Plainly.

The assessment form asks eleven questions across four steps. Three answer the substance — what's slowing the business down, where the team's time goes, and how much AI the firm uses today. Four describe the firm — industry, headcount, city or region, your role. Three are how to reach you — first name, email, language preference. The eleventh is consent to receive the assessment and an optional one-time follow-up.

We also record technical details that arrive automatically with any web request: the browser you used, the country resolved from your IP address, and where you came from if you arrived via a link. We do not record your full IP address, your name, or any other identifier you didn't type into the form.

The substance answers feed the assessment we generate for you. The firm-shape answers help us calibrate the response — a four-person studio gets a different read than a forty-person law firm. Your name and email are how we send the assessment back. Nothing more.

Submissions are stored in a Supabase database hosted in the EU-West region (Ireland), encrypted at rest. The website itself runs on Vercel's EU region. Email delivery uses Resend. We chose every one of these providers for their EU-region availability and their disclosed data-processing terms — no client data crosses the Atlantic for routine processing.

Indefinitely, unless you ask us to delete it. Most professional-services firms don't ask, and the answers people give us are part of how we keep getting better at this work. If you ever want yours removed, one email is enough — we delete the row, confirm we've done it, and that's the end of it.

Inside Phantom: the operator working with you, and no one else. Outside Phantom: only the providers above (Supabase, Vercel, Resend), each acting as a data processor under its own published terms, each pinned to the EU. We do not sell, share, rent, or syndicate the data — not to advertisers, not to data brokers, not to partners. There are no partners.

We don't use cookies for tracking. The site uses Plausible for page-view analytics — it's privacy-first, EU-hosted, and counts visits without identifying anyone. That's why this page has no cookie banner. There's nothing to consent to.

The information above describes the public assessment funnel only. When we sign an engagement with a client firm, the data architecture is set out in the engagement contract: by default, large-language-model calls and storage stay pinned to EU or Swiss regions, sensitive data is encrypted, access is logged, and nothing crosses borders without the client's written agreement. If you're considering an engagement and want to see the architecture stance ahead of time, ask. We'll send it.