Privacy Policy

1. Information We Collect

We collect information that you provide directly to us, information we automatically collect when you use our Platform, and information from third-party services. The information we collect enables us to provide our team assessment services, improve our Platform, and communicate with you.

1.1 Information You Provide to Us

Account Information (Team Leads):

• Email address (required for authentication)
• Full name (optional)
• Account credentials (managed through Auth0)
• User role information (for access control)

Team Assessment Information:

• Team name
• Team leader name and email
• Company name and website
• Team member names and email addresses
• Assessment configuration (deadline, reminder schedule, results release preferences)
• Workshop interest indication

Survey Response Information:

• Responses to team effectiveness assessment questions
• Quantitative ratings on performance dimensions
• Qualitative comments and feedback (free-text responses)
• Survey completion timestamps

Payment Information:

• Billing information (processed by Stripe, not stored directly by us)
• Payment history and transaction records
• Subscription preferences and tier information

1.2 Information We Collect Automatically

Usage and Technical Information:

• IP addresses (in production logs only, not stored in database)
• Browser type and version
• Device information and operating system
• Page views and navigation patterns (sanitized to remove identifying information)
• Session information and authentication timestamps
• Request metadata for debugging and security monitoring

Email Engagement Information:

• Email delivery status (sent, delivered, bounced)
• Email open timestamps (first open only)
• Email interaction events (clicked, complained)

Cookies and Similar Technologies:

• Authentication session cookies (essential for service functionality)
• Analytics cookies (for understanding Platform usage)

See Section 8 (Cookies and Tracking Technologies) for detailed information.

1.3 Information from Third-Party Sources

Authentication Provider (Auth0):

• Email address and authentication status
• Login timestamps and authentication history
• User profile information

Payment Processor (Stripe):

• Customer identification numbers
• Payment and subscription status
• Transaction records and invoices

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1 To Provide and Maintain Our Service

• Account Management: Create and manage user accounts, authenticate users, and maintain session security
• Team Assessment Functionality: Enable team leaders to create assessments, invite team members, collect survey responses, and generate reports
• Survey Delivery: Send survey invitations and reminders to team members
• Results Generation: Calculate team dimension scores, aggregate responses, and generate team performance reports
• Communication: Send transactional emails related to your use of the Platform

Legal Basis (GDPR): Performance of contract, legitimate interests

2.2 To Process Payments and Manage Subscriptions

• Process subscription payments and one-time purchases
• Manage free and paid subscription tiers
• Send payment receipts and invoices
• Track subscription status and billing periods
• Enforce subscription limits (e.g., team size restrictions)

Legal Basis (GDPR): Performance of contract

2.3 To Improve and Develop Our Platform

• Analytics: Understand how users interact with our Platform through privacy-focused analytics
• Product Development: Identify opportunities for new features and improvements
• Technical Optimization: Monitor system performance, identify and fix bugs, and optimize user experience
• Research: Conduct aggregate research on team effectiveness patterns (fully anonymized data only)

Legal Basis (GDPR): Legitimate interests

2.4 To Generate AI-Powered Insights

• Analyze team assessment data to generate qualitative insights and recommendations
• Identify patterns in team effectiveness across performance dimensions
• Provide personalized suggestions for team improvement

Legal Basis (GDPR): Legitimate interests

2.5 To Communicate with You

• Transactional Communications: Send survey invitations, assessment deadline reminders, results notifications, and payment receipts (you cannot opt-out of these as they are essential to the service)
• Marketing Communications: Send product updates, newsletters, and feature announcements (you can opt-out at any time)
• Workshop Inquiries: Follow up on workshop interest if you indicated interest during team creation
• Customer Support: Respond to your requests, questions, and feedback

Legal Basis (GDPR): Performance of contract (transactional), consent (marketing)

2.6 For Legal and Security Purposes

• Security: Detect, prevent, and respond to security incidents, fraud, and malicious activity
• Legal Compliance: Comply with applicable laws, regulations, and legal processes
• Rights Protection: Protect our rights, privacy, safety, or property, and that of our users and the public
• Business Continuity: Maintain backups for disaster recovery

Legal Basis (GDPR): Legal obligation, legitimate interests

3. How We Share Your Information

We do not sell your personal information to third parties. We share your information only in the limited circumstances described below.

3.1 With Service Providers

We share information with third-party service providers who perform services on our behalf:

These service providers are contractually obligated to protect your information and use it only for the purposes we specify.

