Valid AI respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, and safeguard your data.

Information We Collect

Account Information

• Name, email address, job title, and phone number
• Organization affiliation and membership category
• Login credentials (passwords are encrypted and never stored in plain text)
• Account activity including login times and frequency

Usage Data

• AI chatbot interactions and conversation history
• Media files and documents you upload to the platform
• System performance metrics and error logs
• Access patterns and feature usage analytics

Technical Information

• IP addresses and browser information for security purposes
• Session data and authentication tokens
• System logs for monitoring and troubleshooting

How We Use Your Information

• Service Delivery: Provide access to AI governance resources and chatbot services
• Access Control: Restrict content based on your organization's membership category
• Communication: Send newsletters and notifications (when enabled by admins)
• Authentication: Verify your identity and maintain login sessions
• System Operation: Basic logging for troubleshooting and performance monitoring

Information Sharing

We DO NOT sell or rent your personal information to third parties.

Limited Sharing Occurs Only For:

• Service Providers: Trusted third-party services that help us operate our platform
• Legal Requirements: When required by law or to protect our rights and safety
• Organization Members: Basic contact information may be visible to other delegates in your organization
• Aggregated Data: Anonymous, aggregated statistics for research and improvement purposes

Third-Party Services

Our platform integrates with the following third-party services that process your data:

• OpenAI: Your chatbot conversations are sent to OpenAI's GPT-4o API for processing. OpenAI has their own data handling policies.
• Amazon Web Services (AWS): File uploads are stored in AWS S3. AWS handles encryption and security.
• Gmail SMTP: Email delivery for newsletters and notifications through Google's servers.
• Hosting Provider: Application and database hosted on cloud infrastructure (likely Heroku based on configuration).

Data Storage & Retention

• Database: User data stored in PostgreSQL database on hosting provider
• Files: Uploaded media stored in AWS S3 buckets
• Retention: Data retained indefinitely while account is active (no automatic deletion implemented)
• Backups: Database backups maintained by hosting provider

Your Rights & Choices

• Profile Updates: You can update your name, job title, and phone number through your profile page
• Password Changes: You can change your password through the profile settings
• Data Access: Contact your organization's admin or support for data access requests
• Account Deactivation: Admins can deactivate accounts, but data deletion requires manual intervention

Children's Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected such information, we will take steps to delete it promptly.

Cookies & Tracking

• Session Cookies: Flask session cookies for authentication (stored in browser)
• CSRF Tokens: Flask-WTF generates CSRF tokens for form security
• Google Analytics: Usage analytics tracking for authenticated users (tracking ID: G-M5XEEZS5DQ)

Data Location

Data is processed and stored by third-party providers (hosting, AWS, OpenAI) which may be located in various countries. The application does not implement specific data residency controls or international transfer safeguards beyond what the service providers offer.

Policy Updates

This policy may be updated to reflect changes in the application or legal requirements. Updates will be posted on this page with a new "Last Updated" date. No automatic notification system for policy changes is currently implemented.