Privacy Policy

Last updated: April 4, 2026

What We Collect

When you use Leadership OS, we collect:

  • Account info — name, email address
  • Leadership data — briefings, priorities, energy scores, decisions, shutdown reflections
  • Brain profile — AI-generated observations about your leadership patterns, derived from your usage
  • Usage data — login times, feature usage, streaks

How We Use It

  • To provide personalized AI coaching
  • To build and refine your leadership brain profile
  • To send you coaching nudges and weekly digests (you can opt out)
  • To improve the Service

AI Processing

Your data is processed by AI models (via Groq) to generate coaching insights. Your conversations with AI coaches are used to build your brain profile within the Service. We do not use your data to train AI models. Your data is not shared with AI providers for their training purposes.

Voice Dictation

When you tap the microphone button next to a text field, the audio is processed by your browser's built-in speech-recognition service. On Safari (iPhone, iPad, Mac), audio is processed by Apple Inc.'s on-device or cloud speech service. On Chrome, Edge, and other Chromium-based browsers, audio is processed by Google LLC's speech service. Leadership OS never sees the audio — only the resulting text transcript is sent to our servers, where it is stored exactly as if you had typed it.

If your browser does not support native speech recognition (for example, Firefox), the audio is transmitted to Groq Inc. (United States) for transcription via OpenAI's Whisper model. In that case, audio is processed in memory and is not retained by Leadership OS or by Groq beyond the transcription request.

Voice dictation is optional — you can always type instead.

Data Storage

Your data is stored securely on Supabase (hosted on AWS). All data is encrypted in transit (TLS) and at rest. We use Row Level Security to ensure you can only access your own data.

Sub-processors

We use the following third-party service providers to operate the Service. Each is engaged under a Data Processing Agreement and only processes the data necessary for the listed purpose. All providers below process data in the United States; transfers from the EU/UK are safeguarded by Standard Contractual Clauses (SCCs) under GDPR Article 46:

  • Supabase (United States, hosted on AWS) — database, authentication, file storage
  • Vercel (United States) — application hosting and edge network
  • Groq (United States) — large language model inference (text generation) and Whisper voice transcription
  • Cerebras (United States) — large language model inference fallback
  • Stripe (United States) — payment processing for paid plans
  • Resend (United States) — transactional email delivery
  • Sentry (United States) — error reporting (request bodies and PII are stripped before sending)
  • Cloudflare (United States) — off-site backup mirror via R2 object storage

Legal Basis (GDPR Art. 6)

  • Performance of contract — for paid users, processing is necessary to provide the Service you've subscribed to.
  • Legitimate interest — for trial users, processing is based on our legitimate interest in delivering and improving the leadership tool you signed up for; this interest is balanced against your rights and you can object at any time.
  • Consent — for optional features such as voice dictation and product email digests; you can withdraw consent in settings or by emailing us.

Data Retention

  • Account data (decisions, briefings, energy logs, brain profile, tasks) — retained while your account is active; deleted within 30 days of account deletion.
  • Voice audio — never persisted. Discarded immediately after transcription.
  • Off-site backups (Cloudflare R2) — retained 90 days for disaster recovery, then automatically deleted.
  • Error reports (Sentry) — retained 90 days; request bodies and PII are stripped before sending.
  • Billing records (Stripe) — retained as required by tax and accounting law (typically 7 years).

Automated Processing

The Service uses AI models to generate coaching insights, daily briefings, and reflection prompts. These outputs are advisory, not automated decisions producing legal or similarly significant effects within the meaning of GDPR Article 22. You remain in control of every decision and can ignore, edit, or delete any AI-generated content.

What We Don't Do

  • We don't sell your data
  • We don't share your data with third parties for marketing
  • We don't use your data to train AI models
  • We don't track you across other websites

Shared Content

When you share a decision via a public link, only the shared content is visible. Your brain profile, energy data, and other personal data are never included in shared pages.

Your Rights

  • Access — request a copy of your data
  • Delete — request deletion of your account and all data
  • Export — request your data in a portable format
  • Rectify — correct inaccurate data, or edit it directly in the app
  • Restrict / object — pause or object to specific processing
  • Withdraw consent — for any processing based on consent (voice dictation, marketing email)
  • Opt out — disable email notifications in settings
  • Lodge a complaint — with your local supervisory authority (for EU/UK users); the relevant authority for our establishment is the data protection authority of the country where you reside

Cookies

Strictly necessary — we use essential cookies for authentication and security. These are required for the site to work and are exempt from consent.

Analytics — with your consent, we use PostHog to understand how visitors use HandClap (which pages and features get used) so we can improve it. These analytics cookies are off by default and are only set after you choose “Accept” in our cookie banner. If you choose “Necessary only,” no analytics cookies are set and no analytics data is collected. You can withdraw or change your choice at any time by clearing the cookie-consent preference stored in your browser. PostHog processes this data on our behalf as a processor; some processing may take place in the United States.

Contact

Questions about your data? Email info@handclap.io