Last updated: April 2025

Privacy Policy

Impact Growth Academy is committed to protecting your personal data. This policy explains what we collect, why, and how you can control it. Written in plain language because we believe you deserve to understand it.

Section 01

Who we are

Impact Growth Academy SL ("Impact", "we", "us", or "our") is a Spanish company registered in Madrid, Spain. We operate the Impact Growth Academy platform — a leadership operating system that combines business intelligence, team culture, and whole-self wellbeing for founders and executives.

For the purposes of the EU General Data Protection Regulation (GDPR), Impact Growth Academy SL is the data controller of any personal data you share with us. Our registered office is in Madrid, Spain.

Data Protection Officer: privacy@impactgrowth.eu

Section 02

What data we collect (and why)

We collect only the data we genuinely need to operate the service. Here is everything, organised by purpose:

Account data

  • Full name, email address, password hash
  • Optional: company name, role, profile photo, timezone

Business data you enter

  • Company financial metrics (MRR, ARR, burn, runway, custom KPIs)
  • CRM pipeline data when you connect HubSpot, Salesforce, Pipedrive, or Notion
  • Calendar events when you connect Google, Outlook, or iCloud

Wellbeing data (special category — see Section 3)

  • Cycle tracking entries you choose to log
  • Energy and mood ratings, symptom tags, private notes

Team pulse data

  • Anonymous survey responses from your team (cryptographically hashed — we cannot link them to individuals)

Technical data

  • IP address, browser type, device type (used for security and fraud prevention)
  • Session logs (kept for 30 days for debugging and security)

Section 03

Health data — special protections

Cycle tracking, energy, mood, and symptom data are classified as special category personal data under Article 9 of the GDPR. We treat them with extra care:

  • Encrypted at rest using AES-256 on EU servers in Frankfurt, Germany
  • Encrypted in transit via TLS 1.3
  • Never analysed for advertising — we don't run ads, ever
  • Hidden from your team — anyone you invite to your workspace cannot see your wellbeing data
  • Never shared with third parties for marketing, research, or analytics
  • Processed only with your explicit consent, which you give during onboarding and can withdraw at any time

You can delete all wellbeing data with one click in Settings → Privacy. Deletion is immediate and irreversible.

Section 04

How we use your data

We process your data only for these purposes:

  • Provide the service: show you your dashboard, sync your integrations, deliver IF briefings
  • Improve the product: aggregated, anonymised usage analytics (no health data, ever)
  • Customer support: reply to your questions and troubleshoot issues
  • Billing: process subscription payments via Stripe (we never store your card details)
  • Security: detect fraud, abuse, and unauthorised access
  • Legal compliance: respond to valid legal requests where required

Our legal bases under GDPR Article 6 are: performance of contract (to provide the service), legitimate interests (security, product improvement), consent (for health data and marketing emails), and legal obligation (tax, accounting).

Section 05

Who we share data with (spoiler: almost no one)

We do not sell your data. We do not share it with advertisers or data brokers. The only third parties that touch your data are essential subprocessors that help us run the service:

  • Supabase (EU region, Frankfurt): database, authentication, file storage
  • Stripe: payment processing (PCI-DSS Level 1)
  • Resend / Postmark: transactional email delivery
  • Google / Microsoft / Apple: only if you connect calendars or CRMs — and only the data scopes you authorise
  • OpenAI / Anthropic / Google AI: for IF responses (see Section 9)

Each subprocessor is bound by a Data Processing Agreement compliant with GDPR Article 28. A full, up-to-date list is available at privacy@impactgrowth.eu on request.

Section 06

Where your data is stored

All your data is stored in the European Union — specifically, in Frankfurt, Germany, on Supabase's EU infrastructure (which runs on AWS eu-central-1).

We do not transfer personal data outside the European Economic Area (EEA) except in two narrow cases, both governed by Standard Contractual Clauses (SCCs):

  • AI inference for IF responses (US-based providers — see Section 9)
  • Stripe payment processing (some routing may transit the US)

Backups are also stored in EU regions and retained for 30 days.

Section 07

Your GDPR rights

Your GDPR rights at a glance

Under GDPR, you have the right to: access your data, correct inaccurate data, delete your data, export your data, and object to processing. To exercise any of these rights, email privacy@impactgrowth.eu. We respond within 72 hours.

In detail, you have the right to:

  • Access (Art. 15): request a copy of all data we hold about you
  • Rectification (Art. 16): correct inaccurate or incomplete data
  • Erasure / "right to be forgotten" (Art. 17): delete your account and all associated data
  • Portability (Art. 20): export your data in a structured, machine-readable format (JSON / CSV)
  • Objection (Art. 21): object to processing based on legitimate interests
  • Restriction (Art. 18): ask us to stop processing while a dispute is resolved
  • Withdraw consent: at any time, for any consent-based processing

You also have the right to lodge a complaint with your local data protection authority. In Spain, that is the Agencia Española de Protección de Datos (AEPD).

Section 08

Cookies and tracking

We use the absolute minimum number of cookies. We do not use advertising cookies, social pixels, or third-party tracking scripts.

Essential cookies (no consent needed)

  • Session cookies for authentication
  • CSRF protection tokens
  • Theme preference (light / dark)

Analytics (consent-based)

We use a privacy-first, EU-hosted analytics provider (Plausible or similar) that does not set cookies and does not track individuals across sites. You can opt out in Settings → Privacy.

Section 09

AI and your data (IF conversations)

IF, our AI agent, uses large language models from OpenAI, Anthropic, and Google. When you chat with IF, the relevant context (your business metrics, calendar, and team pulse — but never your raw health data) is sent to the model provider for inference.

We have configured these integrations as follows:

  • Zero-retention mode: model providers do not store or train on your conversations
  • No PII in prompts: personally identifying details of your team members are stripped before sending
  • EU endpoints where available: we use EU-region API endpoints whenever the provider offers them
  • Standard Contractual Clauses: govern any unavoidable US data transfer

You can disable IF entirely in Settings → AI Preferences. Your account will continue to work without AI features.

Section 10

Contact our DPO

For any privacy-related question, request, or concern, contact our Data Protection Officer:

We respond to all GDPR requests within 72 hours and resolve them within 30 days, as required by Article 12.

Section 11

Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will:

  • Update the "Last updated" date at the top of this page
  • Email all active users at least 30 days before material changes take effect
  • Maintain a public changelog of policy revisions

For material changes that affect how we process your data, we will ask for renewed consent where legally required.

This policy is provided as a placeholder and should be reviewed by a qualified data protection lawyer before publication.

Questions about this document? Email legal@impactgrowth.eu — a real human will reply.