Privacy Policy.

Dialogos International LLC

PRIVACY & DATA PROTECTION NOTICE

Last Updated: July 14, 2025

  1. Introduction

dialogos (“we,” “us,” or “our”) is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Notice explains how we collect, use, store, and protect your data in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other relevant regulations.

This Privacy & Data Protection Notice applies to all Dialogos operations, websites, and assessment-related platforms managed by dialogos International LLC and its approved vendors.

  2. Data Controller Information

Data Controller: dialogos International LLC
Registered Address: 23 Bradford St. Concord, MA, USA
Contact: support@dialogos.com | +1-6175767986
Data Protection Officer: Dalia Olshvang

Our Processing Partners
Dialogos uses selected technology partners to host and process assessment data securely. Our primary processing partner is Esperto B.V., based in the Netherlands, which operates the Espero.one platform. Esperto acts as a data processor under our written Data Processing Agreement, implementing EU-approved safeguards (Standard Contractual Clauses 2021/914).

  3. Information We Collect

We collect the following categories of personal information:

  • Identity Data: Name, username, title
  • Contact Data: Email address, telephone number, postal address, company
  • Technical Data: IP address, browser type, device information, operating system
  • Usage Data: Information about how you use our website and services
  • Marketing Data: Your preferences for receiving communications, how you found us
  • Cookie Data: Information collected through cookies and similar technologies
  • Assessments: see addendum.

  4. Legal Basis for Processing

We process your personal data based on:

  • Your consent
  • Performance of a contract
  • Compliance with legal obligations
  • Legitimate interests (where not overridden by your rights)

  5. How We Use Your Information

We use your information to:

  • Deliver the services you request
  • Improve your experience on our site
  • Send you updates (only if you’ve agreed)
  • Keep our site secure
  • Meet our legal obligations

Your Legal Rights

You can:

  • Access your data and get a copy
  • Correct any mistakes
  • Delete your information (in most cases)
  • Object to how we use your data
  • Move your data to another service
  • Opt out of marketing anytime
  • Complain to your data protection authority

To exercise these rights, email us at support@dialogos.com.

Once we receive your request, we will confirm receipt within a reasonable time and respond within 30 days, as required by data protection laws.
Where requests are complex or numerous, we may extend this period by up to 60 additional days and will notify you if that occurs.

How We Protect Your Data

We use industry-standard security measures including encryption and secure servers to protect your information from unauthorized access.

Access to Dialogos systems is granted on an individual basis and managed by Operations and IT. No shared credentials are permitted. Multi-factor authentication (MFA) is required for all admin-level systems, including Office 365, Dropbox, Airtable, and Esperto.
Passwords are stored in an encrypted password vault (such as 1Password), and all users must lock screens when inactive.
Dialogos also maintains an internal incident response plan. Any lost device, suspicious system activity, or unauthorized access is reported immediately and addressed through a 3-step protocol: assess impact, contain the issue, and notify affected parties if required.

How Long We Keep Your Data

We keep your information only as long as needed for our services or as required by law—typically 2-7 years depending on program type.

Sharing Your Information

We only share your data when necessary:

  • With trusted service providers who help run our website
  • When required by law – This may include responding to lawful requests by public authorities, including to meet national security or law enforcement requirements.
  • Never for sale to third parties

Some of our trusted processors are located in the United States, and data transfers to these vendors are governed by Standard Contractual Clauses (SCCs) to ensure equivalent protection under EU law.

All third-party vendors, including Esperto (our assessment platform) and technology partners, are required to sign confidentiality agreements (NDAs) and operate under Data Processing Agreements.

Vendor access is granted only for the duration of their engagement and revoked immediately upon completion. Operations reviews vendor access and software licensing quarterly to ensure ongoing compliance.

International Transfers

If we transfer your data outside your country, we ensure it’s protected through approved legal mechanisms like Standard Contractual Clauses.

For details on assessment data security, vendor safeguards, and sub-processor arrangements (including Esperto), see the Assessment Addendum and Standard Contractual Clauses Annex below.

Cookies

We use cookies and similar technologies to ensure our website functions properly and to analyze how visitors use it. We manage cookie consent and preferences through CookieYes, our consent management platform.
When you visit our site, you’ll see a banner that lets you choose which categories of cookies to allow or reject.

