Privacy Policy.

Last updated: 2026-04-27

1. Introduction

Innersights B.V. (“Innersights,” “we,” “us”) provides a B2B platform that lets practitioners build branded AI assessments and twins for the people they work with. This Privacy Policy explains how we collect and use personal data when you use the Innersights platform at innersights.io or any associated surface (the “Service”).

This Policy applies worldwide and is written to align with the EU General Data Protection Regulation (“GDPR”), the UK GDPR, and equivalent regimes. Where local law gives you stronger rights, we honour those.

2. Who controls your data

Innersights B.V.

Registered: [TODO: KvK number] · the Netherlands

Address: [TODO: registered address]

Privacy contact: privacy@innersights.io

Website: innersights.io

3. Two roles, two relationships

Innersights is a multi-tenant platform with two kinds of user, and our role under data-protection law differs depending on whose data we're handling and why.

Practitioner
A coach, therapist, consultant, educator, or similar professional who creates a workspace on Innersights to deliver assessments, twins, and reports to the people they work with.
Client
An individual who completes an assessment, receives a report, or chats with a Twin inside a Practitioner's workspace.
Website visitor
Anyone who browses our marketing site at innersights.io without signing in or completing an assessment.

Three distinct relationships follow:

  • Account data (we are controller). When a Practitioner or a Client signs up to use Innersights — names, email addresses, authentication credentials, profile information, the workspace they create, billing data once we charge — we are the controller. This Policy applies directly to that processing.
  • Practitioner's Client data (we are processor). When a Practitioner uses Innersights to collect, store, and process information from their Clients (assessment answers, chats with the Twin, knowledge a Practitioner uploads about a Client), the Practitioner is the controller and Innersights is the processor acting on the Practitioner's instructions, under a Data Processing Agreement (DPA). Clients with questions about that data should contact the Practitioner whose workspace they used; we will help where we can.
  • Website-visitor data (we are controller). When someone browses our marketing site without an account, we are the controller for any cookies, analytics, or contact-form submissions collected there. The authenticated app and the assessment flow are separate from this and run with no third-party analytics or advertising trackers (Section 14).

4. Data we collect

4.1 Account information

Email address, password (hashed), display name, profile picture if provided, OAuth identifiers if you sign in with Google, and the workspace slug created from your name.

4.2 Practitioner workspace data

Assessment definitions you create, twin instructions and tone settings, knowledge-base documents you upload, member invitations, and submissions/reports retained inside your workspace.

4.3 Client assessment data

When you complete an assessment, we collect the data the Practitioner asked for, which typically includes:

  • Your first name and email address (so the Practitioner can identify you and we can deliver your report).
  • Your written or transcribed-voice answers to each question.
  • Any feedback you give on a category or report.
  • The consent records you agreed to before submitting.

4.4 Twin chat data

Messages you send to a Twin and the AI responses you receive, retained so the conversation persists across sessions and so Practitioners can review chat history when their workspace is configured for that.

4.5 Voice recordings

When you answer a question by voice, the audio is sent to OpenAI Whisper for transcription, then discarded — only the resulting text is stored as your answer. Audio is not retained on our servers.

4.6 Technical data

IP address, user-agent, device and browser information, language and time-zone preferences, and basic usage telemetry (which page you opened, when, and how the Service responded). We do not run third-party advertising or analytics trackers inside the authenticated app.

4.7 Communications

Emails you send to our support addresses, and emails we send you (transactional confirmations, reports, and waitlist replies via Resend).

5. Sensitive data

Practitioners may design assessments that ask about feelings, well-being, or health. Some of these answers can qualify as special category data under GDPR Article 9.

Innersights does not require Practitioners to collect health data, and we do not infer it. When a Practitioner builds an assessment, it is the Practitioner's responsibility to:

  • Decide whether their assessment will collect special-category data.
  • Establish the lawful basis for that processing under Article 9 GDPR (typically the Client's explicit consent).
  • Communicate that to the Client clearly before they submit.

If you are a Client submitting an assessment, we ask you to confirm consent before your answers are sent. You can withdraw that consent later by contacting the Practitioner whose workspace you used, or by deleting your Innersights account (Section 13).

7. How we use data

7.1 Provide the Service

  • Authenticate you and serve the right workspace.
  • Run assessments end-to-end: questions, voice transcription, AI follow-up checks, AI report generation, email delivery.
  • Power Twin chat with retrieval over the Practitioner's knowledge base.
  • Show Practitioners their workspace's submissions, reports, and members.

7.2 Communicate

  • Send transactional emails (account confirmation, password reset, report delivery, member invitations).
  • Reply to support requests and operational notices.
  • Send updates about new features or product changes (you can opt out).

