Privacy policy
Last updated: June 2026
This policy explains what information submove collects, why we collect it, how we store and protect it, who we share it with, and the choices and rights you have. We have written it in plain language. Where the law uses specific terms, we say so. If anything here is unclear, contact us and we will explain it.
Who we are and who controls your data
submove is a decision-intelligence diagnostic for organizational change, a flight simulator for organizational decisions. It is operated by SUBMOVE S.R.L, registered at Bd. Decebal 27, Romania. In this policy, "submove", "we", "us" and "our" refer to that entity.
For personal data you submit to us directly, such as your account details and intake information, the data controller is SUBMOVE S.R.L. For the organizational files a client provides for a simulation, the client is the controller of any personal data those files contain and we act as a processor on the client's instructions, under the terms of the engagement and the data processing addendum described below.
What we collect
We collect only the information needed to run an engagement. We do not buy personal data, and we do not collect anything beyond what is listed here.
Account information
When an organization is invited to the client portal, we store the account email address and the display name for each invited user. Sign-in is passwordless: we do not collect, store, or ever see a password.
Intake information
If you contact us through the intake form on our site, we collect the details you choose to send: typically your name, work email, organization, the type of change you are weighing, the approximate number of people affected, an optional timeline, and any notes you add. This is provided by you, voluntarily, to start a conversation.
Client-provided files
To build a model of an organization, a client provides files such as a reporting or org-structure export and similar context. These files may contain personal data about the client's own people. We handle them strictly on the client's instructions, store them in storage isolated to that engagement, and use them only to construct and run the simulation.
Intake self-assessments
An engagement may include short, structured self-assessments completed by participants the client identifies. These responses feed the model as inputs. They are governed under the same anonymisation and isolation rules described below.
Simulation runs
When a simulation runs, we store its inputs, configuration, and outputs (the stress, morale, trust and performance trajectories and related results) so the engagement team and the client can review them together.
We do not run advertising or visitor-profiling analytics on this site, and we do not track you across other sites or services.
Anonymisation: how we model people without using their identities
submove is built so that the simulation never needs to know who anyone is. People in a client's organization are resolved into anonymous, governed individual profiles placed inside the real reporting network. Personality is used as a moderator only, never as a verdict about a person.
- Profiles are referenced by role-coded labels and masked identifiers, not by name.
- No personally identifying information is used inside the model itself.
- Results describe trajectories across the network and where strain is likely to land, not judgments about named individuals.
submove is a rehearsal and decision-support tool. It is calibrated, not validated: it is designed to help leaders think, not to predict any individual's behavior. Its outputs are never used, and must never be used, for hiring, firing, promotion, discipline, or any other evaluation of a specific person.
Why we use it, and our legal bases
We use the information above only to set up, run, and discuss a simulation for your situation, to operate the client portal, and to communicate with you about your engagement. We never sell your information, and we never share it for marketing.
Where the EU and UK General Data Protection Regulation (GDPR) applies, we rely on the following legal bases under Article 6:
- Contract (Art. 6(1)(b)). To set up your account, run an engagement, and provide the simulation and portal you have asked for.
- Legitimate interests (Art. 6(1)(f)). To respond to intake enquiries, secure our systems, prevent misuse, and keep accurate records of our engagements, balanced against your interests and rights.
- Consent (Art. 6(1)(a)). Where you voluntarily submit intake details or optional notes, and for any optional communication you ask to receive. You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)). Where we must retain or disclose information to comply with a legal or regulatory requirement.
For personal data within client-provided files, the client determines the purpose and legal basis as controller; we process it under their documented instructions.
How it is stored and secured
Account data, intake details, files, self-assessments, and simulation runs are stored in our Supabase environment: a managed PostgreSQL database with object storage. We apply the following safeguards:
- Row-level security. Database access is governed by row-level security policies, so records are visible only to the accounts entitled to them.
- Per-engagement isolation. Client files and run data are kept in storage scoped to that engagement, separated from other clients.
