Privacy Policy

Last updated: 1 January 2026

Sleak GmbH operates an AI-powered platform for skills development, workflow support, and assessment. Our services include our website (sleak.ai), web application, and all associated features, tools, and functionality (collectively the "Services").

This Privacy Policy informs you about what personal data we collect, how we use it, who we share it with, how long we retain it, and what rights you have.

For business customers: If you use Sleak via a Startup, Business, or Enterprise Workspace, your use is governed by our Master Services Agreement and Data Processing Agreement (DPA). In the event of any conflict between this Privacy Policy and those agreements, the latter shall prevail for the processing governed by them.

As a German company, we process your data in accordance with the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG), and the Telecommunications Digital Services Data Protection Act (TDDDG).

Table of Contents

  1. Controller and Contact
  2. Roles and Responsibilities
  3. What Data Do We Collect?
  4. How Do We Use Your Data?
  5. Who Do We Share Your Data With?
  6. Third-Party Logins
  7. How Long Do We Retain Your Data?
  8. International Data Transfers
  9. Data Security
  10. AI-Powered Assessments
  11. Minors
  12. Your Rights
  13. Changes to This Privacy Policy

1. Controller and Contact

The controller responsible for processing your personal data is:

Sleak GmbH
c/o Mindspace
Rosental 7
80331 Munich

General enquiries: info@sleak.ai
Privacy enquiries: privacy@sleak.ai
Phone: +49 162 974 5374

We strive to respond to all enquiries within a reasonable timeframe and to work with you to address any concerns regarding our handling of your personal data.

Data Protection Officer:
Kertos GmbH
Brienner Str. 41
80333 Munich
Email: dsb@kertos.io

2. Roles and Responsibilities

When is Sleak a Controller?

Sleak is an independent controller for:

  • Account and billing data: Registration, authentication, subscription management, and payment processing
  • Marketing and communications: Newsletters, product updates, and promotional communications
  • Website analytics: Understanding website usage and improving our online presence
  • Platform operation and security: Fraud prevention, security monitoring, and maintaining service integrity
  • Applications: Processing applications for positions at Sleak

When is Sleak a Processor?

Sleak acts as a data processor on behalf of our customers (the controllers) for:

  • Workspace data: All content, sessions, transcripts, and user activity within a customer workspace
  • Recruiter assessment data: Recordings, transcripts, and scores of candidates, where the inviting employer is the controller
  • Customer-driven integrations: Data processed via customer-configured integrations with third-party systems

Where we act as a processor, the processing is governed by a Data Processing Agreement (DPA) with the customer. If you access Sleak as an end user through your employer, your employer is the controller for your workspace data. Please direct data protection requests to them in the first instance.

3. What Data Do We Collect?

A. Data You Provide

Account data
When creating an account, we collect your name, business email address, mobile or telephone number, and company domain. Providing your account data is required to enter into a contract with us. Without this data, we cannot grant you access to our services.

Payment data
When making purchases, we collect payment information such as credit card number and security code. All payment data is stored by Stripe, Inc. Their privacy policy can be found at: https://stripe.com/de/privacy

Communications
When you contact us, we collect your name, email address, and the content of your messages. When signing up for newsletters, we collect your name and email address. We may track whether you open our emails in order to improve our communications.

Accounting information
We collect information about your purchases and payments to fulfil our accounting and tax obligations.

Applications at Sleak
If you apply for a position with us, we collect the information you provide in your application, such as education and work experience.

B. Session and Content Data

When using our AI features, we collect:

Text inputs and outputs
Your prompts, messages, and requests, as well as AI-generated responses in coaching conversations, simulations, and other interactive features.

Voice recordings and transcripts
When using voice-based features, we record your spoken inputs and transcribe them. Voice recording is based on your consent, which you provide when first using a voice-based session by confirming the recording notice. You may withdraw your consent at any time by contacting us at privacy@sleak.ai or by deleting your recordings in the account settings. Providing voice recordings is voluntary; if you do not provide them, certain voice-based features may not be available.

Session metadata
Information about your sessions such as timestamps, duration, features used, and interaction patterns.

Scorecards and assessments
Performance evaluations, feedback, and assessment data from our assessment and simulation features.

