- Web Demo
- Get Started Now
Last updated September 2023
Private AI’s raison d’être is to render personal data safe when put to use for the many beneficial purposes it can serve. While our products are built to protect your customers’ data, this Privacy Statement is for you, our customer. This Privacy Statement explains to you how Private AI collects, uses, stores, and discloses your personal data. It is our commitment to live up to our name by not only respecting your privacy, but by acknowledging the fact that you have the right to remain in control of your data which you permit us to process in particular ways. Hence, you have a right to full transparency and to hold us accountable to what we say we will do with your data.
Depending on which of our products you use, different sections of our Privacy Statement will be of relevance to you. As concerns our Redact and PrivateGPT Headless product suites, which are deployed on your premises, Private AI has no access whatsoever to your data. We explain this in detail under Redact and PrivateGPT Headless. Our web demo and the PrivateGPT Chatbot solutions rely on data retained for a few seconds for the purpose of processing in the Microsoft Azure infrastructure. Find details under PrivateGPT Chatbot and Web Demo.
At Private AI, our CEO is the designated Privacy Officer and as such responsible for protecting your personal data.
Private AI’s Data Privacy Designate
428-192 Spadina Ave., Toronto, ON M5T 2C2
What is Personal Data?
Different privacy laws and regulations define personal data differently. At Private AI we hold ourselves to the highest standard and protect any data that is considered personal under any privacy law applicable to us.
Hence, we understand the term very broadly when we define it as information that relates to an individual and that can be used, directly or indirectly, to identify that individual.
How do we Collect your Personal Data?
We collect your personal data directly from you, with the exception of your journey and activity on our website, as described in more detail below. This information is collected from you automatically, but only if you provide your consent upon visiting our website.
Personal Data of Children
This website and our products and services are not directed, marketed, or meant to be used by persons under the age of eighteen (18). If you think your child might have created an account with us without your consent, you may request the deletion of the account and the data that we have about your child by writing to us at firstname.lastname@example.org.
What Personal Data do we Collect and for What Purpose?
Personal Data we Collect
Family and given name
Last four digits of your credit card
Marketing consents and preferences
With Whom and for what Purpose do we Share Your Personal Data?
Category of Third Party
Data we Disclose
Planning and documentation platforms
Company and customer names
Cloud service providers
Company and customer names, as well as email addresses
API metering tool
Customer profile incl. company name and email address; detected entities upon explicit opt-in
Last four digits of your credit card
Software development tool
Website analytics and lead identification
Software providing online surveys and marketing services ?
Marketing consents and preferences
Redact and PrivateGPT Headless
Our Redact and PrivateGPT Headless solutions are deployed on-prem, meaning that Private AI does not store or have access to the data our customers sent to the tool at any time. In fact, the container by means of which we deploy our solutions is stateless; it has no components that store data. When you send a request, the data gets processed and sent back to you right away. For purposes of processing, the data lives in memory for a few seconds and is then removed right away.
PrivateGPT Chatbot and Web Demo
When using our PrivateGPT Chatbot solution or our web demo, your prompt will be sent for processing to the Microsoft Azure environment. Similar to the Redact and PrivateGPT Headless solutions, the data contained in the prompt lives in memory in the Azure infrastructure for a few seconds and gets purged immediately after the compute is completed and the data is sent back to the customer.
The only data we retain are analytical data: usage metrics, entity types found in the prompts, and the categories of data we find the PII in. We have opted out of allowing Microsoft Azure to share this data with OpenAI. Microsoft Azure is furthemore prohibited from using and sharing with OpenAI model derivative output. This means that neither Microsoft nor OpenAI are able to use model enhancements that were made as a result of fine tuning.
The location of the Microsoft Azure data server on which you data is processed for a few seconds is in North Carolina by default. If you have a concern about this location, you can request for your data to be processed on an alternative server in a different region. As long as there is an Azure server instance in your preferred region, we can accommodate your request.
