Privacy Policy
Last updated: 2026-05-18
PimsLead is designed around the principle of data minimization: end users (managers training on the mobile application) connect anonymously using a one-time access code, and no personal data identifying them is stored on our servers.
1. Data Controller
The data controller is OPIIM SARL — contact@opiim.com.
For client organizations, the customer entity acts as data controller for the mapping between an access code and the identity of one of their employees, since this mapping is kept exclusively by the customer (typically in an Excel file managed by the HR or training department).
2. Personal Data Processed
2.1 Administrators (backoffice access)
When an administrator uses the backoffice (super admin, organization admin or department admin) we process:
- Professional email address
- First name, last name, role
- Organization and, where relevant, department
- Authentication metadata (timestamps, IP address used for the magic link / OTP)
- Activity logs related to the use of the backoffice
2.2 End users (mobile application)
End users connect anonymously through an access code (format A7K9-M2X4-P3Q1). We do not collect their name, email address, telephone number or any other identifier.
We process:
- A randomly generated anonymous identifier (Supabase anonymous auth)
- The access code used to connect
- Device identifiers (linked anonymously to the account so the user can switch device)
- Optional answers to personality assessments
- Interactions with AI agents during training sessions (messages, choices, scores)
The mapping between an access code and the real identity of an employee is held only by the customer organization, outside of the PimsLead platform.
2.3 Marketing website and prospects
When you contact us via the marketing website or subscribe to a demo, we process the data you provide voluntarily (name, email, company, role, message).
3. Purposes and Legal Bases
| Purpose | Legal basis |
|---|---|
| Provision of the training service to administrators | Performance of the contract with the customer organization |
| Provision of the training service to end users | Legitimate interest (training delivered by the employer) |
| Hosting AI conversations for quality audit and improvement | Legitimate interest |
| Aggregated and anonymized analytics for the customer organization | Legitimate interest |
| Sending account / service emails | Performance of the contract |
| Commercial prospecting (B2B) | Legitimate interest, with opt-out |
| Error monitoring (Sentry) | Legitimate interest (service reliability) |
4. Recipients and Subprocessors
The data is accessed by authorized PimsLead employees and by the following subprocessors:
- Supabase (database hosting, authentication, edge functions) — EU region
- Vercel (frontend hosting for the backoffice and marketing website)
- Resend (transactional emails for the backoffice — invitations, magic links)
- Sentry (error monitoring — EU region de.sentry.io)
- AI provider(s) (configurable per customer organization, including European-only options on request — e.g. Mistral) for the Scenariste, Personnage and Coach agents
The list of subprocessors is updated whenever it changes and is available on request at contact@opiim.com.
5. International Transfers
Data is processed primarily within the European Union. Transfers outside the EU only occur through certified mechanisms (Standard Contractual Clauses, equivalent decisions) and are documented with each subprocessor.
6. Retention
- Administrator data: for the duration of the contract with the customer organization, then archived for the period required by applicable law.
- Anonymous end-user data and AI conversations: for the duration of the contract, then anonymized or deleted within 12 months following the end of the contract.
- Marketing prospect data: 3 years after the last contact.
- Error logs (Sentry): 90 days.
7. Rights of the Data Subjects
In accordance with the GDPR, every data subject has the right to access, rectify, erase, restrict, port and object to the processing of their personal data, as well as the right to lodge a complaint with a supervisory authority (in France, the CNIL).
- Administrators: rights can be exercised by writing to contact@opiim.com or directly from the backoffice settings.
- End users: since we do not hold their identity, the request must in practice be addressed to their employer (customer organization), which holds the access-code / identity mapping. The end user can however delete their own data from the mobile application (account deletion: anonymous identifier and associated history are erased).
8. AI Processing
The training sessions involve calls to large language models (LLMs) operated by third-party providers (e.g. OpenAI, Mistral, Anthropic). The conversation content is sent to these providers solely to generate responses and may be processed in accordance with their respective policies.
Customer organizations can choose a European AI provider when the contract is signed. The list of prompts and AI providers used is administered in the backoffice and is transparent to the customer.
The content generated by AI agents is provided for educational purposes and never constitutes individual evaluation feeding back into the employee's professional file without their knowledge: scores reported to managers are aggregated and anonymized at the organization or department level.
9. Security
We apply technical and organizational measures aligned with the state of the art: TLS encryption for traffic, encryption at rest by the hosting provider, RLS (Row Level Security) policies on every table, principle of least privilege, multi-factor authentication for administrators, monitoring of access and errors, secure software development lifecycle.
10. Cookies
The marketing website and the backoffice only use cookies that are strictly necessary for the operation of the service (authentication session, language preference). No third-party advertising or tracking cookies are deployed without prior consent.
11. Contact
Questions relating to personal data: contact@opiim.com.