Privacy Policy

Effective Date: April 19, 2026  |  Last Updated: April 19, 2026
AI Transparency Notice (EU AI Act Art. 50): This website and our platform use AI systems. When you interact with the AI Advisor Lab platform, you are interacting with AI-generated content produced by large language models — not with human advisors. AI outputs may be inaccurate, incomplete, or biased and should be reviewed by appropriate licensed professionals before acting on them.

1. Introduction

AI Advisor Lab™ ("we," "our," or "us") is committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services.

2. Information We Collect

2.1 Personal Information

  • Contact Information: Name, email address, company name, phone number
  • Professional Information: Job title, industry, company size, business requirements
  • Communication Data: Messages, queries, and correspondence with our team

2.2 Technical Information

  • Device Data: IP address, browser type, device information, operating system
  • Usage Data: Pages visited, time spent, click patterns, session recordings
  • Cookies: Session cookies, preference cookies (see Cookie Policy below)

3. How We Use Your Information

  • Service Delivery: Provide AI advisory services and custom team generation
  • Communication: Respond to inquiries, provide updates, and customer support
  • Improvement: Enhance our services, website functionality, and user experience
  • Legal Compliance: Meet legal obligations and protect our rights
  • Marketing: Send relevant updates and promotional materials (with consent)

4. Data Sharing and Third Parties

4.1 Service Providers

Service | Provider | Purpose | Data Shared
AI Processing | Anthropic PBC (Claude API) | AI content generation | Query content, PII-redacted where feasible
Cloud Infrastructure | Amazon Web Services (AWS), us-east-1 | Hosting, storage, CDN, edge security (WAF) | Technical data, IP addresses, stored content
Analytics | Google LLC (Google Analytics 4) | Aggregate usage measurement | IP address, pseudonymous device/session identifiers (loaded only after you opt in via our cookie banner)
Web Fonts | Google LLC (Google Fonts) | Typography delivery | IP address at time of font fetch
Bot Protection | Google LLC (reCAPTCHA v3) | Contact-form anti-abuse | IP address, device signals, interaction data
Payment Processing | Stripe, Inc. | Subscription billing and checkout | Name, email, billing details (card data handled by Stripe, PCI-DSS scope)
Identity / Authentication | Amazon Web Services (AWS Cognito) | Platform login, TOTP MFA, session tokens | Email, password hash, MFA secret
Email Services | Professional transactional-email providers | Platform and support notifications | Contact information, message metadata

Note on analytics/advertising cookies under CPRA: We do not sell personal information for money. If the narrow CPRA definition of "sharing" (cross-context behavioral advertising) applies to any analytics configuration, we disable that configuration and honor Global Privacy Control (GPC) browser signals where present.

5. Data Retention

Data Type | Retention Period | Purpose
Contact Form Data | 24 months | Customer service, follow-up
Session Cookies | Browser session only | Website functionality
Analytics Cookies | 2 years | Usage analysis
AI Query Logs | 30 days (anonymized) | Service improvement
Communication Records | 3 years | Legal compliance, support

6. Your Rights (GDPR & CCPA)

6.1 European Union Residents (GDPR)

If you are located in the European Union, you have the following rights:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your personal data
  • Data Portability: Receive your data in a machine-readable format
  • Object: Object to processing of your personal data
  • Restrict Processing: Limit how we use your data
  • Withdraw Consent: Withdraw consent for processing (where applicable)

6.2 California Residents (CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: Request disclosure of personal information we collect, use, disclose, and sell
  • Right to Delete: Request deletion of personal information we have collected
  • Right to Opt-Out: Opt-out of the sale of personal information (Note: We do not sell personal information)
  • Right to Non-Discrimination: Equal service and pricing regardless of exercising privacy rights
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Limit Use: Limit use and disclosure of sensitive personal information

Categories of Personal Information Collected: Contact information, professional information, internet activity, and inferences drawn from this information.

Sensitive Personal Information (Cal. Civ. Code §1798.140(ae)): We do not collect government identifiers, precise geolocation, account credentials for third-party accounts, genetic or biometric data, health or sexual-orientation information, or the contents of private communications through this website. If such information is ever submitted through the contact form or platform, we treat it as Sensitive PI and do not use it for inferring characteristics.

Your Privacy Choices / Do Not Sell or Share My Personal Information: AI Advisor Lab does not sell personal information for money. We do not "share" personal information for cross-context behavioral advertising as defined under the CPRA. You can submit a privacy request at privacy@aiadvisorlab.ai or via our contact form. We honor Global Privacy Control (GPC) signals as an opt-out preference where applicable.

To exercise your CCPA/CPRA rights, email privacy@aiadvisorlab.ai or info@aiadvisorlab.ai. You may also designate an authorized agent to act on your behalf.

