1. Information We Collect

Personal Information

We may collect personally identifiable information such as:

• Contact Information: Name, email address
• Professional Information: Job title, company, industry, career goals
• Account Information: Username, password, profile preferences
• Assessment Data: Career assessment responses, skill evaluations, performance metrics

Usage Information

We automatically collect certain information about your device and use of our Service:

• Device Information: IP address, browser type, operating system
• Usage Data: Pages visited, time spent, features used, click patterns
• Performance Data: Assessment scores, progress tracking, improvement metrics

Data from Connected Integrations

If you connect a third-party service (e.g., Slack, Gmail, GitHub, Linear, or others), we collect activity data from that service on your behalf — only the events and metadata necessary for the features you've enabled. You authorize this collection through each service's OAuth consent flow and can stop it at any time by disconnecting the integration in Settings → Integrations.

Because activity streams may include content authored by other people (e.g., teammates' messages in channels you belong to, or email senders who write to you), we act as a processor of that third-party data on behalf of the connecting user and their organization. We do not create profiles of, nor independently contact, non-customer individuals whose content happens to appear in this stream. If you are a non-customer whose data has been ingested incidentally and you want it removed, contact privacy@product-sense.io.

2. How We Use Your Information

We use collected information for the following purposes:

Service Delivery

• Provide and maintain our Service
• Process career assessments and generate personalized recommendations
• Track your progress and performance improvements
• Deliver customer support and respond to your requests

Service Improvement

• Analyze usage patterns to improve our platform functionality
• Develop new features and enhance user experience
• Conduct research and analytics to optimize our services
• Perform quality assurance and testing

Communication

• Send you updates about our Service and new features
• Provide customer support and respond to inquiries
• Send administrative notices and policy updates
• Deliver marketing communications (with your consent), including:
  • Email newsletters about career development and platform updates
  • Promotional offers for premium features and services
  • Product announcements and feature releases
  • Educational content related to career growth and professional development
  • Survey requests and user research participation invitations

Consent Management

When we seek your consent for marketing communications:

• Freely Given: You have genuine choice and control over your decision
• Specific: We clearly identify what you're consenting to for each type of communication
• Informed: We provide clear information about the purpose and scope of communications
• Unambiguous: We require explicit opt-in action (no pre-ticked boxes)
• Granular Options: You may consent to specific types of communications separately:
  • Platform updates and service announcements
  • Educational newsletters and career guidance
  • Promotional offers and premium feature notifications
  • Research participation and feedback requests

3. Information Sharing and Disclosure

We Do Not Sell Your Personal Information

We do not sell, trade, or rent your personal information to third parties for their commercial purposes.

Service Providers

We may share your information with trusted third-party service providers who assist us in operating our Service:

• Cloud Infrastructure: AWS for secure data hosting and processing
• AI Services: OpenAI (via AWS Bedrock) and Google Vertex AI — used for large-language-model inference that powers activity enrichment, scoring, and the chat assistant
• Customer Support: Intercom for customer communication and support
• Analytics: Aggregated, anonymized data for performance analysis

We require all third-party service providers to:

• Maintain appropriate technical and organizational security measures
• Process personal data only for the specific purposes we authorize
• Comply with applicable data protection laws and regulations
• Implement contractual safeguards equivalent to those in this Privacy Policy
• Notify us immediately of any data security incidents or breaches
• Allow auditing and monitoring of their data protection practices

Authorized AI Client Access (MCP / OAuth)

Find Your Great offers a Model Context Protocol (MCP) server that lets you authorize third-party AI clients (for example Claude Desktop, ChatGPT, Cursor, Notion, Gemini) to read your data on your behalf. Connecting a client is opt-in: you complete an OAuth flow, see the requesting client's identity and a summary of what scopes it is requesting, and choose whether to approve. Nothing is shared until you approve.

• What you can grant: Read-only access to data within the scopes shown on the consent screen — your work activity (including decrypted content from connected platforms such as Slack, GitHub, Linear, Discord, and WhatsApp, plus meeting transcripts), career signals, patterns, plans and goals, impact updates, team / org structure, and AI-generated reasoning notes about your career episodes and impact updates.
• How data is delivered: When a connected client calls a tool, Find Your Great decrypts the relevant fields server-side and returns them over a TLS-protected channel to the client you authorized. The client receives the response in plaintext.
• Third-party handling: Once data is delivered to a connected AI client, it is governed by that client's own privacy policy and data-handling practices, which Find Your Great does not control. Review the privacy policy of any AI client before connecting it.
• Revocation: You can review every connected client and revoke any of them at any time at /settings/connections. Revocation takes effect immediately and prevents future access; it does not retrieve data the client already received.
• Scope of authorization: Each authorization is bound to a single organization. Connecting the same client to a different organization, or changing scopes, requires a new authorization through the consent flow.

