Last updated: May 2026
Effective Date: May 1, 2026
Impact Yes, LLC, a Delaware limited liability company ("Impact Yes," "we," "our," or "us"), operates the GALA platform ("Platform"). We are firmly committed to protecting the privacy and security of our users' personal information. This Privacy Policy explains how we collect, use, store, share, and protect your personal data in connection with your use of the Platform. By registering for or using the Platform, you acknowledge that you have read and agree to the practices described in this Policy.
The data controller responsible for your personal information is Impact Yes, LLC, incorporated under the laws of the State of Delaware, United States of America. For all privacy-related inquiries, requests, or concerns, you may contact us at: privacy@impactyes.com.
We collect the following categories of personal information: (a) Identity and Account Data — email address, username, hashed password, first name, family name, nickname, certificate name, and native name in your native script; (b) Profile and Demographic Data — gender, marital status, age group, date of birth, country of birth, country of residence, education level, professional title, organization name, department, industry, and years of experience; (c) Language Preferences — preferred language, locale, default language, and birth language; (d) Assessment and Diagnostic Data — self-assessment responses, 360-degree feedback scores, AI-generated outputs (summaries, gap analyses, growth paths, daily nudges, video summaries), and AI coaching chat history; (e) Network and Device Data — IP address and browser user agent, collected exclusively on 360-degree rater submissions for anti-fraud verification; (f) Contact Form Data — name, email, organization, title, and message; (g) Profile Media — profile picture URL.
We collect information you provide directly when you register, complete your profile, participate in assessments, interact with our AI coaching features, invite raters for 360-degree feedback, or submit contact inquiries. We also collect information automatically when you authenticate, including through social OAuth providers (Google, LinkedIn, Microsoft, X, Apple, GitHub, Facebook), which share authorized profile data with us upon your consent. Activity logs and email delivery logs are generated automatically as part of normal platform operations and audit trails.
We use your personal information to: (a) create and manage your account and verify your identity; (b) deliver leadership assessments, 360-degree feedback tools, and personalized diagnostic reports; (c) generate personalized AI coaching content — including summaries, gap analyses, growth paths, audio feedback, and video summaries — via third-party AI processing services; (d) send transactional emails such as one-time passwords (OTP), password resets, welcome messages, and rater invitations; (e) detect and prevent fraud, abuse, and manipulation of assessment integrity; (f) administer organizational multi-tenant deployments and their associated user management; (g) maintain activity audit trails and platform security; (h) improve and develop Platform features; and (i) comply with applicable legal and regulatory obligations.
To generate your personalized coaching content, your assessment data and relevant profile context are transmitted to the following external AI service providers: (a) DeepSeek — primary large language model for coaching summaries, gap analyses, and growth path recommendations; (b) Google Gemini — secondary large language model for supplementary analysis; (c) Google Cloud Text-to-Speech — audio generation for spoken feedback delivery; (d) Google Vertex AI (Veo) — AI video summary generation. Data transmitted to these services is used solely to fulfill your personalized output requests and is governed by the respective providers' terms of service and privacy policies. Impact Yes does not authorize or permit these AI providers to use your personal data for their own model training.
We engage the following categories of trusted service providers who process data on our behalf under strict data processing agreements: (a) Cloud Object Storage — Cloudflare, Inc. (R2, United States) for PDF assessment reports, issued certificates, and media files; (b) Email Delivery — PurelyMail (SMTP) for all transactional email communications; (c) AI Content Generation — DeepSeek and Google LLC (Gemini, Cloud TTS, Vertex AI); (d) Security and Bot Protection — Google LLC (reCAPTCHA Enterprise); (e) Social Authentication — Google, LinkedIn, Microsoft, X (Twitter), Apple, GitHub, and Facebook; (f) Caching and Session Infrastructure — Redis (in-memory store for OTPs, rate limiting, and session tokens); (g) Database — PostgreSQL (primary relational data store). All service providers are contractually bound to protect your data and prohibited from using it for independent commercial purposes.
