
Privacy Policy

Last updated: May 2026

This policy explains what data PM Strategy Advisor collects, how it is used, and your rights under the General Data Protection Regulation (GDPR).

1. Data Controller

The data controller for PM Strategy Advisor is:

Deepak Kumar

PM Strategy Advisor

Belgium

Email: [email protected]

2. What We Collect

We collect the following categories of data:

Account Data

Email address, full name, and role level - provided at registration via email/password or Google Sign-In.

Conversation Data

Messages you send and receive in chat sessions, including any documents you upload for analysis. This data is stored to enable session continuity and the Digital Twin feature.

Journal Entries

Outcomes Journal retrospectives you submit - including what happened, what worked, and strategic impact ratings.

Digital Twin Facts

Structured facts extracted from your conversations (sector, sponsor names, programme context) that you explicitly confirm and save to personalise future advice.

Usage Metadata

Session counts, timestamps, scenario types selected, and session ratings - used to understand how the service is being used and to improve it.

Payment Data

Billing and payment processing is handled entirely by Paddle. PM Strategy Advisor does not store your payment card details. We receive confirmation of payment status only.

3. How We Use Your Data

  • To provide the service - processing your messages through our AI inference layer to generate strategic advisory responses
  • To personalise advice - storing and applying Digital Twin facts you have confirmed, so the advisor remembers your context across sessions
  • To enable session history - storing your past conversations so you can review and resume them
  • To improve the product - aggregated and anonymised usage patterns (never individual conversation content) inform product development
  • To communicate with you - transactional emails (account confirmation, password reset, billing notifications, material Terms updates)

4. Your Conversations Are Not Used to Train AI Models

Your conversation data is never used to train AI models - by us or our AI inference provider. Messages are transmitted to OpenRouter for real-time inference only. OpenRouter processes your messages transiently to generate a response; they are not stored by OpenRouter for model training purposes. For details, see OpenRouter's Privacy Policy.

5. Legal Basis for Processing (GDPR)

  • Contract performance (Art. 6(1)(b) GDPR) - processing necessary to provide the service you signed up for (account data, conversation data, session history)
  • Legitimate interests (Art. 6(1)(f) GDPR) - aggregated usage analytics to improve the product; fraud prevention
  • Consent (Art. 6(1)(a) GDPR) - Digital Twin fact extraction (you explicitly confirm each fact before it is saved)

6. Third-Party Services

PM Strategy Advisor uses the following sub-processors:

Firebase (Google)

User authentication and frontend hosting


Supabase

Database storage (conversations, profiles, journal entries)


OpenRouter

AI inference - processes messages transiently to generate responses


Paddle

Payment processing - handles billing; PM Strategy Advisor does not see card details


Google Analytics

Anonymised usage analytics (IP anonymisation enabled)


7. Data Retention

Account data and conversation history are retained for as long as your account is active. If you request account deletion, your personal data will be deleted within 90 days of the request, except where retention is required by law. Aggregated, anonymised usage data is retained indefinitely as it cannot be linked to any individual.

8. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

  • Right of Access - Request a copy of the personal data we hold about you
  • Right to Rectification - Request correction of inaccurate or incomplete data
  • Right to Erasure - Request deletion of your personal data ('right to be forgotten')
  • Right to Data Portability - Receive your data in a structured, machine-readable format
  • Right to Restriction - Request that we limit processing of your data in certain circumstances
  • Right to Object - Object to processing based on legitimate interests
  • Right to Withdraw Consent - Withdraw consent at any time where processing is consent-based (e.g., Digital Twin)

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

9. Cookies

We use the following cookies:

  • Session cookies - set by Firebase Authentication to maintain your login session. Strictly necessary; cannot be disabled without breaking the service.
  • Analytics cookies - set by Google Analytics with IP anonymisation enabled. Used to understand aggregate usage patterns. You can opt out via your browser settings or a browser extension.

10. International Data Transfers

EU-based (no international transfer):

  • Supabase (Frankfurt, EU) - all conversation data, Digital Twin facts, journal entries, and profiles are stored within the EU. No international transfer applies.

US-based (Standard Contractual Clauses apply):

  • Firebase (Google, US) - authentication and frontend hosting.
  • OpenRouter (US) - AI inference; messages are processed transiently and are not stored for training.
  • Paddle (US) - payment transactions only; no conversation, project, or Digital Twin data is shared with Paddle.
  • Google Analytics (US) - aggregated, anonymised usage analytics only.

Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. A copy is available on request.

11. Right to Complain to the Belgian DPA

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit): www.dataprotectionauthority.be. We would appreciate the opportunity to address your concern directly before you contact the DPA.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email at least 14 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was most recently revised.