LeaderCoreAI Privacy Notice

1. Introduction

Blue Horizon Training SRL ("we", "us", "our"), the company behind the LeaderCoreAI product, is committed to protecting your privacy and personal data. This Privacy Notice explains how we handle personal data in our dual roles as both a data controller and a data processor under the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), the UK Data Protection Act 2018, and other applicable data protection laws.

This notice is divided into two sections:

• Section A: When we act as a controller
• Section B: When we act as a processor

Section A: LeaderCoreAI as Data Controller

2. Controller Information

Blue Horizon Training SRL is the company that develops and operates the LeaderCoreAI product. LeaderCoreAI is a product of Blue Horizon Training SRL — it is not a separate legal entity or trading name. Blue Horizon Training SRL operates the LeaderCoreAI marketing website at https://leadercore.ai and the LeaderCoreAI application platform at https://app.leadercore.ai.

Registered Office:
Blue Horizon Training SRL
Intrarea Biserica Albă 3, Ap. 6
010298, Sector 1, Bucharest, Romania

For privacy-related inquiries, please contact:
Email: office@bluehorizontraining.ro

Contact us

For any questions about our services, your account, or anything else, please contact us directly at office@bluehorizontraining.ro — this is the fastest way to reach us regardless of where you are located.

UK Data Protection Representative

Blue Horizon Training S.R.L. has appointed DataRep as its UK Data Protection Representative. UK data subjects may contact DataRep by:

• Email: datarequest@datarep.com (quote "Blue Horizon Training S.R.L." in the subject line)
• Web form: www.datarep.com/data-request
• Post: DataRep, 107-111 Fleet Street, London, EC4A 2AB, United Kingdom

If you are unsure whether your question is a data protection matter, please contact us directly at office@bluehorizontraining.ro first — we will be happy to help or direct you to the appropriate channel.

3. Personal Data We Collect as Controller

3.1 Website Visitors and Platform Users

Important: We operate two distinct web properties with different data collection practices:

3.1a Marketing Website Visitors (https://leadercore.ai)

Our public marketing website uses Google Analytics for visitor tracking and marketing analytics:

• Google Analytics GA4: Measurement ID G-5YBQKN6B1D
• Cookies set: _ga (2 years), _gid (24 hours), _gat (1 minute)
• Data collected: Page views, session duration, referral sources, device type, approximate location (city/country level), browser type
• Purpose: Marketing analytics, website optimization, understanding visitor behavior
• Data retention: 14 months (Google Analytics default for GA4)
• Third-party processor: Google LLC (see Google's Privacy Policy)
• Cookie consent: Implemented via cookie consent banner (GDPR/ePrivacy compliant)

3.1b Application Platform Users (https://app.leadercore.ai)

Our application platform uses minimal, privacy-focused analytics:

• Firebase Analytics ONLY: First-party analytics for service improvement (NOT Google Analytics)
• No Google Analytics: We do NOT use GA4 or Universal Analytics on the application platform
• No third-party trackers: No advertising pixels, marketing cookies, or cross-site tracking
• Technical data (very limited): IP address and browser type (user agent) collected ONLY for demo request submissions (abuse prevention and technical support). NOT collected during normal authenticated usage.
• Authentication storage: Firebase SDK uses browser localStorage/IndexedDB (not traditional cookies)
• Cookies: Only essential cookies - sidebar_state (UI preference, 7 days) and Firebase Auth session cookies. No analytics, advertising, or tracking cookies.

3.2 Business Contacts (Partners, Resellers, Prospects)

• Identity data: name, job title, company name, registration numbers, VAT numbers
• Contact data: email address, telephone number, business address
• Communication data: your preferences in receiving marketing from us and your communication preferences
• Marketing data: your responses to marketing campaigns, event attendance

3.3 Customer Organizations (Billing Contacts)

Note: LeaderCoreAI operates on a B2B reseller/partner model. Direct payment processing is handled by our authorized resellers. We may receive billing contact information from resellers for service provisioning and subscription management.

• Identity data: name, job title, company name
• Contact data: email address (for service provisioning)
• Subscription data: subscription tier, start/end dates, authorized user count

Important: We do NOT collect or store payment card details, bank account information, or process payments directly. All financial transactions are handled by our reseller partners.

