Privacy Policy
Last updated: May 18, 2026
1. Who We Are
Torchpass ("we," "us," "our") is a B2B SaaS platform that helps organisations capture, document, and transfer institutional knowledge from departing employees to their successors. This policy explains how we collect, use, store, and protect your personal data when you use our platform.
Data Controller: inSpring LLC
Data Protection Officer: privacy@torchpass.com
2. Data We Collect
2.1 Account Data
Name, email address, phone number, location (city/state), timezone, bio, LinkedIn URL, secondary email address, and avatar image.
2.2 Professional Profile Data
Job title, department, seniority level, industry, hire date, transition timeline, years at company, reporting structure, and compliance ownership indicators.
2.3 Content Data
Interview recordings (video/audio), transcripts, annotations, documents you upload (SOPs, process manuals, job descriptions, etc.), questionnaire responses, and AI-generated playbook content.
2.4 Usage Data
Login timestamps, last-active dates, feature usage patterns, and browser user-agent strings (collected with consent records only).
2.5 Technical Data
IP address (collected only when recording consent preferences), Supabase session tokens (essential cookies for authentication).
3. Legal Basis for Processing (GDPR Art. 6)
- Contract performance (Art. 6(1)(b)): Processing necessary to deliver the Torchpass service under your organisation's subscription agreement.
- Legitimate interest (Art. 6(1)(f)): Platform security, fraud prevention, and service improvement.
- Consent (Art. 6(1)(a)): AI-assisted processing of your content, and contribution of anonymised data to improve our question bank. You may withdraw consent at any time from your profile settings.
- Legal obligation (Art. 6(1)(c)): Record-keeping for tax, audit, and regulatory compliance.
4. How We Use Your Data
- Deliver and improve the Torchpass platform
- Process recordings and documents through AI services (with PII redaction applied before transmission)
- Generate playbooks and knowledge transfer materials
- Send transactional emails (invitations, notifications)
- Process payments through Stripe
- Improve our question bank using anonymised, aggregated data (with your consent and your organisation's opt-in)
5. Sub-processors & Data Sharing
We share personal data only with the following categories of sub-processors, each bound by Data Processing Agreements:
- Supabase — Database hosting, authentication, and file storage (US/EU)
- Cloudflare R2 — Recording and document file storage (zero-egress, global)
- Anthropic (Claude) — AI content analysis (PII redacted before transmission)
- OpenAI — Text embeddings for search (PII redacted before transmission)
- Deepgram — Audio/video transcription
- Mux — Video hosting and adaptive streaming
- Stripe — Payment processing
- Resend — Transactional email delivery
We do not sell your personal data. We do not share data with advertising networks or data brokers.
6. AI Processing & PII Safeguards
Before any content is sent to external AI services (Anthropic, OpenAI), we apply automated PII redaction to remove email addresses, phone numbers, and LinkedIn URLs. All AI system prompts explicitly instruct models not to include personally identifiable information in their outputs. Every AI call is audit-logged with service, model, operation type, token counts, and processing status.
7. Data Retention
- Recording files: Retained for the period configured by your organisation (default 3 years), with automated warnings 30 days before expiry and automatic deletion thereafter.
- Transcripts and playbook content: Retained as long as the associated engagement is active.
- Account data: Retained until account deletion is requested.
- Audit logs: Retained for 7 years for compliance purposes.
- Consent records: Retained indefinitely as proof of consent.
8. Your Rights (GDPR Art. 15–22)
You have the right to:
- Access your personal data (Art. 15) — available via "Download My Data" in your profile settings
- Rectify inaccurate data (Art. 16) — edit your profile at any time
- Erasure (Art. 17) — request account deletion from your profile settings (30-day grace period applies)
- Restrict processing (Art. 18) — withdraw consent for AI processing or analytics in your profile settings
- Data portability (Art. 20) — download your data in machine-readable JSON format
- Object to processing (Art. 21) — contact our DPO
- Not be subject to automated decision-making (Art. 22) — AI-generated content is always reviewed by humans before publication
9. Cookies
Torchpass uses only essential cookies required for authentication and session management (Supabase auth tokens). We do not use advertising, tracking, or analytics cookies. You can manage your cookie preferences via the banner displayed on your first visit.
10. Security
We implement appropriate technical and organisational measures including: encryption in transit (TLS 1.2+) and at rest, Row Level Security policies on all database tables, role-based access control, HMAC-SHA256 webhook signature verification, Content Security Policy headers, and regular security reviews.
11. International Transfers
Your data may be processed in the United States and European Union. Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) or adequacy decisions as appropriate.
12. Children
Torchpass is a B2B platform not directed at individuals under 16. We do not knowingly collect data from children.
13. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or in-app notification. Continued use after notice constitutes acceptance.
14. Contact
For any privacy-related questions, data requests, or complaints:
- Data Protection Officer: privacy@torchpass.com
- Supervisory authority: You have the right to lodge a complaint with your local data protection authority.