Teamistry - Privacy Policy

Version 1.0, effective 8 July 2026

This Privacy Policy explains how Teamistry Ltd, a company incorporated in the Republic of Cyprus (registration number HE 469419, registered office at 16 Konstantinopoleos, Aglantzia, Nicosia, Cyprus) ("Teamistry", "we", "us"), handles personal data in connection with the Teamistry platform (the "Service") and the website at teamistry.ai.

Teamistry is a team management platform used by organisations ("Customers") to support engagement, performance, leave management and related people processes for their teams. If you use the Service, it is most likely because your employer or organisation has chosen Teamistry and invited you to it.

Contact for privacy matters: alexandros@teamistry.ai
Data protection contact: alexandros@teamistry.ai. We have not appointed a Data Protection Officer; we keep this requirement under review as our processing activities grow (Article 37 GDPR).


1. The Two Roles We Play

Under the EU General Data Protection Regulation ("GDPR"), how we handle your data depends on our role:

a) When we act as a processor. For personal data processed within the platform: your profile, check-ins, performance records, leave, documents, calendar data and similar. Your employer (our Customer) is the data controller and Teamistry is the data processor. Your employer decides what data is collected, who within your organisation can see it (for example, which team leads see Sync-In responses) and how long it is kept. We process this data only on your employer's instructions, under a Data Processing Agreement. If you have questions about why your organisation collects certain data, or wish to exercise your data protection rights over platform data, your first point of contact is your employer. We will assist your employer in responding to such requests.

b) When we act as a controller. For a limited set of data, Teamistry decides the purposes and means of processing and acts as data controller. This includes: account and billing information for our Customers; data we collect through the teamistry.ai website (such as demo requests and newsletter sign-ups); support communications; and technical logs and security data we process to keep the Service safe. Sections 5-6 describe this processing.

The remainder of this policy describes both roles and we indicate which applies where relevant.

2. Personal Data Processed in the Platform (Processor Role)

Depending on how your organisation configures and uses Teamistry, we process the following categories of data on its behalf:

  • Profile data: name, work email, role, team membership, skills, interests, career background, photo and personal details you add during profile setup.
  • Sync-In (weekly check-in) data: your responses on mood, workload, planned office/remote attendance, priorities, challenges, shout outs and Weekly Buzz updates, together with response trends over time.
  • Performance data (Elevate): goals, progress, self-assessments and manager assessments and reviews.
  • Ideas and collaboration data (Spark Zone, Weekly Buzz): ideas, comments, likes and related activity.
  • Leave data: leave requests, types (which may include sickness absence), balances, history and approval records.
  • Documents: files uploaded to the Documents feature by or about you, which may include employment contracts, payslips and other HR documents. These can contain salary and financial information, identification details and contractual terms.
  • Calendar and meeting data: if you connect Google Calendar or Outlook, we sync events from your primary calendar to show availability, block out leave and calculate meeting-load analytics (Meet-O-Meter). We retain only the following event data: start and end times; the event's status (such as confirmed or tentative); whether the event has other attendees (as a yes/no flag); and your own response status (accepted, declined, or no response). To derive this, our systems briefly process the event data returned by your calendar provider; event titles, descriptions, locations and the identities of other attendees are discarded immediately after processing and are never stored, logged, or used for any other purpose.
  • Analytics and derived data: participation, morale, workload, attendance and meeting-load metrics at individual and team level, visible according to role-based permissions set by your organisation.
  • AI Assistant data: your messages to the assistant and the responses generated, which may draw on your platform data according to your permissions. Before data is sent to our EU-hosted AI model provider, we apply data minimisation measures, including removing or pseudonymising direct identifiers where feasible, so that the provider receives only the information necessary to generate a response. Assistant conversations are retained while your account remains active and are deleted when your account is deleted or when your organisation's agreement with us ends (see Section 10).
  • Notification and integration data: notifications delivered in-app, by email and via your organisation's connected Slack or Microsoft Teams workspace.
  • Usage data: log-ins, feature usage and device/technical information associated with your account.

Sensitive data. Mood and wellbeing responses and leave records referencing sickness, may reveal information about health, which is a special category of data under Article 9 GDPR. Documents may contain financial and identification data. Your employer, as controller, is responsible for establishing a valid legal basis and any required conditions for processing such data and for informing you about it. We apply heightened technical protection to this data as described in Section 9.

3. Purposes and Instructions (Processor Role)

We process platform data solely to provide the Service to your organisation, which includes: operating the features described above; generating role-scoped analytics and insights; delivering notifications; providing the AI Assistant; maintaining security, backups and support; and complying with law. We do not use platform data for our own marketing, we do not sell personal data and we do not use Customer personal data to train generalised AI models. Our AI model provider (TensorX) processes AI Assistant requests exclusively on infrastructure located in the European Union, with zero retention of prompts and responses by the provider, under terms that do not permit the use of our customers' data to train AI models.

4. Legal Bases (Controller-Role Processing)

Where Teamistry acts as controller (Section 1(b)), we rely on the following legal bases under Article 6 GDPR:

  • Contract performance: creating and administering Customer accounts, providing support and billing.
  • Legitimate interests: securing the Service, preventing fraud and abuse, maintaining technical logs, improving the Service using aggregated and anonymised information and business-to-business marketing to Customer representatives (with the right to object at any time).
  • Consent: newsletter subscriptions and non-essential cookies (see Section 11). You may withdraw consent at any time.
  • Legal obligation: retaining records required by tax, accounting and other laws applicable to us.

For platform data processed on your employer's behalf, the legal basis is determined by your employer as controller.

5. Website Data (Controller Role)

When you visit teamistry.ai, request a demo, or subscribe to updates, we collect the contact details you provide (such as name, work email and company) and technical data described in Section 11. We use this to respond to enquiries, arrange demos, send updates you have requested and understand website performance.

