InPolicy LLC ("InPolicy", "we", "us", "our") respects your right to privacy and is dedicated to securing and protecting any information we have about you. This Privacy Policy describes how we collect, use, and share information that relates to an identifiable individual ("Personal Data") and how you can exercise your rights under applicable privacy and data protection laws.
InPolicy provides an AI-powered policy compliance and violation detection platform (the "Service"). InPolicy is headquartered in the United States. This Privacy Policy applies to all users of the Service, visitors to our website, and any other individuals whose Personal Data we process in connection with our business operations. This Privacy Policy is incorporated into and forms part of our Terms of Service. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your Personal Data as described herein.
If you have any questions or concerns about our use of your Personal Data, or if you wish to exercise any of your privacy rights, please contact us at privacy@inpolicy.ai.
1. Definitions
"Customer Data" means account and organizational data provided in connection with the Service — including user name, email address, role, and policy documents uploaded to configure the Service.
"Content" means Input and Output. Input is the text processed through the Service (documents, emails, or other communications). Output is the policy violation analysis and suggestions returned by the Service. InPolicy does not store Content.
"Policy State Summary" means a system-generated record of which policies are active and applicable to a given conversation, containing no message text or personal information. Policy State Summaries do not constitute Content.
"Tenant Knowledge Base" means the structured set of facts assembled and maintained by InPolicy for each customer organization solely to support effective policy enforcement decisions.
"Usage Data" means information reflecting how the Service is accessed and used — including frequency, duration, feature interaction signals, violation detection metadata, and statistical analysis. Usage Data does not include Content or Customer Data.
"Applicable Data Protection Law" means all applicable laws, regulations, and binding guidance relating to the processing of Personal Data, including without limitation the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK Data Protection Act 2018, the California Consumer Privacy Act as amended by the CPRA (Cal. Civ. Code §§ 1798.100 et seq.) ("CCPA"), the Virginia Consumer Data Protection Act ("VCDPA"), the Colorado Privacy Act ("CPA"), the Connecticut Data Privacy Act ("CTDPA"), and any other applicable U.S. state privacy law.
"Data Controller" means the entity that determines the purposes and means of the processing of Personal Data. With respect to Customer Data and Content, the customer organization is the Data Controller.
"Data Processor" means the entity that processes Personal Data on behalf of and under the instructions of the Data Controller. InPolicy acts as a Data Processor with respect to Customer Data and Content processed on behalf of customer organizations.
"Sensitive Personal Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification purposes, health data, data concerning sex life or sexual orientation, or any other category of data classified as "sensitive" under Applicable Data Protection Law. InPolicy does not knowingly collect or process Sensitive Personal Data.
2. Information We Collect
2.1 Information You Provide
When you create an account or use the Service, we collect:
- Account information: name, email address, job title, and organizational affiliation
- Organization information: company name and any information provided when setting up your organization in the Service
- Policy documents: files, URLs, and other materials you upload to configure the Service's policy detection capabilities
- Communications: information you provide when you contact us for support or otherwise communicate with us
We collect this information on the basis of contractual necessity (to provide the Service), legitimate interests (to operate and improve our business), and, where required, your consent.
InPolicy also assembles and maintains a Tenant Knowledge Base for your organization — a structured set of facts drawn primarily from publicly available sources that InPolicy uses solely to make effective policy enforcement decisions. The Tenant Knowledge Base contains no Content and no employee communications. Your organization can review and correct it at any time by contacting security@inpolicy.ai. InPolicy processes the Tenant Knowledge Base on the basis of its legitimate interest in providing accurate and effective policy enforcement services. The Tenant Knowledge Base does not contain Sensitive Personal Data and is never shared with or accessible to other customers.
2.2 Information We Collect Automatically
When you use the Service, we automatically collect Usage Data, including:
- How often you use the Service and which features you interact with
- The volume and types of policy violations detected
- Whether and how you engage with violation suggestions (e.g., accepted, dismissed, resolved)
- Technical information about your browser and device used to access the Service
- Log data including IP address, access times, and pages viewed
We collect this data on the basis of our legitimate interests in operating, maintaining, and improving the Service, and where applicable, on the basis of your consent.
Identity resolution data: where you visit our public marketing website, we may work with third-party identity resolution providers that match your IP address and device signals against their own data sources to identify the business or organization associated with your visit. This data is used for our own business and marketing purposes.