Private AI has taken all reasonable measures to protect against any access to the data at that moment of processing by using the Azure framework, including ID access management, permission policies based on least privileged access, 2-factor authentication, and access logging and monitoring. All of our processes are thus SOC2 compliant (certification coming soon!).
Some of the third-party service providers listed here may be located outside of the Province of Québec and Canada, including the United States, Germany or elsewhere in the European Union. As a result, your personal data may be accessible to law enforcement, courts, and regulatory authorities in accordance with the laws of these jurisdictions.
Even if our third-party service providers are not themselves located outside of Québec and Canada, they may have sub-service providers to whom they disclose your personal data in the course of the services they provide to us, which may in turn be located elsewhere.
We as the controller of your personal data require our third-party service providers to disclose to us whether they subcontract their services and to give us the opportunity to object. We are therefore in the position to, and we in fact do, carefully assess the subcontractors of our service providers, particularly with regard to their location and the privacy laws in place there.
Our third-party service providers are furthermore obligated to include in the contract with their subcontractor obligations under the GDPR and other privacy laws that protect your data, while they remain fully liable to us for the performance of their subcontractors.
How do we Share your Personal Data?
Before we share your personal data with any third-party service provider, and annually thereafter, we perform our due diligence on them to ensure that your data is safe. We take the following steps, where applicable and feasible:
- – Verifying the service provider is aware of the key requirements of data protection;
- – Researching whether high-profile data breaches recently occurred;
- – Checking whether the service provider is currently or has been under investigation for any breaches of data protection law;
- – Identifying other clients;
- – Clarifying whether the processor is accredited under ISO 27001, CBEST, PCI DSS, or any comparable regime for information security;
- – Reviewing the service provider’s policy framework for security and data protection;
- – Identifying the place of establishment;
- – Carrying out site visits and inspections;
- – Carrying out audits; and
- – Understanding the supply chain and subcontracting
We may be obliged to share your personal data with a court of law or other person(s) or entity / entities with jurisdiction to compel production of such information. We will not share your personal data with such authorities unless we are required by law to do so.
Where do we Store Your Personal Data?
We store personal data that we collect from you or about you on Google and Amazon Web Services Cloud Platform servers in the US. (Please see also the ‘PrivateGPT Chatbot and Web Demo’ section above for the location of the data contained in your prompt when you use these services.)
As noted, your personal data may be transferred to third parties outside of Canada to facilitate or provide certain services on our behalf. These (sub)service providers have access to your personal data only to perform the tasks we have instructed them to complete and are contractually bound not to disclose or use it for any other purpose.
Where personal data are transferred to and stored in a country not determined by the European Commission as providing adequate levels of protection for personal data, we take steps to provide appropriate safeguards to protect your personal data, including entering into standard contractual clauses approved by the European Commission, obliging recipients to protect your personal data as permitted under Article 46(2)(c) of the GDPR.
In the absence of an adequacy decision by the European Commission or of appropriate safeguards as referenced above, we will only transfer personal data to a location outside the EEA where one of the following applies (as permitted under Article 49 of the GDPR):
- – the transfer is necessary for the performance of our contractual engagement with you;
- – the transfer is necessary for the establishment, exercise or defense of legal claims; or
- – you have provided explicit consent to the transfer.
Your Legal Rights to Your Personal Data
Right to know
You have the right to request the categories and specific pieces of personal data we collect including:
Right to request access to your personal data
You have a right to request a copy of the personal data that we hold about you. To do so, please contact us at email@example.com.
Right to request the erasure of your personal data
You have the right to request that we delete or remove personal data where there is no good reason for us continuing to process it.
Erasure requests are subject to certain limitations, for example, we may retain personal data as permitted by law.
Right to request we transfer your personal data to you
Subject to certain limitations, you have the right to request that the personal data we hold about you is transferred to you or to a third party. We will provide you, or the third party you have chosen, your personal data in a machine-readable format.