You can change or withdraw your consent at any time through our cookie banner. Essential cookies (required for site operation) are always active. Analytics and marketing cookies are used only after you provide consent.

Security Governance & Policy Maintenance

This Privacy Notice is reviewed at least once a year, or sooner if there are significant operational, regulatory, or system changes.
We will notify you by email or a prominent website notice if we make any material changes to how we process personal data.
Security controls include network protections, secure configurations for administrative accounts, and periodic audits of access logs to ensure compliance with internal and legal requirements.

Children

Our services aren’t for anyone under 16. If you’re a parent and believe your child has shared information with us, please contact us immediately.

Updates

We’ll notify you if we make significant changes to how we handle your data.

California Residents (CCPA)

If you’re in California, you have additional rights including the right to know what data we collect and opt out of data sales (though we don’t sell data).

European Residents (GDPR)

If you’re in the EU/EEA, all rights listed above apply, and you can contact your local supervisory authority with concerns.

EU Supervisory Authority Contact
If you are located in the European Union, you may contact your local data-protection authority, or our lead EU supervisory authority:
Autoriteit Persoonsgegevens (AP), The Netherlands — www.autoriteitpersoonsgegevens.nl

Questions?

Contact us anytime:

Addendum – Assessments

What we collect and why

When you complete a Dialogos assessment, we collect:

  • Response data: answers to survey items, sliders/ratings, free-text reflections.
  • Derived data: computed scores, archetype/circuit/theme summaries, visualizations, and a narrative report.
  • Context data (optional): role, team, manager/coach, organization, session/date, and program name.
  • Support communications: emails/messages with our team about your assessment or report.

We use this data to (i) generate your individual report and deliver coaching/learning services, (ii) provide team/aggregate insights for your organization (where applicable), and (iii) improve the assessment (e.g., item calibration and analytics). Your individual report typically includes trait/thematic outputs (e.g., leadership archetypes, circuits, strengths/limits) similar to the Pathfinder report format.

Legal bases (GDPR)

  • Contract: to deliver the assessment/report you requested, or your employer commissioned.
  • Legitimate interests: to run, secure, and improve the assessment platform; to create de-identified benchmarks.
  • Consent: for optional questions, program evaluations, or where required by local law.
  • Special category data: We do not seek health data. If a free-text response inadvertently includes health information, we rely on explicit consent (where required) or we will redact it.

Who is the Controller?

  • If your employer sponsors the assessment: your employer is usually the Controller; Dialogos acts as Processor (or joint Controller where we set purposes jointly). This will be governed by a Data Processing Agreement (DPA).
  • If you purchase directly from Dialogos (public workshops, coaching): Dialogos is the Controller.

Automated scoring & “profiling”

We do not engage in automated decision-making that produces legal or similarly significant effects.

Scoring and grouping are partly streamlined (e.g., scale totals, norming). We do not make decisions with legal or similarly significant effects based solely on streamlined processing. Human coaches/facilitators interpret reports and co-create actions with you.

Sharing and disclosure

We share assessment data only as needed to deliver the program:

  • You (full individual report).
  • Your coach/facilitator and designated program staff (to support your learning).
  • Your employer/client sponsor:
    • Individual level: only with your consent or under the program’s stated rules.
    • Team/aggregate level: de-identified and aggregated results (no single individual is identifiable).
  • Vendors (hosting, forms, email/CRM, analytics, e-signature, payment) under DPA/SCCs as applicable.

We do not sell personal data.

Data retention

  • Raw responses: 3-7 years, depending on program type and contractual requirements.
  • Individual reports: 7 years for your access and coaching continuity, depending on program type and contractual requirements.
  • Aggregated/anonymized analytics: retained indefinitely (cannot identify you).

We’ll delete or anonymize earlier on request where legally possible.

Your choices & rights

  • Access, rectify, download (portability), or delete your assessment data; restrict/object to certain processing; withdraw consent (where used). If your employer is Controller, send requests to them; you may also contact us and we’ll coordinate.
  • If you don’t wish to share your individual report with your employer, tell us before the debrief (program rules may apply).

International transfers & security

Data may be processed in the U.S. and other countries using approved safeguards (e.g., SCCs). Reports typically include sensitive leadership insights; we advise you to store/share them carefully.

Program transparency

Before you begin, we’ll present a brief Assessment Information Sheet summarizing: what’s collected, who sees what, what’s shared at individual vs. aggregate levels, and how to exercise your choices.