We retain your personal data for as long as your account remains active or as otherwise necessary to provide the requested services. Upon account deletion request, your account is immediately deactivated and your personally identifiable information is anonymized within thirty (30) days pursuant to our soft-delete policy. Anonymized statistical records, stripped of all PII, may be retained indefinitely for platform analytics and legal compliance. Activity logs and email delivery records are retained for up to two (2) years. To submit a data deletion request, contact privacy@impactyes.com.
Depending on your jurisdiction, you may have the following rights with respect to your personal data: (a) Right of Access — to request a copy of the personal information we hold about you; (b) Right to Rectification — to request correction of inaccurate or incomplete data; (c) Right to Erasure — to request deletion of your personal data; (d) Right to Data Portability — to receive your data in a structured, commonly used, machine-readable format; (e) Right to Object or Restrict Processing — to object to or request restriction of certain processing activities. To exercise any of these rights, submit a written request to privacy@impactyes.com. We will respond to all verified requests within thirty (30) calendar days.
We implement industry-standard technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include: HTTPS/TLS encryption for all data in transit; encrypted object storage via Cloudflare R2; bcrypt-hashed password storage; Redis-based rate limiting and brute-force protection on authentication endpoints; Google reCAPTCHA Enterprise protection on all registration, login, and password-recovery flows; HTTP security headers (HSTS, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Permissions-Policy) on the web application; and JWT-based session tokens with 24-hour access token expiry. No security system is infallible, and we cannot guarantee absolute security against all threats.
Impact Yes, LLC is headquartered in the United States. Your personal data is primarily stored in the United States via our cloud infrastructure (Cloudflare R2). When your data is processed by AI providers such as DeepSeek or Google Cloud, it may be transmitted to and processed on servers located outside your country of residence. By using the Platform, you consent to such international transfers. Where required by applicable law, Impact Yes ensures that appropriate contractual safeguards (such as Standard Contractual Clauses) are in place for cross-border data transfers.
The GALA Platform is designed exclusively for professional use by individuals who are at least 18 years of age. We do not knowingly collect, solicit, or retain personal information from minors under the age of 18. If we discover that we have inadvertently collected personal data from a minor, we will take immediate steps to delete such information. If you have reason to believe a minor has submitted personal information through the Platform, please notify us promptly at privacy@impactyes.com.
GALA authenticates sessions using JWT (JSON Web Tokens) with a 24-hour access token and a 30-day refresh token. Server-side session state, OTP tokens, and rate-limiting counters are managed via Redis with appropriate time-to-live (TTL) expiration. We do not deploy third-party advertising cookies, cross-site behavioral tracking pixels, or interest-based advertising technologies. Strictly necessary session cookies may be set to maintain your authenticated state during an active browser session.
If you are located in the European Economic Area (EEA) or the United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR) or the UK GDPR. Our legal bases for processing your personal data include: (a) Performance of Contract — delivering the services you registered for; (b) Legitimate Interests — fraud prevention, platform security, and audit logging; and (c) Consent — for optional demographic profile fields and AI coaching interaction features. You have the right to withdraw consent at any time and to lodge a complaint with your competent national data protection supervisory authority.
If you are a California resident, the California Consumer Privacy Act (CCPA) affords you additional rights: the right to know what personal information we collect, use, disclose, and sell; the right to request deletion of your personal information; the right to opt out of the sale of your personal information (note: Impact Yes does not sell personal information to third parties); and the right to non-discrimination for exercising your CCPA rights. To submit a CCPA rights request, contact privacy@impactyes.com with the subject line "CCPA Request."
We reserve the right to update this Privacy Policy at any time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the revised Policy on the Platform and, where reasonably practicable, by email notification to your registered address at least thirty (30) days before the changes take effect. Your continued use of the Platform after the effective date of the revised Policy constitutes your acceptance of those changes.
For privacy inquiries, data subject requests, or concerns regarding this Privacy Policy, please contact: Impact Yes, LLC | 8 The Green, Suite B, Dover, DE 19901, USA | privacy@impactyes.com | support@impactyes.com