Data Privacy Policy
PURPOSE
Andrena AI inc. (herein referred to as “Organization,” “Company,” “we,” “our,” or “us,” etc.) is committed to protecting the privacy of individuals who interact with us. This policy explains how we collect, use, store, and safeguard personal data to ensure transparency and build trust with our users, customers, and partners.
SCOPE
This policy applies to all personal data collected through the organization’s websites, applications, services, and other interactions with individuals.
DEFINITION
IP Address: A unique string of characters that identifies each computer using the Internet Protocol to communicate over a network.
Personal Data: Any information relating to an identifiable individual (e.g., name, email, IP address).
Processing: Any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.
Data Controller: The entity that determines the purposes and means of processing personal data.
Data Processor: The entity that processes data on behalf of the data controller.
RESPONSIBILITIES
The Head of Technology is responsible for developing, implementing, maintaining, and enforcing the policy.
Employees are responsible and/or accountable for ensuring adherence to this policy’s terms during their job duties.
POLICY
Data We Collect
We may collect the following types of personal data:
- Identification Information: Name, email, phone number, address, date of birth, etc.
- Account Information: Username, account preferences.
- Technical Data: IP address, device identifiers, operating system, cookies, and usage analytics.
How We Collect Data
We collect personal data through the following methods:
- Directly from you: When you fill out forms, create accounts, or contact us.
- Automatically: Through cookies.
- Third Parties: From business partners, service providers, or publicly available sources.
Legal Bases for Processing Personal Data
We process personal data only when permitted by law. The legal bases include:
- Consent: When you provide explicit consent (e.g., marketing communications).
- Contractual Necessity: To fulfill a contract with you (e.g., processing orders).
- Legal Obligation: To comply with legal and regulatory requirements.
- Legitimate Interests: For fraud prevention, improving services, or ensuring security.
How We Use Personal Data
We use personal data for the following purposes:
- Providing and improving our services.
- Processing transactions and managing accounts.
- Communicating with you regarding updates, offers, and support.
- Conducting analytics and research to improve user experience.
- Ensuring security, detecting fraud, and complying with legal obligations.
Data Sharing and Disclosure
We may share personal data under these circumstances:
- Service Providers: With vendors or contractors who perform services on our behalf.
- Legal Compliance: To comply with laws, subpoenas, or other legal processes.
- Business Transfers: In the event of mergers, acquisitions, or asset sales.
- Consent: When you explicitly agree to share your data.
DATA RETENTION
We retain personal data only as long as necessary to fulfill the purposes for which it was collected, unless a more extended retention period is required by law. Afterward, data is securely deleted or anonymized.
Retention Periods for Different Data Types
- User Account Data: Retained for the duration of your use of Andrena AI inc. services. Once your account is closed, data will be securely deleted or anonymized within 90 days, unless otherwise required by legal obligations.
- Usage Data: Includes information about your interactions with the Andrena AI inc. platform, such as feature usage, onboarding quizzes, session replays, and product engagement metrics. This data is retained for the duration of your use of Andrena AI inc. services to provide personalized experiences, improve platform functionality, and support service optimization. Once your account is closed, usage data is securely deleted or anonymized within 90 days.
- Backup Data: Retained for up to 30 days in secure backups, after which it is deleted or overwritten as part of routine maintenance.
Secure Data Deletion
When data is no longer needed for the purposes for which it was collected or required by law, it is securely deleted using industry-standard methods to ensure it cannot be recovered. This includes:
- Secure overwriting for electronic data.
- Secure destruction for physical records, if applicable.
Data Security
We implement industry-standard technical and organizational measures to safeguard personal data, including:
- Encryption (at rest and in transit).
- Access controls and authentication protocols.
- Regular audits and security assessments.
Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request access to your data.
- Rectification: Correct inaccurate or incomplete data.
- Deletion: Request deletion of your data.
- Data Portability: Obtain a copy of your data in a portable format.
- Restriction: Request a limitation on the processing of your data.
- Objection: Object to certain processing activities (e.g., direct marketing).
- Withdraw Consent: Withdraw your consent when processing is based on consent.
To exercise your rights, please contact us at [email protected].
