# Impactean — Trust Center (full)

Last updated: 2026-05-19
Source: https://www.impactean.com/llms-full.txt
Index: https://www.impactean.com/legal/index.json
Pack: https://www.impactean.com/legal/source.json

This file contains the verbatim text of every Impactean trust document, intended for LLM ingestion. The canonical HTML is at /legal/; the markdown alternate is at /legal/.md.

---

## Privacy Policy

Source: https://www.impactean.com/legal/privacy
Markdown: https://www.impactean.com/legal/privacy.md
Version: 2026-05-19
sha256: 360f8ad99f800b9fc48e8fd5a4b9000852afbc4582581c25566a823b98959c87

# Privacy Policy

Last updated: 19 May 2026

## In short

- Your account, assessment data, AI coaching conversations, and uploaded files are stored in the European Union (Supabase, AWS Frankfurt, eu-central-1).
- Transactional emails are sent from Resend's EU region (Ireland, eu-west-1).
- We do **not** deploy behavioural-advertising or cross-site marketing analytics scripts: no Google Analytics, Meta Pixel, Hotjar-style replay, TikTok/Microsoft advertising pixels, Reddit/LinkedIn ad tags, Segment marketing destinations, Rudderstack, Mixpanel dashboards, Heap, GA4 loaders, HubSpot trackers, Clearbit reveal, or Datadog Session Replay storefronts. The only cookies we set are strictly-necessary authentication cookies.
- We never sell or share your personal data. Coaching conversations are never used to train external AI models.
- We publish a **retention and deletion schedule** (§9) and inactive-account rules, and we operate SOC 2–aligned security controls (Impactean is not independently certified — see /legal/security).
- A live list of every sub-processor we use is published at /legal/sub-processors, with at least 30 days' notice before changes take effect.
- A California / **US Comprehensive Laws** categorical summary begins at §15 (CPRA-style) if US law applies to you.

## 1. Who we are

Impactean (“Impactean,” “we,” “us”) refers to the branded Services hosted at impactean.com and app.impactean.com.
Those Services are legally operated by **VALENYR INFORMATION TECHNOLOGY CONSULTANTS - FZCO** (**Valenyr**), organised under UAE law and licensed with IFZA, Dubai Silicon Oasis. For data-protection purposes, Valenyr typically acts as **data controller** for personal data relating to Impactean users unless your employer independently acts as controller or joint controller under a Business plan (described below).

**Registered office:** DSO-IFZA-72380, IFZA Properties, Dubai Silicon Oasis, Dubai, United Arab Emirates
**IFZA free-zone licence / company reference:** DSO-IFZA-72380.

Privacy contact: privacy@impactean.com · Security contact: security@impactean.com

If you use Impactean through an organisational (Business) plan provided by your employer, your employer may also act as a controller or joint controller for certain categories of organisational data (e.g. enrolment, programme participation). Their own privacy notice will also apply.

## 2. What we collect

- (a) Identity Data — first name, last name, optional profile photo.
- (b) Contact Data — email address.
- (c) Account Data — username, password (stored as a bcrypt hash), preferences, subscription plan, billing status.
- (d) Assessment Data — your responses to the Wheel of Impact™, your Impact Capacity Score, pillar and sub-dimension scores, and your personalised report content.
- (e) Coaching Data — text and (optional) image messages exchanged with your AI Executive Coach, voice audio when you use voice features, goals, and session metadata.
- (f) Commitment & Progress Data — weekly commitments, micro-actions, daily completions, reflections, scheduled check-ins.
- (g) Uploaded Files — external assessments (DISC, Big Five, 360, etc.) you choose to upload, profile pictures.
- (h) Payment Data — billing email, billing address, subscription tier, and the Stripe customer identifier. Card numbers, CVV, and bank details are handled directly by Stripe and never reach Impactean's servers.
- (i) Usage & Technical Data — feature usage, IP address, user agent, session timestamps, error logs.
- (j) Communications Data — support tickets, feedback, survey responses.
- (k) Feedback Data — stakeholder invitations you send, ratings and comments reviewers submit about you, and related metadata.
- (l) Collective Data — cohort discussion posts (which may be posted anonymously), reactions, challenge completions, and aggregated cohort insights.
- (m) Journal & Planning Data — journal entries, action plans, and task progress you create in the app.
- (n) Imported Memory — context you choose to paste from other AI assistants to personalise coaching.
- (o) Notification Data — reminder preferences and transactional email delivery metadata.

We do not knowingly collect special categories of data (Article 9 GDPR). Please do not share medical, racial, religious, political, or biometric data inside coaching conversations. If you do, you authorise us to process it solely to deliver the coaching feature you requested, on the basis of your explicit consent (Art. 9(2)(a)).

## 3. Legal bases (Article 6 GDPR)

| Purpose | Data | Legal basis |
|---|---|---|
| Run your account, deliver the assessment and report, provide AI coaching, track commitments | Identity, Contact, Account, Assessment, Coaching, Commitment | Performance of a contract (Art. 6(1)(b)) |
| Process payments and fulfil tax/accounting obligations | Identity, Contact, Payment | Contract; legal obligation (Art. 6(1)(c)) |
| Send transactional and service emails (verification, receipts, reminders) | Identity, Contact, Commitment | Contract |
| Send product updates and marketing | Identity, Contact, Marketing preferences | Consent (Art. 6(1)(a)); legitimate interest for existing customers |
| Improve, debug, secure the Services | Usage, Technical, anonymised Assessment | Legitimate interest (Art. 6(1)(f)) |
| Aggregated team analytics for organisational customers | Aggregated Assessment, Usage | Contract (with the organisation); legitimate interest |
| Comply with law, defend legal claims, prevent fraud | As strictly necessary | Legal obligation; legitimate interest |
| Process sensitive content you voluntarily share in coaching | Coaching | Explicit consent (Art. 9(2)(a)) |

## 4. Where your data lives

| Layer | Service | Region | Role |
|---|---|---|---|
| Database, authentication, file storage, realtime channels | Supabase (AWS) | Frankfurt, Germany — eu-central-1 (EU/EEA) | Processor |
| Application hosting & API runtime | Vercel | Washington, D.C., USA | Processor |
| AI inference (text, voice, transcription, speech) | OpenAI | United States | Processor |
| Payments | Stripe Payments Europe, Ltd. | Ireland (EU) with global routing | Independent controller for fraud/AML; processor for payment instruction |
| Transactional email | Resend | Ireland — eu-west-1 (EU/EEA) | Processor |

We chose Supabase's Frankfurt region and Resend's Dublin region specifically so that the bulk of your personal data — including your assessment results and coaching content at rest — never leaves the European Union.

## 5. International transfers

Where we transfer personal data outside the European Economic Area (currently to OpenAI L.L.C., Stripe Inc., and Vercel Inc. in the United States), we rely on the European Commission's Standard Contractual Clauses (Module 2, controller-to-processor), supplemented by:

- TLS 1.2+ in transit and AES-256 at rest;
- pseudonymisation where feasible (we send only the data the feature requires);
- contractual purpose-limitation and onward-transfer restrictions;
- vendor-side certifications (each US sub-processor maintains SOC 2 Type 2 or equivalent).

A copy of the SCCs and our Transfer Impact Assessment is available on request to privacy@impactean.com.

## 6. Sub-processors

A complete, current list of every sub-processor we use — with purpose, region, and links to their DPAs — is published at impactean.com/legal/sub-processors. We commit to giving at least 30 days' written notice (by email or in-app) before adding or replacing a sub-processor that processes personal data, and you may object on reasonable data-protection grounds.

## 7. AI coaching, voice & assessment data

Because coaching is the heart of our product, we want to be specific about the AI safeguards.

- We use OpenAI's API to power the AI Executive Coach, voice coach, transcription, text-to-speech, and report generation. Specific models in use: gpt-5.1, gpt-4o, gpt-4o-mini, gpt-4o-mini-realtime-preview, gpt-4o-mini-transcribe, tts-1.
- Under OpenAI's standard API terms, content you send is **not used to train OpenAI's models**.
- OpenAI may retain API content for up to 30 days for abuse and misuse monitoring, after which it is deleted from their systems. We are migrating to OpenAI's Enterprise tier, which adds Zero Data Retention; until that is live, the 30-day window applies.
- Your coaching conversations are visible only to you. We do not share coaching chat transcripts with your employer. On Business plans, organisation administrators may receive programme-level analytics (such as assessment scores, commitment summaries, and engagement metrics) as described in our DPA — not your coaching messages.
- **Limits on confidentiality (AI coaching).** The AI Executive Coach is software, not a human practitioner. There is no live person monitoring your chats. We treat coaching content as confidential except where we may need to act or disclose because: (1) you authorise us in writing for a specific purpose; (2) disclosure is required by applicable law, regulation, or court order; (3) you describe activity we reasonably believe is unlawful; or (4) we reasonably believe there is a serious risk of harm to you or another person and disclosure is necessary and proportionate to reduce that risk, subject to mandatory law in your jurisdiction.
- **Not an emergency or crisis service.** Impactean does not provide therapy, medical care, or real-time crisis intervention. We do not monitor chats for self-harm or emergencies and are not responsible for actions you take outside the Services. If you are in immediate danger or thinking of harming yourself or someone else, contact local emergency services (for example **112** in the EU) or a qualified crisis helpline. Our AI is instructed to encourage professional help and emergency services when serious safety topics arise; OpenAI's API may also apply its own automated safety filters independently of Impactean.
- Our AI does not make legally significant or similarly significant automated decisions about you.
- Our coaching design follows ICF-aligned competencies and ethics and is reviewed periodically for accuracy and bias.

## 8. Sharing your data

We share personal data only with the sub-processors listed at /legal/sub-processors, with your employer to the limited extent described in Section 7 if you are on a Business plan, and with public authorities where strictly required by law. We do not sell personal data, do not share it for cross-context behavioural advertising, and do not run advertising on Impactean.

## 9. Retention and deletion

We apply the GDPR **storage-limitation** principle (Art. 5(1)(e)): personal data is kept no longer than necessary for the purposes in Section 3, except where law requires a longer period.

### How deletion works

1. **In-product** — You can delete individual AI coaching sessions from the coaching sessions list at any time.
2. **Account closure** — Email **privacy@impactean.com** from your registered address. We verify your identity, then delete or anonymise personal data within the timelines below.
3. **Data subject requests** — Access, export, correction, restriction, or objection: same inbox. We respond within **30 days** (extendable by up to two months for complex requests, with notice, per Art. 12 GDPR).

After verified account closure, production databases are purged on the schedule below. **Encrypted backups** may retain copies for up to **30 days** after deletion (disaster recovery), then roll off automatically under our backup retention settings (currently Supabase point-in-time recovery up to **7 days** for live restore — see /legal/security).

### Retention schedule

| Data category | Maximum retention | Notes |
|---|---|---|
| Account & identity | Active account; after **24 months** without sign-in, we email you and delete **30 days** later unless you sign in or contact us | Closure anytime via privacy@impactean.com; production purge within **30 days** of verified closure (backups per schedule below). |
| Assessment data & reports | Same as account | PDF export available from the report viewer. |
| AI coaching conversations | Same as account | Deletable per session in-app; removed within **30 days** of verified account closure. |
| Commitments, reflections, journals, action plans | Same as account | Deleted with account or when you remove the item. |
| Feedback & 360° invitations/responses | Same as account | Invitation links expire per product settings (typically up to **30 days** if no due date). |
| Collective posts & reactions | Same as account | Anonymous posts are not re-identified after deletion. |
| Imported AI memory | Same as account | Deletable in Settings → Memory. |
| Profile photos & uploaded files | Until you delete or account erasure | Stored in EU object storage. |
| Transactional email logs (Resend) | Up to **90 days** | Delivery metadata; content is transactional only. |
| Payment & billing (Stripe / our records) | Up to **7 years** after the transaction | Statutory accounting, tax, and fraud-prevention where applicable. |
| Application & security logs | Up to **30 days**, then aggregated or deleted | IP, user agent, error traces — used for security and debugging only. |
| Marketing consent records | Consent lifetime + **3 years** | Evidence of consent and opt-out. |
| Support tickets | **3 years** after ticket closure | Unless a longer period is required for a legal claim. |
| Sub-processor: OpenAI API | Up to **30 days** (standard API) | Abuse monitoring only; not used to train models. We are migrating to Enterprise tier with stricter retention where available. |

### Exceptions

We may retain specific data **beyond** the periods above when: (a) required by law (e.g. tax, litigation hold); (b) necessary to establish, exercise, or defend legal claims; or (c) you have requested a restriction of processing while we verify a dispute (Art. 18 GDPR).

### Records and accountability

We maintain internal records of processing activities, sub-processor reviews, and data-protection impact assessments for high-risk processing (including AI coaching and organisational programmes), as required by GDPR Arts. 30 and 35. Summaries are available to enterprise customers under NDA on request to privacy@impactean.com.

## 10. Your rights

Under the GDPR (and equivalent rights in the UK, Switzerland, and US states with comprehensive privacy laws — California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Delaware, New Jersey, New Hampshire, and others as they take effect), you have the right to:

- Access a copy of your personal data;
- Rectify inaccurate or incomplete data;
- Erase your data ("right to be forgotten");
- Restrict or object to processing;
- Receive your data in a portable machine-readable format;
- Withdraw consent at any time without affecting prior lawful processing;
- Lodge a complaint with your local supervisory authority. In Finland, that is the Office of the Data Protection Ombudsman, https://tietosuoja.fi/en.

In the product today you can:

- Download your Impact Capacity Report as a PDF from the report viewer.
- Delete individual AI coaching sessions from the coaching sessions list.
- Update your profile from Settings → Profile.

For full account closure, data export, correction, or other requests not available in-app, email **privacy@impactean.com**. We respond within 30 days. Account closure triggers deletion of coaching conversations within 30 days, subject to backup retention described in Section 9.

## 11. Security

Operational and organisational measures are described at [/legal/security](/legal/security), including controls aligned with SOC 2 Trust Services Criteria (Impactean is **not** SOC 2 certified today; sub-processors maintain independent attestations).

- TLS 1.2+ in transit; AES-256 at rest.
- Bcrypt password hashing.
- Authentication via Supabase Auth with refresh-token rotation; HttpOnly Secure SameSite=Lax session cookies.
- Role-based access controls inside our team; least-privilege Supabase service-role usage; row-level security (RLS) on user-scoped tables.
- Stripe-hosted card capture (PCI-DSS L1).
- Quarterly internal security reviews and a public vulnerability disclosure inbox at security@impactean.com (PGP fingerprint at /legal/security).
- Detailed controls live at /legal/security.

## 12. Cookies

On impactean.com we store your cookie-banner choice in browser local storage (`impactean_cookie_consent`); it is not used for advertising. On app.impactean.com we set only strictly-necessary authentication cookies. We do not run analytics, marketing, or session-replay cookies. Full details and a complete cookie inventory are at /legal/cookies.

## 13. Children

Impactean is for adults aged **18 and over** only. We do not knowingly collect data from anyone under 18. Parents/guardians who believe their child has given us data should email privacy@impactean.com — we will delete it promptly.

## 14. Changes to this Policy

We will update the "Last updated" date when we make changes and notify you in-product or by email for material changes. Older versions are available on request.

## 15. United States privacy disclosures (California CPRA / CCPA-style overview)

Impactean endeavours to honour the **California Consumer Privacy Act**, as amended, including CPRA substantive rules effective per the CPRA Regulations where they apply (**“CCPA/CPRA”**), alongside other **US Comprehensive State Privacy Laws** when factually triggered.

### CPRA categorical notice (prior 12 months)

The CPRA recognises statutory **categories** of personal information (**“PI categories”**) for California residents (**“consumers”**). The following cross-walk links those categories with examples described in Sections 2 and 9 of this Policy. This table is illustrative; not every datum is collected about every visitor.

| CPRA statutory category reference | Typical examples appearing in Impactean | Typical sources | Operational / commercial purposes (summary) |
| --- | --- | --- | --- |
| **Identifiers** (Cal. Civ. Code § 1798.140(a)(Identifiers)) | Name; email handle; pseudonymous Supabase UID; ephemeral IP/User-Agent routed through Vercel; Stripe customer surrogate IDs | Consumers; automated technical collection; Stripe when applicable | Account creation & authentication; service delivery & security telemetry; invoicing artefacts |
| **Personal information categories in Cal. Civ. Code § 1798.80(e)** | Telephone number typed into Hosted Checkout invoices; invoicing locality when supplied | Consumers; Stripe | Payment processing alignment & accounting |
| **Commercial information** (purchase records and tendencies) | Purchase tier SKU; transactional amounts (via Stripe dashboards) without PCI PAN | Consumers | Contract performance; bookkeeping |
| **Internet or electronic network activity** | Feature usage breadcrumbs; ephemeral edge logs hardened per § 9 anonymisation window | Automated systems | Debugging; incident response; lawful service improvement |
| **Geolocation (non-precise)** | Coarse locality derived from Stripe fraud metadata; never continuous GPS harvesting | Automated / Stripe enrichment | Fraud & abuse safeguards |
| **Inferences drawn** | Wheel-of-Impact™ scoring outputs personalised to you; AI coaching tonal adaptation | Algorithms / GPT inferencing constrained per § 7–8 | Rendering tailored coaching, not automated decisions of legal or financial significance |
| **Sensitive personal information (SPI)** as defined in the CPRA amendments | Impactean solicits minimal SPI proactively; unsolicited SPI inside coaching aligns with GDPR Article 9 carve-outs & CPRA permissible processing windows | Consumers | Honour minimisation directives & erase per retention matrices |

Impactean acknowledges **potential employee/B2B** scenarios when your employer buys seats; we treat related records under signed Order Forms & DPA when applicable, alongside this Policy where non-conflicting.
### Disclosures — business purposes / processors / contractors

Impactean transmits categories **strictly** to vendors enumerated at [/legal/sub-processors](/legal/sub-processors) subject to contractual processing obligations. Copies of Standard Contractual Clauses are available pursuant to GDPR Art. 46 transfers. Outside compelled legal process Impactean avoids **standalone “sale environments.”**

### CPRA § 1798.115 baseline — neither “sale” nor “sharing”

Impactean asserts:

- **Does not sell PI for monetary/value consideration**, interpreting CCPA/CPRA operative definitions narrowly.
- **Does not disclose PI for CPRA-defined cross-context behavioural advertising / “sharing”.**

Therefore interactive **Limit the Use / Do Not Sell** routes, while surfaced for transparency parity, normally confirm **nothing new to toggle** absent future product diversification. Sensitive PI **limit requests** are honoured consistent with permissible processing boundaries.

### Exercising US privacy rights — California roadmap

Residents of California may initiate (verification & fraud checks apply):

- Access & portability (specific PI / categories);
- Correction;
- Erasure consistent with exemptions;
- Shine-the-Light marketing disclosure (currently **nil** supplemental marketing reseller routing);
- Automated decision opt-outs, not material here (the coach is not legally or financially binding);
- Non-retaliatory commerce treatment.

Submit via **authenticated in-product controls** wherever possible, or to **privacy@impactean.com** with subject line **“US Privacy Request”.** Authorized agents furnish statutory attestations unless narrow household exceptions evolve. Unresolved denials qualify for escalation / appeal timelines under CPRA.

### Global Privacy Control & universal opt-out signals

Validated technical signals aligning with CPRA regs are honoured when deterministic in our CDN configuration; pragmatic gaps are handled manually. Notify **privacy@impactean.com**.
### Comparable US Comprehensive Laws acknowledgement

Residents of adopting states — including Virginia, Colorado, Connecticut, Delaware, Montana, Nebraska, Utah, Iowa, Kentucky, Maine, Tennessee, Indiana, New Hampshire (where effective), Rhode Island regimes, Maryland digital advertising proposals, Minnesota consumer data laws forthcoming, Oregon (OCPA) — may exercise materially parallel rights contingent on applicability & conflict doctrines. Harmonised workflows route through privacy@impactean.com.

### Annual metrics (CPRA § 1798.185(m))

When statutory aggregate posting thresholds dictate, CPRA volumetric disclosures will augment this section; meanwhile enterprise security reviews may summarise redacted metrics privately.

## 16. Contact

- Privacy enquiries: privacy@impactean.com
- Security coordinated disclosure inbox: security@impactean.com
- Customer support: support@impactean.com
- Registered office telephone (UAE): **+971 50 718 2271**
- Operational privacy inbox (global): privacy@impactean.com (**statutory Article 37 GDPR DPO designation not universally maintained**) — include your account email and the nature of your request.

---

## Terms of Service

Source: https://www.impactean.com/legal/terms
Markdown: https://www.impactean.com/legal/terms.md
Version: 2026-05-19
sha256: 45cea5da3ea097fcad2ce6e8512d5e40e86ec69ae046383451bfa68deab7b2eb

# Terms of Service

Last updated: 19 May 2026

## 1. About these Terms

These Terms of Service form a binding agreement between you and **VALENYR INFORMATION TECHNOLOGY CONSULTANTS - FZCO** ("Valenyr"), which operates the **Impactean** service. Registered office: **DSO-IFZA-72380, IFZA Properties, Dubai Silicon Oasis, Dubai, United Arab Emirates**. IFZA free-zone licence / company reference: **DSO-IFZA-72380**. Throughout these Terms "Impactean," "we," "us," or "our" refer to Valenyr in its operation of Impactean.
These Terms govern your use of impactean.com, app.impactean.com, and any related products and services (collectively, the "Services"). If you do not agree, please do not use the Services.

## 2. The Services

Impactean offers (a) the Wheel of Impact™ assessment, (b) a personalised Impact Capacity Report, (c) AI Executive Coaching, (d) commitment tracking, and (e) related individual and organisational features. The Services are personal-development tools and are not therapy, medical advice, financial advice, legal advice, crisis intervention, or a substitute for professional care.

## 3. Eligibility

You must be at least 18 years old, have legal capacity to enter into a contract, and use the Services in compliance with applicable laws.

## 4. Your account

You are responsible for keeping your credentials confidential and for activity under your account. Notify security@impactean.com immediately if you suspect unauthorised access. We may suspend accounts that show signs of compromise to protect you and other users.

## 5. Acceptable use

You agree not to:

- Violate applicable law or third-party rights;
- Reverse-engineer, decompile, or scrape the Services beyond what applicable law permits;
- Probe, attack, or interfere with our systems (we welcome coordinated disclosure at security@impactean.com);
- Upload malware, illegal content, or content that infringes third-party rights;
- Share your account credentials, resell access, or use the Services to build a competing product;
- Use the AI Coach to attempt prompt injection, jailbreaks, or to generate content that violates OpenAI's usage policies (https://openai.com/policies/usage-policies).

## 6. Subscriptions, payments, and renewals

- Prices, plans, and one-time purchase fees are listed on impactean.com/pricing and shown at checkout.
- Payments are processed by Stripe Payments Europe, Ltd. (Ireland) and routed via Stripe Inc. (USA) under EU SCCs. By purchasing, you also agree to Stripe's terms.
- Subscriptions auto-renew at the end of each billing period at the then-current price unless you cancel before renewal by emailing support@impactean.com.
- We will email you a receipt for each payment.
- Prices may change with at least 30 days' written notice (email or in-product). Continued use after the change constitutes acceptance; otherwise you may cancel.

## 7. Refunds and EU/UK right of withdrawal

- One-time purchases (e.g. Personal Impact Profile, Professional Impact Profile): if you are an EU/UK consumer, you have a 14-day right of withdrawal under EU Directive 2011/83/EU. By starting the assessment or accessing your report inside the 14-day period, you expressly consent to immediate performance of digital content and **lose the right of withdrawal** (Art. 16(m)). If you have not started the assessment, contact support@impactean.com within 14 days for a full refund.
- Subscriptions: cancel any time. Cancellation stops the next renewal; you keep access through the end of the paid period. We do not pro-rate partial months.
- We may grant goodwill refunds at our discretion.

## 8. Your content

You retain ownership of everything you submit to the Services — assessment responses, coaching messages, commitments, uploaded files. You grant Valenyr a worldwide, non-exclusive, royalty-free licence to host, process, and display your content solely to operate, maintain, and improve the Services for you. We will not use your content to train third-party AI models, and we will not sell or share it for marketing purposes.

You can download your Impact Capacity Report as a PDF from the report viewer, delete individual AI coaching sessions from the coaching sessions list, and request a full data export or account closure by emailing privacy@impactean.com.

## 9. Our intellectual property

The Wheel of Impact™ framework, assessment methodology, model, prompts, code, designs, and trademarks are owned by Valenyr (“Impactean” brand) or our licensors.
We grant you a personal, limited, non-transferable, non-sublicensable, revocable licence to use the Services as offered. Nothing in these Terms transfers any IP to you.

## 10. AI Coach disclaimer

The AI Executive Coach generates outputs probabilistically and may produce inaccurate, incomplete, or unsuitable suggestions. Use professional judgement. Do not rely on the AI Coach for medical, mental-health, legal, financial, or safety decisions. If you are in crisis, contact local emergency services. In the EU, dial 112. In Finland, the Mental Health Crisis Line is 09 2525 0111.

## 11. Service availability

We aim for high availability but do not guarantee uninterrupted operation. We may schedule maintenance, deploy updates, and modify features. We will give reasonable notice of material adverse changes for paying customers.

## 12. Suspension and termination

We may suspend or terminate your account if you breach these Terms, if required by law, or to protect the integrity or security of the Services. We will notify you when we can lawfully do so. You may close your account at any time by emailing privacy@impactean.com. On termination: your licence ends; we delete or anonymise your personal data in line with our Privacy Policy retention schedule; you may export your data for a 30-day grace period.

## 13. Disclaimers

To the maximum extent permitted by law, the Services are provided "as is" and "as available". We disclaim all implied warranties (including merchantability, fitness for a particular purpose, and non-infringement) except those that cannot be lawfully disclaimed. This does not affect non-waivable consumer rights you have under EU/UK law.

## 14. Limitation of liability

To the maximum extent permitted by law, Valenyr's aggregate liability for any claim arising out of or relating to these Terms or the Services is limited to the greater of (a) the amounts you paid us in the 12 months preceding the claim or (b) EUR 100.
We are not liable for indirect, incidental, special, consequential, exemplary, or punitive damages, lost profits, lost revenue, lost data, or lost goodwill. Nothing in these Terms limits liability for fraud, gross negligence, wilful misconduct, death or personal injury caused by negligence, or any other liability that cannot be limited under applicable law (including mandatory consumer-protection laws applicable where you ordinarily reside).

## 15. Indemnity

You will indemnify Valenyr against third-party claims arising from your unlawful use of the Services or your breach of Sections 5, 7, or 8. We will indemnify you against third-party claims that the unmodified Services, when used as permitted, infringe a third party's IP rights, capped at the same limit as Section 14.

## 16. Changes to these Terms

We may update these Terms. For material changes we will notify you at least 30 days in advance by email or in-product. Continued use after the effective date constitutes acceptance.

## 17. Governing law and dispute resolution

These Terms are governed by **the federal laws of the United Arab Emirates**, without prejudice to **mandatory** consumer-protection, digital-content, data-protection or other provisions that cannot be contractually waived in your country or region of ordinary residence. Subject to those mandatory carve-outs (including, where applicable, rights of EU/EEA consumers to sue in their home courts), disputes arising from these Terms are submitted to the **exclusive jurisdiction of the courts seated in Dubai, United Arab Emirates**. EU consumers may use the European Commission's Online Dispute Resolution platform: https://ec.europa.eu/consumers/odr/. We are not obliged to participate in ADR but will consider it in good faith.

## 18. General

- (a) Entire agreement. These Terms, the Privacy Policy, the Cookie Policy, the DPA (where applicable), and any order form between us are the entire agreement.
- (b) Severability. If any provision is unenforceable, the rest remain in effect.
- (c) No waiver. Our failure to enforce a provision is not a waiver.
- (d) Assignment. You may not assign these Terms; we may assign them in connection with a merger, acquisition, or asset sale.
- (e) Notices. To us: legal@impactean.com. To you: the email on your account.
- (f) Force majeure. Neither party is liable for failures caused by events beyond reasonable control.

## 19. Contact

legal@impactean.com · support@impactean.com · privacy@impactean.com · Telephone (UAE office): **+971 50 718 2271**

---

## Cookie Policy

Source: https://www.impactean.com/legal/cookies
Markdown: https://www.impactean.com/legal/cookies.md
Version: 2026-05-19
sha256: ef0307a1032832641919b1e7042e75cf82cdd04a776b43d6abbda5cfd55eb6ed

# Cookie Policy

Last updated: 19 May 2026

Impactean is unusual among SaaS products: we run no third-party analytics, marketing, or session-replay cookies. The only cookies we set are strictly-necessary cookies that keep you signed in. This page is short by design.

## What we set

| Cookie | Set by | Purpose | Duration | Necessary? |
|---|---|---|---|---|
| sb-vqlqmscprojpkfkszabh-auth-token | Impactean (via Supabase Auth) | Keeps you signed in to app.impactean.com | Refresh-rotated; expires 7 days after last activity | Yes |
| sb-vqlqmscprojpkfkszabh-auth-token-code-verifier | Impactean (via Supabase Auth) | OAuth/PKCE flow for password reset and magic link | Single-use, ~5 minutes | Yes |
| Stripe Checkout cookies | Stripe (only on /checkout while you pay) | Fraud prevention during payment | Per Stripe's policy | Yes, for the duration of payment |

All cookies above are HttpOnly, Secure, and SameSite=Lax. Strictly-necessary cookies do not require consent under EU ePrivacy and the German TTDSG.
## Hosted Impactean web surfaces (tracker posture)

| Host surface | Behavioural advertising / invasive cross‑site analytics scripts |
|---|---|
| `www.impactean.com` *(marketing)* | No third‑party trackers intentionally shipped from our repository builds. |
| `app.impactean.com` *(product SPA)* | No third‑party trackers; strictly necessary authentication cookies enumerated above. |
| `*.impactean.com` Impactean‑operated editorial blog instances | Intended **parity** upon theme merges—promptly report regressions via privacy@impactean.com. |

## What we do NOT set

- No Google Analytics, Google Tag Manager, or Google Ads cookies.
- No Meta (Facebook) Pixel.
- No Mixpanel, PostHog, Segment, Heap, Amplitude, FullStory, Hotjar, Clarity, or LogRocket.
- No advertising or behavioural-tracking cookies.

If we ever introduce optional analytics, we will deploy a category-based consent banner and load nothing non-essential before you opt in.

## Managing cookies

You can clear or block cookies in your browser settings. Blocking strictly-necessary cookies will sign you out and prevent you from using app.impactean.com.

## Local storage (marketing site only)

| Key | Set by | Purpose | Duration |
|---|---|---|---|
| impactean_cookie_consent | impactean.com | Remembers your cookie-banner choice | 365 days |

This is not an advertising cookie. It does not track you across other websites.

## Contact

privacy@impactean.com

---

## Sub-processors

Source: https://www.impactean.com/legal/sub-processors
Markdown: https://www.impactean.com/legal/sub-processors.md
Version: 2026-05-19
sha256: a037a658b8417be6f895f959123747c9741fd3b8c41959da173cbf4ff2e52e87

# Sub-processors

Last updated: 18 May 2026

A sub-processor is a third party that processes personal data on our behalf. We commit to:

1. Vetting every sub-processor for security, reliability, and GDPR compliance;
2. Executing a written data-processing agreement (or relying on each vendor's published DPA) before any personal data is shared;
3. Publishing the up-to-date list below;
4. Giving customers at least 30 days' written notice (email or in-product) before adding or replacing any sub-processor that processes personal data, so customers may reasonably object.

## Active sub-processors

| Sub-processor | Purpose | Data categories | Hosting region | Transfer safeguard | Vendor links |
|---|---|---|---|---|---|
| Supabase, Inc. | Postgres database, authentication, file storage, realtime | All Account, Identity, Contact, Assessment, Coaching, Uploaded file, Usage data | AWS Frankfurt — eu-central-1 (EU/EEA) | Stays in EU; SCCs for any vendor support access from outside EEA | https://supabase.com/legal/dpa · https://supabase.com/legal/subprocessors · SOC 2 Type 2, HIPAA-ready |
| Vercel, Inc. | Application hosting, serverless functions, edge middleware | All HTTP request/response data; runtime logs (no persistent user content) | Washington, D.C., USA | EU SCCs in Vercel's DPA | https://vercel.com/legal/dpa · https://vercel.com/legal/subprocessors · SOC 2 Type 2, ISO 27001 |
| OpenAI, L.L.C. | AI Executive Coach (chat, voice, transcription, TTS), report generation, content extraction from uploaded assessments | Coaching messages, assessment context, voice audio, uploaded file content (text/image) | United States | EU SCCs in OpenAI DPA. API content is not used to train models. Up to 30 days retention for abuse monitoring on standard API; we will move to OpenAI Enterprise (Zero Data Retention) and update this page when complete | https://openai.com/policies/data-processing-addendum · https://trust.openai.com · SOC 2 Type 2 |
| Stripe Payments Europe, Ltd. | Payment processing, subscription management, invoicing | Email, billing address, transaction history, Stripe customer ID. Card numbers and CVV are handled directly by Stripe and never reach Impactean | Ireland (EU) with global routing to Stripe, Inc. (USA) | Intra-Stripe SCCs; PCI-DSS Level 1 | https://stripe.com/legal/dpa · https://stripe.com/privacy · PCI-DSS L1, SOC 1 + 2 Type 2, ISO 27001 |
| Resend, Inc. | Transactional email (verification, receipts, reminders, check-ins) | Recipient email, recipient first name, email subject and body, send/delivery metadata | Ireland — eu-west-1 (EU/EEA) | Stays in EU; SCCs for any vendor support access from outside EEA | https://resend.com/legal/dpa · https://resend.com/legal/security · SOC 2 Type 2 |

## Subscribe to changes

Email privacy@impactean.com with subject "Sub-processor updates" to be added to the change-notification list.

---

## Data Processing Addendum (DPA)

Source: https://www.impactean.com/legal/dpa
Markdown: https://www.impactean.com/legal/dpa.md
Version: 2026-05-19
sha256: a1aa55d331981be32e762c1dd95209d10936c9d6ecb8df992f949be051b9004e

# Data Processing Addendum (DPA)

Last updated: 19 May 2026

If you use Impactean to process personal data on behalf of an organisation — for example, employees on a Business plan — you (the customer) act as the data controller and Valenyr (Impactean brand) acts as the data processor under Article 28 GDPR. This page summarises our DPA. Once agreed in writing between the parties, it forms part of the agreement between us.

## Quick summary

- Subject matter: provision of the Impactean Services as described in our Order Form / online subscription.
- Duration: while the agreement is in force, plus the retention and deletion schedule in our Privacy Policy §9 (including inactive-account and backup windows).
- Nature and purpose: hosting an account, delivering the assessment, generating reports, providing AI coaching, tracking commitments, sending transactional email, billing.
- Data subjects: customer's authorised users (employees, members, programme participants).
- Data categories: as listed in the Privacy Policy, Section 2.
- Sub-processors: as listed at /legal/sub-processors. Customer authorises the use of all sub-processors listed there. We will give 30 days' written notice of additions or replacements.
- International transfers: governed by EU Standard Contractual Clauses (Module 2) where applicable, plus our Transfer Impact Assessment.
- Security measures: as described at /security.
- Audits: customer may audit no more than once per 12 months on 30 days' notice, or accept the audit reports of our sub-processors (SOC 2, ISO 27001).
- Data subject requests: we will assist customer in responding to data subject requests within statutory timeframes.
- Data breach notification: we will notify customer without undue delay and within 72 hours of becoming aware.
- Return / deletion: on termination, customer may export data for 30 days; thereafter we delete or anonymise per Privacy Policy §9, except where law requires retention. Sub-processor deletion aligned with /legal/sub-processors.

## How to execute

Email **legal@impactean.com** from your organisation's authorised signatory to request a countersigned DPA. We typically respond within 5 business days. Enterprise customers may request reasonable redlines.

## Standard Contractual Clauses

Where personal data is transferred outside the EEA, the EU Commission Standard Contractual Clauses (Implementing Decision (EU) 2021/914), Module 2 (controller-to-processor), are incorporated by reference. The clauses prevail over any conflicting term.

## Enterprise safeguarding (Business plans)

For organisational customers, the following applies in addition to the Privacy Policy:

- **Prohibited uses:** Impactean is for leadership and personal development. It must not be used as occupational-health screening, clinical mental-health treatment, or automated employment decisions.
- **Coaching confidentiality:** Employee coaching chat transcripts are not available to customer administrators. Programme-level analytics (e.g. assessment scores, commitment text summaries, session counts) may be available as described in the order form and DPA.
- **Crisis and safeguarding:** Impactean is not an emergency or crisis service and does not provide real-time human monitoring. Customer administrators remain responsible for their own workplace safeguarding policies. Users in immediate danger should be directed to local emergency services and qualified crisis helplines.
- **Escalation:** If a customer becomes aware of a credible imminent risk of serious harm involving a user, contact **privacy@impactean.com** and **support@impactean.com** promptly. We will act in line with applicable law and the confidentiality limits in our Privacy Policy.
- **Local resources:** Customers should communicate appropriate local emergency numbers and employee-assistance resources to their workforce.

## Contact

legal@impactean.com

---

## Trust & Security

Source: https://www.impactean.com/legal/security
Markdown: https://www.impactean.com/legal/security.md
Version: 2026-05-19
sha256: bbd6afdf98ac83f8c897549d2c62def08fd3932bf84a9f1fe9f71eda53aa77ac

# Trust & Security

Last updated: 19 May 2026

## Our security posture in one paragraph

Impactean is built on EU-resident infrastructure (Supabase Postgres in AWS Frankfurt, Resend email in AWS Dublin). Application compute runs on Vercel in Washington, D.C. under EU Standard Contractual Clauses. AI inference runs on OpenAI under SCCs and a no-training contractual commitment. Card data is processed only by Stripe (PCI-DSS Level 1) and never touches our servers. We run no third-party analytics, marketing, or session-replay tools. All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). The full list of sub-processors is at /legal/sub-processors.

## Data protection

- **At rest** — AES-256 across Supabase Postgres, Supabase Storage, Resend, Stripe, and OpenAI.
- **In transit** — TLS 1.2 minimum on every public endpoint; HSTS enabled.
- **Passwords** — bcrypt; never logged, never stored in plaintext.
- **Backups** — Supabase Pro point-in-time recovery up to 7 days. Migration to Supabase Enterprise (28+ days PITR, dedicated infrastructure) is planned.
- **Data residency** — Account data, assessment results, coaching conversations, and uploaded files are stored in Frankfurt (EU). Transactional emails are sent from Dublin (EU). Application compute and AI inference run in the US under SCCs.

## Application security

- Supabase Auth with refresh-token rotation; HttpOnly, Secure, SameSite=Lax cookies.
- Postgres Row-Level Security (RLS) on every user-scoped table.
- Service-role database access is restricted to server-side code paths and is audited.
- Stripe Checkout (hosted) for all card capture — we never receive PAN/CVV.
- Webhook signature verification on every Stripe event.
- No third-party JavaScript trackers loaded in the app.
- HTTP security headers: HSTS, X-Content-Type-Options, X-Frame-Options/frame-ancestors, Referrer-Policy, Permissions-Policy, and a Content Security Policy. (See https://securityheaders.com)

## Tracker & scripted telemetry governance

- Internal release checklist blocks marketing tag managers & third‑party session replay consoles across **marketing** (`impactean.com`) and **`app`** bundles.
- Subdomains such as **`blog`** are held to parity when Impactean retains theme/source control.

## Operational security

- **Business continuity** — Backups and restore procedures documented; RPO/RTO aligned with Supabase PITR capabilities.
- **Personnel** — Production access limited to named staff; confidentiality obligations for anyone handling personal data.
- Least-privilege access to production systems; SSO + MFA on all vendor consoles.
- Quarterly internal security reviews.
- Dependency scanning and `npm audit` on every release.
- Production secrets stored only in Vercel and Supabase; never committed to Git.
- Incident response process with a 72-hour GDPR notification commitment.
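The "webhook signature verification on every Stripe event" control above, shown as an added example that is not Impactean's code: it checks a Stripe-style `Stripe-Signature` header (`t=<timestamp>,v1=<hex>`) by recomputing HMAC-SHA256 over `<timestamp>.<raw body>` with the endpoint secret, rejects stale timestamps to limit replay, and only then parses the event. The endpoint secret, event body and timestamp are constructed sample values; in production the Stripe SDK's `stripe.Webhook.construct_event` performs the same check.

```python
"""Verify a Stripe-style webhook signature before acting on an event.

Added example, not Impactean's code. The secret and event below are
constructed sample values, not real Stripe data.
"""
import hashlib
import hmac
import json
import time
from typing import List, Optional, Tuple

DEFAULT_TOLERANCE_SECONDS = 300  # Stripe's default replay window


class SignatureError(Exception):
    """Raised for any malformed, stale, or mismatching signature."""


def sign_payload(secret: str, timestamp: int, raw_body: bytes) -> str:
    """Compute the v1 signature a genuine sender would put in the header."""
    signed = f"{timestamp}.".encode() + raw_body
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def parse_signature_header(header: str) -> Tuple[int, List[str]]:
    """Split 't=...,v1=...,v1=...' into the timestamp and all v1 candidates."""
    timestamp: Optional[int] = None
    v1_signatures: List[str] = []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1":
            v1_signatures.append(value)
    if timestamp is None or not v1_signatures:
        raise SignatureError("header lacks timestamp or v1 signature")
    return timestamp, v1_signatures


def verify_webhook(raw_body: bytes, header: str, secret: str,
                   now: Optional[int] = None,
                   tolerance: int = DEFAULT_TOLERANCE_SECONDS) -> dict:
    """Return the parsed event only if the signature is valid and fresh.

    Raises SignatureError otherwise, so a caller cannot act on an
    unverified event by accident. Must run on the raw request bytes:
    re-serialising the JSON would change the signed payload.
    """
    timestamp, candidates = parse_signature_header(header)
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > tolerance:
        raise SignatureError("timestamp outside tolerance (possible replay)")
    expected = sign_payload(secret, timestamp, raw_body)
    # Constant-time comparison against every v1 value; secret rotation can
    # legitimately produce more than one.
    if not any(hmac.compare_digest(expected, c) for c in candidates):
        raise SignatureError("no v1 signature matched")
    return json.loads(raw_body)


# Constructed sample values for demonstration only.
SAMPLE_SECRET = "whsec_example_constructed_secret"
SAMPLE_EVENT = json.dumps({"id": "evt_constructed_001",
                           "type": "invoice.paid"}).encode()
SAMPLE_TIMESTAMP = 1_780_000_000


def make_valid_header(timestamp: int = SAMPLE_TIMESTAMP) -> str:
    """Build the header a genuine sender would attach to SAMPLE_EVENT."""
    sig = sign_payload(SAMPLE_SECRET, timestamp, SAMPLE_EVENT)
    return f"t={timestamp},v1={sig}"


if __name__ == "__main__":
    hdr = make_valid_header()
    print(verify_webhook(SAMPLE_EVENT, hdr, SAMPLE_SECRET, now=SAMPLE_TIMESTAMP))
```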
## AI safety

- We use OpenAI's API for inference. API content is not used to train OpenAI models.
- Standard API: up to 30 days retention by OpenAI for abuse monitoring; we are migrating to OpenAI Enterprise with Zero Data Retention.
- Coaching chat transcripts are not shared with employers. Business plans may receive programme-level analytics (scores, commitment summaries, engagement metrics) under the DPA — not coaching messages.
- Our coaching prompts are reviewed against ICF coaching ethics and refreshed periodically.
- We do not use coaching content for any purpose other than operating the coaching feature for that user.
- The AI Coach is not a therapist or crisis service. We do not monitor chats in real time or provide emergency intervention; users in crisis should contact local emergency services.

## SOC 2 readiness (not yet certified)

Impactean **does not currently hold a SOC 2 Type I or Type II report**, and we are **not** in an active SOC 2 or ISO 27001 certification audit. We design and operate controls to align with the AICPA Trust Services Criteria (security, availability, and confidentiality). Customers may rely on:

| Control area | Our current practice | SOC 2 TSC alignment (informative) |
|---|---|---|
| Access control | SSO + MFA on production vendors; least-privilege; RLS on user data; no shared production passwords | CC6 |
| Encryption | TLS 1.2+ in transit; AES-256 at rest on primary stores; bcrypt passwords; Stripe-hosted payments | CC6 |
| Change management | Git-based releases; dependency scanning; staged deploys on Vercel | CC8 |
| Vendor management | Published sub-processors; DPAs; 30-day change notice | CC9 |
| Logging & monitoring | Application and security logs; retention per Privacy Policy §9 | CC7 |
| Incident response | Documented IR process; 72-hour GDPR breach notification to controllers | CC7 |
| Backup & recovery | Supabase PITR (up to 7 days); tested restore procedures | A1 |
| Data retention & deletion | Published schedule; verified DSR workflow via privacy@impactean.com | C1 |
| Privacy | GDPR-aligned Privacy Policy, DPA, SCCs, DPIA for AI coaching | P-series (privacy criteria where applicable) |

Enterprise customers may request our security questionnaire or control narrative at security@impactean.com.

## Vendor compliance (inherited)

| Vendor | Attestation |
|---|---|
| Supabase | SOC 2 Type 2, HIPAA-ready |
| Vercel | SOC 2 Type 2, ISO 27001 |
| OpenAI | SOC 2 Type 2, CSA STAR |
| Stripe | PCI-DSS Level 1, SOC 1 + 2 Type 2, ISO 27001 |
| Resend | SOC 2 Type 2 |

Impactean does not currently hold its own SOC 2 or ISO 27001 attestation. We may pursue formal attestation in future; if we obtain one, we will update this page.

## GDPR & privacy

- EU/EEA data residency for primary data stores (Frankfurt).
- EU Standard Contractual Clauses (Module 2) for transfers to the United States (OpenAI, Vercel, Stripe Inc.).
- Published retention and deletion schedule at [/legal/privacy](/legal/privacy) §9.
- Data Protection Impact Assessment (DPIA) maintained for AI coaching and organisational programme features — summary available to enterprise customers on request.
- Records of processing activities (Art. 30) and data-subject request handling within 30 days.
- In-product: delete individual coaching sessions; download report PDF. Full account closure and data export: **privacy@impactean.com**.
- Sub-processor change notifications with 30 days' notice.
- Signed customer DPA available at [/legal/dpa](/legal/dpa).

## Vulnerability disclosure

We welcome coordinated disclosure of security issues. Email security@impactean.com. We commit to:

- Acknowledge within 48 hours;
- Triage within 5 business days;
- Credit researchers (with consent) when a fix ships.

For encrypted disclosure, email security@impactean.com and we will provide a PGP key on request.

## Contact

security@impactean.com · privacy@impactean.com

---

## AI and Your Data

Source: https://www.impactean.com/legal/ai
Markdown: https://www.impactean.com/legal/ai.md
Version: 2026-05-19
sha256: 1150713fc8e177b761ffef088a5eacc00da2b93689e3a1b017d389c44cd16fca

# AI and Your Data

Last updated: 19 May 2026

We built Impactean's AI coach because behavioural change is hard and a great coach is rare. We're aware that "AI coach" raises legitimate concerns about privacy, accuracy, and dependency. Here's exactly how we handle them.

## Where the AI runs

OpenAI's API in the United States. Models in use: gpt-5.1 (primary coaching), gpt-4o (file extraction), gpt-4o-mini (commitment generation, summaries), gpt-4o-mini-realtime-preview (voice), gpt-4o-mini-transcribe (speech-to-text), tts-1 (text-to-speech). Transfers out of the EEA are governed by EU Standard Contractual Clauses.
## What is sent

When you chat with the coach, we send:

- the message you just wrote,
- prior messages in the same session and short summaries of recent prior sessions,
- a structured summary of your assessment results and coaching goals,
- (optional) any image you attach,
- a system prompt describing the coaching style for your tier.

We do not send your password, payment information, or other users' data.

## What is not done with it

- Your inputs and outputs are not used to train OpenAI's models, by contract.
- We do not use your coaching content to train any other model.
- We do not share coaching chat transcripts with your employer. Business plans may receive programme-level analytics under the DPA — not your messages.
- We do not sell or rent your data.

## Retention at OpenAI

Today we use OpenAI's standard API. OpenAI may retain inputs and outputs for up to 30 days for abuse monitoring, after which they are deleted. We are upgrading to OpenAI Enterprise with Zero Data Retention; this page will update on the day the upgrade is live.

## Our own retention

Coaching conversations are stored in Supabase (Frankfurt, EU). They are visible only to you, accessible to a small subset of Impactean engineers under audit only when necessary for support or security. You can delete individual sessions in the app; full account closure is requested via privacy@impactean.com (see Privacy Policy retention).

## Decision-making

Our AI does not make legally significant or similarly significant automated decisions about you. The AI Coach is a development tool. It will not score you for a promotion, deny you a job, set your insurance premium, or unlock or restrict any feature on its own.

## Quality, bias, and safety

- Our prompts and behaviour are reviewed by humans against ICF coaching ethics.
- We test for bias on protected categories before shipping prompt changes.
- The coach is instructed not to provide medical, mental-health, legal, or financial advice and to encourage qualified professionals when those topics arise.
- **Not a crisis service.** We do not monitor chats in real time, operate a hotline, or take responsibility for actions you take outside the app. If you are in immediate danger, contact local emergency services (e.g. **112** in the EU). OpenAI's API may apply its own automated safety filters to prompts and responses.
- **Limits on confidentiality** match our Privacy Policy: we may disclose where required by law or where we reasonably believe there is a serious risk of harm to you or others, subject to applicable law.

## Your controls

- Delete individual coaching sessions from the coaching sessions list in the app.
- Download your Impact Capacity Report as a PDF from the report viewer.
- Email **privacy@impactean.com** for full account closure, data export, or other privacy requests.