Privacy Policy

Last updated: March 29, 2026

1. Data Controller

The data controller responsible for this website and service is:

[Company Legal Name]
[Street Address]
[Postal Code] [City], Spain
Email: [contact@masterhumanbehavior.com]
VAT ID (NIF-IVA): [ES B12345678]

For full contact details, see our Imprint.

If you have questions about data protection, contact us at: [privacy@masterhumanbehavior.com]

2. Data We Collect

2.1 Account Data

When you register, we collect: name, email address, and password (stored as a cryptographic hash). If you register via Google, Facebook, LinkedIn, or Microsoft OAuth, we receive your name and email from the provider.

2.2 Payment Data

Payments are processed by Stripe, Inc. We store your Stripe customer ID and subscription ID. We do not store credit card numbers, CVVs, or bank account details — Stripe handles all payment data under their own PCI-DSS compliance. See Stripe's Privacy Policy.

2.3 Voice & Audio Data

During voice practice sessions, your microphone audio is transmitted in real-time to our AI voice providers (Google Gemini Live API or ElevenLabs) for conversation processing. We do not permanently store raw audio recordings. Audio is processed in real-time and discarded after the session ends.

What we do retain:

  • Conversation transcripts — text transcriptions of what you and the AI said, used for session debriefs and performance evaluation
  • Performance scores — AI-generated evaluation scores and feedback
  • Session metadata — duration, mode (voice/video/chat), timestamp

Important: We do not create voiceprints, speaker identification profiles, or any biometric templates from your voice. Your audio is used solely for real-time conversation — never for identification purposes.

2.4 Training & Progress Data

We store your scenario completion history, scores, XP points, level progression, and any feedback you provide about sessions.

2.5 Technical Data

We automatically collect: IP address, browser type and version, device type, operating system, pages visited, and session cookies. See our Cookie Policy for details.

2.6 Uploaded Content

If you upload resumes or documents for custom scenario generation, we store the file and extracted text for the duration described in Section 7 (Retention).

3. Purpose & Legal Basis for Processing

Under GDPR Article 6, we process your data on the following legal bases:

| Purpose | Legal Basis | GDPR Article |
|---|---|---|
| Providing the training platform | Contract performance | Art. 6(1)(b) |
| Processing voice during sessions | Consent (obtained before first session) | Art. 6(1)(a) |
| Payment processing via Stripe | Contract performance | Art. 6(1)(b) |
| Email communication (account, billing) | Contract performance | Art. 6(1)(b) |
| Platform security & fraud prevention | Legitimate interest | Art. 6(1)(f) |
| Analytics & service improvement | Legitimate interest / Consent | Art. 6(1)(f) / (a) |
| Legal obligations (tax, retention) | Legal obligation | Art. 6(1)(c) |

4. Automated Decision-Making & AI Evaluation

As required by GDPR Article 13(2)(f) and the EU AI Act Article 50, we disclose the following:

  • AI-powered scoring: After each training session, an AI model evaluates your performance and generates a score (0–100) across multiple behavioral axes. This scoring is fully automated.
  • How it works: The AI analyzes your conversation transcript against the scenario's learning objectives and behavioral criteria. It evaluates factors like technique usage, empathy, communication clarity, and adaptability.
  • Impact: Scores determine your XP progression and level advancement within the platform. They do not affect your access to the service, your subscription, or any real-world outcomes.
  • Limitations: AI evaluations are for educational purposes only. They are not infallible and should not be treated as professional assessments.
  • Human review: You may request a human review of any AI-generated evaluation by contacting us.

5. Third-Party Services & Sub-Processors

We share data with the following third parties, each under a Data Processing Agreement (GDPR Art. 28):

| Service | Purpose | Location |
|---|---|---|
| Google (Gemini Live API) | Real-time voice conversation processing | USA (EU-US DPF) |
| ElevenLabs | Voice conversation processing | USA (EU-US DPF) |
| Anthropic (Claude) | AI evaluation & grading | USA (EU-US DPF) |
| Stripe, Inc. | Payment processing | USA (EU-US DPF) |
| Amazon Web Services (AWS) | Hosting, email delivery (SES), file storage (S3) | EU (Frankfurt) |
| Google (OAuth) | Social login authentication | USA (EU-US DPF) |

6. International Data Transfers

Some of our sub-processors are based in the United States. These transfers are protected by:

