LeaderCoreAI

LeaderCoreAI Privacy Notice

Last Updated: 15 November 2025

1. Introduction

Blue Horizon Training SRL, operating under the LeaderCoreAI brand ("we", "us", "our"), is committed to protecting your privacy and personal data. This Privacy Notice explains how we handle personal data in our dual roles as both a data controller and a data processor under the General Data Protection Regulation (GDPR) and applicable data protection laws.

This notice is divided into two sections:

  • Section A: When we act as a controller
  • Section B: When we act as a processor

Quick Reference: What We Collect vs. What We DON'T

Note: We operate two domains with different data practices - marketing website (leadercore.ai) and application platform (app.leadercore.ai)

What We DO Collect:

  • Email addresses and names (for user accounts - app platform)
  • Company name (for subscription management - app platform)
  • Training activity: scenario selections, session duration, completion status (app platform)
  • Performance data: scores, feedback, assessments (deleted per user type)
  • IP address and browser type (ONLY for demo request submissions - app platform)
  • Anonymized logs: email hashes, truncated user IDs (SHA-256, 8 chars - both domains)
  • Marketing website visitors (leadercore.ai only): Google Analytics tracking (page views, sessions, device type, approximate location) via GA cookies

What We DON'T Collect:

  • Payment card or bank account details (handled by reseller partners)
  • Demographics: age, gender, race, ethnicity
  • Home addresses, phone numbers (except business contacts)
  • Social security numbers or government IDs
  • Health data, political opinions, religious beliefs
  • Advertising or remarketing cookies (either domain)
  • Cross-site behavioral profiles or tracking pixels
  • Third-party marketing trackers on application platform (app.leadercore.ai)

Privacy Highlights:

  • Two-domain approach: Marketing site (leadercore.ai) uses Google Analytics for visitor insights; Application platform (app.leadercore.ai) uses Firebase Analytics only
  • All logs automatically anonymized (PII-safe logging utility)
  • Conversation content deleted within 24 hours of session end
  • BigQuery exports use SHA-256 user hashing (no conversation content exported)
  • No advertising trackers on app platform - NO Google Analytics, Facebook Pixel, or ad cookies on app.leadercore.ai
  • Demo users: 7-day data retention, Full users: 30-day grace period after subscription ends
  • Cookie consent banner now implemented on marketing site (GDPR compliance) ✓

Section A: LeaderCoreAI as Data Controller

2. Controller Information

Blue Horizon Training SRL (trading as LeaderCoreAI) operates the marketing website at https://leadercore.ai and the application platform at https://app.leadercore.ai.

Registered Office:
Blue Horizon Training SRL
Intrarea Biserica Albă 3, Ap. 6
010298, Sector 1, Bucharest, Romania

For privacy-related inquiries, please contact:
Email: office@leadercore.ai

3. Personal Data We Collect as Controller

3.1 Website Visitors and Platform Users

Important: We operate two distinct web properties with different data collection practices:

3.1a Marketing Website Visitors (https://leadercore.ai)

Our public marketing website uses Google Analytics for visitor tracking and marketing analytics:

  • Google Analytics GA4: Measurement ID G-5YBQKN6B1D
  • Cookies set: _ga (2 years), _gid (24 hours), _gat (1 minute)
  • Data collected: Page views, session duration, referral sources, device type, approximate location (city/country level), browser type
  • Purpose: Marketing analytics, website optimization, understanding visitor behavior
  • Data retention: 14 months (Google Analytics default for GA4)
  • Third-party processor: Google LLC (see Google's Privacy Policy)
  • Cookie consent: Implemented via cookie consent banner (GDPR/ePrivacy compliant)

3.1b Application Platform Users (https://app.leadercore.ai)

Our application platform uses minimal, privacy-focused analytics:

  • Firebase Analytics ONLY: First-party analytics for service improvement (NOT Google Analytics)
  • No Google Analytics: We do NOT use GA4 or Universal Analytics on the application platform
  • No third-party trackers: No advertising pixels, marketing cookies, or cross-site tracking
  • Technical data (very limited): IP address and browser type (user agent) collected ONLY for demo request submissions (abuse prevention and technical support). NOT collected during normal authenticated usage.
  • Authentication storage: Firebase SDK uses browser localStorage/IndexedDB (not traditional cookies)
  • Cookies: Only essential cookies - sidebar_state (UI preference, 7 days) and Firebase Auth session cookies. No analytics, advertising, or tracking cookies.