3.2 Within Our Organization

• Team Leaders can view aggregated team scores, anonymized individual dimension scores, and qualitative comments
• Team Members can view their own individual dimension scores and personal performance report
• Administrators can access the platform question library and system health metrics but do not have routine access to individual user data

3.3 For Legal Reasons

We may disclose your information if required to do so by law or in response to:

• Valid legal processes (subpoenas, court orders, legal proceedings)
• Government or regulatory authority requests
• Law enforcement inquiries (with appropriate legal basis)
• Protection of our rights, property, or safety, or that of others

3.4 In Connection with Business Transfers

If The Impact Target is involved in a merger, acquisition, asset sale, bankruptcy, or other business transaction, your information may be transferred as part of that transaction. We will notify you via email of any such change in ownership or control of your personal information, and you will have the opportunity to exercise your data rights before the transfer is completed.

3.5 With Your Consent

We may share your information in other circumstances with your explicit consent or at your direction.

3.6 No Sale of Personal Information

4. Data Security

We take the security of your personal information seriously and implement industry-standard security measures to protect your data.

4.1 Encryption

Encryption at Rest:

• All sensitive personal information is encrypted using AES-256-GCM encryption before being stored in our database
• This includes: team names, leader names and emails, company information, team member names and emails, survey responses, and qualitative comments
• We use context-specific key derivation with unique nonces for each encryption operation
• Encryption keys are stored securely using Doppler secrets management and are never hardcoded

Encryption in Transit:

• All data transmitted to and from our Platform is encrypted using TLS/HTTPS
• Session cookies are marked as secure and httpOnly
• Webhook communications use signature verification

4.2 Access Controls

• Authentication through Auth0 with session-based access control
• Role-based permissions (team leads, team members, administrators)
• CSRF (Cross-Site Request Forgery) token validation for all state-changing operations
• Rate limiting to prevent brute-force attacks
• Multi-layer authentication validation (middleware, layout, component, API)

4.3 Additional Security Measures

• Content Security Policy (CSP) headers to prevent cross-site scripting attacks
• Cryptographically secure random token generation
• Webhook signature verification (Stripe and Resend)
• Idempotency tracking to prevent duplicate processing
• Timestamp replay protection for webhook events
• Structured logging with no personally identifiable information
• Request ID tracing for security incident investigation

4.4 Your Responsibility

While we implement strong security measures, please note:

• Keep your account credentials confidential and secure
• Use a strong, unique password for your account
• Log out of your account when using shared devices
• Report any suspected security breaches to [email protected] immediately

4.5 Data Breach Notification

In the event of a data breach that affects your personal information, we will notify you as required by applicable law. Notifications will be sent via email to your registered email address and may also be posted on our Platform.

5. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

5.1 Retention Periods

Active Accounts and Assessments:

• User account information: Retained while your account is active
• Team assessments: Retained indefinitely for historical reporting and analysis
• Survey responses: Retained indefinitely to enable long-term reporting
• Payment records: Retained for 7 years for tax and accounting compliance

Logs and Technical Data:

• Rate limiting logs: Automatically deleted after 24 hours
• Email event logs: Retained for operational purposes (no automatic deletion)
• Stripe webhook events: Retained indefinitely for audit trail
• Server logs: Retained per hosting provider policy (typically 30 days)

Session Data:

• Authentication sessions: Expire after 7 days of inactivity (Auth0 default)

5.2 Inactive Accounts

While we currently retain inactive accounts indefinitely, we may implement an inactive account deletion policy in the future. If we do, we will notify affected users before deletion.

5.3 Deletion Upon Request

You have the right to request deletion of your personal information at any time. See Section 6 (Your Privacy Rights) for details on how to exercise this right.

5.4 Backup Retention

Deleted data may remain in backup copies for up to 30 days (our backup retention period) before being permanently removed.

6. Your Privacy Rights

You have certain rights regarding your personal information. The specific rights available to you depend on your location, but we strive to honor all reasonable privacy requests regardless of jurisdiction.

6.1 Access and Data Portability

Right to Access: You have the right to access the personal information we hold about you.

How to Exercise:

• Visit /api/user/data-export while logged into your account
• You will receive a JSON file containing all your personal data
• Includes: Account information, team assessments (decrypted), survey responses, payment history

Response Time: Immediate (automated export)

6.2 Correction and Update

Right to Correction: You have the right to correct inaccurate or incomplete personal information.

How to Exercise:

• Update your name and email through your Auth0 account settings
• Contact [email protected] for assistance with other information
• Team leaders can update team assessment details before survey activation

Response Time: Immediate (self-service), or within 30 days for manual requests

6.3 Deletion and Erasure

Right to Deletion: You have the right to request deletion of your personal information (also known as the "right to be forgotten" under GDPR).

