Privacy Policy

Last Updated: December 2025

Effective Date: December 1, 2025

Introduction

At ComPSI(ψ) ("Company," "we," "us," or "our"), we are committed to protecting your privacy and maintaining the highest standards of data security. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the ComPSI AI Ethical Health Check Platform (the "Service").

This policy applies to all users of our Service, including web-based assessments and SDK integrations. By using our Service, you agree to the collection and use of information in accordance with this policy.

Our Core Privacy Commitment:

Your assessment results are strictly private and belong to you. We never share, sell, or use your assessment data for purposes other than providing the Service to you.

Information We Collect

3.1 Account Information

When you create an account, we collect:

  • Name and email address
  • Organization details (if applicable)
  • Payment information (processed securely via Stripe - we do not store credit card details)
  • API keys and authentication credentials (encrypted)

3.2 Assessment Data

🔒 CRITICAL PRIVACY PROTECTION

All assessment data is strictly confidential and protected:

  • Your AI system prompts and configurations
  • Assessment parameters and settings
  • Assessment results, scores, and analysis
  • Conversational test interactions and responses

✓ Results are NEVER shared publicly without your explicit authorization
✓ Each organization's data is completely isolated in our multi-tenant architecture
✓ SDK-initiated assessments maintain identical privacy standards

3.3 Usage Information

  • API usage metrics and request logs
  • Billing and transaction history
  • Feature usage analytics (aggregated and anonymized)
  • Technical logs for system performance and debugging

3.4 SDK Integration Data

  • SDK-initiated assessment requests and configurations
  • Internal system integration metadata
  • Results delivered via webhook (encrypted in transit)
  • All SDK results maintain the same privacy protections as web-based assessments

How We Use Your Information

4.1 Service Delivery

  • Provide AI ethical assessments and health checks
  • Process and display assessment results securely
  • Manage user accounts and authentication
  • Process billing and subscription management

4.2 Service Improvement

  • Analyze platform performance using aggregated data only
  • Improve assessment accuracy and framework effectiveness
  • Develop new features based on usage patterns (anonymized)
  • Technical troubleshooting and system optimization

4.3 Communication

  • Service updates and platform notifications
  • Billing confirmations and payment receipts
  • Critical security alerts and notices
  • Feature announcements and product updates (you can opt-out)

Data Privacy and Security

5.1 Assessment Result Privacy

Your Results Are Yours Alone

  • Assessment results are private by default
  • Only your organization can access your results
  • Results are never used for marketing or shared with third parties
  • No public leaderboards or comparative analytics without explicit consent
  • SDK-initiated assessments maintain identical privacy standards
  • You control who sees your data at all times

5.2 Data Security Measures

  • Industry-standard encryption (TLS 1.3) for all data in transit
  • Encryption at rest for sensitive data and credentials
  • Secure authentication with bcrypt-hashed API keys
  • Regular security audits and penetration testing
  • SOC 2 Type II compliance (in progress)
  • Multi-factor authentication available for enhanced security

5.3 Data Isolation

  • Multi-tenant architecture with strict organization-level separation
  • Row-level security policies enforced at database level
  • No cross-organization data sharing or access
  • Separate encrypted storage per organization

Data Sharing and Disclosure

6.1 We DO NOT Share

  • ✗ Your assessment results
  • ✗ Your AI system prompts or configurations
  • ✗ Your proprietary testing data
  • ✗ Individual usage patterns or behaviors
  • ✗ Personal information for marketing purposes

6.2 We MAY Share

  • Aggregated, anonymized usage statistics for platform improvement
  • Information required by law (subpoenas, court orders, legal obligations)
  • Data with trusted service providers under strict confidentiality agreements
  • Information necessary to prevent fraud, security threats, or protect rights

6.3 Service Providers

We work with select service providers who are contractually bound to data protection standards:

  • Stripe: Payment processing (PCI DSS Level 1 certified)
  • Neon/PostgreSQL: Secure database hosting and storage
  • Vercel: Application hosting and edge infrastructure
  • All providers maintain SOC 2 compliance and execute Data Processing Agreements (DPAs)

Data Retention

7.1 Assessment Data

  • Results retained for the duration of your active subscription
  • Historical data available per your account retention settings
  • Option to delete individual assessments at any time
  • Bulk deletion available upon account closure request

7.2 Account Data

  • Account information retained while account is active
  • 30-day grace period after account closure for data export
  • Billing records retained for 7 years (legal requirement)
  • Anonymized usage data may be retained for analytics

7.3 Audit Logs

  • System audit logs retained for security and compliance purposes
  • Access logs encrypted and stored securely
  • Standard retention period: 90 days (extendable for Enterprise customers)

Your Privacy Rights

8.1 Access and Control

  • View all data associated with your account via dashboard
  • Download your assessment results (JSON/CSV export)
  • Update account information at any time
  • Delete specific assessments or test runs

8.2 Data Portability

  • Export all assessment data in standard formats (JSON, CSV)
  • API access for programmatic data retrieval
  • Bulk export functionality for Enterprise customers

8.3 Right to Deletion

  • Request complete account and data deletion
  • 30-day processing period for complete removal
  • Certain data may be retained for legal compliance (billing records)
  • Anonymized aggregate data may be retained for platform improvement

8.4 Marketing Communications

  • Opt-out of promotional emails via unsubscribe link
  • Control notification preferences in account settings
  • Essential service communications cannot be disabled

Cookies and Tracking

9.1 Essential Cookies

  • Authentication and session management
  • Security and fraud prevention
  • User preference storage
  • These cookies are necessary for Service functionality

9.2 Analytics

  • Aggregated usage analytics (no personal identification)
  • Performance monitoring and optimization
  • Error tracking and debugging

9.3 Third-Party Cookies

  • Stripe for payment processing only
  • No advertising or behavioral tracking cookies
  • No data sold to third parties

International Data Transfers

  • Data primarily stored in US-based cloud regions (AWS/Neon)
  • Standard Contractual Clauses (SCCs) for EU data transfers
  • Full compliance with GDPR requirements
  • Enterprise customers may request specific data residency options

California Privacy Rights (CCPA)

If you are a California resident, you have the following rights:

  • Right to Know: What personal information we collect and how it's used
  • Right to Delete: Request deletion of your personal information (with certain exceptions)
  • Right to Opt-Out: We do not sell personal data
  • Non-Discrimination: We will not discriminate against you for exercising your privacy rights

GDPR Compliance (EU Users)

  • Lawful Basis: Contract performance and legitimate business interest
  • Data Protection Officer: Contact privacy@gidanc.ai
  • Right to Complaint: You may lodge a complaint with your local supervisory authority
  • Cross-Border Transfers: Protected by Standard Contractual Clauses

Children's Privacy

  • Our Service is not intended for users under 18 years of age
  • We do not knowingly collect information from minors
  • If we learn we have collected data from a minor, we will delete it immediately
  • Contact us if you believe we have inadvertently collected minor's data

Changes to This Policy

  • We may update this Privacy Policy from time to time
  • Material changes will be notified 30 days in advance via email
  • Continued use of the Service after changes constitutes acceptance
  • Archive of previous versions available upon request

Contact Us

Privacy Questions or Requests

Data Subject Requests

Submit via email with subject line: "Privacy Request - [Type]"

Include: Account email, request type (access/deletion/portability), and verification information

⚠️ Legal Notice: This Privacy Policy must be reviewed by qualified legal counsel before publication. This is a comprehensive template but requires customization for your specific jurisdiction and business structure.