Neurion AI - Data Privacy Policy

Input Data

What We Collect: Data you directly provide through chat conversations, uploaded files, form submissions, API calls, and other direct interactions with the Platform.

How We Use It:

• To process your requests and generate responses
• To provide the services you have requested
• To maintain conversation history for context continuity
• To improve your experience within your own account

Retention: Input Data is retained in accordance with the Data Retention and Deletion section of this Policy. You may request deletion at any time subject to legal and contractual retention requirements.

Queried Data (Agent Operations)

What We Access: Data that our AI agents retrieve or modify from your connected systems, databases, and data sources through authorized integrations. All agent operations are performed using your configured permissions and access credentials.

How We Use It:

• To execute authorized CRUD operations on your behalf
• To provide context for AI-generated responses and recommendations
• To generate insights and analytics based on your data

Access Controls:

• AI agents operate strictly within the permission boundaries you configure
• Agent actions are scoped to your Tenant and cannot access other customers' data
• All agent operations are logged and auditable
• Agents cannot exceed the access permissions granted by your authentication credentials

Generated Data (Insights and Analytics)

What We Create: Metrics, visualizations, reports, recommendations, and other analytical outputs generated by our Insights Agent based on your Customer Data.

How We Use It:

• To provide you with actionable insights about your data
• To generate reports and visualizations you request
• To power recommendation features within your account

Ownership: Generated Data derived from your Customer Data is owned by you, subject to the terms of your service agreement.

Foundation Model Training

We do not use your Customer Data to train foundation models. The base AI models powering our Platform are provided by third-party services (such as AWS Bedrock) and your data is not transmitted to these providers for model training purposes.

Per our infrastructure providers' commitments:

• Your prompts and outputs are not used to train or improve base foundation models
• Your data is processed for inference only and is not retained by foundation model providers for training purposes

Platform Fine-Tuning

We may use aggregated, anonymized, or de-identified data derived from Platform usage to improve our services generally. However:

• Such data cannot be used to identify you or reconstruct your original Customer Data
• You may opt out of this usage by contacting us at [CONTACT EMAIL]

Customer-Specific Fine-Tuning

If we create fine-tuned models using your Customer Data (with your explicit consent):

• Such models are created exclusively for your use within the Platform
• Fine-tuned models are logically and technically isolated to your Tenant
• Your data used for fine-tuning is not commingled with other customers' data
• Fine-tuned models and associated training data are deleted upon termination of your service agreement, unless otherwise agreed in writing

Tenant Isolation Commitment

Our Platform operates on a multi-tenant architecture with strict data isolation controls. Your Customer Data is never accessible to, visible to, or commingled with other customers' data.

Technical Safeguards

We implement the following measures to prevent cross-tenant data exposure:

• Logical Data Separation: All Customer Data is tagged with unique Tenant identifiers and filtered at the application layer to ensure queries only return data belonging to your Tenant.
• Access Control Enforcement: Authentication and authorization controls verify Tenant membership for every data request and AI operation.
• Isolated Processing: AI inference requests are processed with Tenant-scoped context only; no cross-tenant data is included in prompts or retrieved context.
• Vector Database Isolation: If applicable, embeddings and vector data are partitioned by Tenant with access controls preventing cross-tenant retrieval.
• Session Isolation: Each user session is bound to a single Tenant with no ability to access resources outside that Tenant boundary.

AI-Specific Isolation Controls

• AI agents cannot access, query, or reference data from other Tenants
• Generated insights and recommendations are derived solely from your Customer Data
• Conversation history and chat context are isolated to your Tenant
• Any fine-tuned models are exclusive to your Tenant and not shared

Encryption

• In Transit: All data transmitted to and from the Platform is encrypted using TLS 1.2 or higher.
• At Rest: All stored Customer Data is encrypted using AES-256 encryption with keys managed through AWS Key Management Service (KMS).

Access Controls

• Role-based access controls (RBAC) limit internal access to Customer Data
• Access to production systems requires multi-factor authentication
• All access to Customer Data is logged and monitored

Infrastructure Security

Our Platform is hosted on AWS infrastructure, which maintains industry-standard security certifications including SOC 2 Type II, ISO 27001, and others. We inherit and extend these security controls with application-layer protections specific to AI workloads.

AI-Specific Security

• Input validation and filtering to prevent prompt injection attacks
• Output filtering to prevent unintended data disclosure
• Guardrails to block harmful or inappropriate content
• Monitoring for anomalous AI behavior patterns

Retention Periods

Deletion

Upon termination of your service agreement or upon your written request:

• We will delete or anonymize your Customer Data within 30 days
• Backup copies will be purged within 90 days
• Deletion certificates are available upon request
• Any Customer-specific fine-tuned models will be destroyed

Certain data may be retained longer if required by law, regulation, or legitimate business purposes (e.g., billing records, legal disputes).

We use the following categories of subprocessors to deliver the Platform:

A complete list of subprocessors is available upon request. We will notify you of material changes to our subprocessor list in accordance with your service agreement.

Subject to applicable law and your service agreement, you have the right to:

• Access: Request a copy of your Customer Data
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your Customer Data
• Portability: Receive your data in a structured, machine-readable format
• Opt-Out: Opt out of anonymized data usage for Platform improvement
• Audit: Request audit reports and security documentation

To exercise these rights, contact us at [CONTACT EMAIL].

We are committed to maintaining compliance with applicable data protection regulations and industry standards, including:

• SOC 2 Type II (in progress / certified as of [DATE])
• GDPR (for applicable customers)
• CCPA (for applicable customers)

We conduct regular security assessments, penetration testing, and third-party audits to validate our controls.

We may update this Policy from time to time. We will notify you of material changes by posting the updated Policy on our website and, where required, by direct communication. Your continued use of the Platform after such notice constitutes acceptance of the updated Policy.

For questions about this Policy or our data practices, contact:

Zonar Systems Privacy Team
Email: [PRIVACY EMAIL]
Address: [COMPANY ADDRESS]

For data protection inquiries in the EU/EEA, you may also contact our Data Protection Officer at [DPO EMAIL].