What we do not collect automatically:
InPolicy does not store Content. The text of documents, emails, or other communications processed through the Service is never written to persistent storage. All Content is processed transiently.
Policy State Summaries — system-generated records of which policies are active and applicable to a given conversation, containing no message text or personal information — do not constitute Content and may be retained for the duration of an active enforcement session, subject to a maximum of 30 days.
2.3 Information from Cookies and Similar Technologies
We use cookies and similar technologies to operate and improve the Service, recognize returning users, and understand how the Service is used. A separate Cookie Policy is available at https://inpolicy.ai/legal/cookie-policy.
3. How We Use Your Information
3.1 To Provide and Operate the Service
We use Customer Data and Usage Data to deliver the Service, maintain your account, process policy violation detections, and provide customer support.
3.2 To Improve the Service
We may use aggregated, anonymized Usage Data to develop, improve, support, and operate the Service. We may also generate and retain anonymized analytical metadata derived from our processing, including system-generated categorizations of policy types. Such data cannot be used to identify any customer or individual. InPolicy applies industry-standard anonymization and aggregation techniques designed to ensure that anonymized data cannot reasonably be re-identified. InPolicy periodically reviews its anonymization processes to confirm their continued adequacy. Anonymized data is not considered Personal Data under Applicable Data Protection Law and may be used by InPolicy without restriction.
3.3 No Training on Customer Data
InPolicy will not train any AI models using Content or Customer Data. This commitment extends to all subprocessors. For the avoidance of doubt, InPolicy will not use Content or Customer Data for fine-tuning, reinforcement learning from human feedback (RLHF), embeddings generation for model improvement, or any other form of machine learning model development. This commitment applies regardless of whether the data is anonymized or aggregated. Subprocessors are contractually prohibited from using Content or Customer Data to train or improve their own AI models.
3.4 To Communicate With You
We use your email address to send service-related communications. We will only send marketing communications with your consent, where required by law. You may opt out of marketing communications at any time by following the unsubscribe instructions included in each marketing email or by contacting us at privacy@inpolicy.ai. Please note that even after opting out of marketing communications, we may continue to send you non-promotional, service-related communications, such as security alerts, account notifications, and transactional messages related to your use of the Service.
3.5 To Ensure Security and Prevent Fraud
We use information collected through the Service to detect, investigate, and prevent fraudulent transactions, abuse, and security incidents.
3.6 To Comply With Legal Obligations
We may process your Personal Data where necessary to comply with applicable law, legal process, or enforceable governmental requests.
4. How We Share Your Information
InPolicy shares Personal Data only in the circumstances described below. Some of these arrangements may constitute a “sale” or “sharing” of Personal Data under the California Consumer Privacy Act as amended by the CPRA. California residents have the right to opt out of such sale or sharing as described in Section 8.2, and InPolicy honors Global Privacy Control signals as a valid opt-out request where required by applicable law. InPolicy does not have actual knowledge that it sells or shares the Personal Data of consumers under 16 years of age.
4.1 Subprocessors
| Subprocessor | Purpose | Data Shared | Location |
|---|---|---|---|
| Google Cloud Platform (GCP) | Infrastructure and hosting | Customer Data, Usage Data | United States |
| Google Cloud (Vertex AI) | LLM inference | Transient Content only (not stored) | United States |
| RB2B | Website visitor identity resolution for marketing purposes | IP address, device signals, page view data | United States |
| Marketing analytics and advertising service providers | Website analytics, advertising measurement, and marketing campaign optimization | IP address, device identifiers, browsing activity on our marketing website, consent signals | United States |
The “Subprocessors” label is used in this section for convenience; certain providers listed above may alternatively be characterized as independent third parties or service providers under applicable data protection law.
We will provide at least 30 days' notice before adding or replacing any Subprocessor. All subprocessors are subject to data processing agreements that impose data protection obligations substantially equivalent to those set forth in this Privacy Policy and our Data Processing Agreement. InPolicy conducts due diligence on all subprocessors prior to engagement and periodically reviews their compliance with applicable data protection standards. InPolicy remains responsible for the acts and omissions of its subprocessors to the extent provided under Applicable Data Protection Law.
4.2 Legal Requirements
We may disclose Personal Data if required by applicable law, regulation, or legal process. Where legally permitted, we will notify you of such requests. InPolicy will use commercially reasonable efforts to minimize the scope of any legally compelled disclosure and will seek protective orders or confidential treatment where available. InPolicy will not voluntarily provide Personal Data to any government authority except as required by applicable law or a valid and binding legal process.
