Trust
Your product data. Your control.
TalkPod runs on a brand's product data, which means we're the processor and you're the controller. Here's who owns what, who else touches it, what we won't do with it, and where we are on the compliance roadmap. If you'd rather have the DPA, the subprocessor list, or a completed security questionnaire in your inbox, email hello@talkpod.ai.
Who owns what
You own all of it. In the language of the regulations, we're a processor and you're the controller. That means we only do things with your data that you've told us to do.
- Your product data. Descriptions, attributes, pricing, DPP fields, any catalogue you connect. It stays your intellectual property. We hold a copy so we can embed it and serve the pods, and we delete it when your contract ends.
- Embeddings and anything derived from your data. We hold them to run the service. You own them, and they're deleted when the source data is.
- Conversation logs. Every question your customers ask a pod, and every answer it gives back, is yours. We process it on your behalf under the DPA.
- End-customer identifiers. Session IDs, WhatsApp sender phone numbers if that's a channel you've turned on, any personal details a visitor happens to share in a conversation. All of it sits under your control as the data controller.
- Account metadata. Billing, admin logins, configuration of the platform. That's a shared responsibility and it's covered by our privacy policy.
What we won't do
- We won't train any AI model on your data. Not ours, not our subprocessors'. It's written into our contracts with Anthropic and Voyage AI. If we ever wanted to do something different, it would need a new clause in your contract, not a quiet policy update.
- We won't sell your data. Not to anyone.
- We won't use one customer's questions to improve another customer's pod. There's no anonymised benchmark programme sitting in the background that could tempt us to. If we ever build one, it'll be opt-in and you'll sign for it.
- We won't share conversations between tenants. Isolation is enforced at the database on every query. Automated tests verify it on every change we merge, and a failing test blocks a merge.
- We won't keep your data once the contract ends. Product data, embeddings, logs, all of it is gone within 30 days, both on our systems and at our subprocessors.
Who processes data alongside us
These are the third parties who touch your data as part of delivering the service. If this list changes, customers hear about it 30 days before it does.
- Anthropic. Claude model inference. No training on API data. Zero Data Retention available on the Enterprise plan.
- Voyage AI. Text embeddings. No training on API data.
- Neon. Postgres and pgvector hosting. EU region available. Encryption at rest (AES-256), in transit (TLS 1.3).
- Netlify. Hosting and edge compute. SOC 2 Type II, ISO 27001.
- Clerk. Authentication and organisation management. SOC 2 Type II.
- Fathom Analytics. Cookieless analytics for this marketing site. No personal data, no cross-site tracking.
Where data lives
Your product data sits in our primary region. EU residency is available on Scale and Enterprise contracts, and on Enterprise we can route Anthropic inference through EU regions too.
Where data crosses a border, it does so under UK-EU adequacy and the Standard Contractual Clauses that sit inside our DPA.
Retention and deletion
- Product data. Held for the life of the contract. Refreshed when you sync. Deleted when the contract ends.
- Conversation logs. Kept for 90 days by default, or between 30 and 365 days if your contract specifies. Deleted when the contract ends.
- Operational backups. Up to 30 days past deletion for disaster recovery, which is standard across our infrastructure providers.
- Right to erasure. Available on request, any time. Propagates to every subprocessor. Written confirmation available.
Security
- Encryption. At rest (AES-256) and in transit (TLS 1.3).
- Per-tenant isolation. Enforced at the database, on every read and every write.
- Authentication. Clerk Organizations. SSO available on Scale and Enterprise.
- Rate limiting. Layered per-IP and per-tenant, to protect against abuse and runaway cost.
- Audit logs. Admin actions are logged. End-customer conversation audit trails available for DPP provenance on request.
- Answer attribution. The source records a pod drew an answer from are kept alongside the conversation. If you need the trace for a specific answer, we can produce it.
Tenant isolation and standards conformance
Two questions come up in every procurement conversation. Can the brand next to me on this platform see my data? And if I print a QR code today, will it still work in five years?
For the first: every query is scoped to your tenant ID at the database, not at the application layer. We'd rather refuse a query than let one slip across a boundary. Cross-tenant isolation tests run on every change we merge, and a failing test blocks the merge.
For the second: passport URLs follow the GS1 Digital Link URI syntax, grounded in ISO/IEC 18975, with schema.org and the GS1 Web Vocabulary as the semantic layer. The identifiers on your products belong to your brand, not the platform. If TalkPod changes, the URL on the box keeps resolving.
The GS1 Digital Link granularity hierarchy runs from GTIN at the model level, through GTIN-plus-batch for production runs, to GTIN-plus-serial for item-level tracking. Lifecycle events (repairs, resale, take-back) attach at the right level without disturbing the base record. EPCIS event capture is on the roadmap as item-level requirements land.
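The granularity hierarchy above, written as a validating parser that rejects malformed identifiers before anything is resolved. This is an added example, not TalkPod's code: the `id.example.com` domain and sample values are constructed, and only application identifiers 01, 10 and 21 are handled.

```python
from urllib.parse import urlsplit, unquote

# GS1 application identifiers: 01 = GTIN, 10 = batch/lot, 21 = serial.
QUALIFIER_ORDER = ["10", "21"]  # subset handled here; must appear in this order


def gtin_check_digit_ok(gtin: str) -> bool:
    """GS1 mod-10 check; weights 3,1,3,... from the digit left of the check digit."""
    total = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(reversed(gtin[:-1])))
    return (10 - total % 10) % 10 == int(gtin[-1])


def parse_digital_link(uri: str) -> dict:
    """Return GTIN, qualifiers and granularity level; raise ValueError if malformed."""
    segs = [unquote(s) for s in urlsplit(uri).path.split("/") if s]
    if "01" not in segs:
        raise ValueError("no GTIN (AI 01) in path")
    segs = segs[segs.index("01"):]  # skip any resolver path prefix
    if len(segs) % 2:
        raise ValueError("AI without a value")
    pairs = list(zip(segs[0::2], segs[1::2]))
    gtin = pairs[0][1]
    if not (gtin.isascii() and gtin.isdigit() and len(gtin) in (8, 12, 13, 14)):
        raise ValueError("GTIN must be 8, 12, 13 or 14 digits")
    gtin = gtin.zfill(14)  # normalise to GTIN-14
    if not gtin_check_digit_ok(gtin):
        raise ValueError("GTIN check digit mismatch")
    quals, last = {}, -1
    for ai, value in pairs[1:]:
        pos = QUALIFIER_ORDER.index(ai) if ai in QUALIFIER_ORDER else -1
        if pos <= last:
            raise ValueError(f"unknown, repeated or out-of-order qualifier {ai!r}")
        if not 1 <= len(value) <= 20:
            raise ValueError(f"AI {ai} value must be 1 to 20 characters")
        quals[ai], last = value, pos
    level = "item" if "21" in quals else "batch" if "10" in quals else "model"
    return {"gtin": gtin, "batch": quals.get("10"), "serial": quals.get("21"), "level": level}


# Constructed sample URIs; id.example.com is a placeholder resolver domain.
SAMPLES = [
    "https://id.example.com/01/09506000134352",
    "https://id.example.com/01/09506000134352/10/LOT42",
    "https://id.example.com/01/09506000134352/10/LOT42/21/SN0001",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(parse_digital_link(uri)["level"], uri)
```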
Compliance roadmap
This is where we are, not a projection.
- Today. GDPR and UK DPA 2018 compliance. Data Processing Agreement available on request. Subprocessor list published. Privacy policy in place.
- Next six months. Cyber Essentials Plus certification. First external penetration test. PII detection and redaction in conversation logs.
- Year two. SOC 2 Type I, then Type II, scoped for Enterprise procurement. Timing depends on the first Enterprise contract closing.
- Ongoing. Quarterly review of access controls, subprocessor posture, and incident response readiness.
If something goes wrong
If there's a security incident, customers affected hear from us within 72 hours, as GDPR Article 33 requires. You'll get what happened, what data was involved, what we've done to contain it, and what you need to do next. We don't do silent fixes.
Digital Product Passport accuracy
When a pod answers a question about a DPP field, the source record it drew the answer from is kept alongside the conversation. If your compliance team needs the trace for a regulated answer, we can produce it message by message. You stand behind the data, we stand behind the answer being drawn from it rather than invented. The public passport record works the same way.
A quote-only mode for regulated fields, where the pod returns the source line rather than paraphrasing, is something we'll build for any customer who needs it. Mention it in the pilot conversation and we'll have it ready before live traffic.
Where to go next
For the bigger picture on the platform, the how-it-works page covers the four-stage loop. For DPP timelines and category requirements, the DPP page has the detail. To start a conversation, the contact form is the fastest way.
For procurement, compliance, legal or security, email hello@talkpod.ai for the DPA, subprocessor list, or a completed security questionnaire. We reply within two working days.