Privacy Policy
TESTMYTEAM POWERED BY AI, S.L.
29th July 2025
Company: TESTMYTEAM POWERED BY AI, S.L.
Location: Spain
Effective Date: 29th April 2026
Data Protection Officer: Paul Desarnauts — paul.de@testmyteam.ai
Address: Calle Augusto Figueroa 37, 5C 28003 Madrid, Spain
CIF: B21860382
This Privacy Policy is issued by:
TESTMYTEAM POWERED BY AI, S.L., a company organized under the laws of Spain and registered under CIF number B21860382, with registered office at Calle Augusto Figueroa 37, 5C 28003 Madrid, Spain (“Testmyteam”, “we”, “us”, or “our”);
and addressed to any individual or entity that accesses or uses the Service, whether as a platform user or as an individual whose personal data is processed through the Service ("you" or "your").
Clients are solely responsible for ensuring that any personal data provided to Testmyteam as Client Data has been lawfully obtained and that all applicable legal obligations towards the individuals concerned have been fulfilled.
1. Definitions
1.1 “Service” means the services offered by the Service Provider, whereas AI models analyze Client Data uploaded by Client and generate analytical reports on employee efficiency.
1.2 “Client” means any individual or entity that has entered into an agreement with Testmyteam for access to the Service, whether under a free tier or a paid subscription.
1.3 “Client Data” means all data, files, content, and materials provided or made available by or on behalf of Client to the Service, including any personal data, such as call recordings, transcripts, and associated metadata.
1.4 “Account Data” means personal data collected directly from a Client at the point of account registration, including full name, work email address, company name, company website, team size, and job title.
1.5 “Output” means reports, analytics, insights, and other results generated by the Service from Client Data.
1.6 “Personal Data”, “Controller”, “Processor”, and “Processing” have the meanings set forth in the GDPR (Regulation (EU) 2016/679).
1.7 “Sub-processor” means any third-party processor engaged by Testmyteam to process personal data on behalf of a Client.
1.8 “SCCs” means Standard Contractual Clauses approved by the European Commission for the transfer of personal data to third countries, pursuant to Commission Decision 2021/914 of 4 June 2021.
2. Scope and Data Categories
This Privacy Policy covers two distinct categories of personal data processed by Testmyteam:
Account Data — personal data collected directly from Clients at account registration. For this data, Testmyteam acts as Controller.
Client Data — personal data contained within call recordings, transcripts, and related materials imported by Clients for AI analysis, typically relating to the Client’s employees (such as employee names and voice data). For this data, the Client acts as Controller and Testmyteam acts as Processor.
These two categories are governed differently, as set out in the sections below.
3. Account Data
When a Client creates an account on the Testmyteam platform, the following Account Data is collected directly from that Client:
- Full name
- Work email address
- Company name and website
- Team size
- Job title
Purpose: Account Data is collected solely to create and manage the Client’s account, provide the Service, and communicate with the Client regarding their account and the Service.
Google OAuth: Clients may register using Google OAuth. In this case, the Client’s name and work email address are transmitted from Google to Testmyteam solely for the purpose of account creation. No other data is retrieved from Google.
Client-side storage: Testmyteam uses browser localStorage solely for functional purposes, including maintaining your authenticated session and preserving onboarding state. No personal data is stored in localStorage beyond what is strictly necessary to deliver the Service.
Legal basis: Contractual necessity (GDPR Art. 6(1)(b)) — this data is required to deliver the Service requested.
Retention: Account Data is retained for the duration of the Client’s account and deleted upon account closure in accordance with Section 8.
Sharing: Account Data is never sold to third parties. It may be processed by Sub-processors listed in Section 5 solely for the purpose of delivering the Service.
4. Client Data
4.1 Nature and responsibility
Client Data is processed by Testmyteam solely on documented instructions from the Client, for the purpose of delivering the Service. The Client, as Controller, is solely responsible for:
- Ensuring that Client Data has been collected lawfully and that all required notices, consents, and authorisations have been obtained, including any applicable employee information obligations and works council consultations.
- Establishing and documenting a valid legal basis under whichever data protection laws are applicable to the Processing of personal data contained in Client Data.
- Ensuring that the use of Client Data and any resulting Outputs complies with applicable laws, including employment, labour, and privacy laws.
Testmyteam does not independently verify the lawfulness of Client Data provided by Clients.
4.2 AI-generated Outputs
The Service analyzes Client Data and generates Outputs including scores, ratings, and coaching insights relating to individual employees’ call performance. These Outputs are decision-support tools only. Testmyteam does not make automated decisions with legal or similarly significant effects on individuals. Any decisions based on Outputs remain the sole responsibility of the Client.
The Service is designed and operated with due regard to applicable EU regulations, including the EU AI Act. Clients are responsible for ensuring their own use of Outputs complies with applicable laws.
4.3 Use of Client Data
Client Data is used exclusively for AI-driven analysis, insights, and related services. It is not shared with or sold to third parties except as necessary to deliver the Service via the Sub-processors listed in Section 5.
