Overview & Scope
ChronoMind, Inc. is committed to protecting the privacy and security of personal information entrusted to us by our customers and users. This Privacy Policy applies to:
- Enterprise customers and their authorized users accessing the Platform
- Individuals who visit our website at chronomind.ai and related domains
- Individuals who contact us for sales, support, or partnership inquiries
- Trial users and demo participants
This Policy does not apply to third-party services linked from the Platform. For enterprise customers, this Policy is supplemented by the Data Processing Agreement (DPA) executed as part of the enterprise subscription agreement, which governs the processing of personal data on behalf of the customer as a data processor.
Data We Collect
2.1 Account & Identity Information
When you create an account or are invited to the Platform, we collect:
- Full name and professional title
- Business email address
- Organization name and industry
- Role and department within your organization
- Profile photograph (optional)
- Authentication credentials (passwords stored as salted hashes; never in plaintext)
- Multi-factor authentication configuration data
2.2 Subscription & Billing Information
For paid subscriptions, we collect billing information through our payment processor (Stripe). We do not store full payment card numbers. We retain billing contact name and address, payment method type and last four digits (tokenized by Stripe), subscription tier and transaction history, and tax identification numbers where required by law.
2.3 Platform Usage Data
We automatically collect usage information when you interact with the Platform:
- Feature usage patterns and session duration
- Pages visited, actions taken, and workflow completion rates
- API call logs including timestamps, feature used, and response times
- Error logs and performance metrics
- IP address, browser type, operating system, and device identifiers
- Referral URLs and navigation paths
2.4 Governance Content (Customer Data)
In the course of using the Platform, you may submit governance-related content including AI use case descriptions, risk assessments, governance policies, evidence files, audit logs, and organizational structure information. This content is Customer Data as defined in our Terms of Service. You retain ownership of all Customer Data. We process it only as necessary to provide Platform services.
2.5 Communications Data
When you contact us, we collect support ticket content, demo request information, feedback and survey responses, and email communication metadata.
How We Use Your Data
3.1 Platform Operation
We use collected data to provide, maintain, and improve the Platform, including authenticating users, processing governance workflows, generating AI-assisted outputs, sending transactional notifications, and providing customer support.
3.2 Billing & Account Management
Billing data is used to process subscription payments, issue invoices, manage subscription upgrades and downgrades, and comply with financial record-keeping requirements.
3.3 Platform Improvement
Aggregated and anonymized usage analytics are used to understand feature adoption, identify usability issues, prioritize product development, and improve Platform performance. Individual user behavior is not shared externally for this purpose.
3.4 Security & Compliance
We process data to detect and prevent fraud, unauthorized access, and security threats; maintain audit logs for compliance purposes; respond to legal requests and enforce our Terms of Service; and comply with applicable laws and regulations.
3.5 Legal Bases for Processing (GDPR)
| Processing Purpose | Legal Basis |
|---|---|
| Platform service delivery | Contract performance (Art. 6(1)(b)) |
| Billing & payment processing | Contract performance (Art. 6(1)(b)) |
| Security & fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Product analytics (aggregated) | Legitimate interests (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
AI-Specific Data Handling
AI Training Data Commitment
Documents you upload for analysis and queries you submit to AI features are never used to train AI models. All AI processing occurs in real-time and your data is not retained by AI providers beyond the duration of the API request.
4.1 AI Feature Data Flow
When you use AI-powered features (Governance Chat, Policy Generator, Document Analyzer, Auto-Assessment, Compliance Checker), the following data handling applies:
- Real-time processing: Your inputs are transmitted to AI service providers (OpenAI, Anthropic) via encrypted API calls for real-time processing only
- No provider retention: AI service providers process your data to generate responses and do not retain your inputs or outputs beyond the API request lifecycle, pursuant to our data processing agreements
- No model training: Your data is explicitly excluded from AI model training, fine-tuning, or improvement under our enterprise API agreements with OpenAI and Anthropic
- Platform-side logging: We log AI feature usage metadata (feature used, token counts, timestamps, anonymized hashes) for billing, compliance, and audit purposes — not the content of your queries or documents
4.2 Document Analysis
Documents uploaded to the Document Analyzer feature are transmitted to AI providers for analysis using encrypted connections, not stored by AI providers after analysis completion, stored in your Platform account storage (Supabase) under your organization’s data isolation boundary, subject to your organization’s data retention settings (1, 3, 7 years, or indefinite), and accessible only to authorized users within your organization.