3.4 System Administration and Security

• Security logs: Authentication attempts, access logs, error logs (automatically anonymized using PII-safe logging utility that hashes email addresses with SHA-256, truncates user IDs to 8 characters, and sanitizes sensitive fields)
• Admin user data: Administrator account credentials (hashed), role assignments
• System usage data: Function call logs (anonymized), performance metrics, API response times

3.5 Contact Form Submissions (leadercore.ai/contact)

When you submit our contact form on the marketing website, we collect and process your information as the data controller. The disclosures below describe this specific processing in full and are intended to satisfy Article 13 GDPR / UK GDPR.

Categories of personal data collected

• Information you provide: name, business email, company, role (if you provide it), and the free-text content of your message.
• Consent flags: the required privacy-notice acknowledgement, and (if ticked) the optional marketing opt-in.
• Submission metadata: the time of submission (ISO 8601 timestamp), your IP address, and your browser's user-agent string. These are captured server-side at the moment of submission.

Purposes and lawful basis

• Responding to your inquiry — to read your message and reply, schedule a call, or set up a free-trial account if you have asked for one.
  Lawful basis: Article 6(1)(b) GDPR / UK GDPR — pre-contractual measures taken at your request. Ticking the privacy-notice acknowledgement is not a consent under Article 6(1)(a); it confirms that you have read this notice before we process your inquiry.
• Sending occasional marketing communications (new scenarios, product updates, offers) — only if you have ticked the optional marketing checkbox on the form.
  Lawful basis: Article 6(1)(a) GDPR / UK GDPR — your consent. You can withdraw this consent at any time by clicking the unsubscribe link in any marketing email we send you, or by emailing us at office@bluehorizontraining.ro. Withdrawal is effective for future processing only and does not affect the lawfulness of processing carried out before withdrawal (Article 7(3)).
• Anti-spam screening — we run a minimal automated check on every submission, including a hidden honeypot field that filters out automated bot traffic.
  Lawful basis: Article 6(1)(f) GDPR / UK GDPR — our legitimate interest in preventing abuse of the contact form.

Recipients and where the data goes

• The form's server-side handler delivers your submission as an email to the internal mailbox office@bluehorizontraining.ro, hosted on Google Workspace (Gmail). Google Workspace acts as our processor for this storage.
• The marketing-site application itself does not persist your submission — once the email is sent, the in-process form data is discarded. There is no separate database, CRM, or third-party email service in this flow.

International transfers

The marketing-site application that handles the contact form runs on Firebase App Hosting in the us-central1 region (Iowa, USA). Your submission therefore briefly transits US infrastructure even when you submit it from the EEA or the UK, and it is subsequently stored in Gmail on Google's infrastructure. The safeguards for these transfers are: the Google Cloud Data Processing Addendum, the European Commission's Standard Contractual Clauses, the EU-US Data Privacy Framework, and the UK Extension to that Framework for UK data subjects.

Retention

• Inquiry messages: we keep the email in the recipient mailbox for as long as we have a legitimate business reason to do so (for example, an ongoing conversation or an open sales opportunity), and review the inbox annually to delete what we no longer need.
• Marketing-consent record: if you ticked the marketing opt-in, we retain the consent record (timestamp and IP from your form submission) for the duration of our marketing relationship with you plus six years after withdrawal of consent, to be able to demonstrate that we obtained your consent under Article 7 GDPR. This matches the limitation period under Romanian law.

Your rights

The data subject rights described in Section 9 (Your Rights as Controller) apply equally to information you have submitted via the contact form. If you ask us to delete your data, please include enough detail (the email address you submitted with, approximate date of submission) for us to find your record.

3.6 Demo Account Sign-up (app.leadercore.ai/demo-request)

When you sign up for a free demo on our application platform, we create a record in our internal demoRequests collection. We act as the data controller for this record. The disclosures below describe this specific processing in full and are intended to satisfy Article 13 GDPR / UK GDPR.

Categories of personal data collected

• Information you provide: your name, business email, company, role, and the free-text content of your reason-for-interest field.
• Submission metadata: your browser's user-agent string, captured server-side at the moment of signup and stored on the same demoRequests record. Your IP address is captured separately and retained on a different schedule (see Retention below).

Purposes and lawful basis

• Post-trial follow-up — once your demo expires, we may contact you to ask for feedback on the experience and to check whether you intend to move to a paid subscription.
  Lawful basis: Article 6(1)(f) GDPR / UK GDPR — our legitimate interest in evaluating product-market fit and supporting potential customers after a B2B free trial, balanced against your rights and reasonable expectations.
• Fraud and abuse prevention — we retain your IP address separately to detect repeat-signup abuse and other misuse of the demo offer.
  Lawful basis: Article 6(1)(f) GDPR / UK GDPR — our legitimate interest in protecting the integrity of the demo system. See our Legitimate Interests Assessment, section 5.1.