Legal Requirements

We may disclose your information if required to do so by law or in response to:

• Legal processes such as court orders or subpoenas
• Government requests or regulatory requirements
• Protection of our rights, property, or safety
• Investigation of fraud or security incidents

4. Data Security and Protection

Security Measures

We implement appropriate technical and organizational measures to protect your information:

• Encryption: AES-256 encryption for data at rest, TLS 1.2+ for data in transit
• Access Controls: Strict access limitations based on business need
• Monitoring: Real-time security monitoring and incident detection
• Compliance: SOC 2 and GDPR compliance frameworks

Data Retention

• Active Accounts: Data retained while your account is active
• Inactive Accounts: Data deleted within 60 days of account termination
• Legal Requirements: Some data may be retained longer to comply with legal obligations
• Support Records: Customer support communications retained for 3 years
• Security Logs: Access and security logs retained for 1 year
• Analytics Data: Anonymized usage data retained for 2 years for service improvement
• Connected Integration Data: Activity data collected from connected third-party integrations follows the same retention tiers above. Disconnecting an integration stops new data collection immediately; previously-ingested activity data is subject to the active/inactive account retention schedule, or earlier deletion upon erasure request.

Data Breach Notification

In the event of a personal data breach, we are committed to transparent and timely communication:

• Immediate (0-2 hours): Breach detection and initial containment
• Within 24 hours: Internal incident response team activation and impact assessment
• Within 24 hours: Customer/Company notification for data breaches
• Within 72 hours: Supervisory authority notification (if required by GDPR)

5. Your Rights and Choices

Access and Control

You have the right to:

• Access: Request a copy of your personal information
• Rectification: Correct inaccurate or incomplete information
• Erasure: Request deletion of your personal information
• Portability: Receive your data in a machine-readable format
• Restrict Processing: Limit how we process your information
• Object: Object to processing based on legitimate interests

Communication Preferences

You can control communications from us by:

• Updating your account settings and preferences
• Following unsubscribe instructions in marketing emails
• Contacting us directly with your preferences

Withdrawing Consent

You have the right to withdraw your consent for marketing communications at any time:

• How to Withdraw: Use unsubscribe links in emails, update account preferences, or contact privacy@product-sense.io
• Effect of Withdrawal: We will stop sending marketing communications immediately (within 48 hours)
• No Penalty: Withdrawing consent will not affect your access to our core services
• Separate Consents: You may withdraw consent for specific types of communications while maintaining others
• Reconfirmation: We will never re-subscribe you without explicit new consent

Account Deletion

You may delete your account at any time by:

• Using the account deletion feature in your profile settings
• Contacting our support team at support@product-sense.io
• All associated data will be deleted within 30 days (GDPR compliant)

6. International Data Transfers

Cross-Border Processing

Your information may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place for international transfers:

• Adequate Protection: We transfer data to countries with European Commission adequacy decisions, including the United States (EU-U.S. Data Privacy Framework (DPF))
• Standard Contractual Clauses: We use the 2021 European Commission Standard Contractual Clauses (SCCs) for transfers to countries without adequacy decisions
• Ongoing Monitoring: Regular assessment of transfer mechanisms and requirements

Specific Transfer Safeguards

• United States: Transfers based on adequacy decision (EU-U.S. Data Privacy Framework (DPF)) for AWS, OpenAI, Google Cloud (Vertex AI), and Intercom
• Other Countries: Standard Contractual Clauses (2021 SCCs) with additional technical and organizational measures
• Transfer Impact Assessments: Regular evaluation of transfer mechanisms and third-country legal frameworks
• Alternative Measures: Implementation of additional safeguards when standard mechanisms may be insufficient

7. Children's Privacy

Our Service is not intended for individuals under the age of 16 (or under 13 in the United States). We do not knowingly collect personal information from children.

If we become aware that we have collected personal information from a child without proper parental consent, we will take steps to remove that information from our servers promptly.

If you believe we may have collected information from a child, please contact us immediately at privacy@product-sense.io.

8. Cookies and Tracking Technologies

What Are Cookies

Cookies are small text files stored on your device when you visit our website. We use cookies to:

• Remember your preferences and settings
• Analyze site usage and performance
• Provide personalized content and recommendations
• Ensure security and prevent fraud

Types of Cookies We Use

• Essential Cookies: Required for basic site functionality
• Performance Cookies: Help us understand how visitors use our site
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Provide insights into site usage and performance

Managing Cookies

You can control cookies through your browser settings:

• Block all cookies or only third-party cookies
• Delete existing cookies from your device
• Receive notifications when cookies are being used
• Note that disabling cookies may affect site functionality

9. Third-Party Links

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices or content of these third parties. We encourage you to review the privacy policies of any third-party sites you visit.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

• Posting the updated policy on our website
• Sending email notifications to registered users
• Providing in-app notifications about policy changes
• The effective date at the top of this policy indicates when it was last revised

