New | AI for CoachingGet the reportNew | AI for CoachingGet the reportEffective date: 16 April 2026
Last updated: 16 April 2026
This Privacy Policy explains how Whylab Trusted Solutions SARL, trading as 100facets ("100facets", "we", "us", "our"), collects, uses, stores, shares, and protects personal data in connection with our websites, applications, assessments, reports, coaching tools, journeys, diagnostics, and related services.
This Privacy Policy is intended to reflect applicable data protection requirements, including, where applicable, the EU General Data Protection Regulation (GDPR) and the revised Swiss Federal Act on Data Protection (FADP / nFADP).
Whylab Trusted Solutions SARL
Av. Victor Ruffy 18
1012 Lausanne
Switzerland
For legal or privacy-related questions, or to exercise your rights, you can contact us at: [email protected]
For general support: [email protected]Data Privacy Lead: Mohamad Razaghi
100facets has appointed a Data Privacy Lead to oversee privacy and data protection matters. Based on the nature, scale, and frequency of our current activities, we do not currently designate this role as a formal Data Protection Officer under the GDPR or Swiss law.
This Privacy Policy applies to personal data processed in connection with:
The role of 100facets depends on the service context.
Where you use 100facets directly, 100facets generally acts as the controller for personal data needed to provide, secure, support, and administer the service, including account, support, security, and direct service-operation data.
Where you use 100facets through an employer, educational institution, consultant, coach, or another sponsoring organization, that organization will often act as the controller for the relevant assessment, invitation, participation, reporting, or program data, and 100facets will act as a processor or service provider on its behalf.
Even where 100facets acts as a processor for a customer or sponsor, we may still act as an independent controller for limited purposes such as security, fraud prevention, legal compliance, billing, auditability, and enforcement of our rights.
If you are unsure which role applies in your case, you may contact us or the organization through which you access the service.
Depending on how you use the platform, we may process the following categories of personal data.
Such as your name, email address, phone number, job title, company, language preferences, country, profile image, login credentials, and account status data.
Such as survey responses, open-ended answers, ratings, participant details, invitation details, report access settings, generated reports, summaries, diagnostics, and analyses.
Such as messages you exchange through the platform, challenge descriptions, generated recommendations or journeys, progress data, and transcribed voice inputs where relevant.
Such as files and documents you upload for use within the platform, including materials submitted for analysis or reporting.
Such as log data, device or browser information, IP address, session data, and security-related information used to operate and protect the services.
Such as verification messages, service emails, SMS notifications, support exchanges, and related records.
We collect personal data:
We use personal data to:
Some features of the platform involve profiling — that is, automated processing of personal data to generate assessments, leadership profiles, behavioral insights, team diagnostics, organizational insights, or development recommendations. This profiling is used to deliver the core functionality of the service. Outputs are intended to support human judgment and are clearly identified as AI-generated where applicable. It does not produce legally binding decisions about individuals on its own. See also Section 15 (Automated Decision-Making).
Some features of the platform use AI systems to support analysis, text generation, recommendations, summaries, translations, transcription, and conversational experiences.
100facets does not use personal data, uploaded files, prompts, outputs, transcripts, assessment responses, feedback content, or other user or customer content processed through the services to train large language models or other foundation models.
Where we use third-party AI or LLM service providers to support the services, we configure or require those providers, in the applicable service configuration and contractual arrangement, not to use such personal data or service content to train their large language models or other foundation models.
Where voice input is enabled, audio you provide may be recorded in the client application, transmitted to our servers, and then sent to a third-party AI provider for transcription so the requested feature can function.
The resulting transcription is then used as input data for the relevant feature, such as collecting qualitative responses, supporting coaching interactions, or powering related workflows.
The raw audio is deleted from our servers after transcription is completed. We configure or require the relevant AI provider to process the audio for transcription only and to handle deletion after transcription is completed in accordance with the applicable service configuration, contractual terms, and provider processes.
Transcribed inputs may be retained as part of the relevant assessment, coaching, journey, or qualitative-input workflow for the duration of the applicable program or contract period, or for as long as the account remains active where no program period applies.
Certain features rely on third-party AI models and related AI services, which may change over time as part of our normal service operation and improvement. Where a change involves a new or different external provider for AI processing, we will update this Privacy Policy accordingly and, where required by applicable contract, notify enterprise customers in advance.
AI outputs may not always be accurate, complete, or appropriate for every context. They are intended as support tools and should not be relied on as the sole basis for important decisions.
Where you upload documents, including PDF files, we may store and process those files in order to provide the requested service. This may include extracting text or structured information from the uploaded document for analysis, report generation, summarization, or related platform features.
Where required for the relevant feature, uploaded files or extracted content may be processed by trusted third-party AI providers acting on our behalf. Uploaded files and related extracted content are retained in accordance with the applicable contract, program, or service relationship, or until the relevant user, project, or service data is deleted, unless a longer retention period is required by law.
Where applicable under the GDPR, we process personal data on one or more of the following legal bases:
Where we rely on legitimate interests, those interests may include maintaining service functionality, protecting the platform against misuse, ensuring security and reliability, improving service quality, supporting internal administration, and defending legal rights.
Where Swiss law applies, we process personal data in accordance with the revised Swiss Federal Act on Data Protection and other applicable Swiss legal requirements.
We may share personal data with trusted service providers and partners where needed to provide and operate the platform.
These may include providers supporting:
We may also share personal data with the organization sponsoring your use of the platform where that organization is responsible for the relevant assessment, program, or access rights.
We do not sell personal data.
You may contact us at [email protected] if you would like more information about our current external provider set relevant to your service context.