About Assessments
We collect your answers and create a report (scores, themes, and insights). Coaches see your report to support you. Your company may receive aggregate results; your individual results are shared only as the program describes or with your consent. Parts of scoring are streamlined, but people (not algorithms) guide outcomes. Keep or delete your data at any time (where allowed by law). To ask for a copy, correction, or deletion, email support@dialogos.com.

Standard Contractual Clauses (SCC) – Annex Template
(EU Commission Decision (EU) 2021/914, Module 2: Controller → Processor)

Annex I – Description of the Transfer

  1. Parties

Data Exporter (Controller):
dialogos International LLC
23 Bradford Street, Concord, MA 01742, USA
Contact: support@dialogos.com
Role: Assessment provider and data controller

Data Importer (Processor):
Esperto
Arthur van Schendelstraat 650, Utrecht 3511 MJ, Netherlands
Contact: Eric Vanvelzen
Role: Processing assessment data on behalf of Dialogos 

  2. Description of the Data Transfer

| Field | Description |
| --- | --- |
| Categories of Data Subjects | Assessment participants, program facilitators, and organizational contacts (clients). |
| Categories of Personal Data | Name, email address, organization, role, responses to assessment items, derived scores, report content, and metadata (timestamps, device, and session ID). |
| Special Category Data | None intentionally collected; if free-text responses contain such data, they are processed under explicit consent or redacted. |
| Frequency of Transfer | Continuous and as required by assessment and program operations. |
| Nature of Processing | Hosting, storing, analyzing, and generating reports based on assessment responses; providing CRM, communication, and document management functions. |
| Purpose of Processing | To deliver assessments, generate individual and team reports, and improve assessment instruments. |
| Retention Period | Raw response data retained for 24 months; individual reports retained for up to 7 years; anonymized aggregates retained indefinitely. |
| Competent Supervisory Authority | Autoriteit Persoonsgegevens (AP) – the Dutch Data Protection Authority. |

Annex II – Technical and Organizational Measures

The data importer shall implement appropriate technical and organizational security measures, including:

  1. Encryption & Access Control
    1. All data collected through dialogos is transmitted securely over the internet using HTTPS encryption protocols or better. The data is stored in the Espero.one database, on their secure servers in the Netherlands. Access is restricted to authorized personnel with multi-factor authentication.
    2. Role-based access and least-privilege principles applied.
    3. dialogos has implemented security policies, rules and technical measures that match or exceed industry-standard protocols to protect your data. These security measures are designed to prevent unauthorized access, improper use or disclosure, unauthorized modification, unlawful destruction and accidental loss.
  2. Data Minimization & Purpose Limitation
    1. Data collected and processed only as needed for defined purposes.
    2. No unauthorized use, sharing, or secondary profiling.
  3. Vendor Management & Sub-Processors
    1. All sub-processors bound by equivalent SCCs or approved transfer mechanisms.
    2. Annual review of vendor compliance and security certifications.
  4. Incident & Breach Management
    1. Continuous monitoring, 24-hour breach notification to dialogos, and remediation plan.
  5. Data Subject Rights Support
    1. Mechanism to export, correct, or delete individual data upon request.
  6. Business Continuity
    1. Regular backups, disaster-recovery testing, and geographically redundant hosting.
  7. Training & Confidentiality
    1. All personnel receive data-protection training and sign confidentiality agreements. 

Annex III – Sub-Processors

| Sub-Processor | Function | Location | Safeguards |
| --- | --- | --- | --- |
| Airtable | Assessment data hosting and database | USA | SCCs in place |
| HubSpot | CRM and communication management | USA | SCCs in place |
| Dropbox | File storage and collaboration | USA | SCCs in place |
| CookieYes Ltd. | Consent management and cookie-tracking compliance | United Kingdom / EEA servers | SCCs in place |

Additional Notes

  • dialogos and all vendors shall maintain an updated Data Processing Register documenting all transfers covered by these SCCs.
  • Dialogos will provide copies of the executed SCCs and sub-processor list upon request.
  • Where a sub-processor is added or changed, the vendor will notify Dialogos and ensure equivalent safeguards are applied.

Version: 1.0
Last Updated: July 14, 2025
Prepared by: Dalia Olshvang, PhD, MBA, Data Protection Officer
dialogos International LLC