Right to request correction of your personal data
You have the right to request that we correct the personal data we hold about you, although we may need to verify the accuracy of the new information you provide us. We may refuse to comply with a request for rectification if the request is manifestly unfounded, excessive or repetitive in nature.
Right to request restrictions on the processing of your personal data
You have the right to request that we suspend the processing of your personal data in the following scenarios:
We may refuse to comply with a request for restriction if the request is manifestly unfounded, excessive, or repetitive in nature.
Right to object to the processing of your personal data
In some circumstances, as an EU citizen, you have the right to object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party). We will tell you when we rely on legitimate interest as the basis for the processing of your personal data. We will inform you when we rely on a legitimate interest for the processing of your personal data. If you wish to object to the processing on this basis, you must provide specific reasons for why you object to the processing of your personal data.
EU citizens have an absolute right to object to the processing of personal data for direct marketing purposes if we rely on legitimate interest for that. However, we will usually rely on consent to use your data for direct marketing purposes, and we will tell you otherwise if that is the case.
Right to withdraw consent
You have the right to withdraw your consent at any time.
The withdrawal of consent will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent
Right to non-discrimination
Exercising your right to privacy does not result in different treatment by us or different quantities or qualities of product or service that we offer. Where we request your personal data in exchange for a valuable product or service, we will let you know at the time of the exchange.
Cookies and Similar Technologies
In addition, our website uses Google analytics services to help us understand non-personal facts and figures about users of the website such as:
- – Website traffic;
- – Number of visitors;
- – Location of visitors;
- – Information about the browser version and device type;
- – Referral sources to the website;
- – Demographics of visitors; and
- – Website usage.
Personal Data Retention
We will generally retain your personal data for as long as is necessary to meet our contractual obligations to you, to satisfy the purposes stated above, or as otherwise required by law.
When determining the relevant retention period, we consider:
- – Our contractual obligations and rights in relation to the information involved;
- – Legal obligation(s) under applicable law to retain data for a certain period of time;
- – Statute of limitations under applicable law(s);
- – Guidelines issued by relevant data protection authorities; and
- – Other legal purposes.
In addition to the above, your personal data may be anonymized and used in aggregate. Once it is determined that your personal data is no longer necessary to achieve the purposes we collected it for, we will securely erase your personal data.
You may also request the deletion of your profile by sending an e-mail to firstname.lastname@example.org. It may take up to twenty (20) business days to respond to your request.
Protection of Your Personal Data
We take appropriate technical, physical, and organizational security measures to protect personal data in our custody and control against unauthorized access, use, modification and disclosure, and accidental loss, destruction, and damage.
We are currently in the process of obtaining a SOC2 Type II Audit Report which we will provide upon request, and which will detail our security measures and their effectiveness from an independent party’s perspective. Stay tuned!
As mentioned above, the third-party vendors with whom we engage for specific tasks are required to have certain safeguards in place that comply with industry standards.
That having been said, we cannot guarantee the security of our database, nor can we guarantee that information you supply will not be intercepted while being transmitted to us over the Internet. Any transmission of information from you to Private AI is at your own risk. Where you have chosen a password that allows you to access our Website you are responsible for keeping this password confidential.
Updates To This Privacy Statement
This Privacy Statement and other service specific policies may change from time to time, in accordance with applicable laws. We will notify you of these changes by posting the updated Statement on our website. We may also notify you by sending you an e-mail or by any other reasonable means such as a pop-up notice, if available.
We encourage you to review our Privacy Statement periodically.
How to Report a Privacy Concern
We are committed to maintaining high standards for privacy. We want to hear from you about any concerns you may have with our privacy practices. If you wish to raise a concern or compliment us on our privacy practices, you can contact us at email@example.com.
If we are not able to address your privacy concerns to your satisfaction, you may contact the Office of the Privacy Commissioner of Canada
Office of the Privacy Commissioner of Canada
30, Victoria Street
Phone: (819) 994-5444
TTY: (819) 994-6591