- Passwordless, invite-only access. Sign-in uses a one-time magic link sent by email. Links are valid for about 60 minutes and accounts are created by admin invitation only; there is no public self-signup.
- Strict Content-Security-Policy. The site enforces a strict Content-Security-Policy and serves its scripts from our own origin rather than third-party content networks, reducing exposure to injected or external code.
- Encryption in transit. Traffic to the site and portal is served over HTTPS.
- Least access. Internal access is limited to the people who need it to run your engagement.
Sub-processors
We use a small number of trusted infrastructure providers to operate submove. We do not use advertising or marketing-analytics vendors. Our current sub-processors are:
| Sub-processor | Purpose | Data involved |
|---|---|---|
| Cloudflare | Hosting and delivery of the website and portal frontend (Cloudflare Pages). | Network-level request data needed to serve and protect the site. |
| Supabase | Database (PostgreSQL), file storage, and passwordless authentication. | Account email and display name, intake details, client-provided files, self-assessments, and simulation runs. |
We require each sub-processor to handle data under appropriate contractual and security commitments. If we add or change a sub-processor, we will update this list.
International transfers
Our sub-processors may store or process data in regions outside your own country, including outside the European Economic Area or the United Kingdom. Where that happens, we rely on appropriate safeguards for the transfer, such as the European Commission's Standard Contractual Clauses or an equivalent recognised mechanism, together with the technical protections described above.
Cookies and what we store on your device
We do not set advertising or tracking cookies, and we do not profile visitors. Because there are no non-essential cookies, there is no cookie banner to dismiss.
The only information stored on your device is what is strictly necessary to keep you signed in to the client portal. This is a session token held in your browser's local storage, not an advertising cookie. If you choose "keep me signed in", the token persists until it expires or you sign out; otherwise it is cleared when your session ends. You can remove it at any time by signing out or clearing your browser storage.
Retention and deletion
We keep information only as long as we need it for the purpose it was collected:
- Intake details are kept while we follow up and, if an engagement begins, for its duration; otherwise we delete or anonymise them once the enquiry is closed.
- Client-provided files and simulation runs are retained for the engagement and any agreed wind-down period, then deleted or returned in line with the engagement terms.
- Account details are kept while the account is active and removed after it is closed, subject to any record we must keep by law.
You can ask us to delete your data at any time, and we will do so unless we are required to keep it.
Your rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you.
- Rectify data that is inaccurate or incomplete.
- Erase your data ("right to be forgotten") where we have no overriding obligation to keep it.
- Port your data, receiving it in a portable, machine-readable format.
- Object to or restrict certain processing, including processing based on legitimate interests.
- Withdraw consent at any time where we relied on it, without affecting prior processing.
To exercise any of these rights, contact us using the details below. You also have the right to complain to your local data protection authority.
For California residents. Under the California Consumer Privacy Act (CCPA, as amended), you have the right to know what personal information we collect and how we use it, to request access to or deletion of it, to correct it, and not to be discriminated against for exercising these rights. We do not sell or share your personal information, and we have not done so in the preceding twelve months.
Data processing addendum
For organizations that need one, a data processing addendum (DPA) is available on request. It sets out our obligations as a processor, the sub-processors named above, the security measures we apply, and the terms for handling personal data within client-provided files. Ask us at the contact below.
Children
submove is a business tool intended for use by organizations and their authorised staff. It is not directed at children, and we do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us information, contact us and we will delete it.
Changes to this policy
We may update this policy as submove evolves or as the law requires. When we do, we will revise the "last updated" date at the top of the page. If a change is significant, we will take reasonable steps to let affected clients know.
Contact
To exercise any of the rights above, to request our DPA, or to ask a question about this policy, email us at contact@submove.io. For security-specific reports, please see our security page or write to contact@submove.io.
You can also reach us by post at SUBMOVE S.R.L, Bd. Decebal 27, Romania.