Last updated:
InsideRisk® ("we," "our," or "us") values your privacy. This Privacy Policy explains how we collect, use, and share information about you when you visit our website, insiderisk.com (the "Site").
1. Introduction
This policy explains how InsideRisk SA ("InsideRisk", "we", "us") collects, uses, and protects personal data across our services:
insiderisk.com — our website
platform.insiderisk.com — the assessment Platform, where participants complete immersive assessments
portal.insiderisk.com — the Reporting Portal, where reports are generated and delivered, and the entry point for our demo and self-serve experiences (such as the AI Integration experience)
It also explains our use of cookies. We comply with the Swiss Federal Act on Data Protection (FADP), the EU General Data Protection Regulation (GDPR), and the ePrivacy Directive.
2. Who is responsible for your data
InsideRisk SA, Route du Lac 27, 1071 Saint-Saphorin, Switzerland, is the data controller for the processing described here, except where we act as a processor on behalf of a client organisation (see section 9). As we are based outside the EU, our representative in the EU under Article 27 GDPR is Adrian Stobbe, located in Spain [Spain address]. Contact us about privacy at contact@insiderisk.com.
3. The data we collect and why
Category | Where | Purpose | Legal basis |
|---|---|---|---|
Enquiry / demo-request details (name, email, phone, company, message) | Website | Respond to your request, arrange demos | Consent, or our legitimate interest in responding to enquiries |
Registration details for the AI Integration experience (name, email, phone) | Portal | Create and run your free experience, and follow up with you | Consent, and our legitimate interest in responding to your request |
Consent record (that you gave consent, and when) | Portal | Evidence and manage your consent | Legal obligation / our legitimate interest in demonstrating compliance |
Account and login data | Platform, Portal | Authenticate users, secure access | Performance of a contract / legitimate interest |
Assessment content — audio/voice, transcripts, and your responses | Platform | Run the assessment and produce the report | On behalf of the client organisation under their basis; where we are controller, your consent or our legitimate interest (see sections 5 and 9) |
A randomly generated session identifier | Platform | Operate the session and link diagnostics | Legitimate interest |
Participant name and email | Portal | Generate and deliver reports | Performance of a contract / legitimate interest |
Product-usage analytics and error diagnostics (events, anonymised IP, technical/device data) | Platform | Maintain, secure, and improve the service | Legitimate interest |
Email delivery data | Portal | Send reports and service communications | Performance of a contract / legitimate interest |
We do not use your personal data for advertising, profiling for marketing, or cross-site tracking.
4. Cookies and similar technologies
We keep our use of cookies and browser storage to the minimum needed to run our services.
Website (insiderisk.com): sets no cookies.
Platform and Portal: set only strictly-necessary cookies and browser storage — required to keep you logged in, to run your assessment reliably, and to keep the service secure — plus one consent-exempt session preference (your microphone choice). Under the ePrivacy Directive all of these are exempt from consent.
We set no analytics, advertising, or tracking cookies or storage anywhere. The only browser storage we use is either strictly necessary or a single consent-exempt session preference (your microphone choice), so we do not display a cookie consent banner — there is nothing requiring your consent.
Cookies and storage by category. We classify into the standard categories below. We use only strictly-necessary storage and one session-scoped functional preference (your microphone selection); we set nothing in the analytics or advertising categories.
Category | Used? | Consent required? |
|---|---|---|
Strictly necessary | Yes — authentication, reliable delivery of your assessment, and session UI state (see table below) | No (exempt under the ePrivacy Directive) |
Functional / preferences | Yes — your microphone selection only, kept for the browser session (see table below) | No — exempt as a session-limited preference you actively chose; discarded when you close the tab |
Analytics / performance | No analytics cookies or device storage (PostHog runs cookieless, and our video-player analytics run with cookies disabled — see below) | — |
Advertising / marketing | No | — |
What we set:
Name | Where | Provider | Type | Category | Purpose | Duration |
|---|---|---|---|---|---|---|
sb-<project>-auth-token (and refresh token) | Platform, Portal | Supabase | Cookie | Strictly necessary | Maintain your authenticated session on the Platform and Portal | Access token expires after ~1 hour; a refresh token keeps you signed in until you log out |
session-tracker-outbox-v1 | Platform | InsideRisk (first-party) | Local storage | Strictly necessary | Briefly buffers your assessment-progress events until they are saved, so your responses are not lost on a page reload or short network drop | Each entry is removed as soon as it is saved |
fullscreen-prompt-dismissed | Platform | InsideRisk (first-party) | Session storage | Strictly necessary | Remembers that you dismissed the full-screen prompt during this visit, so it is not shown again | Held for the current tab only; discarded when you close the tab |
preferred-audio-device | Platform | InsideRisk (first-party) | Session storage | Functional / preference (consent-exempt) | Remembers the microphone you selected so a page reload during your visit doesn't interrupt the voice assessment | Held for the current tab only; discarded when you close the tab |
The Website (insiderisk.com) sets no cookies or browser storage. The Portal sets only the authentication cookie; the local/session-storage items above are used only on the assessment Platform.
Analytics without cookies. Our product analytics (PostHog, hosted in the EU) runs in a cookieless configuration: it stores no analytics cookies or local storage on your device. Any identifiers it uses are held in your browser's memory only, for the duration of your visit, and are discarded when you close the tab.
Session identifier. To run an assessment and to link analytics and error-diagnostic events to a single visit, we assign a randomly generated session identifier and associate events with it. This identifier is held in memory, is not a stored profile, and cannot be used to identify you across other websites.
Your microphone choice. If you select a specific microphone during a voice assessment, that choice is kept in your browser's session storage so a page reload during your visit doesn't lose it. It is discarded when you close the tab, is not stored across visits, and is never shared.
You can block cookies and storage in your browser settings; blocking the authentication cookie may prevent you from logging in, and blocking the progress buffer may make your session less resilient to interruptions.
5. Analytics and AI processing
Analytics: we use PostHog (EU-hosted) for privacy-respectful product analytics and error monitoring. IP addresses are anonymised; the data is not used to identify you personally or track you across other sites. Our video player (Mux) also collects playback-quality and error telemetry to keep video working reliably; this is sent to Mux as our processor, and we run it with analytics cookies disabled.
AI processing: to deliver assessments and reports, assessment content (such as audio and transcripts) is processed by trusted providers for speech-to-text, voice, and language processing. They act as our processors and do not use your data to train their own models.
Review by our team. Where you take part in one of our own (non-commissioned) experiences — for example the free AI Integration experience you sign up for directly — members of the InsideRisk team may review your responses and the resulting report. We do this to operate and support the experience and to analyse and improve our service. We rely on your consent, which you give by ticking the box before you start, and we limit access to staff who need it. You can withdraw this consent at any time (see section 10). Where an organisation has commissioned the assessment, section 9 applies instead.
6. Who we share data with
We share personal data only with service providers ("processors") who help us run our services, under contracts requiring them to protect it. We do not sell personal data. The categories of recipients are:
Cloud hosting and database providers — to host the applications and store data.
AI / ML processing providers — for speech-to-text, voice, and language-model processing of assessment content.
Email-delivery providers — to send reports and service messages.
Product-analytics providers — for usage analytics and error monitoring.
Content and video providers — to serve assessment content and media.
A current, named list of our sub-processors — including each provider's location and the safeguard used for any transfer — is available on request at contact@insiderisk.com. We may also disclose data where required by law or to protect our legal rights.
7. International transfers
We are based in Switzerland, which the European Commission recognises as providing an adequate level of data protection. Where personal data is transferred to providers outside Switzerland or the EEA (for example, to US-based providers), we rely on appropriate safeguards — principally the European Commission's Standard Contractual Clauses, with the Swiss addendum where relevant. You can request details of the providers involved and the safeguards applied via contact@insiderisk.com.
8. How long we keep data
We keep personal data only as long as necessary for the purposes above, after which we delete it or irreversibly anonymise it. Where we cannot give a fixed period, we use the following criteria:
Assessment audio, transcripts, and responses: deleted or anonymised within 60 days of the assessment.
Reports and participant records (Portal): kept for the duration of the client engagement and a limited period afterwards.
Free-experience registration and consent records: kept for the duration of the experience and a limited period afterwards; consent records are retained as long as needed to evidence the consent, then deleted.
Analytics and error diagnostics: retained for a limited period in line with our analytics provider's standard settings, then deleted or aggregated.
Account data: for the life of the account and a limited period afterwards.
Enquiry / marketing data: until your request is resolved and a limited period afterwards, or until you object.
9. When the client organisation is the controller
Many assessments are commissioned by an organisation (for example your employer or a client of ours). In those cases that organisation is the data controller and InsideRisk acts as its processor, handling your data on its documented instructions; the organisation's own privacy notice governs why your data is collected and on what basis. Where you sign up for one of our free experiences directly (rather than through an organisation), InsideRisk is the controller and the consent you give at sign-up governs that processing. If you're unsure who arranged your assessment, contact them or us and we'll help direct your request.
10. Your rights
Subject to applicable law, you have the right to: access your data; have inaccurate data corrected; request erasure; restrict or object to processing based on legitimate interests (including our analytics); request portability; and withdraw consent where processing is based on consent, without affecting prior processing. Where you have taken part in a free experience, you can withdraw your consent to our team's review of your data at any time by contacting us; we will then stop that processing and delete the associated free-experience data. To exercise these rights, contact contact@insiderisk.com. Where the client organisation is the controller, we may forward your request to them. You may also lodge a complaint with the data protection authority in your country, or with the Swiss Federal Data Protection and Information Commissioner (FDPIC).
11. Security
We use appropriate technical and organisational measures, including encryption in transit, access controls, EU-region hosting where feasible, anonymisation of analytics IPs, and limited retention.
12. Children
Our services are intended for adults. We do not knowingly collect data from children below the applicable age of consent.
13. Changes to this policy
We may update this policy from time to time. We will post the updated version here and revise the "last updated" date; material changes will be communicated where appropriate.
14. Contact
InsideRisk SA — Route du Lac 27, 1071 Saint-Saphorin, Switzerland — contact@insiderisk.com.