Retention

• Demo signup record (name, business email, company, role, reason-for-interest, user-agent): retained until 60 days after your demo expires — approximately 67 days from signup, given the standard 7-day demo period — and then irreversibly anonymised.
• IP address: retained separately for 12 months for fraud-prevention purposes, and then deleted.

Your right to object

Because we rely on Article 6(1)(f) (legitimate interests) for the post-trial follow-up, you have the right under Article 21(1) GDPR / UK GDPR to object at any time. You can object by:

• Clicking the opt-out link included in every follow-up email we send you, or
• Emailing office+privacy@bluehorizontraining.ro.

We accept objections immediately and will stop further follow-up contact on receipt. The other rights described in Section 9 (Your Rights as Controller) also apply to your demo signup record.

What we will not do with this data

We do not share demo signup data with third parties, do not build profiles or take automated decisions about you on the basis of it, and will not contact you by SMS or telephone — only by email, and only as described above.

4. Legal Basis for Processing (as Controller)

We process your personal data on the following legal grounds:

• Contract performance: Processing necessary to perform our contract with your organization (billing, service delivery, account management)
• Legitimate interests: Our legitimate business interests in operating and improving our website, marketing our services, and maintaining security (balanced against your rights)
• Legal obligation: Compliance with tax, accounting, and regulatory requirements
• Consent: Where you have given explicit consent for marketing communications (which you may withdraw at any time)
• Pre-contractual measures: Where you have actively contacted us (for example by submitting the contact form) and we process your information to respond to your request — see Section 3.5

5. How We Use Your Data (as Controller)

5.1 Website Operations

• To provide and maintain website functionality
• To analyze website usage and improve user experience
• To ensure network and information security

5.2 Business Development

• To communicate with partners, resellers, and prospects
• To send marketing communications (where consent given or legitimate interest applies)
• To conduct market research and customer satisfaction surveys

5.3 Customer Relationship Management

• To manage customer accounts and subscriptions
• To provide customer support
• To send service-related communications

5.4 System Security and Administration

• To monitor system security and prevent unauthorized access
• To investigate and respond to security incidents
• To maintain audit trails for compliance purposes
• To optimize system performance

5.5 What We DON'T Collect - Our Privacy-First Approach

LeaderCoreAI is committed to data minimization. Unlike many platforms, we do NOT collect:

• No payment data: No credit card numbers, bank account details, or payment information (handled by reseller partners)
• No demographic data: No age, gender, race, ethnicity, or other demographic information
• No advertising trackers: No third-party advertising pixels, cookies, or tracking scripts
• No behavioral profiling: No cross-site tracking or behavioral advertising profiles
• No social media tracking: No Facebook Pixel, LinkedIn Insight Tag, or similar social tracking
• No unnecessary personal data: No home addresses, phone numbers (except business contacts), or social security numbers
• No sensitive categories: No health data, political opinions, religious beliefs, or union membership

Analytics Approach: Our application platform (app.leadercore.ai) uses Firebase Analytics (first-party only), NOT Google Analytics. Our marketing website (leadercore.ai) uses Google Analytics GA4 for marketing analytics only.

6. Data Sharing (as Controller)

We may share your personal data with:

• Service providers: Cloud hosting (Google Cloud Platform, Firebase, Vercel), email service providers (for transactional emails only)
• Analytics processors:
  • Google LLC (for leadercore.ai marketing website only): Google Analytics GA4 processes visitor data for marketing analytics. Data may be transferred to the US under Google's EU-US Data Privacy Framework certification and Binding Corporate Rules. See Google's Privacy Policy and Google Analytics Data Processing Terms.
  • Note: Our application platform (app.leadercore.ai) uses Firebase Analytics (Google-operated) but does NOT use Google Analytics.
• Professional advisers: Lawyers, auditors, insurers
• Regulatory authorities: When required by law or to protect our legal rights
• Business transferees: In connection with any merger, sale of company assets, or acquisition

We do not sell your personal data to third parties.

7. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including:

• Google Cloud Platform services (Europe-central2 region primarily, with global CDN)
• Vercel hosting services (global deployment)
• Firebase services (Google's global infrastructure)

We ensure appropriate safeguards are in place:

• European Commission adequacy decisions (where applicable)
• Standard Contractual Clauses (SCCs) with service providers
• Binding Corporate Rules of our processors (Google, Vercel)
• UK adequacy regulations and the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs, where UK personal data is transferred outside the UK

8. Data Retention (as Controller)

We retain personal data for as long as necessary to fulfill the purposes outlined in this notice:

• Website visitor data: 26 months (analytics), 12 months (security logs)
• Business contact data: Until you unsubscribe or request deletion, plus 3 years (legitimate interest period)
• Billing and financial data: 7 years (tax and accounting legal requirements)
• Security logs: 12 months (security monitoring period)
• Marketing data: Until consent withdrawn or 3 years of inactivity

9. Your Rights (as Controller)

Under GDPR, you have the following rights:

• Right of access: Request a copy of your personal data
• Right to rectification: Correct inaccurate or incomplete data
• Right to erasure: Request deletion of your data (subject to legal obligations)
• Right to restrict processing: Limit how we use your data
• Right to data portability: Receive your data in a structured format
• Right to object: Object to processing based on legitimate interests or direct marketing
• Right to withdraw consent: Where processing is based on consent
• Right to lodge a complaint: Contact your local data protection authority

To exercise these rights, contact us (see Section 2 above).

Section B: LeaderCoreAI as Data Processor

10. Processing on Behalf of Customers

When your employer or organization (the "Customer") subscribes to LeaderCoreAI's leadership training platform, we process personal data about you as a data processor on behalf of the Customer, who acts as the data controller.

11. What Data is Processed

When you use the LeaderCoreAI platform as an employee/end-user, we process:

• Account data: Name, email address, company name
• Training activity: Scenario selections, conversation sessions, completion status
• Performance data: Assessment results, scores, feedback, response quality
• Usage analytics: Session duration, message count, timestamp data, progress tracking
• Authentication data: Login credentials, session tokens

12. Purpose of Processing (as Processor)

We process this data solely to:

• Provide the AI-powered leadership training simulations
• Generate performance assessments and feedback
• Enable your employer to track training completion and effectiveness
• Provide analytics dashboards to your employer's administrators
• Maintain system security and service quality

13. Your Employer's Responsibilities (Controller)

Your employer is responsible for:

• Providing you with their own privacy notice explaining how they use LeaderCoreAI
• Obtaining any necessary consent for processing your training data
• Determining what data is collected and how long it is retained
• Responding to your requests to access, correct, or delete your data
• Ensuring lawful basis for processing your performance data

We are responsible for:

• Processing your data only according to your employer's documented instructions
• Implementing appropriate technical and organizational security measures
• Assisting your employer in responding to your data rights requests
• Maintaining confidentiality and security of your data
• Deleting or returning your data when the service contract ends

14. Data Processing Agreement (DPA)

We have entered into a Data Processing Agreement with your employer that:

• Defines the scope, nature, and purpose of processing
• Specifies our obligations as a processor
• Requires appropriate security measures
• Restricts sub-processor engagement
• Provides for data breach notification
• Enables data protection audits

15. Security Measures (as Processor)

We implement industry-standard security measures:

Technical Measures:

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Secure authentication (Firebase Authentication with token-based access)
• Access controls and role-based permissions
• Regular security monitoring and logging (PII-safe): All system logs automatically anonymize personal data using SHA-256 email hashing, user ID truncation (8 characters), and sensitive field sanitization
• Automated backup and disaster recovery
• Zero PII exposure in logs: Our logging utility prevents accidental logging of passwords, tokens, full email addresses, or conversation content

16. Sub-Processors

We engage the following sub-processors to assist in service delivery:

• Google Cloud Platform / Firebase: Cloud infrastructure and database hosting (EU region: europe-central2)
• Google Cloud – Vertex AI: AI model for conversation simulations and grading (EU region: europe-central2)
• Vercel: Frontend hosting and CDN
• BigQuery: Analytics data warehouse (EU region: europe-central2)

All sub-processors are bound by written agreements requiring GDPR-compliant data protection.

We will notify customers of any changes to our sub-processor list in accordance with our DPA.

17. Data Location and Transfers

Employee training data is primarily stored in:

• Primary region: Europe-Central2 (Warsaw, Poland)
• Backup region: EU-based Google Cloud infrastructure
• AI processing: Google Cloud Vertex AI (europe-central2, Poland, EEA)

All international data transfers are protected by appropriate safeguards, including: EU Standard Contractual Clauses (SCCs); the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs where UK personal data is involved; and EU-US / UK-US Data Privacy Framework certifications where applicable.

