Privacy policy.

Privacy policy.

Last updated:

InsideRisk® ("we," "our," or "us") values your privacy. This Privacy Policy explains how we collect, use, and share information about you when you visit our website, insiderisk.com (the "Site").

1. Introduction

This policy explains how InsideRisk SA ("InsideRisk", "we", "us") collects, uses, and protects personal data across our services:

  • insiderisk.com — our website

  • platform.insiderisk.com — the assessment Platform, where participants complete immersive assessments

  • portal.insiderisk.com — the Reporting Portal, where reports are generated and delivered, and the entry point for our demo and self-serve experiences (such as the AI Integration experience)

It also explains our use of cookies. We comply with the Swiss Federal Act on Data Protection (FADP), the EU General Data Protection Regulation (GDPR), and the ePrivacy Directive.

2. Who is responsible for your data

InsideRisk SA, Route du Lac 27, 1071 Saint-Saphorin, Switzerland, is the data controller for the processing described here, except where we act as a processor on behalf of a client organisation (see section 9). As we are based outside the EU, our representative in the EU under Article 27 GDPR is Adrian Stobbe, located in Spain [Spain address]. Contact us about privacy at contact@insiderisk.com.

3. The data we collect and why

Category

Where

Purpose

Legal basis

Enquiry / demo-request details (name, email, phone, company, message)

Website

Respond to your request, arrange demos

Consent, or our legitimate interest in responding to enquiries

Registration details for the AI Integration experience (name, email, phone)

Portal

Create and run your free experience, and follow up with you

Consent, and our legitimate interest in responding to your request

Consent record (that you gave consent, and when)

Portal

Evidence and manage your consent

Legal obligation / our legitimate interest in demonstrating compliance

Account and login data

Platform, Portal

Authenticate users, secure access

Performance of a contract / legitimate interest

Assessment content — audio/voice, transcripts, and your responses

Platform

Run the assessment and produce the report

On behalf of the client organisation under their basis; where we are controller, your consent or our legitimate interest (see sections 5 and 9)

A randomly generated session identifier

Platform

Operate the session and link diagnostics

Legitimate interest

Participant name and email

Portal

Generate and deliver reports

Performance of a contract / legitimate interest

Product-usage analytics and error diagnostics (events, anonymised IP, technical/device data)

Platform

Maintain, secure, and improve the service

Legitimate interest

Email delivery data

Portal

Send reports and service communications

Performance of a contract / legitimate interest

We do not use your personal data for advertising, profiling for marketing, or cross-site tracking.

4. Cookies and similar technologies

We keep our use of cookies and browser storage to the minimum needed to run our services.

  • Website (insiderisk.com): sets no cookies.

  • Platform and Portal: set only strictly-necessary cookies and browser storage — required to keep you logged in, to run your assessment reliably, and to keep the service secure — plus one consent-exempt session preference (your microphone choice). Under the ePrivacy Directive all of these are exempt from consent.

We set no analytics, advertising, or tracking cookies or storage anywhere. The only browser storage we use is either strictly necessary or a single consent-exempt session preference (your microphone choice), so we do not display a cookie consent banner — there is nothing requiring your consent.

Cookies and storage by category. We classify into the standard categories below. We use only strictly-necessary storage and one session-scoped functional preference (your microphone selection); we set nothing in the analytics or advertising categories.

Category

Used?

Consent required?

Strictly necessary

Yes — authentication, reliable delivery of your assessment, and session UI state (see table below)

No (exempt under the ePrivacy Directive)

Functional / preferences

Yes — your microphone selection only, kept for the browser session (see table below)

No — exempt as a session-limited preference you actively chose; discarded when you close the tab

Analytics / performance

No analytics cookies or device storage (PostHog runs cookieless, and our video-player analytics run with cookies disabled — see below)

Advertising / marketing

No

What we set:

Name

Where

Provider

Type

Category

Purpose

Duration

sb-<project>-auth-token (and refresh token)

Platform, Portal

Supabase

Cookie

Strictly necessary

Maintain your authenticated session on the Platform and Portal

Access token expires after ~1 hour; a refresh token keeps you signed in until you log out

session-tracker-outbox-v1

Platform

InsideRisk (first-party)

Local storage

Strictly necessary

Briefly buffers your assessment-progress events until they are saved, so your responses are not lost on a page reload or short network drop

Each entry is removed as soon as it is saved

fullscreen-prompt-dismissed

Platform

InsideRisk (first-party)

Session storage

Strictly necessary

Remembers that you dismissed the full-screen prompt during this visit, so it is not shown again

Held for the current tab only; discarded when you close the tab

preferred-audio-device

Platform

InsideRisk (first-party)

Session storage

Functional / preference (consent-exempt)

Remembers the microphone you selected so a page reload during your visit doesn't interrupt the voice assessment

Held for the current tab only; discarded when you close the tab

The Website (insiderisk.com) sets no cookies or browser storage. The Portal sets only the authentication cookie; the local/session-storage items above are used only on the assessment Platform.

Analytics without cookies. Our product analytics (PostHog, hosted in the EU) runs in a cookieless configuration: it stores no analytics cookies or local storage on your device. Any identifiers it uses are held in your browser's memory only, for the duration of your visit, and are discarded when you close the tab.

