Diapason AI

Privacy policy

Effective Date: August 14, 2025 Last Updated: August 14, 2025

1. Data controller information

Company: X42 SRL BCE/KBO Number: 0660 783 004 Registered Address: Rue Paul Devigne 72, 1030 Schaerbeek, Belgium Privacy Contact: privacy@diapasonai.com Website: diapasonai.com

2. Data we collect

2.1 Information You Provide

  • Account Information: Email address, name
  • Professional Information: Current role, company name, professional goals, team size and structure, management challenges, current tools and processes for team management, feedback on 1-on-1 meeting quality
  • Survey Data: Depending on your role (Manager, HR/Leadership, Team Member), we collect relevant professional context including team responsibilities, management practices, improvement suggestions, and feature preferences
  • Communication Data: Messages and interactions with our AI coaching system
  • Audio Recordings: When you explicitly consent to use voice transcription features, we temporarily process audio recordings to convert speech to text

2.2 Automatically Collected Information

  • Authentication Data: Magic link tokens (temporary)
  • Usage Data: App interactions, feature usage patterns, page views, navigation events
  • Analytics Data: User journey tracking, feature adoption metrics (processed by PostHog Inc., with opt-out available)
  • Technical Data: Device type, operating system, app version
  • Error and Performance Data: For authenticated users, we collect user ID and email address to link error reports and performance metrics to user accounts for debugging purposes (processed by Sentry Inc.)
  • Local Storage Data: Browser-stored preferences including voice transcription settings and in-progress survey data (stored locally on your device)

3. Legal basis for processing

We process your personal data based on:

  • Consent: For optional features and communications (Article 6(1)(a) GDPR)
  • Contract Performance: To provide our coaching services (Article 6(1)(b) GDPR)
  • Legitimate Interests: For service improvement and security (Article 6(1)(f) GDPR)

4. How we use your data

We use your information to:

  • Provide personalized professional coaching services
  • Authenticate your access to the app
  • Improve and optimize our AI coaching algorithms
  • Ensure the security and integrity of our services
  • Communicate service updates and important information

5. Data sharing and processors

5.1 Third-Party Processors

We use the following carefully selected processors:

Supabase Inc.

  • Purpose: Database hosting, authentication services, and edge computing
  • Location: EU servers
  • Security Standards:
    • SOC 2 Type 2 compliant
    • HIPAA compliant (with Business Associate Agreement available)
    • AES-256 encryption at rest
    • TLS encryption in transit
    • Daily backups and Point-in-Time Recovery
    • DDoS protection via Cloudflare
  • Data Protection: All customer data encrypted, role-based access control, regular penetration testing
  • Learn more: https://supabase.com/security

PostHog Inc.

  • Purpose: Product analytics, user experience optimization, and feature usage tracking
  • Data Collected:
    • User identification (user ID, email address for authenticated users)
    • Page views and navigation patterns
    • Feature usage events and interactions
    • Technical data (browser, device, operating system)
    • Session recordings (if enabled)
  • Legal Basis: Legitimate interests (Article 6(1)(f) GDPR) for product improvement and service optimization
  • Data Location: EU region (eu.i.posthog.com) - all data processed and stored within the European Union
  • Security Standards:
    • SOC 2 Type 2 certified
    • GDPR-compliant data processing
    • TLS encryption for data in transit
    • AES-256 encryption for data at rest
  • Data Protection:
    • Reverse proxy implementation to protect user privacy
    • Configurable data retention policies (default: 90 days)
    • No cross-site tracking or third-party data sharing
  • User Control: You can opt-out of analytics tracking via cookie settings. Opting out will not affect your ability to use Diapason AI.
  • Data Retention: 90 days for event data
  • Learn more: https://posthog.com/docs/privacy

AI Language Models (OpenAI, Google, Anthropic)