18. Data Retention (as Processor)

We retain employee training data according to your employer's instructions, with different policies for demo users vs. full subscription users:

18.1 Session and Conversation Data (All Users)

• Active sessions: Conversation transcripts retained during active training session for AI context and grading
• Session deletion timeline: When you end a training session, it is marked for deletion and automatically removed within 24 hours by our scheduled cleanup process (runs at 2:00 AM and 2:00 PM UTC daily)
• Purpose of retention: Enables AI to provide contextual responses and generate performance assessments
• Content privacy: Conversation content is NOT exported to analytics systems - only metadata and scores

18.2 Performance Results and PDF Reports

• Performance data: Assessment scores, feedback, and grading results retained per user type (see 18.3 and 18.4 below)
• PDF reports: Generated performance reports expire and are automatically deleted 30 days after creation
• Download tracking: We track download count and last download date for report management

18.3 Demo User Data Retention

For users with demo/trial accounts:

• Demo duration: Typically 7 days from signup (configurable by administrator)
• Data deletion: ALL performance data, results, and session history are automatically deleted when the demo subscription expires
• No grace period: Demo users do not receive a 30-day grace period - deletion is immediate upon expiration
• Purpose: Demo data is for evaluation purposes only and is not intended for long-term retention

18.4 Full Subscription User Data Retention

For users with paid/full subscriptions (managed by employer):

• Active subscription: All performance data retained while subscription is active
• 30-day grace period: When employer's subscription ends, performance data remains accessible for 30 days before deletion
• Employer control: Your employer determines the subscription duration and data retention policy (within our technical limits)
• Archival options: Employers can export data before subscription ends

18.5 Analytics and Anonymization

• BigQuery exports: Performance metrics are exported to our analytics warehouse for platform improvement
• User anonymization: Before export, user IDs are replaced with SHA-256 hashes (irreversible, 16-character identifier)
• Data minimization: Only metadata and scores are exported - NO conversation content, names, or email addresses
• Fields exported: Session ID, user hash, subscription key, scenario details, scores, duration, message count
• Retention: Anonymized analytics data retained for 26 months, then aggregated further or deleted

18.6 System Logs and Audit Trails

• Security logs: Authentication attempts, access logs, error logs retained for 12 months (automatically anonymized)
• Audit trails: Compliance and troubleshooting logs retained for 12 months
• PII protection: All logs use our PII-safe logging utility (email hashing, user ID truncation)

18.7 Contract Termination

Upon employer contract termination, we will delete or return all identifiable personal data within 90 days unless legally required to retain. Anonymized analytics data may be retained per section 18.5 above.

19. Your Rights (When We Are Processor)

To exercise your data protection rights regarding your training data, please contact your employer's HR or privacy team, as they are the controller.

Your rights include:

• Right to access your training records and performance data
• Right to correct inaccurate information
• Right to request deletion (subject to employer's legitimate interests and legal obligations)
• Right to object to processing of your data
• Right to restrict processing
• Right to data portability

We will assist your employer in fulfilling these requests.

If you believe your employer is not properly handling your data, you have the right to lodge a complaint with your local data protection supervisory authority.

Contact us

For any questions about our services, your account, or anything else, please contact us directly at office@bluehorizontraining.ro — this is the fastest way to reach us regardless of where you are located. Note that for matters concerning your training data, your employer is the controller and should normally be your first point of contact.

UK Data Protection Representative

Blue Horizon Training S.R.L. has appointed DataRep as its UK Data Protection Representative. UK data subjects may contact DataRep by:

• Email: datarequest@datarep.com (quote "Blue Horizon Training S.R.L." in the subject line)
• Web form: www.datarep.com/data-request
• Post: DataRep, 107-111 Fleet Street, London, EC4A 2AB, United Kingdom

If you are unsure whether your question is a data protection matter, please contact us directly at office@bluehorizontraining.ro first — we will be happy to help or direct you to the appropriate channel.

