Legal
Privacy Policy
Pitchmaster processes account data, demo requests, training data, voice recordings and feedback data to provide the service, support customers and keep each workspace reliable. This policy explains what we collect, why we process it and which rights users have.
Last updated: 2026-06-24Who we are
PitchMaster is a product of Changemakers B.V., based in the Netherlands. We process personal data under the GDPR. The data controller is Changemakers B.V., contact via info@changemakersai.nl.
What data we collect
- Profile data (name, email, organization, team)
- Demo and contact requests (name, email, phone number and submission metadata)
- Training and practice-round data (transcripts, scores, feedback)
- Audio recordings of roleplays (in the "recordings" bucket)
- Onboarding progress (which steps were completed, which quiz answers given)
- Audit logs (administrative actions, retained for compliance)
- Technical data (IP address, session ID, browser type), including masked error-triggered replays via Sentry for debugging
Recording consent
Before you start a voice training for the first time, we ask for your explicit consent to record and process your audio. You can always decline or stop a training; without consent nothing is recorded. You can view (export) or delete recordings already made via your account.
Use of external AI services
For voice training we may process audio, transcript and exercise context through external AI and speech services: Google Gemini (real-time conversation and intonation analysis), OpenAI (written feedback and bot generation) and, where enabled, Deepgram (speech-to-text). For support chat and Bot Builder, prompts or messages may be processed through Anthropic.
We do not intentionally send your profile name or email address to AI services. Scenarios, bot copy or transcripts may still contain information that you or your organisation put into the training. Your recordings are not used to train AI models.
Legal basis: your explicit consent (GDPR Art. 9), given in-app before your first training and withdrawable at any time via Settings → Account & privacy.
These services may be located outside the EU. For transfers outside the EU we use appropriate transfer mechanisms, such as European Commission-approved Standard Contractual Clauses (SCCs) or an equivalent mechanism, and document this in our processor records. Retention follows each service’s applicable processing terms.
No automated HR decisions
Pitchmaster is intended for training, coaching and practice feedback. Scores and AI feedback may not be used as the sole basis for hiring, firing, promotion, salary, disciplinary measures or similar high-impact decisions.
Managers and organisations must always review feedback with human judgement and apply their own policies, employment-law obligations and non-discrimination rules.
Sub-processors and data residency
We use the following external services. Some are located outside the EU; for those parties we use appropriate transfer mechanisms, such as Standard Contractual Clauses (SCCs) or an equivalent mechanism. We maintain the current contract and evidence status internally and provide it to business customers on request.
| Processor | Region | Purpose | DPA |
|---|---|---|---|
| Hetzner + self-hosted Supabase | Hetzner EU infrastructure (primarily Falkenstein, DE) | Hosting infrastructure, database, auth, edge functions, file storage (recordings) and backups. | DPA ↗ |
| Sentry | sentry.io, US | Error tracking and masked error-triggered replays for debugging. | DPA ↗ |
| Resend | resend.com, US | Transactional email (invites, email verification, password reset, manager notifications). | DPA ↗ |
| Google Cloud (Gemini) | Google Cloud, US (multi-region) | AI feedback generation, real-time conversational agent (Gemini Live). | DPA ↗ |
| Deepgram | api.eu.deepgram.com, EU endpoint by default | Speech-to-text for live transcription in voice-relay where enabled. | Privacy / DPA on request ↗ |
| OpenAI | api.openai.com, US | Conversation evaluation model, AI feedback, and training-bot generation. | DPA ↗ |
| Anthropic | api.anthropic.com, US | Support chat and Bot Builder AI assistance for drafting or adjusting training bots. | DPA ↗ |
| Vimeo | vimeo.com, US | Hosting of training and course videos. Embeds run in do-not-track mode (no tracking cookies); Vimeo does receive your IP address to deliver the video. | DPA (Enterprise) ↗ |
| Stripe | stripe.com, US/EU | Payments, subscriptions, billing and related compliance where billing is enabled. | DPA ↗ |
| Calendly | calendly.com, US | Optional demo scheduling through the book-a-demo page. | DPA ↗ |
| Coolify (self-hosted) | Hetzner CPX32, Falkenstein (DE), EU | Frontend + voice-relay container orchestration. | self-hosted; processor agreement N/A. |
Retention periods
- Profile data: as long as the account is active. After a deletion request, a 30-day grace period, then permanently deleted.
- Training conversations, transcripts, feedback and recordings: automatically deleted or scrubbed after 30 days; earlier when the account is deleted.
- Uploaded library files: private storage with temporary signed URLs; retained while the linked library item is active.
- Audit logs: up to 7 years for compliance, 1 year for configuration changes.
- Sentry events: 90 days.
- Resend email events: 30 days.
Your rights
| Right to access | Settings → Account & privacy → Download my data. |
| Right to data portability | Same. The download is JSON, machine-readable. |
| Right to erasure | Settings → Account & privacy → Delete my account. 30-day grace period. |
| Right to rectification | Edit profile fields in Settings; team admin can edit org-level fields. |
| Right to object / restrict processing | Email info@changemakersai.nl. |
Cookies
We only use necessary cookies and browser storage for login, session security and interface preferences. No advertising cookies, retargeting pixels or third-party analytics cookies. Embedded services such as Vimeo or Calendly may receive technical information to deliver their content or scheduling tool. Stripe may process necessary payment data when you subscribe.
Privacy FAQ
For a short customer-facing answer about GDPR, retention periods, AI processing, processors and user rights, see our privacy FAQ. Open privacy FAQ ↗
Complaints
If you have a complaint about how we handle personal data, please contact support or file a complaint with the Dutch Data Protection Authority via autoriteitpersoonsgegevens.nl.