Privacy Policy

1. Current Product Scope

CoManager is currently offered as a product for individual users, such as managers, team leads, engineering managers, founders, and professionals who want to organize their own leadership notes and prepare for management conversations.

CoManager is not currently offered as an employer-sponsored, company-wide, enterprise, HR, employee monitoring, or official performance management system.

You are responsible for ensuring that the information you enter into CoManager is lawful, permitted by your employer’s policies, and does not violate confidentiality, privacy, employment, or data protection obligations.

We strongly recommend that you minimize the personal data you enter into the Service and avoid entering sensitive or unnecessary information about other people.

2. Controller

For personal data related to your account and use of the Service, we act as the data controller. This means we determine why and how your personal data is processed for purposes such as account creation, authentication, service delivery, security, billing, product improvement, and communication.

If you enter information about other people into CoManager, such as notes about colleagues, direct reports, peers, candidates, or team members, you are responsible for ensuring that you have the lawful right to do so.

At this MVP stage, CoManager is not intended to be used as a formal processor for an employer, company, or HR department unless we have separately agreed this in writing.

3. Personal Data We Collect

We may collect and process the following categories of personal data.

3.1 Account Data

Examples: name; email address; password or authentication credentials; login method; account settings; subscription status; billing status, if paid plans are introduced.

Purpose: creating and managing your account; authenticating you; providing the Service; communicating service-related information; managing payments, if applicable.

Legal basis: performance of a contract; legal obligations, where applicable; legitimate interests in operating and securing the Service.

3.2 User Content

Examples: notes; meeting notes; 1:1 notes; agenda items; action items; feedback notes; prompts; summaries; goals; reflections; profile information you choose to enter; AI-generated outputs saved in your account.

Purpose: providing the core functionality of the Service; generating summaries, suggestions, agenda items, follow-ups, and other AI Output; storing and organizing your leadership context; allowing you to retrieve and manage your own notes.

Legal basis: performance of a contract with you; legitimate interests in providing and improving the Service; your responsibility to ensure that any third-party personal data you submit is lawful.

3.3 Technical and Usage Data

Examples: IP address; device information; browser type; operating system; log data; timestamps; pages visited; feature usage; error logs; session activity; approximate location based on IP address.

Purpose: operating the Service; maintaining security; detecting abuse; debugging errors; improving performance; understanding product usage; developing and improving MVP features.

Legal basis: legitimate interests in operating, securing, and improving the Service; consent where required for certain analytics or cookies.

3.4 Communication Data

Examples: emails you send to us; support requests; feedback; survey responses; early-access requests; product research conversations.

Purpose: responding to your requests; providing support; improving the Service; understanding user needs; managing early-access or beta participation.

Legal basis: performance of a contract; legitimate interests in supporting users and improving the Service; consent where applicable.

3.5 Payment Data

If we introduce paid plans, payment processing may be handled by third-party payment providers. We may process: subscription plan; billing address; payment status; invoices; transaction metadata. We do not intend to store full credit card details ourselves.

Purpose: processing payments; managing subscriptions; issuing invoices; complying with tax and accounting obligations.

Legal basis: performance of a contract; legal obligations; legitimate interests in managing billing and payment operations.

4. How We Use Personal Data

We use personal data to:

• create and manage your account;
• provide access to the Service;
• generate AI summaries, suggestions, agenda items, and follow-ups;
• save and organize your User Content;
• secure the Service;
• prevent misuse and unauthorized access;
• troubleshoot technical issues;
• communicate with you about the Service;
• respond to support requests;
• improve product quality and user experience;
• develop new features;
• manage payments, if applicable;
• comply with legal obligations;
• enforce our Terms.

We do not sell your personal data.

5. AI Processing

The Service uses AI and automated processing to provide features such as summaries, agenda suggestions, follow-up suggestions, note structuring, pattern detection, and other leadership productivity features.

AI Output may be inaccurate, incomplete, biased, or unsuitable for your situation. You must review and verify AI Output before relying on it.

We do not use your identifiable User Content, such as specific personal notes, names, private meeting notes, or workplace context, to train third-party foundation models in a way that would make your content available to other users.

Your User Content may be processed by AI service providers only as necessary to provide the Service to you, subject to appropriate contractual, security, and data protection safeguards.

If we introduce optional model-improvement features that use identifiable User Content beyond what is necessary to provide the Service, we will request your explicit opt-in consent where required.

6. No Automated Employment Decisions

CoManager is not intended to make automated employment, HR, disciplinary, hiring, firing, promotion, compensation, or performance decisions.

The Service may generate suggestions or highlight possible patterns based on User Content, but these outputs are not official decisions and must not be treated as facts or determinations.

You must not use CoManager as the sole or primary basis for decisions that legally, professionally, or materially affect another person.

7. Sensitive Data and Third-Party Personal Data

CoManager is designed for personal leadership productivity, not for storing sensitive employee records. You should not enter sensitive personal data into the Service, including:

• health information;
• medical information;
• psychological information;
• religious or philosophical beliefs;
• political opinions;
• trade union membership;
• sexual orientation;
• biometric data;
• disciplinary records;
• official employee records;
• information about minors;
• other sensitive or legally protected categories of data.

