Legal

Privacy policy

Last updated: 26 March 2026

1. Data controller

obqo is based in Amsterdam, the Netherlands. For privacy questions contact us at info@obqo.co.

2. What data we process

We process the following personal data:

  • Name and email address (on account creation and during coaching)
  • Organisation data (institution name, role)
  • Coaching session records and trajectory information
  • Flow responses and assessment results
  • Career data (applications, placements)
  • Contact form submissions

3. Purpose of processing

We process personal data solely to:

  • Deliver the coaching services
  • Manage user accounts
  • Generate reports and analytics for the institution
  • Respond to contact requests
  • Improve our services

4. Storage and security

All data is stored within the European Union (Frankfurt, Germany) via Supabase EU. No data is processed or stored outside the EU. We do not use delegated access to mailboxes or calendars, inbox scraping, or calendar integrations.

5. Retention period

Personal data is retained no longer than necessary for the documented purpose, in accordance with GDPR Article 5(1)(e). Key retention windows:

  • Coaching session notes: 3 years from graduation or early programme exit, then cleared (only aggregate metadata retained)
  • Alumni records: 10 years from graduation or early exit, then PII fields cleared (aggregate reporting data retained)
  • Audit logs: 12 months
  • After contract termination: 90-day export window, then deletion

The full retention schedule per data category is documented in the Data Processing Agreement (Bijlage D). See obqo.co/security for the complete retention policy.

6. Sharing with third parties

We share personal data only with the following subprocessors. All have signed a Data Processing Agreement with Van Moose.

  • Supabase Inc. (Frankfurt, EU) — database hosting & authentication
  • Vercel Inc. (EU edge, fra1 Frankfurt) — application hosting
  • Van Moose / Truncus (AWS eu-west-1, Ireland) — transactional email
  • Amazon Web Services EMEA SARL (eu-west-1, Ireland) — email infrastructure
  • Anthropic PBC (US) — AI features; engaged only when tenant explicitly enables AI (disabled by default)
  • OpenAI LLC (US) — session-recording transcription; engaged only when tenant explicitly enables recording (disabled by default)

We do not sell personal data to third parties. The complete subprocessor list with regions, transfer bases and certifications is published at obqo.co/security.

7. Your rights

Under the GDPR you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erasure of your data
  • Restriction of processing
  • Data portability
  • Object to processing

Contact us at info@obqo.co to submit a request. We will respond within 30 days.

8. Cookies

obqo uses only functional cookies required for the application to work (session authentication). We do not use tracking cookies, advertising cookies, or third-party analytics.

9. Complaints

If you have a complaint about the processing of your personal data, contact us at info@obqo.co. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

Privacy policy — obqo | obqo