Data Protection and Cookie Policy

Version: 2.1

Last Updated: December 18th, 2025

1. Introduction

Welcome to Refine. This Privacy Policy details our commitment to protecting the privacy of individuals who use our services ("Users"). It explains what Personal Data we collect, our legal basis for processing it, how we use and share it, and your rights under the General Data Protection Regulation (GDPR).

2. Data Controller and Processor Roles

Refine may act as either a Data Controller or a Data Processor under the General Data Protection Regulation (GDPR), depending on the context in which the Services are used.

Self-serve, demo, and trial use: When individuals or organizations use the Refine platform on a self-serve, demo, or trial basis, Refine determines the purposes and means of processing personal data necessary to provide and improve the Services. In this context, Refine acts as the Data Controller.

Enterprise or customer-managed deployments: When Refine provides the Services to an organization under a written agreement (for example, corporate training deployments with user management, analytics, or SSO integrations), the customer acts as the Data Controller and Refine acts as the Data Processor, processing personal data solely on the customer’s documented instructions pursuant to a Data Processing Agreement (DPA) or equivalent contractual terms.

Unless otherwise agreed in writing, the applicable role is determined by the contract governing the use of the Services.

The data controller for self-serve, demo, and trial use is:

Company: Refine Inc.
Contact for Data Protection Matters: cto@refine-skills.com

3. What Data We Collect?

Identity & Account Data: Full name, corporate email address, and job position.
Professional Context Data: Your industry, job role, and business cultures.
User-Generated Content: Includes audio recordings and text-based responses.
Service-Generated Data: Includes transcripts, AI-generated analysis, and roadmap progress.
Technical Data: IP address, browser type, and device data for security and troubleshooting.
Cookie Data: Details in Section 8.
SSO: Where single sign-on (SSO) is enabled, identity data is provided by the customer’s identity provider; Refine does not store user passwords.

4. Purpose and Legal Basis for Data Processing

We only process your personal data when we have a lawful basis to do so under Article 6 of the GDPR.

The legal bases below apply depending on whether Refine acts as a Data Controller or Data Processor, as described in Section 2, and where applicable are subject to customer instructions and contractual terms.

Purpose of Processing	Type of Data Used	Legal Basis
To create your account and personalize your learning roadmap.	Identity, Account, Professional Context	Performance of a Contract
To process your audio and provide AI-driven coaching feedback.	User-Generated Content, Service-Generated Data	Performance of a Contract
To provide analytics and progress reports to authorized customer administrators.	Usage Data (Aggregated/Anonymized)	Performance of a Contract
To improve the security and performance of our platform.	Technical Data, Usage Data	Legitimate Interest
To improve our core AI models (using anonymized data only, where permitted by contract).	Anonymized User-Generated & Service-Generated Data	Legitimate Interest
To send essential service emails (e.g., password resets).	Identity Data (Email)	Legitimate Interest

5. Data Storage and Sub-processors

Your data is stored and processed securely. Where Refine acts as a Data Controller or Data Processor, we have signed Data Processing Agreements (DPAs) with all our sub-processors.

Primary Infrastructure (Google Cloud Platform): All core data is stored in GCP's Frankfurt, Germany (`europe-west3`) region.
AI & Speech Processing (Google Cloud & Deepgram): Audio and text are processed by AI models within Google Cloud and by Deepgram.
Email Delivery (Resend): Transactional emails are sent via Resend.
Frontend Hosting (Vercel): Our web application is hosted on Vercel's global network.

All international data transfers are protected by Standard Contractual Clauses (SCCs).

6. Data Retention Period

Account Data: Retained for the duration of your organization's contract with us, or until your account is deleted.
User-Generated Content: Retained for a limited period (e.g., 180 days), unless otherwise configured or instructed by the customer under an enterprise agreement.
Anonymized Usage Data: May be retained indefinitely for statistical analysis.

7. Your Data Protection Rights

Under GDPR, you have the right to:

Access a copy of your personal data.
Correct any inaccurate information.
Delete your personal data ("Right to be Forgotten").
Request a portable copy of your data.

You can exercise these rights from your account settings page or by contacting our Data Protection Officer. For enterprise deployments where Refine acts as a Data Processor, data subject rights requests are handled in coordination with the customer, who acts as the Data Controller.

8. Cookie Policy

Essential Cookies: Required for the application to function, such as your authentication token (x-auth-token).
Analytics Cookies: Used for performance measurement. You can accept or decline these via the cookie consent banner.

9. Contact

For any questions about this policy, please contact our Data Protection Officer at: cto@refine-skills.com