3.2 Business Contacts (Partners, Resellers, Prospects)

  • Identity data: name, job title, company name, registration numbers, VAT numbers
  • Contact data: email address, telephone number, business address
  • Communication data: your preferences in receiving marketing from us and your communication preferences
  • Marketing data: your responses to marketing campaigns, event attendance

3.3 Customer Organizations (Billing Contacts)

Note: LeaderCoreAI operates on a B2B reseller/partner model. Direct payment processing is handled by our authorized resellers. We may receive billing contact information from resellers for service provisioning and subscription management.

  • Identity data: name, job title, company name
  • Contact data: email address (for service provisioning)
  • Subscription data: subscription tier, start/end dates, authorized user count

Important: We do NOT collect or store payment card details, bank account information, or process payments directly. All financial transactions are handled by our reseller partners.

3.4 System Administration and Security

  • Security logs: Authentication attempts, access logs, error logs (automatically anonymized using PII-safe logging utility that hashes email addresses with SHA-256, truncates user IDs to 8 characters, and sanitizes sensitive fields)
  • Admin user data: Administrator account credentials (hashed), role assignments
  • System usage data: Function call logs (anonymized), performance metrics, API response times

We process your personal data on the following legal grounds:

  • Contract performance: Processing necessary to perform our contract with your organization (billing, service delivery, account management)
  • Legitimate interests: Our legitimate business interests in operating and improving our website, marketing our services, and maintaining security (balanced against your rights)
  • Legal obligation: Compliance with tax, accounting, and regulatory requirements
  • Consent: Where you have given explicit consent for marketing communications (which you may withdraw at any time)

5. How We Use Your Data (as Controller)

5.1 Website Operations

  • To provide and maintain website functionality
  • To analyze website usage and improve user experience
  • To ensure network and information security

5.2 Business Development

  • To communicate with partners, resellers, and prospects
  • To send marketing communications (where consent given or legitimate interest applies)
  • To conduct market research and customer satisfaction surveys

5.3 Customer Relationship Management

  • To manage customer accounts and subscriptions
  • To provide customer support
  • To send service-related communications

5.4 System Security and Administration

  • To monitor system security and prevent unauthorized access
  • To investigate and respond to security incidents
  • To maintain audit trails for compliance purposes
  • To optimize system performance

5.5 What We DON'T Collect - Our Privacy-First Approach

LeaderCoreAI is committed to data minimization. Unlike many platforms, we do NOT collect:

  • No payment data: No credit card numbers, bank account details, or payment information (handled by reseller partners)
  • No demographic data: No age, gender, race, ethnicity, or other demographic information
  • No advertising trackers: No third-party advertising pixels, cookies, or tracking scripts
  • No behavioral profiling: No cross-site tracking or behavioral advertising profiles
  • No social media tracking: No Facebook Pixel, LinkedIn Insight Tag, or similar social tracking
  • No unnecessary personal data: No home addresses, phone numbers (except business contacts), or social security numbers
  • No sensitive categories: No health data, political opinions, religious beliefs, or union membership

Analytics Approach: Our application platform (app.leadercore.ai) uses Firebase Analytics (first-party only), NOT Google Analytics. Our marketing website (leadercore.ai) uses Google Analytics GA4 for marketing analytics only.

6. Data Sharing (as Controller)

We may share your personal data with:

  • Service providers: Cloud hosting (Google Cloud Platform, Firebase, Vercel), email service providers (for transactional emails only)
  • Analytics processors:
    • Google LLC (for leadercore.ai marketing website only): Google Analytics GA4 processes visitor data for marketing analytics. Data may be transferred to the US under Google's EU-US Data Privacy Framework certification and Binding Corporate Rules. See Google's Privacy Policy and Google Analytics Data Processing Terms.
    • Note: Our application platform (app.leadercore.ai) uses Firebase Analytics (Google-operated) but does NOT use Google Analytics.
  • Professional advisers: Lawyers, auditors, insurers
  • Regulatory authorities: When required by law or to protect our legal rights
  • Business transferees: In connection with any merger, sale of company assets, or acquisition

We do not sell your personal data to third parties.

7. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including:

  • Google Cloud Platform services (europe-central2 region primarily, with global CDN)
  • Vercel hosting services (global deployment)
  • Firebase services (Google's global infrastructure)

We ensure appropriate safeguards are in place:

  • European Commission adequacy decisions (where applicable)
  • Standard Contractual Clauses (SCCs) with service providers
  • Binding Corporate Rules of our processors (Google, Vercel)

8. Data Retention (as Controller)

We retain personal data for as long as necessary to fulfill the purposes outlined in this notice:

  • Website visitor data: 26 months (analytics), 12 months (security logs)
  • Business contact data: Until you unsubscribe or request deletion, plus 3 years (legitimate interest period)
  • Billing and financial data: 7 years (tax and accounting legal requirements)
  • Security logs: 12 months (security monitoring period)
  • Marketing data: Until consent withdrawn or 3 years of inactivity

9. Your Rights (as Controller)

Under GDPR, you have the following rights:

  • Right of access: Request a copy of your personal data
  • Right to rectification: Correct inaccurate or incomplete data
  • Right to erasure: Request deletion of your data (subject to legal obligations)
  • Right to restrict processing: Limit how we use your data
  • Right to data portability: Receive your data in a structured format
  • Right to object: Object to processing based on legitimate interests or direct marketing
  • Right to withdraw consent: Where processing is based on consent
  • Right to lodge a complaint: Contact your local data protection authority

To exercise these rights, contact us at office@leadercore.ai

Section B: LeaderCoreAI as Data Processor

10. Processing on Behalf of Customers

When your employer or organization (the "Customer") subscribes to LeaderCoreAI's leadership training platform, we process personal data about you as a data processor on behalf of the Customer, who acts as the data controller.

11. What Data is Processed

When you use the LeaderCoreAI platform as an employee/end-user, we process:

  • Account data: Name, email address, company name
  • Training activity: Scenario selections, conversation sessions, completion status
  • Performance data: Assessment results, scores, feedback, response quality
  • Usage analytics: Session duration, message count, timestamp data, progress tracking
  • Authentication data: Login credentials, session tokens

12. Purpose of Processing (as Processor)

We process this data solely to:

  • Provide the AI-powered leadership training simulations
  • Generate performance assessments and feedback
  • Enable your employer to track training completion and effectiveness
  • Provide analytics dashboards to your employer's administrators
  • Maintain system security and service quality

13. Your Employer's Responsibilities (Controller)

Your employer is responsible for:

  • Providing you with their own privacy notice explaining how they use LeaderCoreAI
  • Obtaining any necessary consent for processing your training data
  • Determining what data is collected and how long it is retained
  • Responding to your requests to access, correct, or delete your data
  • Ensuring lawful basis for processing your performance data

We are responsible for:

  • Processing your data only according to your employer's documented instructions
  • Implementing appropriate technical and organizational security measures
  • Assisting your employer in responding to your data rights requests
  • Maintaining confidentiality and security of your data
  • Deleting or returning your data when the service contract ends

14. Data Processing Agreement (DPA)

We have entered into a Data Processing Agreement with your employer that:

  • Defines the scope, nature, and purpose of processing
  • Specifies our obligations as a processor
  • Requires appropriate security measures
  • Restricts sub-processor engagement
  • Provides for data breach notification
  • Enables data protection audits

15. Security Measures (as Processor)

We implement industry-standard security measures:

Technical Measures:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Secure authentication (Firebase Authentication with token-based access)
  • Access controls and role-based permissions
  • Regular security monitoring and logging (PII-safe): All system logs automatically anonymize personal data using SHA-256 email hashing, user ID truncation (8 characters), and sensitive field sanitization
  • Automated backup and disaster recovery
  • Zero PII exposure in logs: Our logging utility prevents accidental logging of passwords, tokens, full email addresses, or conversation content

16. Sub-Processors

We engage the following sub-processors to assist in service delivery:

  • Google Cloud Platform / Firebase: Cloud infrastructure and database hosting (EU region: europe-central2)
  • Google AI (Gemini): AI model for conversation simulations and grading
  • Vercel: Frontend hosting and CDN
  • BigQuery: Analytics data warehouse (EU region: europe-central2)

All sub-processors are bound by written agreements requiring GDPR-compliant data protection.