7.3 Operate, secure, and improve

  • Detect and respond to abuse or fraud.
  • Diagnose and fix bugs, monitor uptime, and maintain backups.
  • Improve the Service via aggregate, de-identified usage signals — we do not use your content to train AI models (Section 8).

We do not sell personal data. We do not let advertising networks or social-media trackers see what happens inside the authenticated app.

8. AI and automated processing

8.1 What we use AI for

The Service uses AI to:

  • Generate the personalised report from your assessment answers (Anthropic Claude).
  • Decide whether a follow-up question would deepen your reflection (OpenAI GPT-4o).
  • Transcribe voice answers (OpenAI Whisper).
  • Power Twin chat with retrieval over the Practitioner's knowledge base, using vector embeddings of that knowledge base (OpenAI embeddings) and chat completion (Anthropic Claude).

8.2 No training on your data

We do not use your messages, answers, knowledge-base content, or uploaded files to train, fine-tune, or improve foundation models. Our agreements with Anthropic and OpenAI prohibit training on data sent through their APIs, and we opt into zero-data-retention configurations with these providers where available. AI providers do not gain ownership of any content submitted to or generated by their models on your behalf. Your content is processed only to deliver the Service to you.

8.3 Human oversight and limits

AI prompts, frameworks, and safety guardrails are designed and maintained by humans. AI output may be wrong, incomplete, or out-of-date — see Section 15 of our Terms of Service.

8.4 No automated decisions with legal effect

The Service does not make decisions about you that produce legal effects or similarly significant effects within the meaning of GDPR Article 22. AI outputs are reflective material; any decision is made by you or by your Practitioner.

9. Sharing and subprocessors

We share personal data with a small number of vendors that operate parts of the Service for us (“subprocessors”). Each is bound by a data-processing agreement and is allowed to process data only as instructed by us.

Vercel · USA / global edge

Purpose: Application hosting, edge runtime, AI Gateway, deployment platform.

Data shared: All data flowing through the Service.

Supabase · European Union

Purpose: Database, authentication, file storage, RLS-protected APIs.

Data shared: All data at rest, including assessments, submissions, knowledge-base files, and account records.

Anthropic (Claude) · USA (with DPA, no training)

Purpose: AI inference: report generation, follow-up checks, twin chat.

Data shared: Question prompts, your answers (in transit), twin chat messages, retrieved knowledge-base snippets.

OpenAI · USA (with DPA, no training)

Purpose: AI inference: voice transcription (Whisper), embeddings for retrieval, occasional auxiliary generation (e.g. follow-up checks).

Data shared: Voice audio (transient), text snippets for embedding, occasional question prompts.

Resend · USA (DPF certified)

Purpose: Transactional email delivery, including auth emails routed through Supabase's send-email hook.

Data shared: Email addresses, email body content.

Google · Global

Purpose: OAuth identity (sign-in only). We do not access Gmail, Drive, Tasks, or Calendar.

Data shared: Email address, name, profile picture, Google account ID.

Cloudflare · Global

Purpose: Bot protection (Turnstile) and edge-network protection where deployed.

Data shared: IP address, request metadata.

Langfuse · European Union

Purpose: Prompt-quality monitoring and AI-output observability so we can debug bad responses and improve safety guardrails.

Data shared: Anonymised prompt/response pairs and metadata for quality assurance.

9.1 What we never do

  • We never sell personal data.
  • We never use Client assessment data, Twin chat content, or knowledge-base content for advertising, profiling, or look-alike modelling.
  • We never share your content with third parties for their own marketing purposes.
  • We never use your data to train AI models.

9.2 Other disclosures

  • We may disclose personal data to comply with valid legal process or to protect our rights, your safety, or the safety of others.
  • If we are involved in a merger, acquisition, or asset sale, personal data may transfer as part of that transaction; we will notify you and ensure the new entity is bound by terms at least as protective as this Policy.
  • We may publish anonymised, aggregated metrics that cannot identify any individual.

10. International transfers

Some of our subprocessors are based outside the EU/EEA, including in the United States. When we transfer personal data internationally we rely on:

  • EU-US Data Privacy Framework (DPF) where the recipient is certified.
  • EU Standard Contractual Clauses (SCCs) for transfers to other countries that lack an adequacy decision.
  • Supplementary measures, including encryption in transit (TLS) and at rest, and contractual prohibitions on training and onward transfers.

You can request a copy of the relevant transfer mechanism from privacy@innersights.io.