Some of our service providers, including providers of hosting, AI processing, and related infrastructure, may process personal data outside Switzerland or outside the European Economic Area, including in the United States.
Where such transfers occur to countries that do not benefit from an adequacy decision under applicable law, we rely on appropriate safeguards such as Standard Contractual Clauses adopted by the European Commission, or equivalent mechanisms recognized under Swiss law, to protect the transferred personal data.
You may contact us for more information about the specific transfer mechanisms in place for a given service context.
We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer or different retention period is required or permitted by applicable law.
Where the platform is used by or through an enterprise customer, educational institution, consulting provider, coach, or other sponsoring organization, personal data will generally be retained for the period specified in the applicable contract, program terms, or documented instructions governing that service relationship.
Where no specific retention period is stated in an applicable contract, program framework, or legal requirement, we retain personal data for as long as the relevant user is actively using the service.
By way of example, where applicable and unless a contract or law requires otherwise:
For standard user accounts, we treat inactivity based on the last successful sign-in (login) to the account.
Where no contractual, legal, or regulatory retention obligation applies, we may run the following automated inactivity process, for example using the email address associated with the account where we are able to reach the user:
Signing in again before permanent deletion resets this timeline from the new successful sign-in date. Certain privileged or administrative account types may be excluded from automated removal for operational and security reasons.
For users who access the platform through an employer, educational institution, consultant, coach, or other sponsoring organization, inactivity handling and deletion may also depend on that organization's program rules, contractual arrangements, or instructions to us.
Subject to applicable law and the relevant controller-processor arrangement, users may request deletion of their personal data.
Where 100facets acts as the controller, we will assess and process deletion requests in accordance with applicable law.
Where 100facets acts on behalf of an enterprise customer, educational institution, or other sponsoring organization, the relevant organization may need to review, approve, or initiate the deletion request, and users may be directed to that organization.
When deletion applies, we will take reasonable steps to delete or irreversibly anonymize the relevant personal data from the systems we control, unless retention is still required for legal, regulatory, contractual, security, fraud-prevention, dispute-resolution, or other legitimate operational reasons.
Deletion may not always be immediate in every environment. Limited residual copies may temporarily remain in secure backups, logs, or restricted compliance records until they are overwritten, cycled out, or safely removed in the ordinary course of operations.
Where personal data has been shared with service providers acting on our behalf, we will take reasonable steps, as appropriate and required by law or contract, to instruct those providers to delete the relevant personal data or otherwise handle it in accordance with the applicable deletion request.
Subject to applicable law, users may have the right to:
Where 100facets acts as controller, we will handle such requests directly in accordance with applicable law and within the timeframes required by applicable law.
Where 100facets acts as processor on behalf of another organization, we may refer the request to the relevant organization or assist that organization in responding.
We may need to verify the identity of the requester before fulfilling an access, export, correction, or deletion request.
To submit a privacy request, please contact us at [email protected].
100facets does not use solely automated processing to make decisions about individuals that produce legal effects or similarly significant effects within the meaning of applicable data protection law.
Our AI-supported outputs — including assessments, leadership profiles, diagnostic reports, insights, and development recommendations — are intended to support human judgment and must not be used as the sole basis for employment, promotion, compensation, disciplinary, admission, or similarly significant decisions.
We may retain limited internal records of privacy-relevant actions, such as access requests, exports, corrections, objections, deletions, or account removal actions, where necessary to demonstrate compliance, maintain security, resolve disputes, or comply with legal obligations.
Such records will be limited to what is reasonably necessary for those purposes and will not be used for unrelated purposes.
We use technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, or disclosure. These measures include secure transmission, access controls, infrastructure safeguards, monitoring, and security review practices.
No system can be guaranteed to be completely secure. If we become aware of a personal data breach, we will assess it and, where required by applicable law, notify the competent supervisory authority and affected individuals within the legally required timeframe.
Under Swiss law, the competent authority for such notifications is the Federal Data Protection and Information Commissioner (FDPIC) where applicable.
We use cookies and similar technologies for the operation, security, and functionality of our services.
These cookies are required for core functionality and security and do not require consent where applicable law permits. They may include:
We also use optional analytics cookies, including Google Analytics cookies such as _ga and related variants, to help us understand how visitors use the platform and to improve performance and user experience. These analytics cookies are used only where you provide consent, where consent is required by applicable law.
If our cookie practices materially change, we will update this Privacy Policy and provide any notice or consent mechanism required by applicable law.
For more detailed information about the cookies we use, including names, purposes, and durations, you may contact us at [email protected].
Our services are not intended for children unless explicitly supported in a lawful and properly governed program context. If you believe personal data has been provided unlawfully by a child, please contact us at [email protected].
If you believe your personal data has been handled unlawfully, you may have the right to lodge a complaint with the competent data protection or supervisory authority.
In Switzerland, the competent authority is the Federal Data Protection and Information Commissioner (FDPIC): www.edoeb.admin.ch
If you are in the European Union or European Economic Area, you may also have the right to complain to the supervisory authority in your place of habitual residence, place of work, or place of the alleged infringement, where applicable.
We would, however, welcome the opportunity to address your concerns directly before you contact a supervisory authority. Please reach out to us at [email protected].
We may update this Privacy Policy from time to time to reflect changes in our services, legal obligations, or data practices. We will publish the updated version on our website and may provide additional notice where appropriate.
Where changes are material — including changes to our main external providers for AI processing — we will update this Privacy Policy and, where required by applicable contract or law, notify affected users or enterprise customers in advance.
Whylab Trusted Solutions SARL
100facets
Av. Victor Ruffy 18
1012 Lausanne
Switzerland
Legal and privacy enquiries: [email protected]
General support: [email protected]
English