How to Exercise:

• Send a DELETE request to /api/user/delete-account (CSRF-protected)
• Or contact [email protected] with your deletion request

What Gets Deleted:

• Your user account record
• All team assessments you created
• All survey invitations and responses associated with your assessments
• Team member records linked to your assessments

Exceptions (what we must retain):

• Payment records (required for tax and accounting compliance)
• Aggregated analytics data (fully anonymized, cannot be linked back to you)
• Backup copies (permanently deleted within 30 days)

Response Time: Immediate account deletion, with confirmation of deleted record count

6.4 Marketing Opt-Out

Right to Opt-Out: You can opt-out of marketing communications at any time.

How to Exercise:

• Click the "Unsubscribe" link in any marketing email
• Update your email preferences in account settings
• Contact [email protected]

Important: You cannot opt-out of transactional emails (survey invitations, payment receipts, security notifications) as these are essential to the service.

6.5 Object to Processing

Right to Object: You have the right to object to certain types of processing, particularly processing based on legitimate interests.

How to Exercise: Contact [email protected] with details about which processing you wish to object to.

6.6 Restrict Processing

Right to Restrict: You have the right to request that we restrict processing of your personal information in certain circumstances.

How to Exercise: Contact [email protected] with details about which processing you wish to restrict and why.

6.7 Withdraw Consent

Right to Withdraw: Where we process your information based on consent, you have the right to withdraw that consent at any time.

How to Exercise:

• For marketing: Use unsubscribe links or update preferences
• For other consent-based processing: Contact [email protected]

6.8 Lodge a Complaint

Right to Complain: You have the right to lodge a complaint with a data protection supervisory authority.

We encourage you to contact us first ([email protected]) so we can address your concerns directly.

6.9 Exercising Your Rights

• No Discrimination: We will not discriminate against you for exercising any of your privacy rights. You will not receive different pricing, service quality, or feature access based on exercising your rights.
• Verification: We may need to verify your identity before fulfilling your request to protect your information from unauthorized access.
• Response Time: We aim to respond to all privacy requests within 30 days. For complex requests, we may extend this by an additional 30 days and will notify you of the extension.
• No Fees: We do not charge fees for exercising your privacy rights unless your request is manifestly unfounded or excessive.

7. International Data Transfers

The Impact Target is based in Australia, but we work with service providers located around the world, particularly in the United States. This means your personal information may be transferred to, stored in, and processed in countries other than your own.

7.1 Data Transfer Locations

Your information may be transferred to and processed in:

• Australia: Our primary business location and initial data collection point
• United States: Where most of our service providers are located (Auth0, Stripe, Resend, OpenAI, Vercel)
• Multiple Regions: CockroachDB operates a distributed database across multiple geographic regions

7.2 Safeguards for International Transfers

For Transfers from Australia:

• We comply with the Australian Privacy Principles (APPs), particularly APP 8.1
• We take reasonable steps to ensure overseas recipients handle personal information consistently with Australian privacy standards
• We enter into contractual arrangements with service providers requiring appropriate data protection

For Transfers from the EU:

• We rely on Standard Contractual Clauses (SCCs) approved by the European Commission
• Our service providers have appropriate data transfer mechanisms in place
• Additional safeguards include encryption in transit and at rest, access controls, and security monitoring

For Transfers from California/USA:

• Transfers within the United States are not subject to additional transfer restrictions
• We require service providers to maintain CCPA-compliant data protection standards

7.3 Your Rights Regarding International Transfers

If you are located in the EU or Australia, you have the right to obtain information about the safeguards we use for international data transfers. Contact [email protected] for more details about our data transfer mechanisms.

8. Cookies and Tracking Technologies

We use cookies and similar technologies to provide, maintain, and improve our Platform. This section explains what cookies we use and how you can control them.

8.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They help websites remember your preferences and understand how you use the site.

8.2 Cookies We Use

Essential Cookies (Cannot Be Disabled):

Analytics Cookies (Privacy-Focused):

8.3 What We Do NOT Use

• No Third-Party Advertising Cookies: We do not use cookies for advertising or remarketing
• No Social Media Tracking Pixels: We do not use Facebook Pixel, Google Analytics, or similar tracking tools
• No Cross-Site Tracking: Our analytics do not track you across other websites

8.4 Email Tracking

When we send you emails, we may track:

• Delivery Status: Whether the email was successfully delivered
• Open Events: Whether you opened the email (first open only via an invisible tracking pixel)
• Bounce Events: If the email bounced and cannot be delivered

This tracking helps us ensure reliable email delivery and understand engagement with important notifications.

