Privacy Policy

Identification and contact data: Full name, email address, postal address, and phone number

Account credentials: Username, password, and security information to access your account

Payment information: Credit card details and billing address (processed through secure third-party payment processors)

Usage data: Information about how you use our Services, including features accessed, content viewed, and time and duration of activities

Device information: Device type, operating system, unique device identifiers, and IP address

Communication logs: Records of communications with us, including emails, support tickets, and chat logs

Note on location data: We do NOT collect precise geolocation data unless you explicitly consent for a specific feature that requires it.

User Inputs: Data, text, or other content you submit to our AI models

AI model interactions: Information about how you interact with our AI models

Generated content and results: Output generated by our AI models based on your User Inputs

Performance metrics: Data about the performance of our AI models

Inferred data: Our AI models may infer information about you. These inferences are probabilistic and may not always be accurate. We do NOT use inferred data to make automated decisions with legal or similarly significant effects without your explicit consent

We may receive information about you from third-party sources, such as social media platforms, only if you choose to connect your account to those services and with your explicit consent.

Provide and improve AI services - Legal Basis: Contract performance | Details: Necessary to fulfill our service agreement

Personalize your experience - Legal Basis: Consent | Details: Only with your explicit opt-in

Process payments - Legal Basis: Contract performance | Details: Necessary to process transactions

Service communications - Legal Basis: Contract performance | Details: Essential service updates

Marketing - Legal Basis: Consent | Details: Only with your explicit opt-in

Security and fraud prevention - Legal Basis: Legitimate interest | Details: Protect our services and users

Legal compliance - Legal Basis: Legal obligation | Details: Respond to legal requests

Enforce terms - Legal Basis: Contract performance | Details: Protect our contractual rights

Where we rely on legitimate interests as legal basis, we have conducted documented balancing assessments to ensure our interests do not override your rights and freedoms.

These assessments are available upon request by contacting privacy@enosislabs.com.

Our documented balancing assessments document: The specific business need for processing, Impact on user privacy rights, Safeguards implemented to minimize risk, Overall proportionality assessment

Encryption: Industry-standard encryption protocols (TLS/SSL) for data in transit and at rest

Access controls: Multi-factor authentication and role-based access for authorized personnel

Security audits: Regular vulnerability assessments and penetration testing

Monitoring: Intrusion detection systems and anomalous activity monitoring

Training: Regular privacy training program for all employees

Impact assessments: Data Protection Impact Assessments (DPIA) for high-risk processing

Backup and recovery: Robust data backup systems and disaster recovery

Framework compliance: Alignment with ISO 27001, NIST Cybersecurity Framework

By default, we DO NOT use your content to train our AI models. This is our standard position to respect your privacy and control over your data.

If you wish to contribute to the improvement of our AI models, you may opt to participate through:

Account settings: Control panel with clear opt-in options

Granular consent: Specific options for different types of training

Easy revocation: Ability to withdraw consent at any time

When users opt to participate:

Anonymization: We prioritize the use of anonymized or pseudonymized data

Minimization: We only use the minimum data necessary for the specific purpose

Limited purpose: Data is used only for specific agreed model training

No sale: We never sell or license user data to third parties

When users opt to participate in AI training:

Legal basis: Explicit consent according to GDPR Article 6(1)(a)

Withdrawal: Right to withdraw consent at any time

Impact of withdrawal: Withdrawing consent does not affect basic functionality of our services

Cloud infrastructure: AWS, Google Cloud, Azure

Payment processors: Stripe, PayPal

Analytics: Google Analytics (only with consent)

All providers have data processing agreements requiring them to protect your information

We only share data with business partners with your explicit consent and clear identification of the partner and purpose.

We may disclose information to legal authorities when required by law, such as in response to a subpoena or court order.

In case of merger, acquisition, or asset sale, your information may be transferred to the acquiring entity with prior notification.

We may share aggregated or anonymized data that does not identify you with third parties for research or analysis.

Minimization: We retain data only as long as necessary for stated purposes

Regular review: We evaluate and delete data that is no longer necessary

Legal compliance: Some data may be retained to comply with legal obligations

Active account data - While account is active - Justification: Provide services

Inactive account data - 3 years after last activity - Justification: Account reactivation

Billing data - 7 years - Justification: Legal and tax requirements

Communication logs - 2 years - Justification: Technical support and dispute resolution

Security logs - 1 year - Justification: Incident investigation

AI training data - Until consent withdrawal - Justification: Only if user opted to participate

We implement automated systems to delete data according to these schedules, with prior notifications when appropriate.

Right of access: Request access to personal information we hold about you

Right to rectification: Request correction of inaccurate or incomplete information

Right to erasure: Request deletion of your personal information (with certain exceptions)

Right to restriction: Request restriction of processing in certain circumstances

Right to portability: Receive your data in structured, machine-readable format

Right to object: Object to processing, including for direct marketing and AI training

Withdraw consent: Withdraw consent at any time without affecting lawfulness of prior processing

Granular control: Manage specific consents for different purposes

Non-discrimination: We do not discriminate for exercising CCPA/CPRA rights

No sale: We do NOT sell personal information as defined in CCPA/CPRA

Contact: privacy@enosislabs.com

Response time: 45 days for CCPA/CPRA, 30 days for GDPR

Verification: We may need to verify your identity before fulfilling requests

When you request data deletion:

Immediate deletion: We delete your active data immediately

Verification: We provide deletion confirmation within 30 days

No problematic retention: We do NOT retain data 'through legal loopholes' after valid deletion requests

Limited exceptions: We only retain data if required by specific and documented legal obligations

Our Services are NOT directed to children under 13 years old (or the relevant age of digital consent in your jurisdiction). We do NOT knowingly collect Personal Information from children without verifiable parental consent.

Age verification protocols to prevent unauthorized access by minors

No profiling or targeted advertising to children

COPPA compliance and other child-specific regulations

Immediate deletion if we discover we have collected data from minors without consent

If you are a parent or guardian and believe your child has provided us with personal information without your consent, contact us immediately at privacy@enosislabs.com.

Enosis Labs is based in the United States. If you access our Services from outside the United States, your personal information may be transferred, stored, and processed in the United States.

Standard Contractual Clauses (SCC) approved by the European Commission

Transfer assessments to ensure adequate protection

Local requirements compliance for cross-border transfers

GDPR (Where Applicable): Data protection by design and by default (Article 25), Data Protection Impact Assessments (DPIA) for high-risk processing, Enhanced data subject rights

CCPA/CPRA: Expanded definition of personal information including household data, Consumer request verification processes, CPRA amendments compliance including sensitive personal information requirements

Delaware Law: Delaware breach notification law compliance (6 Del. C. § 12B-101 et seq.), Reasonable security measures as required by Delaware law, Timely notification to affected individuals and Delaware Department of Justice

We maintain a comprehensive data breach response plan that prioritizes:

Immediate containment of the incident

Impact assessment on affected personal information

Timely notification to affected users

Damage mitigation and protective measures

In case of a data breach affecting your personal information:

User notification: Within 72 hours of discovery (per GDPR) or without unreasonable delay (per CCPA)

Notification content: What information was affected, how it occurred, what we're doing to prevent future incidents

Protection guidance: Steps you can take to protect yourself

Regulatory compliance: Notification to authorities as required by law

Incident documentation to improve security practices

Post-incident analysis to prevent future breaches

Policy updates based on lessons learned