4.3 PII Handling in AI Features
The Platform implements automated PII detection and sanitization for AI feature inputs. Before transmitting data to AI providers, the Platform scans for and redacts common PII patterns including Social Security Numbers, financial account numbers, and personal contact information. Users are advised not to include unnecessary personal data in governance documentation submitted for AI analysis.
4.4 AI Compliance Logging
For enterprise compliance and audit purposes, we maintain logs of AI feature usage including: timestamp, user identifier (anonymized), organization identifier, feature used, AI provider and model, token consumption, and PII detection status. These logs are retained according to your organization’s audit retention settings and are accessible to authorized compliance personnel within your organization.
Data Sharing & Third Parties
We do not sell personal information. We share data only as described below:
5.1 Infrastructure & Service Providers
Supabase
Database & Authentication Infrastructure
Stripe
Payment Processing
OpenAI
AI Language Model Processing
Anthropic
AI Language Model Processing (fallback)
Resend
Transactional Email Delivery
Google Analytics
Website Analytics
Sentry
Error Monitoring & Performance
5.2 Legal Disclosures
We may disclose personal information when required by law, court order, or government authority; to protect the rights, property, or safety of Company, our customers, or the public; or in connection with legal proceedings. We will provide notice to affected customers where legally permitted.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of Company assets, personal information may be transferred to the acquiring entity. We will notify affected customers and provide options consistent with applicable law.
5.4 No Sale of Personal Information
We do not sell, rent, or trade personal information to third parties for their marketing purposes. We do not share personal information with advertising networks or data brokers.
International Data Transfers
6.1 Transfer Mechanisms
The Platform is hosted in the United States. If you access the Platform from the European Economic Area (EEA), United Kingdom, or other jurisdictions with data transfer restrictions, your personal information will be transferred to and processed in the United States. We rely on the following transfer mechanisms:
- Standard Contractual Clauses (SCCs): We use EU Standard Contractual Clauses (2021/914/EU) for transfers from the EEA to the United States with all sub-processors
- UK International Data Transfer Agreements (IDTAs): For transfers from the United Kingdom
- Data Processing Agreements: All sub-processors maintain DPAs incorporating appropriate transfer safeguards
6.2 EU-U.S. Data Privacy Framework
Where applicable, we rely on the EU-U.S. Data Privacy Framework (DPF) and UK Extension to the DPF for transfers to certified U.S. organizations. Customers may request copies of applicable transfer mechanisms by contacting privacy@chronomind.ai.
6.3 Data Residency Options
Enterprise customers with specific data residency requirements may request regional data storage configurations. Contact enterprise@chronomind.ai to discuss available options and applicable pricing.
Data Retention
7.1 Platform Data Retention Settings
The Platform provides configurable data retention settings allowing organizations to align retention periods with their regulatory and operational requirements:
| Data Type | Default | Options |
|---|---|---|
| Governance documents & assessments | 3 years | 1 / 3 / 7 years / Indefinite |
| Audit logs | 7 years | 1 / 3 / 7 years / Indefinite |
| AI compliance logs | 3 years | 1 / 3 / 7 years / Indefinite |
| User account data | Subscription + 90 days | Not configurable |
| Billing records | 7 years | Per legal requirements |
| Support communications | 3 years | Not configurable |
7.2 Post-Termination Retention
Following account termination, Customer Data is retained for 90 days to allow data export. After the 90-day period, Customer Data is securely deleted from production systems. Backup copies are purged within 180 days. Billing records and legally required data are retained for the applicable statutory period.
7.3 Deletion Requests
Customers may request earlier deletion of Customer Data by submitting a written request to privacy@chronomind.ai. Deletion requests are processed within 30 days, subject to legal retention obligations and active subscription status.
Security Measures
8.1 Technical Safeguards
We implement comprehensive technical security measures including:
- Encryption at rest: AES-256 encryption for all stored data via Supabase infrastructure
- Encryption in transit: TLS 1.3 for all data transmission between clients and servers
- Row-Level Security (RLS): Database-enforced policies ensuring strict multi-tenant data isolation — no organization can access another’s data
- Role-Based Access Control (RBAC): Granular permission system with principle of least privilege enforcement
- Multi-Factor Authentication (MFA/2FA): TOTP-based 2FA available and enforceable for all user accounts
- API Security: Rate limiting, request authentication, and input validation on all API endpoints
- Audit Logging: Immutable audit trail for all data access, modification, and administrative actions
8.2 Organizational Safeguards
- Background checks for employees with access to production systems
- Security awareness training for all personnel
- Vendor security assessments for all sub-processors
- Incident response plan with defined breach notification procedures
- Regular security assessments and penetration testing
8.3 Breach Notification
In the event of a data breach affecting personal information, we will notify affected customers within 72 hours of becoming aware of the breach (as required by GDPR Article 33), and will provide notification to affected individuals as required by applicable law. Notifications will include the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed.