Files and documents
Files or documents you upload for processing within the services.

Visibility of session data:

  • Personal accounts: Your session data is private unless you choose to share it.
  • Workspaces: Session data within a workspace may be visible to Workspace Owners, Administrators, or other roles as configured by your employer. Your employer, as the controller, determines access permissions and retention policies.
  • Recruiter assessments: Your assessment data is shared with the inviting employer.

C. Cookies and Similar Technologies

We and our partners collect data via cookies, pixel tags, or similar technologies. This may include information such as unique identifiers, system information, IP address, browser type, device type, and pages visited.

We use functional, analytical, and marketing cookies only with your prior consent in accordance with TDDDG and GDPR. You may withdraw your consent at any time as easily as you gave it.

Strictly necessary cookies are required to provide our services (e.g. login functionality) and cannot be disabled. Functional cookies store your preferences. Analytics cookies help us understand how our services are used; we use PostHog for analytics (https://posthog.com/privacy). Marketing cookies enable relevant advertising.

You can adjust your cookie settings at any time via our cookie banner or your browser settings.

D. Data from Other Sources

Professional contact data
We obtain certain data from data providers, such as professional contact details and company information. Our legitimate interest (Art. 6(1)(f) GDPR) is to acquire new business customers through targeted B2B outreach. We process only professional contact data (name, business email address, company, position) and no private data. You may object to this processing at any time.

Third-party login data
If you create an account via a third-party provider (e.g. Google, Microsoft), that provider shares your name and contact details with us.

E. Special Categories of Personal Data

Voice Recordings and Voice Processing

Voice-based interactions are a core feature of our services. The legal basis for processing voice data depends on context:

Personal accounts (Sleak as controller):

  • Contract performance (Art. 6(1)(b) GDPR): Where voice processing is necessary to provide the contractually agreed voice-based features (real-time transcription, session delivery, scorecard evaluation, results provision).
  • Legitimate interests (Art. 6(1)(f) GDPR): Where voice recordings are processed beyond the immediate session delivery (e.g. session replay, quality assurance, progress analytics). You have the right to object to this processing at any time.
  • Consent (Art. 6(1)(a) GDPR): For processing beyond service provision (e.g. use of anonymised voice data for product development). You may withdraw your consent at any time.

Workspace users (Sleak as processor):
If you access voice-based features via an employer workspace, your employer is the controller. The legal basis is determined by the relationship between you and your employer (typically the employment contract or the employer's legitimate interests). Sleak processes your voice data solely in accordance with your employer's instructions under the Data Processing Agreement.

Recruiter candidates:
For recruiter assessments, the inviting employer is the controller. Your consent to recording is obtained before the assessment begins. You may decline to participate.

No Biometric Identification

We do not use voice recordings for biometric identification. Voice processing is used solely for transcription, session replay, and performance evaluation based on content criteria. Since we do not process voice data to uniquely identify individuals, it does not constitute a special category of biometric data under Art. 9 GDPR in our use case.

No Emotion Recognition

Sleak does not perform emotion recognition or inference. Our systems do not analyse voice characteristics, tone, or other signals to infer emotional states. Evaluation is based solely on spoken content against defined competency criteria (scorecards).

Incidentally Captured Sensitive Data

Our services are not designed to collect special categories of personal data (such as health information, religious beliefs, or political opinions). You control what you discuss or share in sessions. If you disclose sensitive information, it may be incidentally captured as part of the transcript.

Recommendation: Do not share sensitive personal data in sessions unless you consent to its recording and processing.

4. How Do We Use Your Data?

We process your data only on the basis of a valid legal ground:

Purpose | Description | Legal basis
Providing and improving the services | We may process your personal data to provide, maintain, improve, and expand our services, including developing and extending our products. | Contract performance (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR)
Usage analysis and service improvement | We may use personal data we collect via the services to understand and analyse how you use our services, and to develop new products, services, features, and functionality. | Legitimate interests (Art. 6(1)(f) GDPR)
Sales and marketing | We may process your personal data for sales and marketing purposes, including marketing or promoting our services to prospective or existing customers and conducting product demonstrations. | Consent (Art. 6(1)(a) GDPR); Legitimate interests (Art. 6(1)(f) GDPR)
Communicating with you | We may use your personal data to contact you, including by email, phone, and text message, for administrative purposes such as providing information you request, responding to comments and questions, or asking for feedback and survey participation. | Contract performance (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR)
Billing and accounting | We may process your personal data to facilitate transactions and payments, process payments you initiate, and for accounting purposes including recording your payments. | Contract performance (Art. 6(1)(b) GDPR); Legal obligation (Art. 6(1)(c) GDPR)
Fraud and incident prevention | We may use your personal data to detect security incidents and respond to trust and safety issues, protect against malicious, fraudulent, deceptive, or illegal activity, and pursue those responsible. | Legitimate interests (Art. 6(1)(f) GDPR); Legal obligation (Art. 6(1)(c) GDPR)
Providing technical support | We use personal data to provide technical support, including diagnosing and resolving issues you report. | Contract performance (Art. 6(1)(b) GDPR)
Creating aggregated data | We may process your personal data to create anonymised or aggregated data that we may use for any lawful purpose, such as publishing reports. | Legitimate interests (Art. 6(1)(f) GDPR)
Administrative and legal matters | We may use your personal data to handle administrative or legal matters relating to Sleak, including but not limited to copyright infringement, defamation, privacy issues, to enforce our Terms of Service, or as necessary to establish, exercise, or defend legal claims. | Legitimate interests (Art. 6(1)(f) GDPR)
Compliance | We may process your personal data to fulfil legal obligations to which we are subject, for example to comply with accounting and tax regulations or pursuant to a court order, legal proceeding, or regulatory authority. | Legal obligation (Art. 6(1)(c) GDPR)

Legitimate Interests

Where we rely on legitimate interests as the legal basis, we have carried out a balancing test to ensure that our interests do not override your fundamental rights and freedoms. Summaries of our balancing tests are available on request at privacy@sleak.ai.

Our legitimate interests include in particular:

  • Service operation and security: Operating, securing, and improving the services; detecting and preventing fraud and abuse
  • Product development: Analysing aggregated and de-identified usage data to improve features and user experience
  • Workspace functionality: Enabling workspace management by owners and administrators
  • Recruiter assessments: Conducting recruiter simulations and providing assessment results to inviting employers
  • Marketing: Contacting existing and prospective customers about products and services
  • Legal compliance: Detecting and responding to legal requests, enforcing terms of service

You have the right to object to processing based on legitimate interests.

5. Who Do We Share Your Data With?

Service providers

We may share data with service providers that assist us in delivering our services, such as hosting, data analytics, IT infrastructure, customer service, email delivery, and payment processing.

AI model providers

To provide the AI features of our services – including coaching conversations, training simulations, recruiter assessments, transcription, and scoring – we transmit certain data to third-party AI model providers.

Data transmitted may include:

  • Text inputs and prompts
  • Voice recordings and audio data
  • Session transcripts and context
  • Uploaded files or documents
  • Metadata required for processing

Our AI providers:

Provider | Services | Processing location | Privacy policy
OpenAI (via Azure and direct API) | Language models, chat, reasoning | EU | openai.com/privacy
Microsoft (Azure AI Services) | Speech-to-text, language models | EU | privacy.microsoft.com
ElevenLabs | Text-to-speech, speech synthesis | EU (default); US possible | elevenlabs.io/privacy
Deepgram | Speech-to-text, transcription | EU | deepgram.com/privacy

Important notes:

  • No cross-customer training: Sleak does not use identifiable inputs/outputs from one customer to train AI models that benefit other customers. Improvement activities use only anonymised and aggregated data.
  • Processor obligations: All AI model providers act as sub-processors under our Data Processing Agreements and are subject to equivalent confidentiality and security obligations.

We may update this list when providers are added or changed, and will reflect material changes in this Privacy Policy.

Sleak users

If you participate in public Sleak competitions or make your Sleak profile public, we may make your display name and other data accessible to other Sleak users and the public.

Legally required disclosures

We may disclose your data where required to: (a) comply with legal proceedings such as court orders or subpoenas; (b) respond to your requests; or (c) protect your, our, or others' rights, property, or safety.