If you enter personal data about another person, you are responsible for ensuring that you have a lawful basis, permission, and authority to do so.

We recommend using anonymized, pseudonymized, or generalized notes where possible.

8. Sharing Personal Data with Service Providers

We may share personal data with trusted service providers that help us operate the Service. These may include:

• cloud hosting providers;
• database and infrastructure providers;
• AI model or AI infrastructure providers;
• authentication providers;
• analytics providers;
• error monitoring and logging providers;
• email and communication providers;
• payment processors, if paid plans are introduced;
• customer support tools;
• legal, accounting, or compliance advisors.

These providers may process personal data only as necessary to provide services to us and are subject to appropriate contractual, confidentiality, and data protection obligations.

We may publish and maintain a list of key subprocessors or service providers in the future.

9. Legal Disclosures

We may disclose personal data if we reasonably believe it is necessary to:

• comply with applicable law;
• respond to lawful requests from courts, regulators, or public authorities;
• protect our rights, users, systems, or property;
• investigate fraud, security incidents, or misuse;
• enforce our Terms;
• complete a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate safeguards.

10. International Data Transfers

We aim to process and store personal data primarily within the European Economic Area where reasonably possible. Some service providers may process personal data outside the EEA.

Where personal data is transferred outside the EEA, we rely on appropriate safeguards, such as:

• adequacy decisions;
• Standard Contractual Clauses;
• additional contractual, organizational, and technical safeguards where required.

11. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce our agreements.

11.1 Account Data

Account Data, including your name, email address, account credentials, subscription information, and billing records, is retained for the duration of your active account. Following account deletion or termination, we may retain certain information for a limited period where required to comply with legal, tax, accounting, security, fraud prevention, or regulatory obligations.

11.2 Organizational Data

Organizational Data, including 1-on-1 notes, performance reviews, peer feedback, team structures, goals, and related management information, is retained only while your account remains active and the data is required to provide the Service. Upon account deletion, termination, or expiration of any applicable transition period, we will securely delete or anonymize Organizational Data from our active systems within a reasonable period, unless retention is required by law.

11.3 Inactive Accounts and Data Retention

To minimize the retention of personal information and Organizational Data, we may deactivate, anonymize, or permanently delete inactive accounts and associated data. An account may be considered inactive if no user associated with the account has logged into or otherwise actively used the Service for ninety (90) consecutive days.

Before deleting an inactive account, we will make reasonable efforts to notify the account owner using the email address associated with the account. If no action is taken following such notice, we may permanently delete or anonymize the account and all associated Account Data and Organizational Data.

This inactivity policy is intended to ensure compliance with data minimization principles and to avoid retaining personal information longer than necessary.

11.4 Backup Retention

Deleted data may remain temporarily in encrypted backup systems for operational, disaster recovery, and security purposes. Such backup copies are retained only for a limited period and are automatically removed in accordance with our backup retention procedures. Backup data is not restored except where necessary for disaster recovery, security, or legal compliance purposes.

12. Security

We use commercially reasonable technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. Measures may include:

• access controls;
• encryption in transit;
• authentication controls;
• logging and monitoring;
• restricted access to production systems;
• backups;
• vendor security review;
• internal confidentiality obligations.

However, no system is completely secure. We cannot guarantee absolute security.

You are responsible for using a strong password, protecting your account, and avoiding unnecessary upload of sensitive or confidential information.

13. Cookies and Analytics

We may use cookies, local storage, and similar technologies to operate the Service, keep you logged in, remember preferences, secure the Service, understand usage, and improve the product. Some cookies or similar technologies may be essential for the Service to work.

For non-essential analytics or marketing cookies, we will request consent where required by law. You may be able to control cookies through your browser settings or through cookie preferences provided by the Service.

A separate Cookie Policy may be provided in the future.

14. Your GDPR Rights

Depending on your location and applicable law, you may have the following rights:

• right of access;
• right to rectification;
• right to erasure;
• right to restriction of processing;
• right to data portability;
• right to object;
• right to withdraw consent where processing is based on consent;
• right to lodge a complaint with a data protection authority.

To exercise your rights, contact us at [email protected]. We may need to verify your identity before responding.

If your request concerns personal data about another person that you entered into the Service, we may need to assess the request carefully to protect the rights and privacy of all affected individuals.

15. Complaints

If you are located in the European Economic Area, you have the right to lodge a complaint with a data protection supervisory authority. If you are based in Berlin, the competent authority may be:

Berliner Beauftragte für Datenschutz und Informationsfreiheit

You may also contact your local data protection authority.

16. Children

The Service is not intended for children or individuals under 18 years old. We do not knowingly collect personal data from children.

If you believe that a child has provided personal data to us, please contact us so we can take appropriate action.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will take reasonable steps to notify you, such as by email, in-app notice, or website notice.

The updated Privacy Policy will apply from the effective date stated at the top of the document.

18. Contact and Legal Information

CoManager is currently not operated by a registered company, UG, GmbH, or other separate legal entity. CoManager is a product and trading name used by the individual operator named above.

Registration number: Not applicable · VAT ID: Not applicable