We will notify customers of any changes to our sub-processor list in accordance with our DPA.

17. Data Location and Transfers

Employee training data is primarily stored in:

  • Primary region: europe-central2 (Warsaw, Poland)
  • Backup region: EU-based Google Cloud infrastructure
  • AI processing: Google Gemini API (may process in multiple regions)

All international data transfers are protected by appropriate safeguards (Google's Binding Corporate Rules and EU-US Data Privacy Framework certification where applicable).

18. Data Retention (as Processor)

We retain employee training data according to your employer's instructions, with different policies for demo users vs. full subscription users:

18.1 Session and Conversation Data (All Users)

  • Active sessions: Conversation transcripts retained during active training session for AI context and grading
  • Session deletion timeline: When you end a training session, it is marked for deletion and automatically removed within 24 hours by our scheduled cleanup process (runs at 2:00 AM and 2:00 PM UTC daily)
  • Purpose of retention: Enables AI to provide contextual responses and generate performance assessments
  • Content privacy: Conversation content is NOT exported to analytics systems - only metadata and scores

18.2 Performance Results and PDF Reports

  • Performance data: Assessment scores, feedback, and grading results retained per user type (see 18.3 and 18.4 below)
  • PDF reports: Generated performance reports expire and are automatically deleted 30 days after creation
  • Download tracking: We track download count and last download date for report management

18.3 Demo User Data Retention

For users with demo/trial accounts:

  • Demo duration: Typically 7 days from signup (configurable by administrator)
  • Data deletion: ALL performance data, results, and session history are automatically deleted when the demo subscription expires
  • No grace period: Demo users do not receive a 30-day grace period - deletion is immediate upon expiration
  • Purpose: Demo data is for evaluation purposes only and is not intended for long-term retention

18.4 Full Subscription User Data Retention

For users with paid/full subscriptions (managed by employer):

  • Active subscription: All performance data retained while subscription is active
  • 30-day grace period: When employer's subscription ends, performance data remains accessible for 30 days before deletion
  • Employer control: Your employer determines the subscription duration and data retention policy (within our technical limits)
  • Archival options: Employers can export data before subscription ends

18.5 Analytics and Anonymization

  • BigQuery exports: Performance metrics are exported to our analytics warehouse for platform improvement
  • User anonymization: Before export, user IDs are replaced with SHA-256 hashes (irreversible, 16-character identifier)
  • Data minimization: Only metadata and scores are exported - NO conversation content, names, or email addresses
  • Fields exported: Session ID, user hash, subscription key, scenario details, scores, duration, message count
  • Retention: Anonymized analytics data retained for 26 months, then aggregated further or deleted

18.6 System Logs and Audit Trails

  • Security logs: Authentication attempts, access logs, error logs retained for 12 months (automatically anonymized)
  • Audit trails: Compliance and troubleshooting logs retained for 12 months
  • PII protection: All logs use our PII-safe logging utility (email hashing, user ID truncation)

18.7 Contract Termination

Upon employer contract termination, we will delete or return all identifiable personal data within 90 days unless legally required to retain. Anonymized analytics data may be retained per section 18.5 above.

19. Your Rights (When We Are Processor)

To exercise your data protection rights regarding your training data, please contact your employer's HR or privacy team, as they are the controller.

Your rights include:

  • Right to access your training records and performance data
  • Right to correct inaccurate information
  • Right to request deletion (subject to employer's legitimate interests and legal obligations)
  • Right to object to processing of your data
  • Right to restrict processing
  • Right to data portability

We will assist your employer in fulfilling these requests.

If you believe your employer is not properly handling your data, you have the right to lodge a complaint with your local data protection supervisory authority.