4.3 Business Transfers
If InPolicy is involved in a merger, acquisition, or asset sale, Personal Data may be transferred. We will notify you before Personal Data becomes subject to a different privacy policy. Any successor entity or acquirer will be required to comply with the terms of this Privacy Policy with respect to Personal Data collected prior to such transaction. In the event that the successor entity intends to use Personal Data in a manner materially different from this Privacy Policy, you will be given the opportunity to opt out of such use prior to the transfer becoming effective.
4.4 With Your Consent
We may share your Personal Data for other purposes with your prior consent.
5. Data Retention
| Data Type | Retention |
|---|---|
| Account and organization data | Retained for the duration of your relationship with InPolicy; deleted within 30 days of account closure upon request |
| Policy documents (Customer Data) | Retained until deleted by you or upon account closure |
| Content (documents, emails processed) | Never stored — not applicable |
| Policy State Summaries | Retained for the duration of an active enforcement session; maximum 30 days |
| Usage Data (anonymous violation metadata) | Retained for the duration of the customer relationship; deleted within 30 days of account closure upon request |
| Tenant Knowledge Base | Retained for the duration of the customer relationship; deleted within 30 days of account closure upon request |
6. Data Security
InPolicy implements and maintains appropriate technical and organizational measures to protect Personal Data, including: encryption in transit (TLS); access controls limiting production access to authorized personnel; hosting on GCP infrastructure in the United States; and authentication and logging of all internal access. InPolicy is in active preparation for SOC 2 Type I certification. Our current security posture report is available upon request at security@inpolicy.ai.
7. Data Residency and International Transfers
All Personal Data is hosted on GCP infrastructure in the United States. InPolicy does not transfer Personal Data outside the United States. For GDPR customers transferring Personal Data from the EEA, transfers are governed by the Standard Contractual Clauses (Module 2) in our Data Processing Agreement, published at https://inpolicy.ai/legal/dpa. For transfers of Personal Data from the United Kingdom, InPolicy relies on the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as applicable. InPolicy has conducted and maintains a transfer impact assessment to evaluate the level of protection afforded to transferred Personal Data in the United States and has implemented supplementary measures where necessary to ensure an essentially equivalent level of protection as required under Applicable Data Protection Law. A copy of the relevant transfer mechanism documentation is available upon request at security@inpolicy.ai.
8. Your Privacy Rights
8.1 For All Users
Access, correct, delete, or port your Personal Data by contacting privacy@inpolicy.ai. We will verify your identity before processing any privacy rights request. We will not discriminate against you for exercising any of your privacy rights, including by denying you goods or services, charging different prices, or providing a different level of quality.
8.2 For California Residents (CCPA/CPRA)
California residents may know, delete, correct, and opt out of sale or sharing of Personal Data (to the extent any of our activities constitute “sale” or “sharing” under the CCPA). Contact privacy@inpolicy.ai. We will respond within 45 days, with one possible 45-day extension. California residents also have the right to request information about the categories of Personal Data collected, the purposes for which such data is used, the categories of sources from which the data is collected, and the categories of third parties with whom the data is shared. You may designate an authorized agent to submit requests on your behalf by providing written authorization and verification of the agent’s identity. InPolicy will not charge a fee for processing verifiable consumer requests unless the request is excessive, repetitive, or manifestly unfounded. For the purposes of the CCPA, the categories of Personal Data InPolicy collects and the business or commercial purposes for which such data is used are described in Sections 2 and 3 of this Privacy Policy, respectively. To opt out of any sale or sharing of your Personal Data, use the “Do Not Sell or Share My Personal Information” link in the footer of our website, update your cookie preferences, or contact us at privacy@inpolicy.ai. InPolicy honors Global Privacy Control signals as a valid opt-out request.
8.3 For EEA and UK Residents (GDPR)
EEA and UK residents may also object to or restrict processing, and lodge a complaint with your local Supervisory Authority. Contact privacy@inpolicy.ai. We will respond within 30 days, with one possible 30-day extension. EEA and UK residents additionally have the right to: (a) request access to and a copy of their Personal Data in a structured, commonly used, machine-readable format; (b) request erasure of their Personal Data where there is no compelling reason for its continued processing; (c) withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing based on consent before its withdrawal; and (d) request restriction of processing where the accuracy of the data is contested, the processing is unlawful, or InPolicy no longer needs the data but the data subject requires it for the establishment, exercise, or defense of legal claims. The legal bases on which InPolicy processes Personal Data of EEA and UK residents are: (i) performance of a contract (Article 6(1)(b) GDPR); (ii) legitimate interests (Article 6(1)(f) GDPR), specifically the operation and improvement of the Service; and (iii) compliance with a legal obligation (Article 6(1)(c) GDPR). InPolicy does not currently have a designated Data Protection Officer but can be contacted regarding data protection matters at privacy@inpolicy.ai.