11. Data Protection Officer (DPO) Framework

Responsibilities

• Monitor compliance with GDPR and other privacy regulations
• Conduct privacy impact assessments and risk evaluations
• Serve as point of contact for supervisory authorities
• Provide guidance on data protection matters to staff and management
• Maintain data processing register and documentation
• Review and approve data protection policies and procedures

Authority and Independence

• Direct reporting to executive leadership on privacy matters
• Authority to halt processing activities that pose high privacy risks
• Access to all personal data processing activities and systems
• Budget authority for privacy compliance tools and external counsel
• Supervisory authorities have direct access to DPO
• External counsel consultation for complex privacy matters
• Industry privacy professional network engagement

12. Privacy Impact Assessment (PIA) Process

PIA Trigger Criteria

Privacy Impact Assessments are required for processing activities that are likely to result in high risk to individuals:

• Systematic and extensive evaluation of personal aspects (automated decision-making)
• Large-scale processing of special categories of personal data
• Systematic monitoring of publicly accessible areas
• New technologies or innovative processing methods
• Processing that prevents individuals from exercising rights or accessing services

Assessment Process

Step 1: Initial Privacy Risk Screening

Step 2: Detailed Impact Assessment - Describe processing activity, purpose, legal basis, and evaluate necessity

Step 3: Risk Mitigation Planning - Implement privacy-by-design and privacy-by-default principles

EU Representative and Supervisory Authority

EU Representative

Supervisory Authority

EU residents have the right to lodge a complaint with their local supervisory authority if they believe we have not addressed their privacy concerns adequately.

GDPR Compliance Summary

Data Processing Register

We maintain a comprehensive register of all processing activities as required by GDPR Article 30:

California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights with respect to your personal information:

• Right to know: What personal information we collect about you, how we use it, who we disclose it to, and the purposes for processing it
• Right to delete: Request deletion of personal information we have collected (subject to legal exceptions)
• Right to correct: Request correction of inaccurate personal information we hold about you
• Right to opt out of sale or sharing: We do not sell personal information, and we do not share personal information for cross-context behavioral advertising
• Right to limit use of sensitive personal information: We do not use sensitive personal information for purposes beyond providing our service
• Right to non-discrimination: We will not discriminate against you for exercising any of these rights

How to Exercise Your Rights

California residents may submit a verifiable consumer request through either of two designated methods:

• Email: privacy@product-sense.io
• Web form: findyourgreat.com/docs/support (no account required)

We verify your identity before fulfilling requests. We respond within 45 days, with a possible 45-day extension upon written notice when reasonably necessary.

Authorized Agents

California residents may designate an authorized agent to make a request on their behalf. We will require written verification of the agent's authorization before fulfilling the request.

How We Use AI/LLMs

Find Your Great processes activity content through large language models to provide its core functionality. We commit to the following:

• Models and providers: We use LLMs hosted by AWS Bedrock (OpenAI's open-weight models) and Google Cloud Vertex AI. Each is a sub-processor under our DPA.
• Purposes: Enrichment of activity events, scoring against evaluation dimensions, episode construction, and chat-assistant responses about your own work.
• No training on your data: Our LLM sub-processors are contractually prohibited from training their foundation models on your data. This is enforced through AWS Bedrock's and Google Cloud Vertex AI's enterprise terms.
• Data residency: All customer data is currently stored in AWS us-east-2 (United States). LLM inference runs in the same region as the stored data.
• Zero retention: Prompts and completions are not retained by the model providers beyond the inference call, per their zero-retention configuration.
• Tenant isolation: Each inference call is isolated; we do not share prompts, completions, or embeddings across customer organizations.

Automated Decision-Making

Find Your Great uses automated systems to enrich activity data, score work against evaluation dimensions, recommend levels and ratings, and surface performance signals to managers. We disclose the following in alignment with GDPR Article 22 and CPRA's Automated Decision-Making Technology rules (§7220–7222):

• Decision-support, not decisions: All outputs are decision-support. Managers and customer-organization administrators review and can override any recommendation before it affects employment outcomes. Find Your Great does not produce final decisions about hiring, promotion, compensation, or termination — those decisions remain with the customer organization.
• Logic and significance: Scoring uses rule-based evaluation frameworks configured by your organization, combined with LLM-assisted interpretation of activity data. The significance of these outputs depends on how your employer uses them; ask your employer for their internal policy.
• Your rights: You have the right to (1) obtain human review of any score or recommendation, (2) contest it, and (3) receive an explanation of how it was generated. Email privacy@product-sense.io or use the support form at findyourgreat.com/docs/support.
• California ADMT rights: California residents may request to access information about, and opt out of, significant automated decision-making as defined by CPRA §7220–7222.

Questions or Concerns

If you have questions about this Privacy Policy or how we handle your personal data, please contact us: