Privacy notice
Last updated: 17 May 2026
What we store and why
DigiBot 2.0 collects only what it needs to deliver the assessment and the personalised recommendations: your email, your profile (job role, industry / domain, years of experience, digital proficiency, primary tasks, and - optionally - your organisation's name and size), your assessment responses, your generated recommendations, and your training progress.
Data is stored in a Cloud SQL Postgres instance hosted in Switzerland (europe-west6). Access is restricted to the artefact backend and the thesis author.
Authentication uses a signed http-only cookie. Passwords are hashed with Argon2id. Magic links are single-use, expire in 15 minutes, and stored only as a SHA-256 hash.
We do not train any third-party model on your data. Personalisation calls to OpenAI send the item text plus a minimal role context; retrieval calls to Cohere send only the search-query text. Your raw responses are never sent to either provider.
You can delete your account yourself at any time under Profile -> Account -> Delete account. The deletion is reversible for 30 days via the link in the confirmation email; after that, all data tied to your account is permanently deleted. You can also request export or deletion of your data via digibot.bfh@gmail.com.
Google account data we access (Google Calendar sync)
If - and only if - you click "Connect Google Calendar" in your profile and grant consent on Google's screen, DigiBot 2.0 accesses two specific scopes on your Google account:
- Google Calendar events(https://www.googleapis.com/auth/calendar.events)
Lets DigiBot create training-session events in your primary calendar when you accept a training plan, and update those events if you later reschedule a session inside DigiBot. We never read events you did not create through DigiBot, we never delete events we did not create, and we never access other calendars on your account.
- Google account email(https://www.googleapis.com/auth/userinfo.email)
privacy.google_scope_email_body
OAuth refresh and access tokens are stored encrypted in the same Swiss-hosted Cloud SQL Postgres instance as the rest of your data. They are scoped to your DigiBot account and never sent to a third party, browser, or analytics tool.
You can disconnect at any time via the "Disconnect" button in your DigiBot profile (deletes our copy of the tokens) or by revoking access at myaccount.google.com/permissions (also revokes them at Google's end).
Limited Use Disclosure
DigiBot 2.0's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.
The Limited Use requirements of the Google API Services User Data Policy mean DigiBot 2.0:
- uses Google user data only to provide or improve user-facing features that are prominent in the requesting application (here: writing training-session events to your calendar);
- does not transfer Google user data to others except as necessary to provide or improve user-facing features, or to comply with applicable law, or as part of a merger / acquisition / sale of assets where users will be notified;
- does not use Google user data for serving advertisements, including retargeted, personalised, or interest-based advertising;
- does not allow humans to read Google user data unless we have your affirmative agreement for specific messages, doing so is necessary for security purposes (such as investigating abuse), to comply with applicable law, or our use is for internal operations and the data has been aggregated and anonymised.
Contact
Questions, deletion requests, or anything else: write to digibot.bfh@gmail.com.