Privacy Policy

Last updated: May 31, 2026

GDPR Compliant

Our Privacy Commitment

Your privacy matters. ImprovoMagic is built with privacy-first principles. We collect only what's necessary, never sell your data, and give you full control.

What Information We Collect

Information You Provide:

  • Account Information: Name, email address, password (encrypted)
  • Team Data: Team names, member names, roles
  • Assessment Data: Your responses to assessment questions
  • Payment Information: Handled securely by PayPal (we never see your payment details)

Information We Collect Automatically:

  • Usage Data: Pages visited, features used, time spent
  • Device Information: Browser type, operating system, IP address
  • Cookies: Session cookies for authentication (essential only)

How We Use Your Information

We use your data to:

  • Provide the Service: Run assessments, generate reports, track progress
  • AI Insights: Power personalized recommendations using AI
  • Improve ImprovoMagic: Understand how features are used, fix bugs
  • Communication: Send account emails, product updates (you can opt out)
  • Security: Detect fraud, prevent abuse, protect user accounts

How We Share Your Information

We DO NOT sell your data. Ever.

We share data only in these limited cases:

  • Service Providers: Supabase (database), Vercel (hosting), Resend (emails), PayPal (payments) - all under strict contracts
  • AI Processing: Claude by Anthropic for generating insights (anonymized when possible, no training on your data)
  • Legal Requirements: If required by law or to protect rights/safety
  • With Your Consent: Any other sharing requires your explicit permission

Your Privacy Rights (GDPR)

You have these rights:

  • Access: See all data we have about you
  • Export: Download your data in JSON or CSV format
  • Correction: Update incorrect information
  • Deletion: Request account and data deletion (30-day grace period)
  • Portability: Transfer your data to another service
  • Object: Object to certain data processing
  • Withdraw Consent: Change your mind about data usage

Exercise these rights from your Privacy Settings page.

Data Security

We protect your data with:

  • Encryption: HTTPS for all traffic, bcrypt for passwords
  • Access Controls: Role-based permissions, admin-only sensitive operations
  • Regular Security Audits: Ongoing monitoring and updates
  • Secure Infrastructure: Hosted on enterprise-grade platforms (Supabase, Vercel)

Data Retention

  • Active Accounts: We keep your data as long as your account is active
  • Deleted Accounts: 30-day grace period, then permanent deletion
  • Backups: Encrypted backups retained for 90 days for disaster recovery
  • Legal Holds: Data may be retained longer if required by law

Cookies & Tracking

ImprovoMagic uses only strictly necessary cookies — the ones required to log you in, keep you logged in, and (if you choose to enable it) remember a trusted device for two-factor authentication. We do not use analytics, marketing, or advertising cookies. No Google Analytics, no Meta Pixel, no LinkedIn Insight Tag, no third-party trackers of any kind.

Under the EU ePrivacy Directive (Article 5(3)) and UK PECR, strictly necessary cookies are exempt from the consent requirement. We still disclose them in full below so you know exactly what we set and why.

Cookies we set

  • next-auth.session-token: Keeps you signed in after login. Retention: 30 days. Category: Strictly necessary.
  • next-auth.csrf-token: Protects the sign-in form from cross-site request forgery. Retention: Session. Category: Strictly necessary.
  • next-auth.callback-url: Remembers where you wanted to go before signing in, so we can return you there. Retention: Session. Category: Strictly necessary.
  • mfa_passed: Confirms you just passed a two-factor challenge so the sign-in completes. Retention: 5 minutes. Category: Strictly necessary.
  • 2fa_trusted: Set only if you tick "Remember this device" during two-factor sign-in. Lets you skip the 6-digit code on this browser. Retention: 30 days. Category: Strictly necessary (you opt in).

All cookies above are first-party, marked HttpOnly and SameSite=Lax, and (in production) Secure. They cannot be read by JavaScript on other sites.

Legal basis (GDPR Art. 6): Authentication cookies are processed under Art. 6(1)(b) — performance of the contract you entered into when you created an account. The optional 2fa_trusted cookie is processed under Art. 6(1)(a) — your explicit consent via the "Remember this device" checkbox — which you can withdraw at any time from Security Settings by revoking the device.

Cloudflare Turnstile: Optional bot protection (privacy-first, no cookies).

If this ever changes: if we add analytics or any non-essential cookie in the future, we will update this section, raise a consent prompt before setting it, and give you per-category controls.

Children's Privacy

ImprovoMagic is not intended for users under 18. We don't knowingly collect data from children. If you believe a child has created an account, contact us immediately.

International Data Transfers

Your data is primarily stored in EU data centers (Supabase EU region). If you're outside the EU, your data may be transferred internationally. We ensure adequate protections through standard contractual clauses.

Changes to This Policy

We may update this privacy policy occasionally. We'll notify you of significant changes via email. Continued use after changes means you accept the updated policy.

Contact Us

Questions about your privacy? Contact us:

  • Email: ludvig.ahlin@gmail.com
  • Data Protection: We take privacy seriously - expect a response within 48 hours
  • Location: Sweden 🇸🇪 (EU GDPR applies)

Privacy First, Always 🔒

ImprovoMagic was built with privacy as a core principle. We believe you should own your data, understand how it's used, and have complete control. No dark patterns, no hidden tracking, no data selling. Just honest, transparent service.

Built with passion, fueled by Swedish coffee, shared with purpose 🚀