Privacy Policy

1. OUR ROLE AND YOUR DATA

Innersights serves two types of users, and our data protection role depends on which type you are:

1.1 If You Are a Practitioner (Coach, Therapist, Consultant)

When you create a practitioner account and use the platform to manage your practice, Innersights is the Data Controller for your account data. We decide how your account information is used and are directly responsible for protecting it.

1.2 If You Are a Client (Completing an Assessment)

When you complete an assessment as a client of a practitioner, your Practitioner is the Data Controller for your assessment data. They decide why and how your data is collected and used. Innersights acts as a Data Processor, handling the technical side on your Practitioner's behalf under a formal Data Processing Agreement.

This distinction matters because it determines who is primarily responsible for your data and who you should contact with questions about how your data is used.

1.3 Website Visitors

When you browse our website without completing an assessment or creating an account, Innersights is the Data Controller for any data collected through cookies and analytics.

Contact Information:

Email: info@innersights.io

Website: innersights.io

2. PERSONAL DATA WE COLLECT

We collect personal data that you provide to us and that is generated through your use of our Service.

2.1 Data You Provide Directly

Practitioner Account Information:

• Name
• Email address
• Password (encrypted)
• Business name and details
• Date of account creation

Client Assessment Data:

• Name
• Email address
• Responses to assessment questions (text)
• Voice recordings (if you choose to speak your responses; see Section 2.2)
• Personal experiences and reflections shared during the assessment
• Any other information you choose to share

Communication Data:

• Messages you send to us
• Feedback and testimonials
• Support requests

2.2 Voice Recordings

If you choose to speak your responses instead of typing:

• Your audio is transmitted securely to a transcription service (currently OpenAI Whisper) via encrypted API connection.
• The audio is processed solely to convert your speech into text.
• Audio recordings are not stored by Innersights after transcription is complete.
• The resulting text transcription is treated as an assessment response.

2.3 Special Categories of Personal Data

The nature of our Service means that you may choose to share information relating to your physical or mental health, psychological wellbeing, personal history, or other sensitive topics. Under GDPR, this is considered special category data and requires additional protection.

Before completing an assessment that may involve such disclosures, you will be asked to provide explicit consent. You are always free to share only what you are comfortable with. You can skip any question. There are no right or wrong answers.

Your Practitioner (as Data Controller) is responsible for how they use the insights from your assessment within your therapeutic or coaching relationship.

2.4 Data Collected Automatically

Technical Data:

• IP address
• Browser type and version
• Device information (type, operating system)
• Time zone setting
• Browser plug-in types and versions

Usage Data:

• Pages visited and features used
• Time spent on pages
• Assessment completion data
• Interaction with emails we send

Analytics and Marketing Data (website visitors only):

• Google Analytics data
• PostHog analytics data
• Meta Pixel data (Facebook/Instagram)

Important note for Clients completing assessments: Analytics and marketing tracking (Google Analytics, PostHog, Meta Pixel) operates on the Innersights marketing website. The assessment experience itself is designed to minimise third-party tracking. Essential cookies required for the assessment to function are the only cookies used during the assessment process.

3. HOW WE USE YOUR PERSONAL DATA

3.1 Primary Purposes

Providing the Service:

• Process your assessment responses
• Transcribe voice responses into text
• Generate your personalised report using AI technology
• Send your assessment results via email
• Enable Practitioners to deliver assessments to their clients

AI Processing:

• We use large language model APIs (currently Anthropic Claude and OpenAI) to analyse assessment responses and generate personalised reports.
• Your responses are processed to identify patterns and generate narrative insights based on your Practitioner's methodology.
• We do NOT train any AI models with your data.
• We do NOT use your personal data for machine learning training purposes.
• Your data is used solely to generate your personalised report.
• AI providers do not gain ownership of any content submitted or generated.

Customer Support:

• Respond to your enquiries
• Provide technical support

Platform Operations:

• Send transactional emails about your account and assessments
• Maintain and improve platform reliability and performance
• Ensure security and prevent fraud
• Monitor service quality (using anonymised, aggregated data only)

3.2 Legal Basis for Processing (GDPR)

We process your personal data based on:

• Contract: To provide the Service you or your Practitioner have requested
• Explicit Consent: For processing special category data (health, wellbeing information) within assessments
• Consent: For marketing communications and non-essential cookies
• Legitimate Interests: For improving platform reliability, security, and fraud prevention (using anonymised data)
• Legal Obligations: To comply with applicable laws

3.3 Marketing and Communications

With your consent, we may use your data to:

• Send promotional emails about our Service
• Provide updates about new features
• Share relevant content and resources

You can opt-out of marketing communications at any time by clicking the unsubscribe link in any email or contacting us directly.

We do not use Client assessment data for marketing purposes. Marketing communications are limited to Practitioners and website visitors who have opted in.

4. DATA SHARING AND DISCLOSURE

We share your personal data only in the following circumstances:

4.1 Service Providers

We share data with third-party service providers that help us operate our Service:

Core Service Providers:

• Supabase: Database hosting (EU (Frankfurt)). Assessment responses, reports, account data
• Vercel: Application hosting (EU (with global CDN)). Platform delivery, no persistent data storage
• Anthropic: AI report generation (USA (with SCCs)). Assessment responses (for report generation)
• OpenAI: AI report generation & voice transcription (USA (with SCCs)). Assessment responses, voice audio (for transcription)
• Resend: Transactional email delivery (USA (with SCCs)). Email addresses, report delivery
• Langfuse: Prompt quality monitoring (EU). Anonymised prompt/response pairs for quality assurance

Analytics and Marketing (website only, not during assessments):

• Google Analytics: Website analytics (USA (with SCCs))
• PostHog: Product analytics (EU)
• Meta (Facebook): Advertising measurement (USA (with SCCs))

All service providers are bound by data protection obligations equivalent to those in our Data Processing Agreements.

