Privacy Policy
AI Native Transformation Platform app.ai-native-transformation.com Last updated: April 4, 2026
1. Introduction
This Privacy Policy describes how the AI Native Transformation platform ("Platform," "we," "us") collects, uses, stores, and shares personal information when you use our web application at app.ai-native-transformation.com.
This is a workplace tool deployed by your employer ("Organization"). Your Organization's administrators have access to your data within their account. If you have questions about how your employer uses this data, contact your Organization's privacy or HR team.
By using the Platform, you acknowledge that you have read and understood this policy.
2. Who We Are
The Platform is operated as a SaaS product provided to Organizations to help their employees complete an AI transformation program. Your personal data is processed both by us (as data controller) and by your Organization (as data controller for its employees).
3. Data We Collect
3.1 Identity (via Google Sign-In)
When you authenticate, we collect:
- Full name
- Work email address
- Profile image
Authentication is handled via Google OAuth using the openid, profile, and email scopes only. We do not access your Google Drive, Calendar, Contacts, or any other Google service.
Your session is maintained via a secure, HttpOnly, SameSite=Lax cookie that expires approximately every 30 days.
3.2 Employee Profile (admin-provided)
Your Organization's administrator may provide or import the following information about you:
- Job title and department
- Company name
- Reporting relationship (manager)
- Role definition (a description of your responsibilities)
- Language preference (English or French)
- Account status (active or inactive)
- GitHub username (optional, for developer metrics)
3.3 Content You Create
As you progress through the coaching program, the following content is collected and stored:
| Type | Description |
|---|---|
| Coaching messages | All messages exchanged between you and the AI coach |
| Step artifacts | Structured documents produced at each of the 6 coaching steps |
| AI maturity assessment | Your questionnaire responses and computed readiness scores |
| Workflow documentation | Descriptions of your work processes, including time estimates, tools, participants, and bottlenecks |
| Transition plan | Your AI transformation plan, subject to manager review and approval |
3.4 System Logs
The Platform automatically generates the following logs:
| Log type | What is recorded | Retention |
|---|---|---|
| Audit log | User actions (login, create, update, approve, anonymize), actor, target record, IP address, timestamp | Indefinite |
| AI usage log | Token counts per API call (organization, user, endpoint, model) | Indefinite |
| AI request log | Request timestamps per user (used for rate limiting) | Indefinite |
We currently have no automatic deletion policy. All data is retained until your Organization or you exercise a deletion or anonymization right (see Section 8).
4. How We Use Your Data
We use your personal data to:
- Authenticate and manage your account
- Deliver AI-coached sessions tailored to your role and responsibilities
- Generate and store your coaching artifacts, assessment results, and transition plan
- Enable your manager to review, score, and approve your transition plan
- Enable your Organization's administrators to track program progress across their workforce
- Enforce rate limits and prevent abuse
- Maintain an audit trail for security and compliance purposes
- Measure platform usage and improve the product (see PostHog, Section 5.4)
- Sync developer productivity metrics if GitHub is connected (see Section 5.3)
5. Data Sharing with Third Parties
5.1 Anthropic (Claude API) — Primary AI Processor
This is the most significant third-party data sharing on this platform.
To deliver AI coaching sessions, we send your personal and professional content to Anthropic's API. This includes:
- Your name, title, and role definition
- Your full coaching conversation history
- Your completed step artifacts (steps 1–5)
- Your workflow documentation (names, descriptions, time data, tools, participants, AI scores)
- Your assessment scores
For AI-powered scoring (triggered by your Organization's admin), the following is also sent:
- Your transition plan content
- Your workflow data
- Your step artifact content
Endpoint: https://api.anthropic.com
Model: Claude Sonnet 4 (or as configured by your Organization)
Region: Anthropic processes data under its own infrastructure terms.
A Data Processing Agreement (DPA) with Anthropic is required for enterprise use of this platform. Your Organization should confirm this agreement is in place.
Anthropic's privacy policy is available at: https://www.anthropic.com/legal/privacy
5.2 Google (Authentication Only)
We use Google OAuth solely for authentication. After login, we do not call any Google API. Your profile image is refreshed on each login from your Google profile.
5.3 GitHub (Optional, Admin-Configured)
If your Organization enables GitHub integration, we retrieve the following data from GitHub using a scoped GitHub App installation:
- Commits, pull requests, and code reviews attributed to your GitHub username
- Daily aggregates of lines of code added and removed
This data is visible to Organization admins and stored in the Platform. This is an optional integration enabled by your Organization. If you have questions about whether it is active, contact your admin.
5.4 PostHog (Analytics)
If enabled by the Platform operator, basic usage analytics are sent to PostHog, a US-based analytics service. This includes:
- Your email address and name (for user identification)
- Page views and page exit events
PostHog uses browser localStorage (not cookies) for client-side tracking.
If you are located in the EU or a jurisdiction requiring consent for analytics, your Organization should ensure appropriate notice or consent mechanisms are in place.
