Privacy Policy

Last updated: March 30, 2026

CharmWise ("we", "us", "our") is an AI-powered social intelligence platform that helps you practice social scenarios and develop interpersonal skills. This Privacy Policy explains how we collect, use, share, and protect your personal data when you use our service at charmwise.ai (the "Service").

We are the data controller for your personal data. If you have questions about this policy or your data, contact our Data Protection Officer at privacy@charmwise.ai.

1. Information We Collect

We collect the following categories of personal data, each with a specific legal basis under GDPR:

Account Data

Your email address and display name, collected when you create an account. If you sign in via Google OAuth, we receive your name and email from Google.

Legal basis: Contractual necessity (GDPR Art. 6(1)(b))

Profile Data

Your social goals, experience level, selected learning tracks, and assessment scores, collected during onboarding and as you use the Service.

Legal basis: Consent via onboarding (GDPR Art. 6(1)(a))

Practice Data

Chat messages from practice sessions, AI-generated scorecards with dimension scores and feedback, and personalized lessons. This data is generated through your use of the Service.

Legal basis: Contractual necessity (GDPR Art. 6(1)(b))

Billing Data

Your Stripe customer ID, subscription status, plan type, and billing period dates. We do not store your full payment card details — these are held by Stripe.

Legal basis: Contractual necessity (GDPR Art. 6(1)(b))

Usage Data

Analytics events such as page views, feature usage, and interaction patterns, collected via PostHog. This data is only collected if you provide consent through our cookie banner.

Legal basis: Consent (GDPR Art. 6(1)(a))

Technical Data

IP addresses and user agent strings, collected automatically for security monitoring, abuse prevention, and debugging.

Legal basis: Legitimate interest for security (GDPR Art. 6(1)(f))

2. How We Use Your Data

We use your personal data for the following purposes:

  • Providing the Service: To operate your account, deliver AI-powered practice sessions, generate scorecards and lessons, and manage your learning paths. (Contractual necessity)
  • Payment processing: To manage subscriptions, process payments via Stripe, and maintain billing records. (Contractual necessity)
  • Communications: To send transactional emails such as account verification, password resets, data export links, and account deletion confirmations via Resend. (Contractual necessity)
  • Analytics and improvement: To understand how users interact with the Service and improve the user experience, via PostHog. (Consent — only with your permission)
  • Security and abuse prevention: To detect and prevent fraud, unauthorized access, and other malicious activity using technical data. (Legitimate interest)
  • Error monitoring: To identify and fix software bugs using minimal error context via Sentry. (Legitimate interest)

3. Data Sharing & Third Parties

We do not sell your personal data. We share data with the following third-party processors, each bound by data processing agreements:

Google Gemini (AI Processing)

Your chat messages are sent to Google's Gemini API for AI evaluation and response generation. Google processes this data under their data processing terms. Messages are sent for real-time processing and are not retained by Google for model training when using the API.

Stripe (Payment Processing)

Stripe processes your payment information, manages subscriptions, and handles billing. Stripe is PCI DSS Level 1 certified. We never have access to your full card details.

Resend (Email Delivery)

Resend delivers transactional emails on our behalf, including account verification, data export links, and deletion confirmations. Your email address is shared for delivery purposes.

PostHog (Analytics)

PostHog collects analytics events only when you have given consent via our cookie banner. IP addresses are anonymized. We do not use session recording.

Sentry (Error Tracking)

Sentry captures error reports to help us fix software issues. Minimal personal data is included — only your user ID is sent. Email addresses and names are scrubbed from error events.

Hetzner (Hosting)

Our application and database are hosted on Hetzner servers located in the EU. Hetzner provides the infrastructure but does not access your data.

Cloudflare R2 (File Storage)

Cloudflare R2 stores user-uploaded files such as avatars and temporary data exports. Files are encrypted at rest.

International data transfers: Some processors (Google, Stripe, Sentry) may process data in the United States. In each case, appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and the EU-U.S. Data Privacy Framework where applicable.