  • Purpose: AI language models powering our coaching conversations, personalized insights, and voice transcription features
  • Providers: We may use one or more of the following AI service providers:
    • OpenAI (including Whisper API for voice transcription)
    • Google Gemini (Generative AI)
    • Anthropic Claude (Conversational AI)
  • Data Processing:
    • Conversation content to generate personalized coaching recommendations
    • Audio recordings (with explicit consent) for speech-to-text transcription
    • User prompts and context to provide relevant suggestions
  • Data Retention: Per API provider terms, your data is not used to train AI models. Requests are processed in real-time and not permanently stored by AI providers beyond short-term caching (typically 30 days or less per provider policies).
  • Safety Measures:
    • Content filtering across multiple categories (harassment, hate speech, sexually explicit, dangerous content)
    • Configurable safety thresholds to block potentially unsafe content
    • Built-in protections for core harms including child safety
    • Voice transcription requires explicit user consent before activation
  • Data Location: AI providers may process data in various regions including the US and EU. We select providers with strong data protection commitments and appropriate safeguards.
  • Important: All AI-generated coaching suggestions are advisory only and do not constitute automated decision-making with legal effects
  • Learn more:

Sentry Inc.

  • Purpose: Error tracking, performance monitoring, and application stability
  • Data Collected:
    • User identification data (user ID, email address) for authenticated users
    • Error traces and stack traces
    • Performance metrics and transaction data
    • Technical data (browser, device, OS)
    • Application logs
  • Legal Basis: Legitimate interests (Article 6(1)(f) GDPR) for error tracking and service improvement
  • Data Location: EU region (Germany) - all data processed and stored within the European Union on Google Cloud Platform
  • Security Standards:
    • SOC 2 certified
    • ISO 27001 certified
    • AES-256 encryption for data in transit and at rest
    • Annual third-party penetration testing
  • Data Protection:
    • Hourly encrypted backups within EU regions
    • Proactive data filtering for sensitive information
    • Two-factor authenticated infrastructure access
    • Data retention: 90 days for error events and performance data
  • Learn more: https://sentry.io/security/ and https://sentry.io/legal/dpa/

Resend

  • Purpose: Transactional email delivery for authentication, notifications, and service communications
  • Data Collected:
    • Email addresses (recipients and senders)
    • Email content (authentication links, notifications, user submissions)
    • Delivery status and engagement metrics
  • Legal Basis: Contract performance (Article 6(1)(b) GDPR) for authentication emails; Legitimate interests (Article 6(1)(f) GDPR) for service notifications
  • Data Location: United States with Standard Contractual Clauses (SCCs) for international data transfers
  • Security Standards:
    • TLS encryption for data in transit
    • Industry-standard email security protocols (SPF, DKIM, DMARC)
    • Secure API authentication
  • Data Protection:
    • Data Processing Agreement in place
    • Emails sent only for transactional purposes (no marketing)
    • Automatic bounce and complaint handling
  • Data Retention: Email metadata retained per Resend's standard retention policy; content not permanently stored
  • Learn more: https://resend.com/legal/privacy-policy

5.2 Data Transfers

Services within the European Union:

  • Database and Authentication (Supabase): EU servers
  • Error Tracking and Performance Monitoring (Sentry): EU region (Germany)
  • Product Analytics (PostHog): EU region (eu.i.posthog.com)

Services with International Data Transfers:

  • Email Delivery (Resend): United States - protected by Standard Contractual Clauses (SCCs) and covered by Data Processing Agreement
  • AI Processing (OpenAI, Google, Anthropic): May process data in US and other regions - we select providers with strong data protection commitments and appropriate safeguards including SCCs where applicable

For all international data transfers, we implement appropriate safeguards as required by GDPR Chapter V, including Standard Contractual Clauses approved by the European Commission.