20. Data Breach Notification

In the event of a personal data breach affecting employee training data:

  • We will notify your employer within 72 hours of becoming aware
  • We will provide details of the nature of the breach, affected data, and mitigation measures
  • Your employer is responsible for notifying you and the supervisory authority as required by law

General Provisions

21. Cookies and Tracking Technologies

LeaderCoreAI operates two web properties with different cookie usage:

21.1 Marketing Website (https://leadercore.ai)

Our public marketing website uses cookies for analytics:

Google Analytics Cookies:

  • _ga cookie: Distinguishes unique visitors (expires after 2 years)
  • _gid cookie: Distinguishes unique visitors (expires after 24 hours)
  • _gat cookie: Throttles request rate (expires after 1 minute)
  • Purpose: Marketing analytics, visitor behavior tracking, website optimization
  • Data retention: 14 months (Google Analytics GA4 default)
  • Third-party processor: Google LLC
  • Legal basis: Consent (required under GDPR/ePrivacy Directive)
  • Cookie consent management: Implemented - consent banner allows you to accept/reject analytics cookies

Essential Cookies (Marketing Website):

  • Next.js may use minimal technical cookies for routing and server-side rendering
  • These are strictly necessary for the website to function

21.2 Application Platform (https://app.leadercore.ai)

Our application platform uses minimal browser storage for essential functionality:

Authentication Storage (Firebase SDK):

  • Method: Browser localStorage and IndexedDB (NOT traditional cookies)
  • Purpose: Maintain user authentication session and keep you logged in
  • Data stored: Authentication tokens, refresh tokens, user session data
  • Persistence: Managed by Firebase Authentication SDK (Google)
  • Classification: Strictly necessary for service functionality
  • No consent required: These are essential for the application to work

Next.js Framework Storage:

  • Next.js may use minimal cookies for routing, server-side rendering, and framework functionality
  • These are technical cookies necessary for the application to function

Functional Cookies:

  • sidebar_state: Stores UI preference (sidebar expanded/collapsed), 7 days expiry, strictly necessary for user experience
  • Purpose: Remembers your sidebar preference across sessions
  • Classification: Essential functional cookie

Analytics (Firebase Analytics - First-Party Only):

  • We use Firebase Analytics for service improvement (NOT Google Analytics)
  • First-party analytics only - no third-party tracking scripts
  • Client-side event tracking for performance monitoring and feature usage
  • Important: This is different from Google Analytics GA4 used on the marketing site

21.3 What We DON'T Use (Both Domains)

  • No advertising cookies: No ad targeting or remarketing cookies on either domain
  • No third-party trackers on app: Application platform (app.leadercore.ai) has NO Google Analytics, Facebook Pixel, LinkedIn Insight Tag, or similar trackers
  • No cross-site tracking: No cookies shared between leadercore.ai and app.leadercore.ai
  • No marketing cookies on app: Application platform does not use marketing or campaign tracking cookies
  • No social media tracking: No social media pixels or tracking on either domain

22. Children's Privacy

LeaderCoreAI is a B2B service for professional leadership training. We do not knowingly collect personal data from individuals under 18 years of age. If we become aware of such collection, we will delete the data promptly.

23. Automated Decision-Making

Our AI-powered grading system evaluates training performance using automated algorithms. However:

Results represent an invitation to reflect on your own performance during the simulation, and nothing further shall be construed from them.

24. Changes to This Notice

We may update this Privacy Notice from time to time to reflect changes in our practices or legal requirements. Material changes will be notified through:

  • Email notification to registered customers and contacts
  • Prominent notice on our website
  • Updated "Last Updated" date at the top of this notice

We encourage you to review this notice periodically.

25. Supervisory Authority

If you have concerns about how we handle your personal data, you have the right to lodge a complaint with your local data protection supervisory authority:

26. Contact Us

For questions or concerns about this Privacy Notice or our data practices:

Blue Horizon Training SRL
Intrarea Biserica Albă 3, Ap. 6
010298, Sector 1, Bucharest, Romania
Email: office@leadercore.ai
Website: https://leadercore.ai

For data subject rights requests, please email us at: office@leadercore.ai

This Privacy Notice is governed by:

  • EU General Data Protection Regulation (GDPR) 2016/679
  • National data protection laws implementing GDPR
  • ePrivacy Directive 2002/58/EC (for cookies and electronic communications)

END OF PRIVACY NOTICE