Affiliated companies

We may share data with our current or future affiliated companies for the purposes described in this Privacy Policy.

Corporate transactions

In the event of mergers, acquisitions, or asset sales, your data may be transferred to advisors or transaction counterparties. Use of your data following such events is subject to the Privacy Policy in effect at the time of collection.

With your consent

We may also disclose your data in other cases with your consent.

6. Third-Party Logins

Our website allows you to register and sign in via third-party logins (e.g. Google, Microsoft). In doing so, we receive certain profile information from the third-party provider, typically your name and email address.

We use this information only for the purposes described in this Privacy Policy. We do not control the third-party provider's use of your data and recommend you review their privacy policy.

You are responsible for keeping your password and account information confidential and for controlling access to your email communications from Sleak.

7. How Long Do We Retain Your Data?

We retain your personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required by law.

Data category | Retention period | Reason
Account data | Account duration plus 2 years after deletion | Service provision and handling of subsequent requests
Your content (inputs/outputs) | Account duration; deletion within 30 days of account deletion | Linked to service provision
Payment and transaction data | 10 years from transaction date | Statutory retention obligations (§ 147 AO, § 257 HGB)
Communication records | 2 years from last communication | Dispute resolution and service quality
Usage data and analytics | 26 months (then anonymised) | Service improvement and analytics
Marketing consent records | Consent period plus 2 years after withdrawal | Proof of consent
Recruiter candidate data | Up to 6 months after assessment completion (unless employer specifies otherwise or candidate requests deletion) | Employment law requirements and employer review
Application data (positions at Sleak) | 6 months after hiring decision (unless longer consent given) | AGG requirements and potential legal claims
Server logs | 90 days | Security, troubleshooting, and fraud prevention
Anonymised data | Indefinitely | Can no longer be attributed to individuals

Anonymisation vs. pseudonymisation: "Anonymised" data has been processed in such a way that it can no longer be attributed to an identified or identifiable individual. It is no longer subject to the GDPR. "Pseudonymised" data replaces identifiers with tokens but can be re-linked with additional information and remains personal data.

8. International Data Transfers

Our services are hosted primarily in the European Union (Microsoft Azure data centres in Germany and Sweden). However, some of our service providers and AI model providers are located outside the European Economic Area (EEA).

Transfers outside the EEA

When transferring personal data outside the EEA, we ensure that your data is protected by appropriate safeguards:

Safeguard | Description
Adequacy decisions | Transfer to countries for which the European Commission has determined an adequate level of data protection
Standard Contractual Clauses (SCCs) | Use of the European Commission's standard contractual clauses with providers in countries without an adequacy decision
Supplementary measures | Implementation of additional technical and organisational measures where necessary

Transfers to the USA

For transfers to the USA, we rely on:

  • The EU–U.S. Data Privacy Framework (for certified recipients)
  • Standard Contractual Clauses (for non-certified recipients), supplemented by additional safeguards

You may request a copy of the safeguards we use for international transfers by contacting us at privacy@sleak.ai.

9. Data Security

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, use, alteration, or disclosure.

Our security measures include:

  • Encryption: Data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access controls: Role-based access controls and multi-factor authentication
  • Infrastructure security: Hosted on enterprise cloud infrastructure (Microsoft Azure) with SOC 2 Type II and ISO 27001 certifications
  • Regular audits: Periodic security assessments and penetration testing
  • Employee training: Regular security training for all staff
  • Incident response: Documented procedures for detecting, reporting, and responding to security incidents
  • Data segregation: Workspace data is kept separate from personal account data
  • Logging and monitoring: Comprehensive audit logging and real-time security monitoring

Your responsibility: While we implement robust security measures, no method of transmission over the internet or electronic storage is 100% secure. We recommend that you, where possible:

  • Implement and enable SSO
  • Use strong, unique passwords
  • Enable multi-factor authentication
  • Keep your login credentials confidential
  • Notify us immediately at security@sleak.ai if you suspect unauthorised access

10. AI-Powered Assessments

When you use Sleak, you interact with AI-powered systems. This applies in particular to:

  • Coaching and training sessions: You communicate with AI-generated virtual conversation partners (personas), not with real people.
  • Recruiter assessments: You participate in simulated conversations with AI-powered personas. Your responses are recorded, transcribed, and evaluated by our AI scoring engine against defined criteria (scorecards).
  • AI-generated content: Responses, feedback, scores, and coaching recommendations are generated by large language models and algorithms – not written by humans.

