Privacy Policy
Last updated: March 28, 2026
This Privacy Policy applies to the NegotiationEdge marketing website, waitlist, and iOS app operated by TK Media in Luxembourg. The app is intended for adults aged 18 and over. For a public summary of your available privacy controls, see our Privacy Choices page.
1. Controller and Operator Information
Controller / operator: TK Media
Location: Luxembourg
Contact: contact@tkmedia.lu
If a company registration number, VAT number, or additional mandatory Luxembourg trader identifiers become applicable to this activity, we will add them to this page and the footer legal notice.
2. Product Areas, Purposes, Legal Bases, and Retention
Website
Data we process.
- Basic technical data such as IP address, browser, device type, pages viewed, referrer, and security logs created when you visit negotiationedge.app.
Why we process it. To host and secure the website, serve pages reliably, prevent abuse, diagnose problems, and keep the service available.
Legal basis. Legitimate interests in operating and securing the website.
Retention. Infrastructure and security logs are kept only for operational, troubleshooting, and security periods, then rotated or deleted according to the hosting provider's operational retention settings.
Waitlist
Data we process.
- Email address, consent record, and the details included in the waitlist notification email.
Why we process it. To manage launch communications, respond to your request to hear from us, and maintain a record of your consent.
Legal basis. Consent for waitlist emails and related launch communications; legitimate interests in maintaining consent records and preventing misuse of the form.
Retention. We keep waitlist records until you unsubscribe, ask us to delete them, or the waitlist/launch campaign is concluded and the records are no longer needed.
App Account
Data we process.
- Account identifiers, email address, guest identifiers, authentication events, and password-reset metadata handled through Firebase Authentication.
Why we process it. To create your account, authenticate you, restore your access, and secure the app.
Legal basis. Performance of a contract and legitimate interests in account security, abuse prevention, and service integrity.
Retention. Account records are kept until you delete your account. Firebase may retain limited backup or security data for a short additional period under its own operational policies.
Practice Sessions
Data we process.
- Voice recordings, transcripts, prompts, AI responses, selected scenarios, message history, and custom scenario content needed to run the app.
Why we process it. To transcribe your speech, generate the AI counterpart conversation, synthesize speech output, and deliver the training experience you requested.
Legal basis. Performance of a contract because these processing steps are necessary to provide the core app service.
Retention. Practice history is stored primarily on your device until you delete it in the app, delete your account, clear the app, or uninstall. We do not use our own servers as a long-term store for session audio or transcripts.
Feedback & Scoring
Data we process.
- Transcript excerpts, tactic detections, summaries, coaching notes, score components, drill evaluations, and progress signals derived from your practice sessions.
Why we process it. To generate AI-based coaching, tactic counts, summaries, recommendations, and performance scores inside the product.
Legal basis. Performance of a contract and legitimate interests in improving the usefulness, safety, and reliability of the training experience.
Retention. Feedback, summaries, and scores follow the same local retention model as your session history unless provider-side short-term safety or abuse monitoring logs apply.
Subscriptions
Data we process.
- Subscription tier, entitlement status, purchase identifiers, transaction metadata, and restore-purchase state handled with RevenueCat and Apple.
Why we process it. To unlock paid features, restore purchases, manage subscription state, support refunds or billing questions, and maintain financial records.
Legal basis. Performance of a contract and compliance with accounting, tax, fraud-prevention, and consumer-law obligations.
Retention. Subscription records are kept for as long as needed to manage entitlements, support refunds or disputes, and satisfy accounting or legal retention obligations. Apple and RevenueCat may retain some records under their own obligations.
Support
Data we process.
- Messages you send us, identity details needed to verify your request, and the records we keep while resolving privacy, support, or legal requests.
Why we process it. To answer support requests, handle GDPR rights requests, investigate issues, and comply with legal obligations.
Legal basis. Legitimate interests and, where relevant, legal obligations.