6. Data retention

During beta testing, we retain your data for the duration of your participation. Post-launch retention periods will be:

  • Active Accounts: Duration of account plus 30 days after deletion
  • Authentication Logs: 90 days
  • Support Communications: 2 years

7. Data security

We implement appropriate technical and organizational measures including:

  • Encryption: AES-256 encryption at rest, TLS 1.2+ in transit
  • Access Control: Row-level security and role-based access
  • Authentication: Secure magic link authentication
  • Infrastructure: SOC 2 compliant hosting infrastructure

8. Your rights

Under GDPR, you have the right to:

  • Access: Request a copy of your personal data (Article 15)
    • Currently available via email request; self-service export coming soon
  • Rectification: Correct inaccurate data (Article 16)
    • Available now: Update your profile information directly in your account settings
  • Erasure: Request deletion of your data (Article 17)
    • Currently available via email request; self-service account deletion coming soon
  • Restriction: Limit processing of your data (Article 18)
  • Portability: Receive your data in a portable format (Article 20)
    • Currently available via email request; self-service export in machine-readable format (JSON) coming soon
  • Object: Object to certain processing activities (Article 21)
    • Analytics opt-out available via cookie settings
  • Withdraw Consent: Where processing is based on consent
    • Voice transcription consent can be withdrawn at any time via settings

To exercise these rights, contact: privacy@diapasonai.com

We will respond to all requests within 30 days as required by GDPR Article 12.

9. Cookies and tracking

We use the following types of cookies:

Essential Cookies (No Consent Required)

  • Authentication: Maintaining your logged-in session (Supabase session cookies)
  • Security: Preventing unauthorized access and CSRF protection

Analytics Cookies (Opt-Out Available)

  • PostHog Analytics: Product analytics, page views, feature usage tracking, and user journey analysis
    • Purpose: To understand how users interact with our platform and improve the user experience
    • Legal Basis: Legitimate interests (Article 6(1)(f) GDPR)
    • Data Stored: Session identifiers, page view timestamps, feature interaction events
    • Retention: 90 days
    • Your Control: You can opt-out of analytics cookies at any time via cookie settings. Opting out will not affect your ability to use Diapason AI.

We do not use marketing, advertising, or third-party tracking cookies. All analytics data is processed within the EU and used solely for product improvement purposes.

10. Children's privacy

Diapason AI is intended for professional use. We do not knowingly collect data from individuals under 16 years of age. Users must be at least 16 years old to use our services.

11. Automated decision-making

Our AI coaching system, powered by AI language models (OpenAI, Google Gemini, Anthropic Claude), provides personalized recommendations but does not make automated decisions with legal or similarly significant effects. All coaching suggestions are advisory only and subject to content safety filtering.

11.1 Voice Recording and Transcription

When you choose to use voice transcription features:

  • Audio recordings are processed via AI speech-to-text services (including OpenAI Whisper API)
  • Explicit consent required: You must provide explicit consent before activating voice transcription features
  • Data minimization: Recordings are transmitted securely and processed in real-time
  • No permanent storage by Diapason: Audio files are not stored on our servers; only the transcribed text is retained
  • Provider retention: AI providers may temporarily cache audio per their API terms (typically 30 days or less)
  • Withdrawal of consent: You can disable voice transcription at any time via your settings, and consent is requested each time the feature is activated
  • Local alternative available: A local speech-to-text option is available that processes audio entirely on your device without transmitting to external services

12. Complaints

You have the right to lodge a complaint with the Belgian Data Protection Authority:

Autorité de protection des données (APD) Rue de la Presse 35, 1000 Brussels contact@apd-gba.be +32 2 274 48 00

13. Changes to this policy

We will notify you of any material changes to this Privacy Policy via email or in-app notification. Continued use after notification constitutes acceptance of the updated policy.

14. Contact us

For any privacy-related questions or concerns: Email: privacy@diapasonai.com Address: X42 SRL, Rue Paul Devigne 72, 1030 Schaerbeek, Belgium

This Privacy Policy is available in French and Dutch upon request.