Privacy Policy
Last Updated: 02.07.2025
1. Our Commitment to Your Privacy
Welcome to Sales Flair. This Privacy Policy is a cornerstone of our relationship with you. It explains in detail how Sales Flair Limited ("Company," "we," "us," or "our") collects, uses, discloses, and safeguards your information when you use our AI-powered sales coaching platform (the "Service").
Our philosophy is to be open, transparent, and respectful in how we handle your data. We believe you should have clear, comprehensive information about our practices so you can use our Service with confidence. This policy is designed to be read in conjunction with our Terms and Conditions and Cookie Policy, which together form our complete legal agreement with you. By using the Service, you agree to the collection and use of information in accordance with this policy.
2. Who We Are: The Data Controller
For the purposes of the General Data Protection Regulation (GDPR) and other relevant data protection laws, the data controller is Sales Flair Limited. This means we are the organization responsible for determining the purposes and means of processing your personal data.
3. The Data We Collect, Our Purpose, and Lawful Basis
We are committed to the principle of data minimization. We only collect personal data that is strictly necessary to provide, maintain, and improve our Service for you. Below, we detail the types of data we collect, explain our purpose for processing it, and clarify the lawful basis under which we do so.
3.1. Account Data
What we collect: When you sign up, we collect your name, email address, and a securely hashed (never plain text) version of your password.
Purpose of processing: This information is fundamental to the Service. We use it to create and manage your unique user account, to authenticate your identity for secure login, and to send you essential service-related communications, such as updates to our terms or notifications about your account status.
Lawful Basis (GDPR): Performance of a Contract. We need this information to fulfill our contractual obligation to provide you with a secure, personal account for the service you have requested.
3.2. Subscription and Usage Data
What we collect: We collect information about your chosen subscription tier (e.g., Free, Prowess, Mastery) and maintain aggregated data on your usage of the Service, such as the number of simulations you run each month.
Purpose of processing: This data is essential for delivering the correct service level. It allows us to enable the features and enforce the usage limits associated with your specific subscription tier. We also analyze this aggregated data to understand how our Service is used, which helps us make informed decisions about future improvements.
Lawful Basis (GDPR): Performance of a Contract. This processing is necessary to deliver the specific features and limits of the service level you have subscribed to.
3.3. Payment Data
What we collect: To be perfectly clear, we do not directly collect, process, or store your sensitive payment card details (like your full credit card number). When you purchase a subscription, you provide your payment information directly to our trusted Merchant of Record, Paddle. Paddle handles the secure transaction, and we only receive a confirmation from them that a payment has been successfully made, along with non-sensitive information like your subscription tier.
Purpose of processing: We use the payment confirmation from Paddle to manage your subscription status (e.g., active, cancelled, payment failed) and ensure you have access to the correct tier.
Lawful Basis (GDPR): Performance of a Contract.
3.4. Simulation Content Data (Transient Processing)
What we collect: This category includes all the information you provide to initiate and conduct a Simulation. This can include your stated sales goal, details about the prospect persona (e.g., industry, role), and the specific conversational messages you input during the interactive session.
Purpose of processing: This data is the lifeblood of the Service's core function. We collect it for the sole purpose of sending it to our AI sub-processor, which then generates the AI prospect's response and provides you with real-time performance feedback. This processing only occurs for the duration of an active session.
Lawful Basis (GDPR): Performance of a Contract. This processing is the fundamental purpose of the Service you are using.
CRITICAL PRIVACY COMMITMENT
All Simulation Content Data is processed transiently. It is used only for the duration of your active Simulation to generate a response. This data is not stored in our long-term database, is not used to train any AI models, and is not used for any other purpose. Once your session ends, this data is gone.
3.5. Analytics Data
What we collect: We may collect aggregated and fully anonymized information about how users interact with our website and Service, such as which pages are visited most frequently and which features are most popular.
Purpose of processing: This data helps us understand broad user behaviour so we can measure the performance of our Service and make data-driven decisions to improve its usability and features.
Lawful Basis (GDPR): Consent. We will only collect this data if you explicitly consent to the use of Performance Cookies via our cookie consent banner. You are in full control.
3.6. Service Usage Data
What we collect: An internal counter that tracks the number of Simulations you run each month.
Purpose of processing: To enforce the usage limits of your Subscription Tier as outlined in our Terms and Conditions.
Lawful Basis (GDPR): Performance of a Contract. This processing is necessary to manage the service level you have agreed to.
3.7. Communication Data
What we collect: Your email address and the content of your message if you contact our support team.
Purpose of processing: To respond to your inquiries, provide customer support, and resolve issues.
Lawful Basis (GDPR): Legitimate Interest. It is in our legitimate interest to be able to communicate with our users to provide effective support.
3.8. Voice Input Data
What we collect: If you use the microphone feature, your web browser's native speech recognition service processes audio input to convert it into text.
Purpose of processing: To enable voice-to-text interaction within the Simulation.
Lawful Basis (GDPR): Consent (granted via your browser permissions).
Important Third-Party Disclosure: This audio processing is performed by your browser vendor (e.g., Google for Chrome, Apple for Safari) and is subject to their respective privacy policies. Sales Flair receives only the text transcript; we do not access or store the raw audio recordings.
3.9. Local Device Data (Notes & Drafts)
What we collect: Data entered into the "Notes" feature or "Draft" setup forms is stored locally on your device using browser Local Storage.