  • The EU-US Data Privacy Framework (DPF) adequacy decision (European Commission, July 2023) for certified US companies
  • Standard Contractual Clauses (SCCs) as a supplementary safeguard where applicable

7. Data Retention

| Data Category | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| Voice/audio | Not stored — processed in real-time only |
| Session transcripts & scores | Duration of account + 30 days after deletion |
| Payment records | 7 years (Spanish tax law, Ley General Tributaria, Art. 66) |
| Uploaded resumes/documents | Until user deletes or account deletion + 30 days |
| Server logs (IP, technical) | 90 days |

8. Your Rights Under GDPR

If you are in the European Economic Area (EEA), you have the following rights:

  • Access (Art. 15) — Request a copy of all personal data we hold about you
  • Rectification (Art. 16) — Correct inaccurate or incomplete data
  • Erasure (Art. 17) — Request deletion of your data ("right to be forgotten")
  • Restriction (Art. 18) — Restrict processing while a dispute is resolved
  • Data portability (Art. 20) — Receive your data in a machine-readable format
  • Objection (Art. 21) — Object to processing based on legitimate interest
  • Withdraw consent (Art. 7(3)) — Withdraw consent at any time; withdrawal does not affect the lawfulness of prior processing

To exercise any of these rights, email [privacy@masterhumanbehavior.com]. We will respond within 30 days.

You can also submit a request directly: Exercise Your Rights

You also have the right to lodge a complaint with the Spanish Data Protection Authority (Agencia Española de Protección de Datos — AEPD): www.aepd.es

9. Your Rights Under US State Privacy Laws (CCPA/CPRA)

If you are a California resident, or reside in another US state with comprehensive privacy legislation (Virginia, Colorado, Connecticut, etc.), you have additional rights:

  • Right to know — What personal information we collect, use, and share (Cal. Civ. Code §1798.100)
  • Right to delete — Request deletion of your personal information (§1798.105)
  • Right to correct — Correct inaccurate personal information (§1798.106)
  • Right to opt out of sale/sharing — We do not sell your personal information. If this changes, we will provide a "Do Not Sell or Share" mechanism (§1798.120)
  • Right to limit sensitive PI — Voice data is classified as sensitive personal information under CPRA. You may limit its use to what is strictly necessary for the service (§1798.121)
  • Non-discrimination — We will not discriminate against you for exercising your rights (§1798.125)

To exercise these rights, email [privacy@masterhumanbehavior.com] with the subject line "CCPA Request."

You can also submit a request directly: Exercise Your Rights

Do Not Track

As required by CalOPPA (Cal. Bus. & Prof. Code §22575), we disclose that our site does not currently respond to "Do Not Track" browser signals. We do not use third-party advertising tracking on the platform.

10. Voice Data & Biometric Information (US Users)

This section provides additional disclosures required under US state biometric privacy laws, including the Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14/), the Texas CUBI Act, and similar state legislation.

  • What we collect: During voice practice sessions, your microphone audio is streamed in real-time to an AI provider for conversation purposes. We collect conversation transcripts (text), not audio recordings.
  • What we do NOT collect: We do not create, collect, or store voiceprints, voice templates, speaker identification models, or any biometric identifiers or biometric information as defined under BIPA §10.
  • Purpose: Voice audio is processed solely to generate real-time AI conversation responses and text transcription for session debriefs.
  • Retention & destruction: Audio streams are processed in real-time and are not recorded or stored. Text transcripts are retained for the duration of your account and permanently deleted within 30 days of account deletion.
  • Consent: Before your first voice session, we request your explicit consent to process your voice data. You may withdraw consent at any time from your account settings, which will disable voice practice modes.
  • No sale or disclosure: We do not sell, lease, trade, or otherwise profit from your voice data. Voice audio is shared only with our AI processing providers (Google, ElevenLabs) under data processing agreements for the sole purpose of powering your training session.

11. Children's Privacy

Master Human Behavior is not intended for children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly. This complies with COPPA (15 U.S.C. §6501) and GDPR Article 8.

12. Data Security

We implement appropriate technical and organizational measures to protect your data, including: encrypted data transmission (TLS/HTTPS), hashed passwords, access controls, regular security updates, and encrypted storage for sensitive data at rest. No system is 100% secure — if you discover a vulnerability, please contact us at [security@masterhumanbehavior.com].

13. Cookies

We use essential cookies to operate the platform. For full details on what cookies we use and how to manage them, see our Cookie Policy.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users and posted on this page with an updated revision date. Continued use of the platform after changes constitutes acceptance.