files are stored in the European Union (Supabase on AWS Frankfurt, eu-central-1).
- Transactional emails are sent from Resend's EU region (Ireland, eu-west-1).
- We do not deploy behavioural-advertising or cross-site marketing analytics scripts: no Google Analytics or GA4, Meta Pixel, Hotjar-style session replay, TikTok or Microsoft advertising pixels, Reddit or LinkedIn ad tags, Segment or RudderStack marketing destinations, Mixpanel, Heap, HubSpot trackers, Clearbit Reveal, or Datadog Session Replay. The only cookies we set are strictly-necessary authentication cookies.
- We never sell your personal data or share it for cross-context behavioural advertising. Coaching conversations are never used to train external AI models.
- We publish a retention and deletion schedule (§9) with inactive-account rules, and we operate SOC 2-aligned security controls (Impactean is not independently certified; see /legal/security).
- A live list of every sub-processor we use is published at /legal/sub-processors, with at least 30 days' notice before changes take effect.
- If US law applies to you, a California (CPRA-style) and US state privacy-law summary begins at §15.
#1. Who we are
Impactean (“Impactean,” “we,” “us”) refers to the branded Services hosted at impactean.com and app.impactean.com. Those Services are legally operated by VALENYR INFORMATION TECHNOLOGY CONSULTANTS - FZCO (Valenyr), organised under UAE law and licensed with IFZA, Dubai Silicon Oasis.
For data-protection purposes, Valenyr typically acts as data controller for personal data relating to Impactean users unless your employer independently acts as controller or joint controller under a Business plan (described below).
Registered office: DSO-IFZA-72380, IFZA Properties, Dubai Silicon Oasis, Dubai, United Arab Emirates.
IFZA free-zone licence / company reference: DSO-IFZA-72380.
Privacy contact: privacy@impactean.com · Security contact: security@impactean.com
If you use Impactean through an organisational (Business) plan provided by your employer, your employer may also act as a controller or joint controller for certain categories of organisational data (e.g. enrolment, programme participation). Their own privacy notice will also apply.
#2. What we collect
- (a) Identity Data: first name, last name, optional profile photo.
- (b) Contact Data: email address.
- (c) Account Data: username, password (stored as a bcrypt hash), preferences, subscription plan, billing status.
- (d) Assessment Data: your responses to the Wheel of Impact™, your Impact Capacity Score, pillar and sub-dimension scores, and your personalised report content.
- (e) Coaching Data: text and (optional) image messages exchanged with your AI Executive Coach, voice audio when you use voice features, goals, and session metadata.
- (f) Commitment & Progress Data: weekly commitments, micro-actions, daily completions, reflections, scheduled check-ins.
- (g) Uploaded Files: external assessments (DISC, Big Five, 360, etc.) you choose to upload, and profile pictures.
- (h) Payment Data: billing email, billing address, subscription tier, and the Stripe customer identifier. Card numbers, CVV, and bank details are handled directly by Stripe and never reach Impactean's servers.
- (i) Usage & Technical Data: feature usage, IP address, user agent, session timestamps, error logs.
- (j) Communications Data: support tickets, feedback, survey responses.
- (k) Feedback Data: stakeholder invitations you send, ratings and comments reviewers submit about you, and related metadata.
- (l) Collective Data: cohort discussion posts (which may be posted anonymously), reactions, challenge completions, and aggregated cohort insights.
- (m) Journal & Planning Data: journal entries, action plans, and task progress you create in the app.
- (n) Imported Memory: context you choose to paste from other AI assistants to personalise coaching.
- (o) Notification Data: reminder preferences and transactional email delivery metadata.
We do not knowingly collect special categories of data (Article 9 GDPR). Please do not share medical, racial, religious, political, or biometric data inside coaching conversations. If you do, you authorise us to process it solely to deliver the coaching feature you requested, on the basis of your explicit consent (Art. 9(2)(a)).
#3. Legal bases (Article 6 GDPR)
| Purpose | Data | Legal basis |
|---|---|---|
| Run your account, deliver the assessment and report, provide AI coaching, track commitments | Identity, Contact, Account, Assessment, Coaching, Commitment | Performance of a contract (Art. 6(1)(b)) |
| Process payments and fulfil tax/accounting obligations | Identity, Contact, Payment | Contract; legal obligation (Art. 6(1)(c)) |
| Send transactional and service emails (verification, receipts, reminders) | Identity, Contact, Commitment | Contract |
| Send product updates and marketing | Identity, Contact, Marketing preferences | Consent (Art. 6(1)(a)); legitimate interest for existing customers |
| Improve, debug, secure the Services | Usage, Technical, anonymised Assessment | Legitimate interest (Art. 6(1)(f)) |
| Aggregated team analytics for organisational customers | Aggregated Assessment, Usage | Contract (with the organisation); legitimate interest |
| Comply with law, defend legal claims, prevent fraud | As strictly necessary | Legal obligation; legitimate interest |
| Process sensitive content you voluntarily share in coaching | Coaching | Explicit consent (Art. 9(2)(a)) |
#4. Where your data lives
| Layer | Service | Region | Role |
|---|---|---|---|
| Database, authentication, file storage, realtime channels | Supabase (AWS) | Frankfurt, Germany — eu-central-1 (EU/EEA) | Processor |
| Application hosting & API runtime | Vercel | Washington, D.C., USA | Processor |
| AI inference (text, voice, transcription, speech) | OpenAI | United States | Processor |
| Payments | Stripe Payments Europe, Ltd. | Ireland (EU) with global routing | Independent controller for fraud/AML; processor for payment instruction |
| Transactional email | Resend | Ireland — eu-west-1 (EU/EEA) | Processor |
We chose Supabase's Frankfurt region and Resend's Ireland region so that your personal data at rest, including assessment results and coaching content, stays in the European Union. Content sent to OpenAI for inference, and traffic handled by Vercel and Stripe, are transfers covered by Section 5.
#5. International transfers
Where we transfer personal data outside the European Economic Area (currently to OpenAI L.L.C., Stripe Inc., and Vercel Inc. in the United States), we rely on the European Commission's Standard Contractual Clauses (Module 2, controller-to-processor), supplemented by:
- TLS 1.2+ in transit and AES-256 at rest;
- pseudonymisation where feasible (we send only the data the feature requires);
- contractual purpose-limitation and onward-transfer restrictions;
- vendor-side certifications (each US sub-processor maintains SOC 2 Type 2 or equivalent).
A copy of the SCCs and our Transfer Impact Assessment is available on request to privacy@impactean.com.
#6. Sub-processors
A complete, current list of every sub-processor we use — with purpose, region, and links to their DPAs — is published at impactean.com/legal/sub-processors. We commit to giving at least 30 days' written notice (by email or in-app) before adding or replacing a sub-processor that processes personal data, and you may object on reasonable data-protection grounds.
#7. AI coaching, voice & assessment data
Because coaching is the heart of our product, we want to be specific about the AI safeguards.
- We use OpenAI's API to power the AI Executive Coach, voice coach, transcription, text-to-speech, and report generation. Specific models in use: gpt-5.1, gpt-4o, gpt-4o-mini, gpt-4o-mini-realtime-preview, gpt-4o-mini-transcribe, tts-1.
- Under OpenAI's standard API terms, content you send is not used to train OpenAI's models.
- OpenAI may retain API content for up to 30 days for abuse and misuse monitoring, after which it is deleted from their systems. We are migrating to OpenAI's Enterprise tier, which adds Zero Data Retention; until that is live, the 30-day window applies.
- Your coaching conversations are visible only to you. We do not share coaching chat transcripts with your employer. On Business plans, organisation administrators may receive programme-level analytics (such as assessment scores, commitment summaries, and engagement metrics) as described in our DPA — not your coaching messages.
- Limits on confidentiality (AI coaching). The AI Executive Coach is software, not a human practitioner. There is no live person monitoring your chats. We treat coaching content as confidential except where we may need to act or disclose because: (1) you authorise us in writing for a specific purpose; (2) disclosure is required by applicable law, regulation, or court order; (3) you describe activity we reasonably believe is unlawful; or (4) we reasonably believe there is a serious risk of harm to you or another person and disclosure is necessary and proportionate to reduce that risk, subject to mandatory law in your jurisdiction.
- Not an emergency or crisis service. Impactean does not provide therapy, medical care, or real-time crisis intervention. We do not monitor chats for self-harm or emergencies and are not responsible for actions you take outside the Services. If you are in immediate danger or thinking of harming yourself or someone else, contact local emergency services (for example 112 in the EU) or a qualified crisis helpline. Our AI is instructed to encourage professional help and emergency services when serious safety topics arise; OpenAI's API may also apply its own automated safety filters independently of Impactean.
- Our AI does not make legally significant or similarly significant automated decisions about you.
- Our coaching design follows ICF-aligned competencies and ethics and is reviewed periodically for accuracy and bias.
#8. Sharing your data
We share personal data only with the sub-processors listed at /legal/sub-processors, with your employer to the limited extent described in Section 7 if you are on a Business plan, and with public authorities where strictly required by law. We do not sell personal data, do not share it for cross-context behavioural advertising, and do not run advertising on Impactean.
#9. Retention and deletion
We apply the GDPR storage-limitation principle (Art. 5(1)(e)): personal data is kept no longer than necessary for the purposes in Section 3, except where law requires a longer period.
#How deletion works
- In-product — You can delete individual AI coaching sessions from the coaching sessions list at any time.
- Account closure — Email privacy@impactean.com from your registered address. We verify your identity, then delete or anonymise personal data within the timelines below.
- Data subject requests — Access, export, correction, restriction, or objection: same inbox. We respond within 30 days (extendable by up to two months for complex requests, with notice, per Art. 12 GDPR).
After verified account closure, production databases are purged on the schedule below. Encrypted backups may retain copies for up to 30 days after deletion for disaster recovery and then roll off automatically under our backup retention settings; Supabase point-in-time recovery currently covers up to 7 days for live restores (see /legal/security).
#Retention schedule
| Data category | Maximum retention | Notes |
|---|---|---|
| Account & identity | Active account; after 24 months without sign-in, we email you and delete 30 days later unless you sign in or contact us | Closure anytime via privacy@impactean.com; production purge within 30 days of verified closure (backups roll off as described above). |
| Assessment data & reports | Same as account | PDF export available from the report viewer. |
| AI coaching conversations | Same as account | Deletable per session in-app; removed within 30 days of verified account closure. |
| Commitments, reflections, journals, action plans | Same as account | Deleted with account or when you remove the item. |
| Feedback & 360° invitations/responses | Same as account | Invitation links expire per product settings (typically up to 30 days if no due date). |
| Collective posts & reactions | Same as account | Anonymous posts are not re-identified after deletion. |
| Imported AI memory | Same as account | Deletable in Settings → Memory. |
| Profile photos & uploaded files | Until you delete or account erasure | Stored in EU object storage. |
| Transactional email logs (Resend) | Up to 90 days | Delivery metadata; content is transactional only. |
| Payment & billing (Stripe / our records) | Up to 7 years after the transaction | Statutory accounting, tax, and fraud-prevention where applicable. |
| Application & security logs | Up to 30 days, then aggregated or deleted | IP, user agent, error traces — used for security and debugging only. |
| Marketing consent records | Consent lifetime + 3 years | Evidence of consent and opt-out. |
| Support tickets | 3 years after ticket closure | Unless a longer period is required for a legal claim. |
| Sub-processor: OpenAI API | Up to 30 days (standard API) | Abuse monitoring only; not used to train models. We are migrating to Enterprise tier with stricter retention where available. |
#Exceptions
We may retain specific data beyond the periods above when: (a) required by law (e.g. tax, litigation hold); (b) necessary to establish, exercise, or defend legal claims; or (c) you have requested a restriction of processing while we verify a dispute (Art. 18 GDPR).
#Records and accountability
We maintain internal records of processing activities, sub-processor reviews, and data-protection impact assessments for high-risk processing (including AI coaching and organisational programmes), as required by GDPR Arts. 30 and 35. Summaries are available to enterprise customers under NDA on request to privacy@impactean.com.
#10. Your rights
Under the GDPR (and equivalent rights in the UK, Switzerland, and US states with comprehensive privacy laws — California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Delaware, New Jersey, New Hampshire, and others as they take effect), you have the right to:
- Access a copy of your personal data;
- Rectify inaccurate or incomplete data;
- Erase your data ("right to be forgotten");
- Restrict or object to processing;
- Receive your data in a portable machine-readable format;
- Withdraw consent at any time without affecting prior lawful processing;
- Lodge a complaint with your local supervisory authority. In Finland, that is the Office of the Data Protection Ombudsman, https://tietosuoja.fi/en.
In the product today you can:
- Download your Impact Capacity Report as a PDF from the report viewer.
- Delete individual AI coaching sessions from the coaching sessions list.
- Update your profile from Settings → Profile.
For full account closure, data export, correction, or other requests not available in-app, email privacy@impactean.com. We respond within 30 days. Account closure triggers deletion of coaching conversations within 30 days, subject to backup retention described in Section 9.
#11. Security
Operational and organisational measures are described at /legal/security, including controls aligned with SOC 2 Trust Services Criteria (Impactean is not SOC 2 certified today; sub-processors maintain independent attestations).
- TLS 1.2+ in transit; AES-256 at rest.
- Bcrypt password hashing.
- Authentication via Supabase Auth with refresh-token rotation; HttpOnly Secure SameSite=Lax session cookies.
- Role-based access controls inside our team; least-privilege Supabase service-role usage; row-level security (RLS) on user-scoped tables.
- Stripe-hosted card capture (PCI-DSS L1).
- Quarterly internal security reviews and a public vulnerability disclosure inbox at security@impactean.com (PGP fingerprint at /legal/security).
- Detailed controls live at /legal/security.
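As an added illustration of the row-level-security and least-privilege controls listed above (not code from Impactean's own schema): a Supabase/Postgres policy set for a hypothetical `coaching_sessions` table. It uses Supabase's built-in `auth.uid()` so that every read, insert, and delete through the API is scoped to the authenticated owner. The table, column, and policy names are assumptions.

```sql
-- Added example, not Impactean's actual schema. Assumes a Supabase project
-- (auth.users, auth.uid(), and the anon/authenticated/service_role roles exist).
create table if not exists public.coaching_sessions (
  id          uuid primary key default gen_random_uuid(),
  user_id     uuid not null references auth.users (id) on delete cascade,
  created_at  timestamptz not null default now(),
  transcript  jsonb not null
);

-- Without RLS, any row is readable through PostgREST by any caller holding the
-- anon or authenticated role, regardless of who owns the session.
alter table public.coaching_sessions enable row level security;

-- Apply the policies to the table owner as well. Note this does NOT affect
-- service_role, which carries BYPASSRLS: that is why server-side use of the
-- service key must itself be least-privilege and never reach the browser.
alter table public.coaching_sessions force row level security;

-- Read: a user sees only their own sessions.
-- (select auth.uid()) is evaluated once per statement rather than once per row.
create policy "sessions: owner can read"
  on public.coaching_sessions for select
  to authenticated
  using (user_id = (select auth.uid()));

-- Write: a user can only create sessions attributed to themselves.
create policy "sessions: owner can insert"
  on public.coaching_sessions for insert
  to authenticated
  with check (user_id = (select auth.uid()));

-- Delete: the in-product "delete this session" action is the owner's own delete.
create policy "sessions: owner can delete"
  on public.coaching_sessions for delete
  to authenticated
  using (user_id = (select auth.uid()));

-- No UPDATE policy is created, so transcripts are append-only from the client.

-- Unauthenticated callers get nothing at all, not even a row count.
revoke all on public.coaching_sessions from anon;
```

A quick check after applying this: querying the table through the REST API with a user's JWT should return only rows whose `user_id` matches that token's subject, and the same query with the anon key should return a permission error rather than an empty list.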
#12. Cookies
On impactean.com we store your cookie-banner choice in browser local storage (impactean_cookie_consent); it is not used for advertising. On app.impactean.com we set only strictly-necessary authentication cookies. We do not run analytics, marketing, or session-replay cookies. Full details and a complete cookie inventory are at /legal/cookies.
#13. Children
Impactean is for adults aged 18 and over only. We do not knowingly collect data from anyone under 18. Parents/guardians who believe their child has given us data should email privacy@impactean.com — we will delete it promptly.
#14. Changes to this Policy
We will update the "Last updated" date when we make changes and notify you in-product or by email for material changes. Older versions are available on request.
#15. United States privacy disclosures (California CPRA / CCPA‑style overview)
Where they apply to you, we honour the California Consumer Privacy Act as amended by the CPRA and implemented by the CPRA Regulations ("CCPA/CPRA"), together with other US comprehensive state privacy laws.
#Categories of personal information collected (prior 12 months)
The CPRA defines statutory categories of personal information ("PI categories") for California residents ("consumers"). The table below maps those categories to the examples described in Sections 2 and 9 of this Policy. It is illustrative; not every item is collected about every user.
| CPRA category | Examples at Impactean | Typical sources | Business purposes (summary) |
|---|---|---|---|
| Identifiers (Cal. Civ. Code § 1798.140) | Name; email address; pseudonymous Supabase user ID; IP address and user agent in short-lived request logs (Vercel); Stripe customer ID | You; automated technical collection; Stripe where applicable | Account creation and authentication; service delivery and security logging; invoicing |
| Customer records (Cal. Civ. Code § 1798.80(e)) | Telephone number or billing address you enter in Stripe-hosted checkout, where supplied | You; Stripe | Payment processing; accounting |
| Commercial information (records of products or services purchased) | Subscription tier; transaction amounts held in Stripe (no card numbers) | You | Contract performance; bookkeeping |
| Internet or other electronic network activity | Feature usage; application and edge logs deleted or aggregated within 30 days (Section 9) | Automated systems | Debugging; incident response; service improvement |
| Geolocation (non-precise) | Coarse location derived from Stripe fraud metadata; no GPS or continuous location tracking | Automated systems; Stripe | Fraud and abuse prevention |
| Inferences | Wheel of Impact™ scores and report content; adaptation of AI coaching to your goals | Our assessment scoring and the AI models described in Section 7 | Delivering personalised coaching; no legally or similarly significant automated decisions (Section 7) |
| Sensitive personal information (SPI) | We do not solicit SPI; SPI you volunteer in coaching is processed only as described in Sections 2 and 7 (GDPR Art. 9(2)(a) consent) | You | Delivering the coaching feature you requested; deleted per the Section 9 retention schedule |
Where your employer buys seats for you, related records are governed by the signed Order Form and DPA together with this Policy, to the extent they do not conflict.
#Disclosures for business purposes (service providers and contractors)
We disclose the categories above only to the service providers listed at /legal/sub-processors, under contracts that limit their processing to our instructions. Copies of the Standard Contractual Clauses we rely on for transfers under GDPR Art. 46 are available on request (Section 5).
Apart from disclosures compelled by legal process, we do not disclose personal information in any arrangement that would constitute a sale.
#No "sale" or "sharing" (Cal. Civ. Code § 1798.115)
- We do not sell personal information for monetary or other valuable consideration.
- We do not disclose personal information for cross-context behavioural advertising ("sharing" as defined by the CPRA).
Because we neither sell nor share personal information, a "Do Not Sell or Share My Personal Information" request currently changes nothing about our processing; we surface the control for transparency and will update this section if our practices change.
We honour requests to limit the use of sensitive personal information to the purposes the CPRA permits.
#Exercising US privacy rights (California)
California residents may, subject to identity verification and fraud checks:
- Request access to, and a portable copy of, the specific pieces and categories of personal information we hold about you;
- Request correction of inaccurate personal information;
- Request deletion, subject to statutory exemptions;
- Request a "Shine the Light" (Cal. Civ. Code § 1798.83) disclosure of personal information provided to third parties for their direct marketing (we currently provide none);
- Not be discriminated against for exercising these rights.
Opt-outs from automated decision-making do not apply here because the AI coach makes no legally or similarly significant decisions about you (Section 7).
Submit requests through the in-product controls where available, or email privacy@impactean.com with the subject line "US Privacy Request". An authorised agent may submit a request on your behalf with your signed written authorisation; we may also ask you to verify your identity directly.
If we deny a request, you may ask us to reconsider, and we will respond within the timelines the CPRA requires.
#Global Privacy Control & universal opt-out signals
We honour Global Privacy Control and other opt-out preference signals recognised by the CPRA Regulations where our hosting configuration can reliably detect them. Because we do not sell or share personal information, the signal does not change our processing today. If you believe a signal was not honoured, email privacy@impactean.com and we will handle it manually.
#Other US state privacy laws
Residents of other states with comprehensive privacy laws in effect, including Virginia, Colorado, Connecticut, Delaware, Montana, Nebraska, Utah, Iowa, Kentucky, Tennessee, Indiana, New Hampshire, Rhode Island, Maryland, Minnesota, and Oregon (OCPA), may exercise materially similar rights where those laws apply. All such requests are handled through privacy@impactean.com.
#Annual request metrics
If we meet the CPRA Regulations' threshold for publishing annual request metrics, we will publish them in this section. Until then, we may share redacted metrics privately with enterprise customers during security reviews.
#16. Contact
Privacy enquiries: privacy@impactean.com
Security coordinated disclosure inbox: security@impactean.com
Customer support: support@impactean.com
Registered office telephone (UAE): +971 50 718 2271
Privacy requests from any region: privacy@impactean.com. Include your account email and the nature of your request. We have not designated a statutory Data Protection Officer under GDPR Art. 37; this inbox handles all privacy enquiries.