8.4 Tenant Knowledge Base Correction
Your organization may request a review or correction of the Tenant Knowledge Base at any time by contacting security@inpolicy.ai.
9. Children's Privacy
The Service is not directed to individuals under 18. The Service is designed for use by business professionals and enterprise customers and is not intended for use by individuals under the age of eighteen (18). InPolicy does not knowingly collect, solicit, or maintain Personal Data from anyone under the age of eighteen (18), or knowingly allow such persons to register for or use the Service. If we learn that we have collected Personal Data from an individual under the age of eighteen (18), we will promptly delete that information and terminate any associated account. Contact privacy@inpolicy.ai if you believe we have inadvertently collected such information. If you are a parent or guardian and become aware that your child has provided Personal Data to InPolicy, please contact us immediately and we will take steps to remove such information.
9A. Do Not Track Signals
Some web browsers transmit "Do Not Track" ("DNT") signals. Because there is no common understanding of how to interpret DNT signals, the Service does not currently respond to browser DNT signals. You may, however, manage your cookie preferences through the mechanisms described in our Cookie Policy. We will update this section if an industry standard for DNT signals is established and adopted.
9B. Additional U.S. State Privacy Rights
Residents of Virginia, Colorado, Connecticut, Utah, and other U.S. states with comprehensive privacy laws may have additional rights under Applicable Data Protection Law, including the right to: (a) confirm whether InPolicy is processing your Personal Data; (b) access your Personal Data; (c) correct inaccuracies in your Personal Data; (d) delete your Personal Data; (e) obtain a portable copy of your Personal Data; and (f) opt out of targeted advertising, the sale of Personal Data, and profiling in furtherance of decisions that produce legal or similarly significant effects (to the extent applicable to our processing activities). To exercise these rights, contact privacy@inpolicy.ai. If InPolicy declines your request, you may appeal the decision by contacting us at privacy@inpolicy.ai with the subject line "Privacy Rights Appeal." InPolicy will respond to such appeals within the timeframe required by Applicable Data Protection Law.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting an updated policy with a new "Last updated" date. InPolicy will use commercially reasonable efforts to provide at least fifteen (15) days’ advance notice of material changes via email to the address associated with your account. Material changes include, without limitation, changes to the categories of Personal Data collected, changes to the purposes for which Personal Data is used, changes to the third parties with whom Personal Data is shared, and any reduction in the protections afforded to your Personal Data under this Privacy Policy. Continued use of the Service after changes are posted constitutes acceptance of the updated policy. If you do not agree to any material changes, you must cease using the Service prior to the effective date of such changes. Your sole remedy for objecting to any material change to this Privacy Policy is to terminate your account in accordance with the Terms of Service.
Notwithstanding the foregoing, InPolicy will not update this Privacy Policy in a way that:
- begins storing Content that is currently processed transiently and never written to persistent storage;
- uses Content or Customer Data to train any AI model; or
- transfers Customer Data or Content outside the United States,
without your express written consent.
11. Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of the State of Delaware, without regard to conflict of laws principles. Nothing in this provision limits any rights you may have under applicable mandatory data protection law in your jurisdiction, including the GDPR or CCPA. Any disputes arising out of or in connection with this Privacy Policy shall be resolved in accordance with the dispute resolution provisions set forth in the Terms of Service. To the extent Applicable Data Protection Law grants you the right to bring a claim before a court or supervisory authority in your jurisdiction of residence, nothing in this Privacy Policy shall be construed to limit or waive such right.
12. Contact Us
InPolicy LLC
901 Powell #8, San Francisco, CA 94108
Email: privacy@inpolicy.ai
Security and DPA inquiries: security@inpolicy.ai
If you are located in the EEA or the UK and have concerns about our data processing practices that we have not been able to resolve, you have the right to lodge a complaint with your local Supervisory Authority. A list of EEA Supervisory Authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en. For the UK, you may contact the Information Commissioner’s Office (ICO) at https://ico.org.uk.