No Automated Decisions

Sleak does not make automated individual decisions within the meaning of Art. 22 GDPR that produce legal effects or similarly significantly affect you.

  • Support, not decision: AI-generated scores and assessments serve as one factor among many for the organisation's decision-making.
  • Human oversight required: Organisations using Sleak are contractually obligated to review scores in context and to make final decisions with appropriate human judgement. AI outputs are intended to inform decisions, not replace them.

No Emotion Recognition

Sleak does not perform emotion recognition or emotion inference. Our systems do not analyse voice characteristics, tone, or other biometric signals to infer emotional states. Evaluation is based solely on spoken content against defined competency criteria.

11. Minors

We do not knowingly collect data from persons under 16 years of age and do not direct our services at them. By using the website, you confirm that you are at least 16 years old.

If we learn that personal data of users under 16 has been collected, we will deactivate the account and take appropriate steps to delete such data promptly. If you become aware of data we may have collected from children under 16, please contact us at privacy@sleak.ai.

12. Your Rights

If you are located in Europe, you have the following rights with regard to your personal data:

Access, Rectification, and Data Portability

You may request an overview of the personal data we process and a copy of your data. You have the right to have incomplete, inaccurate, or outdated data corrected. Where provided by law, you may request the transfer of your data to another company.

Objection

You may object to any use of your personal data that is not (i) processed to fulfil a legal obligation, (ii) required for contract performance, or (iii) for which we have a compelling interest.

Erasure

You may request the erasure of your personal data to the extent permitted by applicable law. This applies for example where your data is outdated, processing is unnecessary or unlawful, you have withdrawn consent, or you have objected to the processing.

Restriction of Processing

You may request that we restrict the processing of your personal data while we handle a request regarding the accuracy of your data, the lawfulness of the processing, or our legitimate interests.

Withdrawal of Consent

Where we rely on your consent for processing, you have the right to withdraw it at any time, free of charge. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

Changing or Deleting Your Account

You may update your account information at any time in your account settings or cancel your account by contacting us at privacy@sleak.ai. Upon cancellation, we will deactivate or delete your account and information from our active databases. We may retain certain information for fraud prevention, troubleshooting, supporting investigations, enforcing our Terms of Service, and/or complying with legal requirements.

Data export: Upon written request within 30 days of account cancellation, we will provide your data in a structured, commonly used format for export.

Objection to Email Marketing

You may unsubscribe from our marketing email list at any time by clicking the unsubscribe link in our emails or by contacting us. We may continue to send you service-related emails necessary for the administration and use of your account.

How to Exercise Your Rights

To exercise your rights, please contact us at:

Email: privacy@sleak.ai
Subject: "Data Subject Request – Your Right"

Please provide sufficient information to verify your identity and specify which rights you wish to exercise. We will respond to your request within one month. This period may be extended by a further two months in cases of complexity.

There is no fee for exercising your rights, unless your request is manifestly unfounded or excessive.

Workspace Members

If you access Sleak as an authorised user via your employer's team workspace and wish to exercise data subject rights regarding workspace data, you should first contact your Workspace Owner or Administrator, as they are the controllers for that data.

If you do not receive a response within 30 days, or if your request concerns data for which Sleak is independently responsible (such as your personal account information), you may contact us directly at privacy@sleak.ai.

Right to Lodge a Complaint

If you believe we have violated your data protection rights, you have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for Sleak GmbH is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach

Website: https://www.lda.bayern.de
Email: poststelle@lda.bayern.de

You may also lodge a complaint with the supervisory authority in your country of residence or place of work.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.

When we make changes, we will:

  • Publish the updated policy with a new effective date on our website
  • Provide a prominent notice of material changes (e.g. a notification in our application or an email to registered users)

For material changes to data processing, we will ask you to review and confirm the updated Privacy Policy before continuing to use our services.

Thank you for trusting Sleak.