4. Your Rights (GDPR Articles 15–22)

Under the General Data Protection Regulation, you have the following rights regarding your personal data:

  • Right of access (Art. 15): You can request a copy of all personal data we hold about you. Use the "Export My Data" feature in your Settings page to download a JSON export of your data.
  • Right to erasure (Art. 17): You can request deletion of your account and all associated data. Use the "Delete Account" option in your Settings page. Deletion includes a 14-day grace period during which you can recover your account by signing back in. After 14 days, all data is permanently and irreversibly deleted from our systems and third-party processors.
  • Right to rectification (Art. 16): You can correct inaccurate personal data at any time through your Settings page, including your display name, email, and profile information.
  • Right to restrict processing (Art. 18): You can request that we limit the processing of your data in certain circumstances. Contact us at privacy@charmwise.ai to make this request.
  • Right to data portability (Art. 20): You can receive your data in a structured, commonly used, machine-readable format (JSON). The "Export My Data" feature provides a complete JSON export organized by data category.
  • Right to object (Art. 21): You can object to processing based on legitimate interest. You can control analytics tracking via the cookie consent banner or your Settings page.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent (analytics cookies, profile data collected during onboarding), you can withdraw consent at any time through your Settings page or the cookie consent controls. Withdrawal does not affect the lawfulness of processing performed before withdrawal.
  • Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

To exercise any of these rights, use the self-service options in your Settings page or contact us at privacy@charmwise.ai. We will respond to your request within 30 days as required by GDPR.

5. Cookie Policy

We use cookies and similar technologies to operate the Service and, with your consent, to collect analytics data.

Essential Cookies

These cookies are strictly necessary for the Service to function and cannot be disabled.

  • Authentication session cookie: Identifies your logged-in session. Expires when you sign out or after the session timeout.
  • Cookie consent preference: Stores your cookie consent choice, timestamp, and policy version. Expires after 365 days.
  • Locale preference: Stores your language preference for the application.

Legal basis: These cookies are exempt from consent under the ePrivacy Directive as they are strictly necessary.

Analytics Cookies

PostHog analytics cookies collect usage data to help us improve the Service. These cookies are only set if you give your consent through our cookie banner.

Legal basis: Consent (GDPR Art. 6(1)(a))

Managing Your Preferences

You can manage your cookie preferences at any time through the Privacy & Data section in your Settings page. You can also clear cookies through your browser settings. If you withdraw analytics consent, PostHog cookies and local storage data will be cleared immediately.

6. Data Retention

We retain your personal data for the following periods:

  • Account data: Retained until you delete your account, plus a 14-day grace period during which deletion can be canceled.
  • Chat messages and practice data: Retained until you delete your account.
  • Analytics data: Retained for 12 months from collection, then automatically deleted.
  • Database backups: Retained per our backup retention schedule. Individual user data within backups is not separately erasable — this is consistent with GDPR Recital 65, which recognizes that erasure from backups may be technically impractical. Backups automatically expire according to the retention schedule.
  • Data exports: Export files are automatically deleted 7 days after generation.

When you delete your account, all personal data is permanently removed from our active database and all third-party processors (Stripe, PostHog, Resend) within the processing period.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest: Database and file storage are encrypted at rest.
  • Access controls: Access to personal data is restricted to authorized personnel on a need-to-know basis.
  • Password security: Passwords are hashed using bcrypt and never stored in plaintext.
  • Session management: Authentication sessions are managed securely with automatic expiration.

8. Children's Privacy

The Service is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal data, please contact us at privacy@charmwise.ai.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by email at the address associated with your account and update the "Last updated" date at the top of this page. If the changes affect cookie consent, your existing consent preference will be reset and you will be asked to review and accept the updated policy.

10. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact our Data Protection Officer:

Data Protection Officer

CharmWise

Email: privacy@charmwise.ai

We aim to respond to all privacy-related inquiries within 30 days.