Skip to content
OneOnOneOneOnOneSign In

Privacy Policy

Last updated: April 2026

1. Data Controller

OneOnOne is operated by Fika It Solutions, Lda (NIF 518278530), with registered office at Parque de Ciência e Tecnologia da Ilha Terceira, 9700-702 Terra Chã, Angra do Heroísmo, Açores, Portugal.

For any privacy-related inquiries, you can contact us at fikaitsolutions@gmail.com.

2. Data We Collect

When you use OneOnOne, we collect and process the following categories of personal data:

  • Account information: name, email address, and hashed password (if you register with email). If you sign in with Google, we receive your name and email from Google.
  • Company information: your email domain is used to automatically associate you with a company workspace. Company name may be stored for billing purposes.
  • Session data: meeting notes, framework responses, happiness scores (including trend data and contextual notes), action items, prep notes, and icebreaker responses created during your 1:1 sessions.
  • Goals: SMART goals you create, including titles, descriptions, deadlines, progress updates, and check-in notes.
  • Retrospective data: tickets, notes, votes, reactions, action items, and ratings you contribute during team retrospectives. Your display name is visible to other participants.
  • AI-generated content: evaluations, session prep suggestions, and team pulse reports generated by our AI provider based on your session data (see Section 5).
  • Feedback: ratings, categories, and messages you voluntarily submit through the feedback feature.
  • Academy progress: your progress through Manager Academy learning content, including quiz results.
  • Billing data: if you subscribe to a paid plan, your billing email and company name are shared with our payment processor (Stripe). We do not store payment card details.
  • Technical data: essential session cookies required for authentication. We do not use advertising cookies. We use Vercel Analytics and Speed Insights to collect anonymised, aggregated performance and usage data (see Section 6).

3. Legal Basis for Processing

We process your personal data on the following legal grounds under the GDPR:

  • Consent: by creating an account and accepting our Terms of Service, you consent to the processing of your data as described in this policy.
  • Contract performance: processing is necessary to provide you with the OneOnOne service.
  • Legitimate interest: we may process aggregated, anonymised data to improve our service.

4. How We Use Your Data

We use the collected data exclusively to:

  • Provide, maintain, and improve the OneOnOne service.
  • Authenticate your identity and secure your account.
  • Associate you with your team and company workspace.
  • Display your meeting history, action items, goals, and progress.
  • Generate AI-powered insights, evaluations, session prep, and team pulse reports by transmitting relevant session data to our AI provider (see Section 5).
  • Facilitate real-time collaboration during retrospectives.
  • Process subscriptions and billing through our payment processor.
  • Process and respond to feedback you submit.
  • Send service-related communications such as invite links, retro summaries, and policy change notifications.
  • Collect anonymised performance and usage metrics to improve service quality.

5. Data Sharing, Third Parties, and Sub-Processors

We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes.

To provide and operate the Service, we use the following third-party sub-processors. Each receives only the minimum data necessary for its function:

  • Microsoft Azure OpenAI (AI processing) — Receives session data including names, roles, framework responses, happiness scores, action items, and manager notes to generate AI-powered evaluations, session prep, and team pulse reports. Your data is processed under our agreement with Microsoft and is not used to train AI models.
  • Google (authentication) — Receives only the OAuth authentication request when you choose to sign in with Google. Your OneOnOne data is never sent to Google.
  • Stripe (payment processing) — Receives billing contact email, company name, and subscription metadata when you subscribe to a paid plan. Payment card details are processed directly by Stripe and never stored on our systems.
  • Pusher (real-time collaboration) — Receives event data during retrospective sessions, including participant display names and retro content (tickets, notes, votes), to enable real-time synchronisation between participants.
  • Resend (transactional email) — Receives recipient email addresses and message content for service-related communications such as invite links, welcome emails, and retrospective summaries.
  • Vercel (hosting and analytics) — Hosts the OneOnOne application (Frankfurt, EU region). Vercel Analytics and Speed Insights collect anonymised, aggregated performance and usage metrics. No personally identifiable information is collected by these analytics services.
  • Neon (database hosting) — Hosts the PostgreSQL database that stores all application data, within the European Union.

6. Cookies and Analytics

OneOnOne uses essential cookies required for authentication and session management. These cookies are strictly necessary for the service to function and cannot be disabled. We do not use advertising or tracking cookies.

We use Vercel Analytics and Vercel Speed Insights to collect anonymised, aggregated data about page visits and performance. These tools do not use cookies, do not collect personally identifiable information, and do not track individual users across sessions.

7. Data Retention

Your personal data is retained for as long as your account remains active. When you delete your account, all associated data (profile, sessions, action items, goals, happiness scores, retrospective contributions, AI-generated content, feedback, and academy progress) is permanently and irreversibly deleted from our systems.

Invite tokens expire automatically (30 days for direct report invites, 48 hours for transfer codes). Expired tokens are no longer valid but may remain in the database until the associated record is deleted.

8. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights:

  • Right of access: you can view all your data within your OneOnOne account at any time.
  • Right to rectification: you can update your name and email through your account settings.
  • Right to erasure: you can permanently delete your account and all associated data from the account settings page.
  • Right to data portability: you may request a copy of your data by contacting us at the email address above.
  • Right to object: you may object to the processing of your data by contacting us.
  • Right to withdraw consent: you may withdraw your consent at any time by deleting your account.

To exercise any of these rights, you can use the in-app account settings or contact us at fikaitsolutions@gmail.com.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. Passwords are stored using one-way hashing and are never stored in plain text.

10. International Transfers

Your data is primarily processed and stored within the European Union. Our application is hosted in Vercel's Frankfurt (EU) region and our database is hosted by Neon within the EU.

Some sub-processors (such as Microsoft Azure OpenAI, Stripe, and Pusher) may process data in facilities outside the EEA. Where such transfers occur, they are covered by appropriate safeguards, including Standard Contractual Clauses (SCCs) or equivalent mechanisms as required by the GDPR.

11. Children's Privacy

OneOnOne is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via the email address associated with your account. Your continued use of the service after such notification constitutes acceptance of the updated policy.

13. Supervisory Authority

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados — CNPD) or any other competent supervisory authority within the European Union.

14. Governing Law

This Privacy Policy is governed by the laws of the Portuguese Republic and the General Data Protection Regulation (EU) 2016/679 (GDPR).

© 2026 Fika It Solutions, Lda. All rights reserved.