Retention. Support and privacy-request records are kept for as long as needed to resolve the issue, demonstrate compliance, and handle any follow-up or dispute.
3. Third Parties, Roles, and Transfer Safeguards
We use third-party providers only where needed to host the website, run the app, process subscriptions, and respond to support or privacy requests.
| Provider | Role | Purpose | Transfer / safeguard note |
|---|---|---|---|
| Vercel | Processor | Website hosting, infrastructure, and operational logs. | Data may be processed in the EEA and other regions, including the United States. Vercel states that it participates in the EU-U.S. Data Privacy Framework and offers a DPA for customer data processing. |
| Resend | Processor | Waitlist and site email delivery. | Email metadata and content may be processed in the United States. Resend publishes a DPA that incorporates Standard Contractual Clauses for restricted transfers. |
| Google Analytics | Processor / independent Google service under your consent settings | Optional website analytics after opt-in. | Analytics data may be processed outside the EEA under Google's data processing and security terms and applicable transfer mechanisms. Analytics is off by default until you consent. |
| Firebase Authentication | Processor | App account creation, sign-in, guest access, and password reset. | Google generally acts as a data processor for Firebase customers. Data may be processed in Google-operated regions under Google's Data Processing and Security Terms and related transfer mechanisms. |
| Google Gemini | Processor | AI conversation, feedback analysis, drill evaluation, and custom-scenario interviews. | Audio and text sent to Gemini may be processed outside the EEA under Google's applicable data-processing terms and transfer mechanisms. For EEA user-facing products, Gemini access must be backed by a paid service configuration. |
| OpenAI | Processor | Speech-to-text and text-to-speech. | Unless we explicitly state that a given project is configured for European data residency, OpenAI processing may occur outside the EEA, including in the United States, under OpenAI's DPA and applicable transfer safeguards. OpenAI offers European data residency for eligible API projects. |
| RevenueCat | Processor | Subscription entitlements, purchase-state management, and restore logic. | RevenueCat processes subscription metadata under its DPA and applicable transfer safeguards, including SCC-based transfer terms where required. |
| Apple | Independent controller | App Store billing, receipts, and transaction processing. | Apple handles this data under its own privacy notice, platform terms, and international transfer arrangements. |
4. Automated Coaching, Evaluation, and Scoring
NegotiationEdge uses AI systems to generate transcripts, live counterpart responses, coaching summaries, tactic detections, drill evaluations, recommendations, and session scores. These features are part of the training product you request.
These outputs are designed to support negotiation practice. They are not intended for legal, employment, credit, insurance, housing, or other similarly significant decisions about you.
5. Your Rights and Privacy Choices
Depending on your situation, the GDPR may give you rights including the following:
- Request access to the personal data we process about you.
- Ask us to correct inaccurate or incomplete data.
- Request deletion of your data where the GDPR gives you that right.
- Object to or restrict certain processing where the GDPR allows it.
- Withdraw consent for optional analytics or waitlist communications at any time.
- Request a machine-readable copy of data where portability applies.
To exercise these rights, email contact@tkmedia.lu. We aim to acknowledge requests within 72 hours and complete them within 30 days, unless the GDPR allows a longer response period in the specific case.
You can also review the practical routes for access, correction, deletion, and consent withdrawal on our Privacy Choices page.
6. Cookies and Optional Analytics
The website uses essential technologies required to load pages and protect the service. Optional analytics through Google Analytics and Vercel Web Analytics are disabled by default and load only after you explicitly consent. You can withdraw that consent at any time through Cookie Preferences in the footer or on the Privacy Choices page.
7. Security
We use reasonable technical and organizational measures to protect data, including transport security, access controls, and limited data sharing with service providers. No internet or cloud-based service can guarantee absolute security.
8. Complaints
If you have concerns about how we process personal data, please contact us first at contact@tkmedia.lu. You also have the right to lodge a complaint with the Luxembourg supervisory authority, the CNPD, or with another competent supervisory authority in the EU where you live or work.