7. Cookie Policy

7.1 Essential Cookies

These cookies are necessary for the website to function and cannot be disabled:

  • Session Management: Keep you logged in and maintain preferences
  • Security: Protect against cross-site request forgery (CSRF)
  • Load Balancing: Ensure optimal performance

7.2 Analytics Cookies (Optional)

These cookies help us understand how visitors use our website:

  • Usage Tracking: Pages visited, time spent, user flows
  • Performance Monitoring: Page load times, error rates
  • Feature Usage: Which features are most popular

8. International Data Transfers

Your personal information may be transferred to and processed in countries other than your own, including the United States. We ensure compliance with GDPR Articles 44-49 through the following appropriate safeguards:

  • Standard Contractual Clauses (SCCs): We use the European Commission's approved SCCs (Decision 2021/914/EU) with all third-country processors
  • Adequacy Decisions: Where available, we rely on European Commission adequacy decisions under GDPR Article 45
  • Supplementary Measures: Additional technical and organizational measures as recommended by EDPB guidelines, including:
    • End-to-end encryption in transit and at rest
    • Pseudonymization and data minimization techniques
    • Regular assessment of third-country legal frameworks
    • Data localization where legally required
  • Transfer Impact Assessments: Regular evaluation of transfer risks and safeguard effectiveness under GDPR Article 35
  • Data Subject Rights: Full exercise of GDPR Chapter III rights regardless of processing location

Primary Transfer Destinations: United States (AWS us-east-1), with data processing agreements ensuring GDPR compliance standards.

9. Data Security

We implement layered technical and organizational measures to protect your information:

  • Encryption in transit: TLS 1.3 for all public endpoints.
  • Encryption at rest: AES-256 on S3, DynamoDB, and RDS; AWS KMS-managed keys.
  • Authentication: AWS Cognito with RS256-signed JWTs; mandatory TOTP multi-factor authentication (active platform-wide since April 5, 2026); httpOnly / Secure / SameSite=Strict session cookies.
  • Edge security: AWS WAF on the application load balancer — rate limiting plus AWS Managed Rule Groups (Common, Known Bad Inputs, SQL Injection); staged promotion to BLOCK in progress.
  • Tenant isolation: Three-layer enforcement (database partition keys, application-level tenant_id checks, runtime assertions) with audit logging of cross-tenant access attempts.
  • Audit logging: SHA-256 tamper-evident audit chain for privileged actions and notification delivery; CloudWatch log retention.
  • Monitoring & response: CloudWatch alarms, GuardDuty, documented Incident Response Plan aligned with NIST SP 800-61; 72-hour GDPR Art. 33 breach-notification commitment.
  • Compliance alignment: Controls mapped to SOC 2 (formal Type II audit planned), NIST CSF 2.0, OWASP ASVS L2, and AWS Well-Architected. We are not currently certified under ISO/IEC 42001 or SOC 2 Type II.
  • Data minimization: We collect only what is needed and redact PII before passing queries to AI sub-processors where feasible.

10. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will notify you of any material changes by:

  • Posting a notice on our website
  • Sending an email to registered users
  • Updating the "Last Updated" date at the top of this policy

11. Contact Information

Privacy Contact

Privacy Email: privacy@aiadvisorlab.ai

General Email: info@aiadvisorlab.ai

Postal Address: Will be provided on written request to privacy@aiadvisorlab.ai. AI Advisor Lab™ is operated in the United States (primary processing region: AWS us-east-1).

EU / UK Representative (GDPR Article 27 / UK GDPR)

We are in the process of appointing a formal Article 27 EU representative. Until an appointed representative is published here, EU and UK residents may exercise their rights directly by emailing privacy@aiadvisorlab.ai with the subject line "EU/UK Data Subject Request." We will not rely on the temporary arrangement to limit any data-subject right.

General Data Protection Inquiries

General Email: info@aiadvisorlab.ai

Subject Line Required: "GDPR Data Subject Request — [Your Request Type]"

Response Time Commitment

We acknowledge privacy requests within 72 hours and provide a complete response within 30 days as required by GDPR Article 12. Complex requests may require an additional 60 days with justification.

Security / Breach Contact

Security Email: security@aiadvisorlab.ai

General Contact: info@aiadvisorlab.ai

12. Trademarks

AI Advisor Lab™ (U.S. Serial No. 99294530), Artificial Structured Intelligence™ and ASI (U.S. Serial No. 99294472), Decision Intelligence as a Service™ / DIaaS™ (U.S. Serial No. 99294491), and U.S. Serial No. 99294420 are trademarks of AI Advisor Lab. All third-party trademarks referenced on this site are the property of their respective owners; any such references are nominative fair-use and do not imply endorsement, sponsorship, or affiliation.

13. Supervisory Authority

If you are not satisfied with our response to your privacy concerns, you have the right to lodge a complaint with your local supervisory authority. For EU residents, you can find your local authority at: https://edpb.europa.eu/about-edpb/members_en

Document Version: 2.0
Legal Basis: GDPR Art. 6(1)(a) Consent, Art. 6(1)(b) Contract Performance, Art. 6(1)(f) Legitimate Interests
Last Review: April 19, 2026