PostHog's privacy policy: https://posthog.com/privacy
5.5 Infrastructure Providers
Your data is hosted on the following US-based infrastructure:
| Provider | Role | Region |
|---|---|---|
| Vercel | Application hosting (serverless) | United States |
| Supabase (AWS) | Database (PostgreSQL) | AWS US-West-2 |
If your Organization is located in the EU or another jurisdiction with data transfer restrictions, you should review whether these hosting arrangements satisfy applicable transfer mechanisms (e.g., EU Standard Contractual Clauses).
6. Who Can Access Your Data
You
You can access and edit your own coaching sessions, artifacts, assessment, workflows, and transition plan. You cannot access other employees' data.
Your Manager
Your manager can read, score, add notes to, and approve or reject your transition plan. They cannot access your coaching conversations, step artifacts, assessment responses, or workflow details.
You will be informed before submitting your transition plan that it becomes visible to your manager.
Your Organization's Administrators
Administrators within your Organization have full read access to all employee data in their account, including coaching sessions, artifacts, assessments, workflows, plans, audit logs, and usage metrics. They can also export your data and trigger anonymization.
Platform Operator (Super-Admin)
The Platform operator has cross-organization administrative access for operational and support purposes. This access is logged.
7. Cookies
| Cookie | Purpose | Type | Expiry |
|---|---|---|---|
__Secure-next-auth.session-token | Authentication session | HttpOnly, Secure, SameSite=Lax | ~30 days |
We do not use advertising cookies or third-party tracking cookies. PostHog analytics use browser localStorage.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access — Request a copy of all data held about you
- Correction — Request corrections to inaccurate data
- Erasure / Anonymization — Request that your personal data be removed or anonymized
- Portability — Request your data in a structured, machine-readable format
- Objection — Object to certain processing activities
How to Exercise Your Rights
Your Organization's admin can export your full data or trigger anonymization through the admin panel.
Data export produces a complete JSON file of your profile, assessments, coaching sessions and messages, step artifacts, transition plan and revisions, workflows, and audit log entries.
Anonymization is irreversible and removes all personal identifiers from the system. Your name is replaced with "Anonymized User," your email is removed, and the content of your coaching messages, artifacts, and plan is cleared. Aggregate scores may be retained for organizational reporting.
To exercise your rights, contact your Organization's administrator or reach out to us at the contact address in Section 15.
9. Data Retention
We do not currently apply automatic data deletion or time-to-live policies. All data is retained for the duration of your Organization's account unless manually anonymized or deleted.
We recommend Organizations establish a retention policy aligned with their employment practices, such as retaining data for the duration of employment plus a defined period (e.g., 12 months).
10. Security
We implement the following technical measures to protect your data:
- CSRF protection via Origin header validation on all state-changing requests
- Per-user rate limiting on AI endpoints (20 requests per hour)
- Concurrent request locking (one AI request at a time per user)
- Multi-tenant data isolation: all records are scoped by
orgIdwith enforced foreign key constraints - Plugin credentials encrypted at rest using AES-256-GCM
- Domain-based login restriction: only pre-approved email domains can authenticate
- Audit logging of all significant user and admin actions, including IP address
11. Governing Law and Applicable Regulations
This Privacy Policy is governed by the laws of the Province of Quebec and the federal laws of Canada applicable therein.
The Platform's data practices are designed to comply with:
- Quebec Law 25 (Act to modernize legislative provisions as regards the protection of personal information, in force since September 2023), including:
- The right to access, correct, and request deletion of personal information
- The requirement to publish and maintain an accessible privacy policy
- Privacy impact assessment (PIA) obligations for systems that collect personal information, including AI-processing systems
- Breach notification obligations to the Commission d'accès à l'information (CAI) and affected individuals
- PIPEDA (Personal Information Protection and Electronic Documents Act) — applicable to federally regulated activities and cross-border data flows
- CASL (Canada's Anti-Spam Legislation) — applicable to any electronic communications sent through the Platform
Cross-border transfers: Your data is processed on US-based infrastructure (Vercel, Supabase/AWS) and sent to US-based third parties (Anthropic, PostHog, and optionally GitHub). Under Quebec Law 25, transfers of personal information outside Quebec require a Privacy Impact Assessment confirming that the receiving jurisdiction offers adequate protection comparable to Quebec standards. Organizations deploying this Platform are responsible for conducting or obtaining this assessment before use by Quebec-resident employees.
Supervisory authority: The regulatory authority for privacy matters in Quebec is the Commission d'accès à l'information (CAI): www.cai.gouv.qc.ca
13. Children's Data
This Platform is a professional workplace tool intended for use by adults in an employment context. We do not knowingly collect personal information from individuals under the age of 16.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this document. For material changes, we will notify users or Organizations through the Platform or by email.
15. Contact
For privacy-related questions or to exercise your data rights, contact:
AI Native Transformation privacy@ai-native-transformation.com
If your inquiry relates to how your employer uses your data within the Platform, please contact your Organization directly.