Privacy Policy
Privacy Policy
Last updated: 2026-05-18
PimsLead is designed around the principle of data minimisation: end users (managers training on the mobile application) log in anonymously via a unique access code, and no data directly identifying them is stored on our servers.
1. Data controller
The data controller is OPIIM SARL — contact@opiim.com.
For client organisations, the client entity acts as data controller of the mapping between an access code and the identity of one of its staff members, that mapping being held exclusively by the client (typically in a spreadsheet held by the HR or training department).
2. Personal data processed
2.1 Administrators (back-office access)
When an administrator uses the back-office (super admin, organisation admin or department admin) we process:
- Professional email address
- First name, last name, role
- Organisation and, where applicable, department
- Authentication metadata (timestamps, IP address used for the magic link / OTP)
- Activity logs relating to use of the back-office
2.2 End users (mobile application)
End users log in via an access code (format A7K9-M2X4-P3Q1). We collect no name, email address, phone number or other direct personal identifier. The data below, attached to a persistent identifier, constitutes pseudonymised data within the meaning of the GDPR: on its own it does not identify the person, but it may do so when combined with the mapping held by the client organisation.
We process:
- A randomly generated pseudonymous identifier (Supabase anonymous authentication)
- The access code used to log in
- Device identifiers (linked to the account to allow device switching)
- Optional responses to personality tests
- Interactions with the AI agents during training sessions (messages, choices, scores)
The mapping between an access code and a staff member's real identity is held solely by the client organisation, outside the PimsLead platform.
2.3 Website and prospects
When you contact us via the website or request a demonstration, we process the data you voluntarily provide (name, email, company, role, message).
3. Purposes and legal bases
Purpose => Legal basis
Providing the training service to administrators => Performance of the contract with the client organisation
Providing the training service to end users => Legitimate interest (training provided by the employer)
Hosting AI conversations for quality audit and improvement => Legitimate interest
Aggregated and anonymised statistics for the client organisation => Legitimate interest
Sending service / account emails => Performance of the contract
Commercial prospecting (B2B) => Legitimate interest, with right to object
Error monitoring (Sentry) => Legitimate interest (service reliability)
4. Recipients and sub-processors
Data is accessible to authorised PimsLead staff and to the following sub-processors:
- Supabase (database hosting, authentication, edge functions) — EU region
- Vercel (back-office and website frontend hosting)
- Resend (back-office transactional emails — invitations, magic links)
- Sentry (error monitoring — EU region de.sentry.io)
- AI provider(s) (configurable per client organisation, including fully European options on request — e.g. Mistral) for the Scriptwriter, Character and Coach agents
The list of sub-processors is updated with each change and available on request at contact@opiim.com.
5. International transfers
Data is processed mainly within the European Union. Transfers outside the EU take place only through certified mechanisms (Standard Contractual Clauses, adequacy decisions) and are documented with each sub-processor.
6. Retention periods
- Administrators' data: for the duration of the contract with the client organisation, then archived for the period required by applicable law.
- End users' pseudonymised data and AI conversations: for the duration of the contract, then anonymised or deleted within 12 months following the end of the contract.
- Prospect data: 3 years from the last contact.
- Error logs (Sentry): 90 days.
7. Rights of data subjects
In accordance with the GDPR, every data subject has the right of access, rectification, erasure, restriction, portability and objection to the processing of their personal data, as well as the right to lodge a complaint with a supervisory authority (in France, the CNIL).
- Administrators: rights are exercised by email at contact@opiim.com or directly from the back-office settings.
- End users: as we do not hold their identity, we cannot handle their request directly; it must in practice be addressed to their employer (client organisation), which holds the access-code / identity mapping. The end user may nonetheless delete their own data from the mobile application (account deletion: the pseudonymous identifier and associated history are erased).
8. AI processing
Training sessions involve calls to large language models (LLMs) operated by third-party providers (e.g. OpenAI, Mistral, Anthropic). The content of conversations is sent to these providers solely for the purpose of generating responses and may be processed in accordance with their respective policies.
Client organisations may choose a European AI provider when signing the contract. The list of prompts and AI providers used is managed in the back-office and transparent to the client.
Content generated by the AI agents is provided for educational purposes and never constitutes an individual assessment that would feed the staff member's professional file without their knowledge: scores reported to managers are aggregated and anonymised at organisation or department level.
9. Security
We apply technical and organisational measures aligned with the state of the art: TLS encryption of traffic, encryption at rest by the host, Row Level Security (RLS) policies on all tables, the principle of least privilege, multi-factor authentication for administrators, access and error monitoring, and a secure development lifecycle.
10. Cookies
The website and the back-office use only cookies strictly necessary for the operation of the service (authentication session, language preference). No advertising or third-party tracking cookies are placed without prior consent.
11. Contact
For any question relating to personal data: contact@opiim.com.