Project: Interact - Employee Engagement & Gamification Platform
Last Updated: January 14, 2026
This document outlines data privacy practices, policies, and compliance measures for the Interact platform.
- Minimal Collection: Collect only necessary data
- Purpose Limitation: Use data only for stated purposes
- Transparency: Clear communication about data usage
- User Control: Users control their data
- Security: Protect data from unauthorized access
- Accountability: Clear data ownership and responsibility
- Company name
- Public activity descriptions
- Public leaderboards (if opted in)
- User names
- Department information
- Activity participation
- Points and badges
- Email addresses
- Employee IDs
- Performance data
- Private messages
- Passwords (hashed)
- Authentication tokens
- Payment information
- Health data
- Active Users: Data retained while active
- Inactive Users: Anonymize after 18 months
- Deleted Accounts: Hard delete after 30 days
- Analytics: Aggregated data retained indefinitely
- Backups: 90-day retention, then deleted
- Users can export their data
- Response within 30 days
- Users can update their data
- Changes take effect immediately
- Users can request deletion
- Complete within 30 days
- Data provided in JSON format
- Machine-readable and structured
- Users can opt out of certain processing
- AI features, analytics, marketing
- Consent: Optional features (marketing, analytics)
- Contract: Core platform features
- Legitimate Interest: Platform improvement, security
- Base44 (backend hosting)
- Cloudinary (image storage)
- OpenAI/Anthropic (AI features - anonymized)
- Email provider (notifications)
- All data stays in specified region
- No transfers outside EU/US (if applicable)
- Standard Contractual Clauses with processors
- Default settings prioritize privacy
- Encryption at rest and in transit
- Access controls (RBAC)
- Audit logging of data access
- Regular privacy impact assessments
Document Owner: Legal & Security Teams