Session identifier. To run an assessment and to link analytics and error-diagnostic events to a single visit, we assign a randomly generated session identifier and associate events with it. This identifier is held in memory, is not a stored profile, and cannot be used to identify you across other websites.

Your microphone choice. If you select a specific microphone during a voice assessment, that choice is kept in your browser's session storage so a page reload during your visit doesn't lose it. It is discarded when you close the tab, is not stored across visits, and is never shared.

You can block cookies and storage in your browser settings; blocking the authentication cookie may prevent you from logging in, and blocking the progress buffer may make your session less resilient to interruptions.

5. Analytics and AI processing

Analytics: we use PostHog (EU-hosted) for privacy-respectful product analytics and error monitoring. IP addresses are anonymised; the data is not used to identify you personally or track you across other sites. Our video player (Mux) also collects playback-quality and error telemetry to keep video working reliably; this is sent to Mux as our processor, and we run it with analytics cookies disabled.

AI processing: to deliver assessments and reports, assessment content (such as audio and transcripts) is processed by trusted providers for speech-to-text, voice, and language processing. They act as our processors and do not use your data to train their own models.

Review by our team. Where you take part in one of our own (non-commissioned) experiences — for example the free AI Integration experience you sign up for directly — members of the InsideRisk team may review your responses and the resulting report. We do this to operate and support the experience and to analyse and improve our service. We rely on your consent, which you give by ticking the box before you start, and we limit access to staff who need it. You can withdraw this consent at any time (see section 10). Where an organisation has commissioned the assessment, section 9 applies instead.

6. Who we share data with

We share personal data only with service providers ("processors") who help us run our services, under contracts requiring them to protect it. We do not sell personal data. The categories of recipients are:

  • Cloud hosting and database providers — to host the applications and store data.

  • AI / ML processing providers — for speech-to-text, voice, and language-model processing of assessment content.

  • Email-delivery providers — to send reports and service messages.

  • Product-analytics providers — for usage analytics and error monitoring.

  • Content and video providers — to serve assessment content and media.

A current, named list of our sub-processors — including each provider's location and the safeguard used for any transfer — is available on request at contact@insiderisk.com. We may also disclose data where required by law or to protect our legal rights.

7. International transfers

We are based in Switzerland, which the European Commission recognises as providing an adequate level of data protection. Where personal data is transferred to providers outside Switzerland or the EEA (for example, to US-based providers), we rely on appropriate safeguards — principally the European Commission's Standard Contractual Clauses, with the Swiss addendum where relevant. You can request details of the providers involved and the safeguards applied via contact@insiderisk.com.

8. How long we keep data

We keep personal data only as long as necessary for the purposes above, after which we delete it or irreversibly anonymise it. Where we cannot give a fixed period, we use the following criteria:

  • Assessment audio, transcripts, and responses: deleted or anonymised within 60 days of the assessment.

  • Reports and participant records (Portal): kept for the duration of the client engagement and a limited period afterwards.

  • Free-experience registration and consent records: kept for the duration of the experience and a limited period afterwards; consent records are retained as long as needed to evidence the consent, then deleted.

  • Analytics and error diagnostics: retained for a limited period in line with our analytics provider's standard settings, then deleted or aggregated.

  • Account data: for the life of the account and a limited period afterwards.

  • Enquiry / marketing data: until your request is resolved and a limited period afterwards, or until you object.

9. When the client organisation is the controller

Many assessments are commissioned by an organisation (for example your employer or a client of ours). In those cases that organisation is the data controller and InsideRisk acts as its processor, handling your data on its documented instructions; the organisation's own privacy notice governs why your data is collected and on what basis. Where you sign up for one of our free experiences directly (rather than through an organisation), InsideRisk is the controller and the consent you give at sign-up governs that processing. If you're unsure who arranged your assessment, contact them or us and we'll help direct your request.

10. Your rights

Subject to applicable law, you have the right to: access your data; have inaccurate data corrected; request erasure; restrict or object to processing based on legitimate interests (including our analytics); request portability; and withdraw consent where processing is based on consent, without affecting prior processing. Where you have taken part in a free experience, you can withdraw your consent to our team's review of your data at any time by contacting us; we will then stop that processing and delete the associated free-experience data. To exercise these rights, contact contact@insiderisk.com. Where the client organisation is the controller, we may forward your request to them. You may also lodge a complaint with the data protection authority in your country, or with the Swiss Federal Data Protection and Information Commissioner (FDPIC).

11. Security

We use appropriate technical and organisational measures, including encryption in transit, access controls, EU-region hosting where feasible, anonymisation of analytics IPs, and limited retention.

12. Children

Our services are intended for adults. We do not knowingly collect data from children below the applicable age of consent.

13. Changes to this policy

We may update this policy from time to time. We will post the updated version here and revise the "last updated" date; material changes will be communicated where appropriate.

14. Contact

InsideRisk SA — Route du Lac 27, 1071 Saint-Saphorin, Switzerland — contact@insiderisk.com.

Contact us.

Let us show you how our experiences can be tailored to your needs.

Contact us.

Let us show you how our experiences can be tailored to your needs.

Contact us.

Let us show you how our experiences can be tailored to your needs.