4.2 Practitioners

If you complete an assessment, your responses and generated report are shared with the Practitioner who invited you. This is the core purpose of the Service.

4.3 Legal Requirements

We may disclose your data if required by law or in response to valid requests by public authorities.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify affected users before any such transfer and ensure equivalent data protection obligations are maintained.

4.5 Aggregated Data

We may use aggregated, anonymised data that cannot identify you personally for platform improvement and reporting purposes.

4.6 What We Never Do

• We never sell your personal data
• We never use assessment data for advertising or profiling
• We never share assessment data with third parties for their own marketing purposes
• We never use your data to train AI models

5. INTERNATIONAL DATA TRANSFERS

Your data is primarily stored within the European Union. Where data is transferred outside the EU/EEA (specifically to AI providers and certain infrastructure services in the USA), we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Verification that service providers maintain adequate data protection measures
• Data Processing Agreements with all subprocessors

6. DATA SECURITY

We implement appropriate technical and organisational measures to protect your personal data, including:

• EU-based database hosting (Supabase, Frankfurt)
• Encryption of data in transit (HTTPS/TLS 1.2+) and at rest
• Row-Level Security ensuring strict data isolation between Practitioners and their Clients
• Role-based access controls
• Separation of production and testing environments
• Limited production database access (restricted to authorised personnel only)
• Secure API communication with AI providers
• Logging and monitoring of system activity
• Incident response procedures
• Regular review of security measures

While we take extensive measures to protect your data, no method of transmission over the internet is 100% secure. If you become aware of any security issue, please contact us immediately.

7. DATA RETENTION

We retain your personal data only as long as necessary:

• Practitioner Account Data: For as long as the account is active, plus 30 days after termination
• Client Assessment Data: For the duration of the Practitioner's active account, unless earlier deletion is requested
• Voice Recordings: Not retained after transcription is complete
• Marketing Data: Until you opt-out or request deletion
• Analytics Data: In accordance with each analytics provider's retention policy (typically anonymised)

Deletion

Clients can request deletion of their data at any time by contacting their Practitioner or emailing us directly at info@innersights.io. Data will be permanently removed within 14 days of the request being confirmed.

Practitioners can request deletion of their account and all associated data. All data will be permanently removed within 30 days, unless the Practitioner requests their client data be returned to them first.

8. YOUR PRIVACY RIGHTS

8.1 Rights for All Users

You have the right to:

• Access your personal data
• Correct inaccurate data
• Request deletion of your data
• Opt-out of marketing communications
• Receive a copy of your assessment results and report

8.2 Additional Rights for EU/EEA Residents (GDPR)

• Data Portability: Receive your data in a machine-readable format
• Restrict Processing: Limit how we use your data
• Object to Processing: Object to certain uses of your data
• Withdraw Consent: Where we rely on consent for processing
• Lodge a Complaint: With your local data protection authority

8.3 Additional Rights for California Residents (CCPA)

• Right to know what personal information we collect
• Right to know if we sell or share personal information (we do not sell your data)
• Right to opt-out of sale of personal information
• Right to non-discrimination for exercising privacy rights

8.4 Exercising Your Rights

If you are a Client: Contact your Practitioner in the first instance. They are the Data Controller for your assessment data and will work with us to action your request. You can also contact us directly at info@innersights.io.

If you are a Practitioner or website visitor: Contact us directly at info@innersights.io.

We will respond within the timeframes required by applicable law (generally within 30 days).

9. COOKIES AND TRACKING TECHNOLOGIES

We use cookies and similar technologies to enhance your experience. For detailed information, please see our Cookie Policy.

Key points:

• Essential cookies are used during assessments for functionality only
• Analytics and marketing cookies operate on the marketing website
• You can manage your cookie preferences at any time

10. THIRD-PARTY LINKS

Our Service may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to read the privacy policies of any third-party sites you visit.

11. CHILDREN'S PRIVACY

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected data from someone under 18, we will take steps to delete it promptly.

12. AI AND AUTOMATED DECISION-MAKING

12.1 How AI Is Used

We use AI technology to:

• Transcribe voice responses into text
• Analyse assessment responses based on the Practitioner's methodology
• Generate a personalised narrative report

12.2 No Training on Your Data

We do NOT use your personal data to train any AI models. Your assessment responses are processed through AI APIs solely to generate your personalised report. AI providers (currently Anthropic and OpenAI) do not use submitted data for model training. We have opted into zero-data-retention configurations where available.

12.3 Oversight

The assessment frameworks and questions are designed by qualified Practitioners. AI is used as an analytical tool within those frameworks, not as an autonomous decision-maker. If you have questions or concerns about your report, please speak with your Practitioner.

12.4 No Automated Legal Decisions

We do not use automated processing for decisions that have legal or similarly significant effects on you. Reports are reflective and informational in nature.

13. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the updated policy on our website with a revised "Last Updated" date
• Sending an email notification to Practitioners with active accounts
• Where legally required, requesting acknowledgment of significant changes

14. CONTACT US

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

Innersights

Email: info@innersights.io

Website: innersights.io

For EU/EEA residents: You have the right to lodge a complaint with your local supervisory authority if you believe we have not adequately addressed your concerns. In the Netherlands, this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

By using Innersights, you acknowledge that you have read and understood this Privacy Policy.