8.5 How to Manage Cookies

Browser Settings:

Most browsers allow you to refuse cookies or delete existing cookies:

• Chrome: Settings > Privacy and Security > Cookies
• Firefox: Settings > Privacy & Security > Cookies and Site Data
• Safari: Preferences > Privacy > Manage Website Data
• Edge: Settings > Privacy > Cookies

Do Not Track:

• Our analytics provider (Umami) respects Do Not Track (DNT) browser settings
• To enable DNT: Check your browser's privacy settings

Impact of Blocking Cookies:

• Blocking Essential Cookies: Will prevent you from logging in and using the Platform
• Blocking Analytics Cookies: Will not affect Platform functionality

9. AI and Automated Processing

We use artificial intelligence (AI) to enhance our Platform by generating insights and recommendations based on team assessment data.

9.1 How We Use AI

AI Provider: OpenAI (via their API)

Purpose:

• Generate qualitative analysis of team assessment results
• Provide personalized recommendations for team improvement
• Identify patterns in team effectiveness across performance dimensions
• Create natural language summaries of team scores

9.2 What Data Is Sent to OpenAI

De-Identified Data: We remove direct identifiers before sending data to OpenAI, including:

• Names (team leader names, team member names)
• Email addresses
• Company names and website

Data We Do Send (de-identified):

• Team dimension scores (aggregated metrics)
• Anonymized qualitative comments from survey responses
• Assessment question context
• General performance patterns

9.3 OpenAI's Use of Data

Training Data: OpenAI's data usage policies may change over time. As of this policy's effective date:

• Data sent via OpenAI's API may be used to improve their models unless enterprise zero-retention agreements are in place
• We currently use OpenAI's standard API (not enterprise tier)
• OpenAI maintains their own privacy policy: openai.com/privacy

Data Retention: OpenAI may retain data sent via their API per their retention policies. We do not control OpenAI's retention practices.

9.4 Your Control Over AI Processing

Future Enhancement: We plan to implement an opt-out mechanism that will allow you to:

• Generate reports without AI-powered insights
• Use only statistical aggregation for team scores
• Receive basic reporting without OpenAI processing

9.5 No Automated Decision-Making

9.6 Your Rights Regarding AI Processing

If you are located in the EU, you have the right under GDPR Article 22 to not be subject to solely automated decision-making with significant effects. Since our AI processing is informational only and does not make automated decisions, these rights are not directly applicable. However, if you have concerns about AI processing, please contact [email protected].

10. Third-Party Links and Services

Our Platform may contain links to third-party websites, services, and resources that are not operated by us.

10.1 External Links

We are not responsible for the privacy practices or content of third-party sites. When you click on an external link:

• You will leave The Impact Target Platform
• You will be subject to that site's privacy policy and terms of service
• We do not control or endorse third-party sites

Our Recommendation: Review the privacy policies of any third-party sites you visit.

10.2 Third-Party Services We Use

While we integrate with third-party services (Auth0, Stripe, Resend, etc.), these integrations are covered in Section 3 (How We Share Your Information). Those service providers are contractually obligated to protect your data.

10.3 Social Media

We do not currently have social media integration or sharing features. If we add these in the future, we will update this Privacy Policy accordingly.

11. Children's Privacy

The Impact Target is a business-focused platform designed for team performance assessment in professional contexts. Our Platform is not intended for use by individuals under 18 years of age.

11.1 No Intentional Collection from Children

We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child without appropriate consent, we will take steps to delete that information as quickly as possible.

11.2 Parental Notice

If you are a parent or guardian and believe your child has provided personal information to us, please contact us immediately at [email protected] so we can delete the information.

11.3 Age Verification

We do not have active age verification mechanisms. By using the Platform, you represent that you are at least 18 years old.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

12.1 How We Notify You

• Email Notification: We will notify you of any material changes to this Privacy Policy by sending an email to the email address associated with your account.
• Effective Date: Changes will become effective 30 days after we send the email notification (for material changes) or immediately upon posting (for minor changes).
• Platform Notice: We will also update the "Last Updated" date at the top of this Privacy Policy.

12.2 Material Changes

Material changes include:

• Changes to the categories of personal information we collect
• New purposes for which we use personal information
• New categories of recipients with whom we share information
• Changes to your rights or how to exercise them
• Changes to data retention periods

12.3 Your Acceptance

• Continued Use: Your continued use of the Platform after the effective date of changes constitutes acceptance of the updated Privacy Policy.
• Objection: If you do not agree with changes, you should discontinue use of the Platform and may request deletion of your account and data per Section 6 (Your Privacy Rights).

