Your data, plainly.

Who owns what

You own all of it. In the language of the regulations, we're a processor and you're the controller. That means we only do things with your data that you've told us to do.

• Your product data. Descriptions, attributes, pricing, DPP fields, any catalogue you connect. It stays your intellectual property. We hold a copy so we can embed it and serve the pods, and we delete it when your contract ends.
• Embeddings and anything derived from your data. Ours to hold, yours to own. Deleted when the source data is.
• Conversation logs. Every question your customers ask a pod, and every answer it gives back, is yours. We process it on your behalf under the DPA.
• End-customer identifiers. Session IDs, WhatsApp sender phone numbers if that's a channel you've turned on, any personal details a visitor happens to share in a conversation. All of it sits under your control as the data controller.
• Account metadata. Billing, admin logins, configuration of the platform. That's a shared responsibility and it's covered by our privacy policy.

What we won't do

The "won't" list tends to matter more than the "will" list.

• We won't train any AI model on your data. Not ours, not our subprocessors'. It's written into our contracts with Anthropic and Voyage AI. If we ever wanted to do something different, it would need a new clause in your contract, not a quiet policy update.
• We won't sell your data. Not to anyone.
• We won't use one customer's questions to improve another customer's pod. There's no anonymised benchmark programme sitting in the background that could tempt us to. If we ever build one, it'll be opt-in and you'll sign for it.
• We won't share conversations between tenants. Isolation is enforced at the database on every query. Automated tests verify it on every change we merge, and a failing test blocks a merge.
• We won't keep your data once the contract ends. Product data, embeddings, logs, all of it gone within 30 days, at us and at our subprocessors.

Who processes data alongside us

These are the third parties who touch your data as part of delivering the service. If this list changes, customers hear about it 30 days before it does.

• Anthropic. Claude model inference. No training on API data. Zero Data Retention available on Enterprise plans.
• Voyage AI. Text embeddings. No training on API data.
• Neon. Postgres and pgvector hosting. EU region available. Encryption at rest (AES-256), in transit (TLS 1.3).
• Netlify. Hosting and edge compute. SOC 2 Type II, ISO 27001.
• Clerk. Authentication and organisation management. SOC 2 Type II.
• Fathom Analytics. Cookieless analytics for this marketing site. No personal data, no cross-site tracking.

Where data lives

Your product data sits in our primary region. EU residency is an option on Scale and Enterprise contracts, and on Enterprise we can route Anthropic inference through EU regions too.

Where data crosses a border, it does so under UK-EU adequacy and the Standard Contractual Clauses that sit inside our DPA.

Retention and deletion

• Product data. Held for the life of the contract. Refreshed when you sync. Deleted when the contract ends.
• Conversation logs. Kept for 90 days by default, anywhere from 30 to 365 if your contract sets a different number. Deleted when the contract ends.
• Operational backups. Up to 30 days past deletion for disaster recovery, which is standard across our infrastructure providers.
• Right to erasure. Available any time you ask. Propagates to every subprocessor. Written confirmation on request.

Security

• Encryption. At rest (AES-256) and in transit (TLS 1.3).
• Per-tenant isolation. Enforced at the database, on every read and every write.
• Authentication. Clerk Organizations. SSO available on Scale and Enterprise.
• Rate limiting. Layered per-IP and per-tenant, to protect against abuse and runaway cost.
• Audit logs. Admin actions are logged. End-customer conversation audit trails available for DPP provenance on request.
• Answer attribution. Every pod answer can be traced back to the source field it came from in your data. No free-running generative claims about regulated fields.

Compliance roadmap

This is where we are, not where we'd like to look like we are.

• Today. GDPR and UK DPA 2018 compliance. Data Processing Agreement available on request. Subprocessor list published. Privacy policy in place.
• Next six months. Cyber Essentials Plus certification. First external penetration test. PII detection and redaction in conversation logs.
• Year two. SOC 2 Type I, then Type II. Scoped for Enterprise procurement requirements. Timing depends on the first Enterprise contract landing.
• Ongoing. Quarterly review of access controls, subprocessor posture, and incident response readiness.

If something goes wrong

If there's a security incident, customers affected hear from us within 72 hours, as GDPR Article 33 requires. You'll get what happened, what data was involved, what we've done to contain it, and what we need you to do next. No silent fixes.

Digital Product Passport accuracy

When your pod answers a question about a DPP field, we can trace that answer back to the specific row and column in your data it came from. You stand behind the data, we stand behind the answer being drawn from it rather than invented.

There's a strict mode for regulated fields. Turn it on and the pod quotes from your dataset rather than rewriting it into its own words. Audit logs of every answer, and where it came from, are kept for the length of your contract. Regulators can have them on request.

Ask us anything

If you're in procurement, compliance, legal, or security and you need our DPA, subprocessor list, a completed security questionnaire, or anything else, email hello@thehumankind.co. We reply inside two working days.