6. Account, Billing and Support Data (Controller Role)

For Customer organisations, we process administrator contact details, organisation information, subscription and billing records and support communications, in order to manage the customer relationship and comply with law.

7. Who We Share Data With

We do not sell personal data. We share personal data only with:

  • Subprocessors: service providers who process data on our behalf to run the Service, under contracts meeting Article 28 GDPR requirements. Our current subprocessors are listed at teamistry.ai/legal/subprocessors and in Annex 3 to our Data Processing Agreement and include: Railway Corporation (infrastructure, hosting and storage, EU region); Google Workspace (transactional email delivery); Mixpanel (product usage analytics, EU data residency); TensorX (AI model provider for the AI Assistant, EU-hosted, subject to the data minimisation measures described in Section 2); and Langfuse (AI Assistant observability and diagnostics, EU-hosted). We will update the list when subprocessors are added or replaced and, for Customers, provide notice of changes as set out in the DPA.
  • Integration providers you or your organisation connect: Slack, Microsoft (Teams, Outlook) and Google (Calendar). Data exchanged with these providers is governed by their own terms and privacy policies. Calendar integrations are connected by you individually via OAuth and can be disconnected at any time in your settings; disconnection stops the sync and previously synced data (limited to the fields described in Section 2) is retained subject to Section 10 and is deleted when your account is deleted or earlier on request. Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
  • Your organisation: platform data is visible within your organisation according to the roles and permissions your organisation configures (for example, team leads see their team's Sync-In responses and leave history; admins manage organisational settings without automatic access to check-in or performance data).
  • Professional advisers and authorities: where required by law, legal process, or to protect rights, safety, or security and to our advisers under confidentiality.
  • Corporate transactions: in connection with a merger, acquisition, or asset sale, subject to this policy and notice where required.

8. International Transfers

The Service is hosted on servers located in the European Union and platform data, including documents, is stored in the EU. AI Assistant processing (TensorX) and AI observability (Langfuse) take place entirely within the EU. Some of our other subprocessors are established in the United States: our product analytics provider (Mixpanel, operated with EU data residency) and our hosting provider's corporate entity (Railway). Processing by them may involve a transfer of personal data outside the European Economic Area. Where that is the case, we implement appropriate safeguards under Chapter V GDPR: reliance on the EU-US Data Privacy Framework where the recipient is certified (Google) and otherwise the European Commission's Standard Contractual Clauses together with supplementary measures. Details are available in the subprocessor list and on request.

9. Security

We apply technical and organisational measures appropriate to the risk, including encryption of data in transit (TLS) and at rest, role-based access controls mirroring your organisation's permission structure, logical separation of customer data, data minimisation and pseudonymisation of identifiers where feasible before data is processed by our AI model provider, access logging and regular backups within the EU. Documents and special-category data receive heightened protection, with access restricted to the individuals authorised by your organisation. No system is completely secure; we will notify affected Customers without undue delay of any personal data breach affecting their data, as required by the GDPR and the DPA.

10. Retention

  • Platform data (processor role): retained for as long as your organisation maintains its account and instructs us to retain it. Your organisation may delete data through the Service or by instruction. Following termination of a Customer's agreement, data is available for export for 30 days and then deleted within 90 days, except for limited backup cycles (deleted within 90 days) and records we must keep by law.
  • Documents: retained on the same basis; note that your employer remains responsible for statutory retention of employment and payroll records outside the platform.
  • Website and marketing data (controller role): demo and enquiry data retained for 24 months after last contact; newsletter data until you unsubscribe.
  • Account and billing records: retained for the duration of the relationship plus periods required by Cyprus tax and accounting law (generally 6 years).
  • Technical logs: retained for 12 months for security purposes.

11. Cookies and Similar Technologies

The website and Service use: (a) strictly necessary cookies for authentication, security and core functionality, which do not require consent; and (b) analytics cookies and similar technologies (Mixpanel), used to understand how the website and Service are used, which are set only with your consent via our cookie banner and can be withdrawn at any time via the cookie settings on our website. The banner lists the specific cookies used and their durations.

12. Your Rights

Under the GDPR you have the right to access your personal data, rectify inaccuracies, request erasure, restrict or object to processing, receive your data in a portable format and withdraw consent where processing is based on consent. You will not be discriminated against for exercising these rights.

  • For platform data (profile, check-ins, performance, leave, documents, calendar data): please direct requests to your employer, who is the controller. We support Customers with tools and assistance to fulfil these requests and if you contact us directly we will forward your request to your organisation and inform you.
  • For data where Teamistry is the controller (Sections 4-6): contact us at alexandros@teamistry.ai. We will respond within one month, extendable as permitted by the GDPR.

You also have the right to lodge a complaint with a supervisory authority. In Cyprus, that is the Office of the Commissioner for Personal Data Protection (dataprotection.gov.cy), or you can contact the authority in your EU member state of residence or work.

13. Automated Decision-Making

Teamistry provides analytics, insights and AI-generated assistance to support human decision-making by your organisation. The Service does not make automated decisions producing legal or similarly significant effects about you without human involvement. Decisions regarding your performance, leave, or employment are made by people in your organisation.

14. Children

The Service is designed for workplace use and is not directed at anyone under 18. We do not knowingly process data of children in the platform.

15. Changes to This Policy

We may update this policy from time to time. Each version is dated and numbered. For material changes, we will notify Customers and users by email and/or in-app notice before the changes take effect and prior versions are available on request.

16. Contact

Teamistry Ltd
16 Konstantinopoleos, Aglantzia, Nicosia, Cyprus
Registration no. HE 469419
Privacy enquiries: alexandros@teamistry.ai
Data protection contact: alexandros@teamistry.ai