12.4 Review Cadence

We review this Privacy Policy at least annually to ensure it remains accurate and compliant with applicable laws.

13. Contact Information

We welcome your questions, comments, and concerns about this Privacy Policy and our privacy practices.

13.1 Privacy Contact

13.2 Business Address

The Impact Target
Sydney, Australia

13.3 Data Protection Officer

For GDPR-related inquiries, you may contact our privacy team using the email address above. We will designate a Data Protection Officer as required if and when we meet the GDPR threshold requirements.

13.4 Complaints and Concerns

If you have a complaint about our privacy practices, please contact us first at [email protected]. We take privacy concerns seriously and will work with you to resolve any issues.

If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority (see Section 6.8 for contact information).

14. Region-Specific Disclosures

This section provides additional information for users in specific jurisdictions.

14.1 For European Union Users (GDPR)

Legal Basis for Processing:

Our legal bases for processing your personal information include:

• Contract: Processing necessary to perform our contract with you (account management, service delivery, payment processing)
• Legitimate Interests: Processing necessary for our legitimate business interests (analytics, product improvement, security, fraud prevention)
• Consent: Processing based on your explicit consent (marketing communications, optional features)
• Legal Obligation: Processing required to comply with legal obligations (tax records, law enforcement requests)

Data Controller: The Impact Target is the data controller for your personal information.

International Transfers: We transfer data from the EU to the United States and other countries using Standard Contractual Clauses and other appropriate safeguards (see Section 7).

Your Rights:

You have the rights described in Section 6, including:

• Right of access (Article 15)
• Right to rectification (Article 16)
• Right to erasure (Article 17)
• Right to restriction of processing (Article 18)
• Right to data portability (Article 20)
• Right to object (Article 21)
• Right not to be subject to automated decision-making (Article 22)

Supervisory Authority: You can lodge a complaint with your local Data Protection Authority. Find your authority: EDPB Members

14.2 For California Residents (CCPA/CPRA)

California Consumer Privacy Act (CCPA) Disclosures:

Categories of Personal Information Collected (in the last 12 months):

• Identifiers (name, email address, IP address, unique identifiers)
• Commercial information (subscription status, payment history)
• Internet activity (page views, interactions with Platform)
• Professional information (team membership, company affiliation, performance assessment data)

Business Purpose for Collection:

• Providing our team assessment service
• Payment processing
• Communicating with you
• Security and fraud prevention
• Analytics and product improvement

Categories of Third Parties We Share With:

• Service providers (see Section 3.1)
• Professional advisors (legal, accounting)
• Government entities (when legally required)

Your California Rights:

• Right to Know: Request disclosure of personal information collected, used, and shared
• Right to Delete: Request deletion of personal information
• Right to Opt-Out of Sale: Not applicable (we do not sell information)
• Right to Non-Discrimination: Exercise your rights without discriminatory treatment
• Right to Correct: Request correction of inaccurate personal information (CPRA)
• Right to Limit Use of Sensitive Personal Information: Request limits on use of sensitive personal information (CPRA)

How to Exercise Rights: See Section 6 or contact [email protected]

Authorized Agents: You may designate an authorized agent to submit requests on your behalf. We may require verification of the agent's authorization.

Shine the Light Law: We do not share personal information with third parties for their direct marketing purposes.

14.3 For Australian Users (Privacy Act)

Australian Privacy Principles (APPs) Compliance:

The Impact Target complies with the 13 Australian Privacy Principles under the Privacy Act 1988 (Cth).

• APP 1 (Open and Transparent Management): This Privacy Policy describes our privacy management practices.
• APP 5 (Notification of Collection): We notify you of collection through this Privacy Policy and at the point of collection.
• APP 6 (Use or Disclosure): We use and disclose personal information only for the purposes described in Section 2.
• APP 8 (Cross-Border Disclosure): We transfer personal information overseas (primarily to the United States). Our service providers are contractually required to handle your information consistently with the APPs.
• APP 11 (Security): We implement reasonable security measures to protect personal information (see Section 4).
• APP 12 (Access to Personal Information): You can access your personal information via data export (Section 6.1).
• APP 13 (Correction of Personal Information): You can correct your personal information (Section 6.2).

Complaints:

You can complain to us ([email protected]) or to the Office of the Australian Information Commissioner:

• Website: www.oaic.gov.au
• Phone: 1300 363 992
• Email: [email protected]

14.4 For Users in Other Jurisdictions

If you are located in a jurisdiction not specifically addressed above, the general provisions of this Privacy Policy apply. We will comply with local data protection laws applicable to our processing of your personal information.

If you have questions about how local laws apply to your use of The Impact Target, please contact [email protected].