Your Data Explained
A comprehensive guide on how we protect, manage, and respect your personal information with transparency and care.
How Your Data Flows Securely
This diagram shows the journey your personal information takes from your device to our secure systems, highlighting the multiple layers of protection at every step.
Your Device
• You enter information
• Data prepared for transmission
• Secure HTTPS connection
Secure Transit
• TLS 1.3 encryption
• Secure HTTPS connection
• Protected during travel
Vercel Processing
• SOC 2 Type II certified
• Global edge network
• ISO 27001 compliant
Secure Storage
• AES-256 encryption at rest
• HIPAA compliant database
• Regular security audits
Additional Security Measures
Access Controls: Your personal information is protected by strict access controls and authentication systems.
Only you and your explicitly chosen coaches can access your personal coaching information through authenticated, secure connections.
Authentication & Identity
Your login and identity information is managed by Clerk (SOC 2 certified) and protected under the EU-US Data Privacy Framework.
Our Security Commitments
Encrypted in Transit
All data transmission is protected using TLS 1.3 encryption ensuring secure communication between your device and our servers
Industry-standard encryption protects your data while traveling over the internet
Enterprise-Grade Infrastructure
All our providers maintain SOC 2 Type II compliance and industry-leading security certifications
Vercel, Convex, and Clerk all meet the highest security standards
Global Data Protection
Full compliance with GDPR, CCPA, PIPEDA, and Data Privacy Framework regulations
Your rights are protected regardless of your location
Encrypted at Rest
Your stored data is protected with AES-256 encryption when saved in our secure databases
Multiple layers of encryption protect your information at all times
Frequently Asked Questions
Q: How is my data encrypted and protected?
A: We use multiple layers of encryption to protect your data: All data is encrypted in transit using TLS 1.3 during transmission between your device and our servers, and encrypted at rest using AES-256 when stored in our secure databases. Additionally, strict access controls ensure only authorized users can access your information.
Q: Where is my data stored and processed?
A: Your data is stored across secure, certified data centers: Static content (like our website) is delivered from the nearest global location via Vercel's edge network. Application processing happens in Frankfurt, Washington D.C., or Singapore. Database storage is currently in the US-East region (expanding to Europe in late 2025). Authentication data is stored in US-Central (Iowa).
Q: What certifications do your providers have?
A: All our infrastructure providers maintain enterprise-grade certifications: Vercel has SOC 2 Type II, ISO/IEC 27001, HIPAA, GDPR, and CCPA compliance, and is certified under the EU-US Data Privacy Framework. Convex is SOC 2 Type II compliant, HIPAA-compliant, and GDPR compliant. Clerk is SOC 2 Type II certified, HIPAA-compliant, and self-certified under the Data Privacy Framework.
Q: How do you comply with GDPR if some data is stored in the US?
A: We comply through the EU-US Data Privacy Framework (DPF) and standard contractual clauses. Our providers (Vercel, Convex, Clerk) are certified under DPF, which provides adequacy for transferring EU personal data to the US. Additionally, we use contractual safeguards and strong encryption both in transit and at rest to protect your data across all systems.
Q: Can I see, download, or delete my data?
A: Absolutely! You have full control over your personal data. You can request to see all data we have about you, download a copy of your information, request corrections, or ask us to delete your account and all associated data. Use our Data Subject Access Request form or contact us at connect@purposelabs.ai to exercise these rights.
Q: What happens to my data if I delete my account?
A: When you delete your account, we permanently remove all your personal data from our systems immediately. This includes your profile information, coaching data, assessment results, and any uploaded content. Some anonymized analytics data may be retained for service improvement, but cannot be linked back to you personally.
Q: How do you protect data during AI coaching sessions?
A: AI coaching interactions are protected through multiple security layers: Your inputs are transmitted securely using TLS 1.3 encryption, AI processing happens on secure, certified infrastructure, generated insights are encrypted during storage and transmission, and human coaches (when involved) access data through secure, authenticated connections only. Important: We do not use your data for AI training - your coaching interactions and personal information are never used to train, fine-tune, or improve AI models.
Q: Is my data used to train AI models?
A: No, absolutely not. We have a strict zero-training policy - your personal data, coaching interactions, uploaded documents, and any other information you share with us are never used to train, fine-tune, or improve AI models (ours or third-party). All AI processing is performed exclusively to provide you with immediate coaching insights and recommendations. Your data remains private and is only used for your direct benefit.
Q: Who has access to my personal information?
A: Access to your personal data is strictly limited: You have full access to your own data, assigned human coaches can only see information relevant to your coaching relationship, our support team has limited access only when you request help, and automated AI systems process encrypted data without human oversight. We never sell or share your personal data with third parties for marketing purposes.
Q: How often do you update your security practices?
A: We continuously monitor and update our security practices: Security assessments are conducted quarterly, all infrastructure providers undergo annual SOC 2 audits, we monitor for new threats and vulnerabilities daily, privacy policies are reviewed and updated as needed, and we stay current with evolving data protection regulations worldwide.
Q: What should I do if I'm concerned about my data security?
A: If you have any concerns about your data security, please contact us immediately at connect@purposelabs.ai. We take all security concerns seriously and will investigate promptly. You can also review our detailed privacy policy, submit a data access request to see what information we have, or request account deletion if you prefer to discontinue services.
Q: How do I report a security vulnerability?
A: If you believe you've discovered a security vulnerability in our platform or services, please report it to connect@purposelabs.ai and we'll respond within 24 hours. We request that you do not publicly disclose the issue until we have had a chance to address it. We appreciate responsible disclosure and take all security reports seriously.
Compliance & Certifications
Vercel (Hosting)
- SOC 2 Type II
- ISO/IEC 27001
- GDPR & CCPA Compliant
- EU-US Data Privacy Framework
- HIPAA Compliant
Convex (Database)
- SOC 2 Type II
- HIPAA Compliant
- GDPR Compliant
- AES-256 Encryption
- Hosted on AWS
Clerk (Authentication)
- SOC 2 Type II
- HIPAA Compliant
- Data Privacy Framework
- CCPA Compliant
- Secure Token Management
This guide is regularly updated to reflect our current data protection practices.
Last reviewed: August 18, 2025