11. Security

We take security seriously and apply technical and organisational measures appropriate to the risk, including:

  • TLS encryption for data in transit and at-rest encryption for the database, file storage, and backups.
  • Row-level security (RLS) on every workspace data table, so a workspace's content is only accessible to that workspace's members.
  • Hashed passwords (industry-standard algorithms via Supabase Auth).
  • Role-based access controls for staff, audit logging, and least-privilege service-role keys.
  • Continuous dependency, runtime, and vulnerability monitoring.
  • Subprocessor due diligence and contractual security obligations.

No system is perfectly secure. If we become aware of a personal-data breach that creates risk for you, we will notify the relevant authorities and affected users as required by law.

12. Retention

Account profile data
While your account is active, then deleted within 30 days of account deletion (subject to legal-hold exceptions below).
Assessment submissions and reports
While the owning workspace exists. Practitioners can delete individual submissions; Clients can request deletion through us or the Practitioner.
Twin chat history
Until you delete it, or until the workspace is deleted.
Knowledge-base documents and embeddings
Until the Practitioner deletes them or the workspace is deleted.
Voice audio
Not stored. Used only for transcription and discarded immediately afterwards.
Email logs (Resend)
Standard provider retention windows for delivery analytics.
Authentication logs
Up to 12 months for security and abuse-detection purposes.
Tax / accounting records
As long as required by applicable law (typically 7 years in the EU).

Where law requires us to keep specific records, we limit access to those records and delete them as soon as the legal obligation expires.

12.1 Deletion timelines

  • Client deletion request. A Client can ask their Practitioner or email us at privacy@innersights.io to delete their submission and account. Confirmed deletions are permanent within 14 days.
  • Practitioner deletion request. A Practitioner can request deletion of their account and workspace. We will first offer to export their workspace data; the account and any remaining data are then permanently removed within 30 days, subject to legal-hold exceptions.

13. Your rights

Where we are the controller, you have the following rights, subject to local-law conditions:

Access
Get a copy of the personal data we hold about you.
Rectification
Correct inaccurate or incomplete data.
Erasure (right to be forgotten)
Ask us to delete your personal data, subject to limited exceptions.
Portability
Receive your data in a structured, machine-readable format.
Restriction
Limit how we use your data while a question about it is being resolved.
Objection
Object to processing based on legitimate interests, including any limited operational analytics.
Withdraw consent
Withdraw consent for processing based on consent, without affecting the lawfulness of earlier processing.
Right not to be subject to automated decisions
We do not make automated decisions with legal effect (Section 8.4).

13.1 How to exercise your rights

  • Use account settings to update your profile, delete chats, or delete your account.
  • Email us at privacy@innersights.io and we will respond within 30 days (extendable by 60 days for complex requests). We may need to verify your identity.
  • If your data is held inside a Practitioner's workspace and they are the controller, we will help route your request to that Practitioner.

13.2 California residents (CCPA / CPRA)

If you are a California resident, you also have the right to:

  • Know what personal information we collect, use, disclose, and (if applicable) sell.
  • Confirm we do not sell or share personal information for cross-context behavioural advertising — we don't.
  • Opt out of any future sale or sharing of personal information.
  • Request correction of inaccurate personal information.
  • Be free from discrimination for exercising your privacy rights.

To exercise any of these rights, contact us at privacy@innersights.io.

13.3 Right to complain

You can lodge a complaint with your local supervisory authority. In the Netherlands, that is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), autoriteitpersoonsgegevens.nl.

14. Cookies and similar technologies

We use only what we need to run the Service. There are no advertising or social-media trackers inside the authenticated app.

Essential
Authentication cookies (managed by Supabase Auth), session cookies, sidebar-state cookie, and theme cookie. Cannot be disabled without breaking the Service.
Local storage
Used to persist UI preferences and partial assessment state across page reloads.
Bot protection
Cloudflare Turnstile may set a short-lived cookie to verify a browser is not automated.

We do not currently run analytics on the marketing site or inside the app. If we add analytics in the future, we will update this Policy and surface the choice clearly.

The assessment experience itself is designed to minimise third-party tracking. Even if we later enable analytics on the marketing site, the authenticated app and the assessment flow remain free of advertising and behavioural-tracking cookies.

15. Age requirement

The Service is intended for people aged 18 and over. We do not knowingly collect personal data from individuals under 16, and a Practitioner who runs assessments with anyone under 18 is responsible for obtaining parental or guardian consent under their own regulatory framework. If you believe a minor has provided us personal data, contact privacy@innersights.io and we will delete it.

16. Changes to this Policy

We may update this Policy as the Service evolves or the law changes. We will:

  • Update the date at the top of this page.
  • For material changes affecting account holders, send notice via the Service or email at least 14 days before the change takes effect.
  • Where new processing requires it, ask for your consent before relying on it.

17. Contact

By using Innersights, you acknowledge that you have read and understood this Privacy Policy.