5. Sub-processors
In order to provide the Service, Testmyteam engages the following Sub-processors who may process personal data on its behalf:
|
Provider |
Legal Entity |
Purpose |
Location |
|
Supabase |
Supabase Inc. |
Database, auth, storage, edge functions |
EU — Ireland (AWS eu-west-1) |
|
AWS |
Amazon Web Services EMEA SARL |
Infrastructure provider for Supabase |
EU — Ireland |
|
Anthropic |
Anthropic, PBC |
AI call analysis |
USA — SCCs apply |
|
OpenAI |
OpenAI, LLC |
AI call analysis |
USA — SCCs apply |
|
Mistral AI |
Mistral AI SAS |
AI call analysis |
EU — France |
|
Dialpad |
Dialpad, Inc. |
Call data source via API integration |
USA — SCCs apply |
|
|
Google LLC |
OAuth authentication |
USA — SCCs apply |
|
Lovable |
Lovable Labs Incorporated |
Frontend hosting platform |
USA — SCCs apply |
|
Cloudflare |
Cloudflare, Inc. |
Frontend CDN delivery |
USA — global edge, EU PoPs |
Transfers of personal data to Sub-processors outside the European Economic Area (marked SCCs apply) are governed by SCCs incorporated into Testmyteam’s agreements with each such Sub-processor. This ensures personal data receives equivalent protection to EU standards regardless of where it is processed.
6. Legal Basis for Processing
Account Data: Processed on the basis of contractual necessity (GDPR Art. 6(1)(b)).
Client Data: Processed on the basis of contractual necessity (GDPR Art. 6(1)(b)) by Testmyteam as Processor, acting on the Client’s documented instructions. The Client as Controller is responsible for establishing the legal basis for processing personal data contained in Client Data.
7. Data Subject Rights
The following rights apply to Clients with respect to their Account Data, for which Testmyteam acts as Controller:
- Right of access (Art. 15) — to obtain confirmation of whether and how their data is processed.
- Right to rectification (Art. 16) — to request correction of inaccurate data.
- Right to erasure (Art. 17) — to request deletion of their data.
- Right to object (Art. 21) — to object to processing of their data.
- Right to data portability (Art. 20) — to receive data in a structured, machine-readable format.
- Right to restrict processing (Art. 18) — to request that processing be limited in certain circumstances.
For Account Data: requests may be submitted directly to Paul Desarnauts at paul.de@testmyteam.ai. Testmyteam responds within 30 days. All requests are logged for accountability.
Any Client has the right to lodge a complaint with a supervisory authority. Testmyteam recommends contacting the CNIL (Commission Nationale de l’Informatique et des Libertés), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France — www.cnil.fr.
8. Data Retention and Deletion
Account Data: retained for the duration of the Client’s account and deleted upon account closure.
Client Data: retained only as long as necessary to provide the Service. Clients may delete their account and all associated Client Data — including call recordings, transcripts, and AI-generated results — at any time directly from within the Service. Deletion takes effect immediately upon request. Testmyteam may provide written confirmation of complete removal from all systems and backups within 60 days of the deletion request, upon Client’s written request. An exception applies to consent records: the email address and acceptance timestamp recorded at signup are retained for a minimum of 5 years following account closure as evidence of legal consent, as required by applicable data protection laws.
9. Data Processing Agreement
For the processing of Client Data, Testmyteam enters into a Data Processing Agreement (DPA) with each Client, setting out the respective roles of the parties, applicable security measures, breach notification obligations, and data deletion procedures. For self-serve accounts, the DPA is accepted electronically at the point of account creation and has the same legal effect as a signed agreement. The current DPA is available at testmyteam.ai/legal/dpa.
10. Security
Testmyteam implements appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These measures include:
- All data in transit is encrypted via TLS.
- Third-party integration credentials (such as VoIP provider API keys) are encrypted using AES-256-GCM before being stored in the database. The plaintext key is never persisted. The encryption secret is stored as a server-side secret, never in code.
- AI provider credentials are stored exclusively as server-side secrets and are never exposed to the frontend or stored in the database.
- Testmyteam’s database enforces row-level security, ensuring strict data isolation between tenants — each client can only ever access their own data.
- Infrastructure is hosted within the EU (AWS eu-west-1, Ireland).
- Regular security reviews are conducted to maintain appropriate protection standards.
11. Cross-Border Data Transfers
Certain Sub-processors listed in Section 5 are located outside the EU/EEA (Anthropic, OpenAI, Dialpad, Google, Lovable, and Cloudflare, all based in the USA). Any transfer of personal data to these Sub-processors complies with GDPR Chapter V via SCCs approved by the European Commission (Commission Decision 2021/914), ensuring adequate protection equivalent to EU standards.
12. Oversight and Compliance
TESTMYTEAM POWERED BY AI, S.L. has designated Paul Desarnauts as Data Protection Officer (DPO), responsible for overseeing privacy, security, and GDPR compliance. The DPO may be contacted at paul.de@testmyteam.ai.
Personnel handling personal data receive regular training on GDPR and data security requirements.
Any personal data breaches are documented and, where required, reported to the CNIL within 72 hours of becoming aware, and communicated to affected parties in accordance with GDPR Art. 33 and 34.
13. Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of France. Any dispute relating to this Privacy Policy shall be submitted to the exclusive jurisdiction of the courts within the jurisdiction of the Paris Court of Appeal (Cour d’appel de Paris).
14. Policy Review
This Privacy Policy is reviewed periodically to ensure ongoing compliance with GDPR, the EU AI Act, and evolving best practices in AI data management. The current version, together with a dated version history, is always available at testmyteam.ai/legal/privacy.