Privacy Policy

1. Controller & Contact Information

The data controller responsible for processing your personal data is:

This policy applies to all users of the Aretea platform, including organization administrators, team members, and invited consultants.

2. Data We Collect

We collect different categories of personal data depending on how you interact with our platform.

2.1 Account Data

When you register and use the platform, we collect:

• Name and email address(es)
• Password (stored only as a cryptographic hash, never in plaintext)
• Job title and department (optional, provided during onboarding)
• Profile image/avatar
• Professional skills you select

2.2 Organization Data

Organization administrators provide:

• Organization name and logo
• Email addresses of invited members

2.3 Project Data

When managing projects, the following data is stored:

• Project name, description, and dates
• Team member assignments and roles
• Required project skills

2.4 Assessment & Feedback Data

When you submit project assessments, we collect:

• Rating responses (e.g., project success, collaboration quality)
• Multiple-choice selections (e.g., project challenges)
• Free-text feedback (optional reflection comments)
• Consultant-specific feedback (performance rating, standout qualities, willingness to collaborate again)

Transparency note: Assessments can be flagged as anonymous. When anonymous, your individual responses are never displayed to other users. However, your identity is stored internally for data integrity purposes (e.g., to prevent duplicate submissions). Only aggregated scores are visible to others.

2.5 Technical Data

We automatically collect certain technical data when you use the platform:

• IP address and browser user agent (stored with your session for security)
• Session tokens and authentication data
• Audit logs of significant actions (e.g., account changes, member management)

3. Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

Under the Swiss nFADP, processing is lawful unless it unlawfully violates the personality of the data subject. Justifications include consent, overriding private or public interest, and statutory provisions.

4. How We Use Your Data

We use your personal data for the following purposes:

• Providing and maintaining the platform (account management, project tracking, assessments)
• Authenticating users and managing secure sessions
• Sending transactional emails (invitations, verification, password reset, feedback requests)
• Computing aggregated TEAM Scores from assessment data to help organizations identify top performers
• Security monitoring through audit logs
• Improving the platform through anonymized analytics
• Providing customer support via live chat

5. Data Sharing & Processors

We do not sell your personal data. We share data only with the following service providers (processors) who act on our behalf:

Note on fonts: We use Google Fonts (DM Sans, Space Grotesk), which are self-hosted via Next.js at build time. No requests are made to Google's servers when you use the platform.

6. International Data Transfers

All core data processors (Scalingo, Brevo, Crisp, PostHog, Hetzner) are located within the European Union. Your data is primarily stored and processed in France and Germany.

Our source code is hosted on GitHub (USA). No personal user data is stored in the code repository.

We may in the future use AI services (Anthropic, USA) for team suggestions and feedback analysis. If implemented, appropriate safeguards such as Standard Contractual Clauses (SCCs) will be in place, and this policy will be updated accordingly.

7. Cookies & Similar Technologies

We use the following cookies:

8. Data Retention

We retain your data for as long as necessary to provide the service and fulfill our legal obligations:

• Account data: Retained while your account is active. Deleted or anonymized upon account deletion.
• Session data: Automatically expires based on session timeout settings.
• Assessment data: Retained for the lifetime of the organization. If you delete your account, your assessor identity is removed but anonymous response data is preserved for aggregate scoring.
• Audit logs: Retained for security and compliance purposes. User identity is removed upon account deletion.
• Project data: Retained for the lifetime of the organization.

9. Account Deletion & Data Anonymization

You can delete your account at any time from Settings > Account. Account deletion requires password confirmation.

When you delete your account, we apply an anonymization approach to preserve the integrity of organizational data:

• Your assessment records are anonymized (your identity is removed, but the feedback data is retained for aggregate scoring)
• Your TEAM Scores are anonymized (your identity is removed from score records)
• Your project memberships and skills are deleted entirely
• Your audit log entries are anonymized (your identity is removed)
• Your user account, sessions, and authentication data are permanently deleted

Note: If you are the sole owner of an organization, you must transfer ownership before deleting your account.

10. Your Rights

Under the GDPR and Swiss nFADP, you have the following rights regarding your personal data:

Right of access

You can request a copy of the personal data we hold about you.

Right to rectification

You can correct your personal data at any time through your profile and account settings (name, email, job title, department, skills, avatar).

Right to erasure

You can delete your account, which triggers the anonymization process described above.

Right to restriction of processing

You can request that we restrict the processing of your data in certain circumstances.

Right to data portability

You can request your data in a commonly used, machine-readable format. Please contact us to arrange this.

Right to object

You can object to processing based on legitimate interest at any time.

To exercise any of these rights, please contact us at info@we-tcg.com. We will respond to your request within 30 days.

11. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

• All data is transmitted over HTTPS/TLS encryption
• Passwords are stored using bcrypt cryptographic hashing
• The database is hosted on managed infrastructure in France (Scalingo) with professional security measures
• Secure session-based authentication with token management
• Organization-scoped data isolation ensures your data is only accessible within your organization
• Role-based access controls (owner, admin, member) limit data access within organizations

12. Children's Data

Aretea is a B2B platform designed for professional use. It is not intended for use by children under the age of 16. We do not knowingly collect personal data from children.

13. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or applicable law. Changes will be posted on this page with an updated "Last updated" date.

For material changes, we will notify you via email or through an in-app notification.

14. Contact & Supervisory Authorities

If you have questions about this privacy policy or wish to exercise your rights, please contact us:

You also have the right to lodge a complaint with a supervisory authority:

• Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch
• EU: You may contact the data protection authority in your country of residence.