GDPR Rights (EEA & UK Users)
If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) and UK GDPR:
Right of Access (Art. 15)
Request a copy of the personal data we hold about you and information about how it is processed.
Right to Rectification (Art. 16)
Request correction of inaccurate or incomplete personal data. Most account data can be corrected directly in Platform settings.
Right to Erasure (Art. 17)
Request deletion of your personal data where there is no compelling reason for continued processing. Subject to legal retention obligations.
Right to Data Portability (Art. 20)
Receive your personal data in a structured, machine-readable format (JSON/CSV) and transmit it to another controller.
Right to Restriction (Art. 18)
Request restriction of processing in certain circumstances, such as while accuracy is contested or processing is unlawful.
Right to Object (Art. 21)
Object to processing based on legitimate interests, including profiling. You may opt out of analytics tracking at any time.
9.1 Exercising Your Rights
To exercise any GDPR right, submit a written request to privacy@chronomind.ai. We will respond within 30 days (extendable by 60 days for complex requests with notice). We may require identity verification before processing requests. There is no charge for exercising your rights, except for manifestly unfounded or excessive requests.
9.2 Supervisory Authority
If you are dissatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. For EEA users, this is the data protection authority in your EU member state. For UK users, this is the Information Commissioner’s Office (ICO) at ico.org.uk.
9.3 Data Protection Officer
For GDPR-related inquiries, you may contact our Data Protection Officer at: dpo@chronomind.ai
CCPA Rights (California Users)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with specific rights regarding your personal information.
10.1 Your California Rights
- Right to Know: Request disclosure of the categories and specific pieces of personal information collected about you, the sources, purposes, and third parties with whom it is shared
- Right to Delete: Request deletion of personal information we have collected, subject to certain exceptions
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising. No opt-out is required, but you may submit a “Do Not Sell or Share” request to privacy@chronomind.ai
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond those permitted by CCPA
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
10.2 Categories of Personal Information Collected
In the preceding 12 months, we have collected the following CCPA categories of personal information: Identifiers (name, email, IP address); Commercial information (subscription and billing records); Internet or electronic network activity (usage logs, feature interactions); Professional or employment-related information (job title, organization); and Inferences drawn from usage data (feature preferences, engagement patterns).
10.3 Submitting California Requests
California residents may submit rights requests by emailing privacy@chronomind.ai with the subject line “California Privacy Request.” We will respond within 45 days (extendable by 45 days with notice). We will verify your identity before processing requests.
10.4 Authorized Agent
You may designate an authorized agent to submit requests on your behalf. We require written authorization and may verify your identity directly to confirm the request.
Children's Privacy
The Platform is designed for enterprise and professional use and is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe we have collected information from a child, please contact privacy@chronomind.ai.
Policy Changes
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the “Last Updated” date at the top of this Policy
- Notify enterprise customers via email at least 30 days before material changes take effect
- Display a prominent notice within the Platform for active users
- For changes requiring consent under GDPR, obtain fresh consent before processing
Your continued use of the Platform after the effective date of changes constitutes acceptance of the updated Policy. If you do not agree to material changes, you may terminate your subscription in accordance with our Terms of Service.
Contact & Privacy Requests
For privacy-related inquiries, rights requests, or concerns, please contact us through the following channels:
General Privacy Inquiries
privacy@chronomind.aiData subject requests, policy questions, consent management
Enterprise Privacy
enterprise@chronomind.aiEnterprise DPA execution, data residency, custom requirements
Response Times
- General inquiries: Within 5 business days
- GDPR rights requests: Within 30 days (extendable to 90 days for complex requests)
- CCPA requests: Within 45 days (extendable to 90 days with notice)
- Data breach notifications: Within 72 hours of discovery (GDPR)
Document Version: 1.0 · Effective: March 3, 2026 · Last Updated: March 3, 2026
This Privacy Policy is provided in English. In the event of any conflict between translated versions and the English version, the English version shall prevail.