20. Data Breach Notification

In the event of a personal data breach affecting employee training data:

• We will notify your employer without undue delay, and in any event within 48 hours of becoming aware
• We will provide details of the nature of the breach, affected data, and mitigation measures
• Your employer is responsible for notifying you and the supervisory authority as required by law

General Provisions

21. Cookies and Tracking Technologies

LeaderCoreAI operates two web properties with different cookie usage:

21.1 Marketing Website (https://leadercore.ai)

Our public marketing website uses cookies for analytics:

Google Analytics Cookies:

• _ga cookie: Distinguishes unique visitors (expires after 2 years)
• _gid cookie: Distinguishes unique visitors (expires after 24 hours)
• _gat cookie: Throttles request rate (expires after 1 minute)
• Purpose: Marketing analytics, visitor behavior tracking, website optimization
• Data retention: 14 months (Google Analytics GA4 default)
• Third-party processor: Google LLC
• Legal basis: Consent (required under GDPR/ePrivacy Directive)
• Cookie consent management: Implemented - consent banner allows you to accept/reject analytics cookies

Essential Cookies (Marketing Website):

• Next.js may use minimal technical cookies for routing and server-side rendering
• These are strictly necessary for the website to function

21.2 Application Platform (https://app.leadercore.ai)

Our application platform uses minimal browser storage for essential functionality:

Authentication Storage (Firebase SDK):

• Method: Browser localStorage and IndexedDB (NOT traditional cookies)
• Purpose: Maintain user authentication session and keep you logged in
• Data stored: Authentication tokens, refresh tokens, user session data
• Persistence: Managed by Firebase Authentication SDK (Google)
• Classification: Strictly necessary for service functionality
• No consent required: These are essential for the application to work

Next.js Framework Storage:

• Next.js may use minimal cookies for routing, server-side rendering, and framework functionality
• These are technical cookies necessary for the application to function

Functional Cookies:

• sidebar_state: Stores UI preference (sidebar expanded/collapsed), 7 days expiry, strictly necessary for user experience
• Purpose: Remembers your sidebar preference across sessions
• Classification: Essential functional cookie

Analytics (Firebase Analytics - First-Party Only):

• We use Firebase Analytics for service improvement (NOT Google Analytics)
• First-party analytics only - no third-party tracking scripts
• Client-side event tracking for performance monitoring and feature usage
• Important: This is different from Google Analytics GA4 used on the marketing site

21.3 What We DON'T Use (Both Domains)

• No advertising cookies: No ad targeting or remarketing cookies on either domain
• No third-party trackers on app: Application platform (app.leadercore.ai) has NO Google Analytics, Facebook Pixel, LinkedIn Insight Tag, or similar trackers
• No cross-site tracking: No cookies shared between leadercore.ai and app.leadercore.ai
• No marketing cookies on app: Application platform does not use marketing or campaign tracking cookies
• No social media tracking: No social media pixels or tracking on either domain

22. Children's Privacy

LeaderCoreAI is a B2B service for professional leadership training. We do not knowingly collect personal data from individuals under 18 years of age. If we become aware of such collection, we will delete the data promptly.

23. Automated Decision-Making

Our AI-powered grading system evaluates training performance using automated algorithms. However:

Results represent an invitation to reflect on your own performance during the simulation, and nothing further shall be construed from it.

24. Changes to This Notice

We may update this Privacy Notice from time to time to reflect changes in our practices or legal requirements. Material changes will be notified through:

• Email notification to registered customers and contacts
• Prominent notice on our website
• Updated "Last Updated" date at the top of this notice

We encourage you to review this notice periodically.

25. Supervisory Authority

If you have concerns about how we handle your personal data, you have the right to lodge a complaint with your local data protection supervisory authority:

• For EEA residents: Your national data protection authority (list available at: https://edpb.europa.eu/about-edpb/board/members_en)
• For UK residents: Information Commissioner's Office (ICO) - https://ico.org.uk - Tel: 0303 123 1113

26. Contact Us

For questions or concerns about this Privacy Notice or our data practices:

Blue Horizon Training SRL
Intrarea Biserica Albă 3, Ap. 6
010298, Sector 1, Bucharest, Romania
Email: office@bluehorizontraining.ro
Website: https://leadercore.ai

For data subject rights requests, please email us at: office@bluehorizontraining.ro

27. Legal Framework

This Privacy Notice is governed by:

• EU General Data Protection Regulation (GDPR) 2016/679
• UK General Data Protection Regulation (UK GDPR)
• UK Data Protection Act 2018
• National data protection laws implementing GDPR
• ePrivacy Directive 2002/58/EC (and the UK Privacy and Electronic Communications Regulations 2003, where applicable)