Privacy Policy

Version 2026-04-25 — Last updated: 25 April 2026

This Privacy Policy explains how WaysOfBeing OÜ (Estonia) processes personal data on the WaysOfBeing platform, accessible via www.waysofbeing.ai and app.waysofbeing.ai. WaysOfBeing acts as a data controller under the EU General Data Protection Regulation (GDPR) for the processing described below.

1. Data we collect

  • Account & identity: name, email, hashed password, language, profile metadata. When you sign in with Google, your Google profile (email, name, subject ID).
  • Coaching content (special category under GDPR Art 9): psychometric-assessment answers and computed profiles (Innate Traits, AQAL, Free Personality, Leadership Style); coach↔coachee transcripts; voice recordings and their transcripts; AI-assistant conversation history.
  • Operational: IP address (hashed with a monthly salt for consent records, raw for short-window security logs), User-Agent, timestamps, request metadata, anomaly signals.
  • Billing (if you become a paying customer): identity, billing address, payment-method token, transaction history. Card data is handled by Stripe; we do not store it.
  • Marketing analytics on this site: only if you accept analytics cookies (see Cookies section). Pseudonymous client ID, page paths, scroll, conversions.

2. Lawful bases (Art 6 / Art 9)

The lawful basis we rely on depends on the processing:

  • Account, support, billing: contract (Art 6(1)(b)). Tax records also retained under legal obligation (Art 6(1)(c)).
  • Marketing emails: consent (Art 6(1)(a)) — opt-in only, withdrawable any time via the unsubscribe link.
  • Coaching content, assessments, voice: contract (Art 6(1)(b)) and explicit consent for special-category data (Art 9(2)(a)).
  • Sharing with employer HR (B2B engagements): only with your separate, freely-given explicit consent for the engagement concerned (Art 9(2)(a)). Aggregated anonymized insights (cohort ≥ 5) require no additional consent. Raw transcripts are never shared with your employer by default.
  • Safeguarding escalation (risk to life or serious harm): vital interests (Art 6(1)(d) and Art 9(2)(c)). This basis is independent of consent — we may act, including contacting emergency services, where this is necessary to protect life.
  • Security & abuse logging: legitimate interests (Art 6(1)(f)). Balancing test on file.

3. AI processing & automated decisions (Art 22)

We use AI models to generate coaching prompts, suggested practices, and reflections. These suggestions do not produce legal or similarly significant effects automatically — your assigned human coach remains the decision-maker. You may request human-only mode at any time via your privacy settings or by emailing your coach. We provide explicit notice and record consent for AI-assisted coaching at signup.

Coaching content (assessments, transcripts, voice, AI threads) is processed by Mistral AI SAS (France) on EU infrastructure via api.mistral.ai. Speech-to-text uses Mistral Voxtral (EU); text-to-speech uses OpenAI (US, SCCs + Transfer Impact Assessment). The payroll assistant (HR operational tool, separate from coaching) uses OpenAI. We have written contractual commitments from each provider that your data is not used to train their models.

4. Storage & encryption

All coaching data is stored on servers in the European Economic Area (Hetzner, Germany and Finland). Object storage (voice files, generated documents) lives in EU-pinned Cloudflare R2. Mission narrative, transcript, and voice fields are encrypted at rest with AES-256-GCM. Database backups are encrypted.

5. Who can see your data

  • You.
  • Your assigned coach.
  • Where your employer has contracted coaching for you (B2B engagement): only the aggregated, anonymized engagement-level metrics flow to a limited set of HR administrators within your own organisation, unless you have given separate explicit consent for individual reports.
  • A small WaysOfBeing operations team for support and incident response, under audited access controls.
  • Sub-processors strictly necessary to deliver the service — see our Sub-processors page for the full list.

6. International transfers

Coaching processing is EU-only. Where we use US-based sub-processors (OpenAI for the payroll assistant and TTS, Google for analytics on this site, Stripe fallback), transfers rely on Standard Contractual Clauses (2021) plus a documented Transfer Impact Assessment per Schrems II. Our Sub-processors page lists each transfer mechanism.

7. Retention & tiered erasure

Active account data is retained while your account is active. On account closure or deletion request, data is removed in stages:

  • Stage 1 (immediate): access revoked, account marked pending deletion, confirmation email sent with a 7-day reversal link.
  • Stage 2 (after 7 days): identifying personal data purged from user-facing records — name, email, voice files, profile picture, contact info, OAuth bindings deleted. Coaching records on the coach side are pseudonymized.
  • Stage 3 (pseudonymized retention): pseudonymized coaching records are retained on the coach side for the professional retention window applicable to coaching practice (currently up to 7 years per EMCC/ICF guidance and Estonian professional-records norms), under the Art 17(3)(b) "compliance with legal obligation" carveout.
  • Stage 4 (hard delete): at end of the professional retention window, all records permanently deleted.
  • Tax records (invoices) are retained for the period required by Estonian law (10 years).
  • Security logs: 90 days. Backups: 30-day rolling.

8. Your rights under GDPR

You have the right to access, correct, export (Art 20 portability), and erase your personal data, and to object to or restrict processing. You also have the right to lodge a complaint with a supervisory authority — the Estonian DPA is the Andmekaitse Inspektsioon.

Self-service export and deletion are available from your account's Privacy Settings page (when signed in). You can also email support@waysofbeing.ai. We respond within one business week and will fulfil your request within one month per Art 12(3).

9. Cookies & analytics

On app.waysofbeing.ai we use only first-party functional cookies strictly necessary to operate the service (authentication, language preference). No banner is required for these under ePrivacy.

On www.waysofbeing.ai we use Google Analytics 4 to measure marketing effectiveness — only with your explicit consent via the cookie banner. Default state is denied; choices persist for 12 months. See our Cookies page for the full list.

10. Children

WaysOfBeing is not currently offered to anyone under 18. We do not knowingly collect data from minors. If you become aware that a minor has created an account, please contact us so we can delete it.

11. Safeguarding (duty of care)

If your conversations with WaysOfBeing reveal a credible risk to your life or to others, we may act — including by contacting your assigned coach, our designated safeguarding lead, or, where there is imminent vital risk, emergency services — even without your prior consent. This processing is necessary to protect vital interests under GDPR Art 6(1)(d) and Art 9(2)(c). You acknowledge this at signup; it is operationally irreducible.

12. Breach notification

We notify the Estonian supervisory authority within 72 hours of becoming aware of a personal-data breach (Art 33). Where the breach is likely to result in high risk to you, we notify you without undue delay (Art 34).

13. Policy changes

We will notify you of changes that materially affect how we process your data — in-app at next sign-in, by email, and 30 days before the change takes effect. Material changes (new processing purpose, new data category, new non-EU sub-processor) require fresh consent.

14. Data controller & contact

WaysOfBeing OÜ, Tallinn, Estonia. Data-protection contact: support@waysofbeing.ai. For our full Data Processing Addendum (DPA) or sub-processor agreements, see our Trust & Data Protection page or contact us.