Purpose of processing: To prevent data loss during your session and allow you to download your own notes.
Lawful Basis (GDPR): Legitimate Interest. We have a legitimate interest in providing a seamless user experience that preserves your work-in-progress during a session.
Privacy Note: This data resides solely on your device. We do not transmit, sync, or view this data on our servers. You can clear it at any time using the "Clear" button in the interface.
4. Our Use of AI and Data Sub-Processors
To provide a modern, reliable service, we rely on a small number of trusted third-party service providers who act as our Data Processors. We have legally binding Data Processing Agreements (DPAs) in place with these providers where required, ensuring they are contractually obligated to meet high standards of data protection and security.
- Render: Render is our cloud infrastructure provider. They host our application and our database on their secure servers. All of your Account Data and Subscription & Usage Data is stored in this secure environment.
- Google: We use two of Google's services in distinct ways:
  - Firebase Authentication: This service manages the critical function of user login and account security, ensuring your account is protected.
  - Generative Language API (Gemini): This is the powerful AI engine that provides the core functionality for our Simulations. As per our Critical Privacy Commitment, we send your transient Simulation Content to this API for processing during a live session. We operate under Google's standard API data processing terms, which contractually prohibit Google from using this data for their own purposes, such as training their models.
- Paddle: Paddle is our official Merchant of Record and authorized reseller. As noted above, Paddle securely handles all payment processing, so we never have to touch your sensitive financial details.
- Google Analytics: This service is used for aggregated website and service analytics, but only if you provide your explicit consent.
5. Summary of Data Processing Activities (GDPR Article 30)
For maximum transparency, this table provides a concise overview of our data processing activities.
| Data Category | Purpose of Processing | Lawful Basis (GDPR) | Retention Period | Third-Party Sub-processor(s) |
|---|---|---|---|---|
| Account Data (Email, Hashed Password) | Account creation, authentication, security | Performance of a Contract | While account is active | Google (Firebase Auth), Render (Database), Paddle (for paying users) |
| Subscription Data (Tier, Status) | To provide correct service level | Performance of a Contract | While account is active | Render (Database) |
| Usage Data (Simulation Counter) | To enforce tier limits | Performance of a Contract | While account is active | Render (Database) |
| Payment Data (Transaction ID, Status) | To confirm subscription purchase | Performance of a Contract | Per Paddle's policy | Paddle |
| Simulation Content (User inputs) | To generate AI response & feedback | Performance of a Contract | Transient only (not stored) | Google (Generative Language API) |
| Analytics Data (Aggregated usage) | To improve the Service | Consent | Per Google Analytics policy | Google (Analytics) |
| Communications Data (Support emails) | To provide user support | Legitimate Interest | 2 years after last contact | Private Email (Support email services) |
6. Your Data Protection Rights (GDPR)
We fully respect your rights over your personal data. Under the GDPR, you have certain rights regarding the information we hold about you. Subject to any exemptions provided by law, you have the following rights:
- The right to Access: You can request a copy of the personal data we hold about you.
- The right to Rectification: You can request that we correct any inaccurate or incomplete personal data.
- The right to Erasure ("Right to be Forgotten"): You can request that we delete your personal data.
- The right to Restrict Processing: You can request that we limit the way we use your personal data.
- The right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
- The right to Object to Processing: You have the right to object to our processing of your personal data.
- The right to Withdraw Consent: Where we are relying on your consent to process data, you have the right to withdraw that consent at any time.
To exercise any of these rights, please contact us using the details provided at the end of this policy. We will respond to your request in accordance with applicable data protection laws.
7. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to operate and improve our Service. Our separate Cookie Policy provides detailed information on the types of cookies we use, why we use them, and how you can manage your cookie preferences. As stated in that policy, we will not place non-essential (e.g., Performance/Analytics) cookies on your device without your explicit consent, which you can grant or deny via our cookie consent banner.
8. Data Security and Retention
We take the security of your data very seriously.
Security: We implement and maintain appropriate technical and organizational security measures to protect your personal data from accidental or unlawful destruction, loss, alteration, or unauthorized disclosure. Our application and database are hosted on the Render platform, which provides a secure, managed infrastructure. We also conduct periodic security reviews of our application to identify and mitigate potential vulnerabilities. However, no method of transmission over the Internet or method of electronic storage is 100% secure.
Retention: We only retain your personal data for as long as necessary to fulfill the purposes for which we collected it.
- Account, Subscription, and Usage Data is retained for as long as your Account remains active.
- Simulation Content Data is not retained and is processed only transiently.
- Communications Data is retained for up to two years after our last contact to ensure we have a history of our support interactions.
9. International Data Transfers
Your information, including personal data, may be transferred to—and maintained on—computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ. Our primary data hosting is within the EU (Frankfurt, Germany) via Render. However, our sub-processors, such as Google, may process data in the United States or other locations. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy. Any international transfers of personal data will be protected by appropriate legal mechanisms as required by GDPR, such as the use of Standard Contractual Clauses (SCCs) or reliance on an Adequacy Decision.
10. Children's Privacy
Our Service is not intended for or directed at individuals under the age of 18. We do not knowingly collect personal information from children under 18.
11. Changes to This Privacy Policy
The digital world is constantly evolving, and so is our Service. We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top. We encourage you to review this Privacy Policy periodically for any changes.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please do not hesitate to contact us.