Where We Store and Process Personal Data
Andrena AI inc. operates on Google Cloud Platform (GCP), utilizing its secure and reliable infrastructure located in the United States. GCP provides a robust and scalable environment that enables us to deliver our services efficiently while maintaining strong data protection measures. You can learn more about GCP at cloud.google.com.
Data Storage and Processing
Currently, all personal data collected by Andrena AI inc. is stored and processed exclusively in GCP data centers located in the United States. By centralizing data within the US, we ensure operational efficiency and compliance with applicable laws governing data storage and processing in this region.
Compliance and Security
Andrena AI inc. leverages GCP’s advanced compliance programs and certifications to ensure that your personal data is stored and processed securely. GCP is independently validated against a range of international and industry-specific standards, including:
- ISO/IEC 27001: Information Security Management
- ISO/IEC 27018: Protection of Personally Identifiable Information
- SOC 1, SOC 2, and SOC 3: Service Organization Controls
- GDPR Compliance: Ensuring compliance with the General Data Protection Regulation where applicable.
International Transfers
For users located outside the United States, the transfer of personal data to the US is managed in accordance with applicable laws and safeguards. While Andrena AI inc. currently uses GCP data centers exclusively in the US, we are committed to implementing measures such as encryption, pseudonymization, and compliance with data transfer frameworks to protect your data.
For questions about how your data is stored, processed, or transferred, please contact us at [email protected].
SECURITY
We take reasonable measures to protect your personal information from unauthorized access, loss, or misuse. These measures include implementing industry-standard encryption, access controls, and regular security audits to safeguard your data. However, no method of transmission over the Internet or electronic storage is entirely secure. In the unlikely event of a data breach, we have a detailed Data Breach Procedure in place to address such incidents swiftly and effectively, ensuring transparency and mitigation of potential risks to affected parties.
For more information on how we handle security and data breaches, visit our Data Breach Procedure.
International Transfers and the EU-US Data Privacy Framework
With the implementation of the EU-US Data Privacy Framework as of July 10, 2023, Andrena AI inc. ensures that personal data transfers between the European Union (EU) and the United States (US) are conducted in compliance with this framework. This means personal data transfers can now be performed without the need for additional Supplementary Measures, provided the framework’s provisions are met.
Andrena AI inc. adheres to the requirements of the EU-US Data Privacy Framework to safeguard your data during cross-border transfers. This includes implementing measures that align with the framework’s principles of accountability, transparency, and data protection.
Processing Activities with Andrena AI inc. and Sub-Processors
Processing activities conducted by Andrena AI inc. and its sub-processors remain unchanged; however, we have updated the tools and legal frameworks we rely on for international data transfers. Andrena AI inc. has decided to maintain Supplementary Measures (such as encryption and pseudonymization) to ensure continued data protection. Additionally, we rely on the EU-US Data Privacy Framework (DPF) as an added layer of security for transfers of personal data between the EU and the US.
Sub-Processors Participating in the Data Privacy Framework
The following Andrena AI inc. sub-processors are currently active participants in the EU-US Data Privacy Framework, and we will continue to review and update this list as necessary to ensure full compliance:
- Google Cloud Platform (GCP)
- OpenAI
- SendGrid (Twilio)
- Google Analytics
Transfers to Sub-Processors Not in the DPF
For US-based entities not listed in the Data Privacy Framework List, transfers cannot rely solely on the Adequacy Decision provided by the DPF. In such cases, Andrena AI inc. ensures that these transfers are supported by appropriate safeguards, as required under Article 46 of the GDPR. These safeguards include:
- Standard Data Protection Clauses (SCCs)
- Binding Corporate Rules (BCRs)
- Additional technical and organizational measures, such as encryption and contractual obligations, to protect data subjects’ rights
Continuous Monitoring and Compliance
Andrena AI inc. is committed to ensuring that all sub-processors comply with the necessary data protection standards. We actively monitor the Data Privacy Framework List and conduct regular reviews of our sub-processors to ensure alignment with evolving regulatory requirements. For more information on how Andrena AI inc. ensures compliance with the EU-US Data Privacy Framework and manages international data transfers, contact us at [email protected].
Automated Decision-Making and Profiling
Andrena AI inc. utilizes AI-powered tools, such as the Andrena AI inc. AI agent, to enhance user experiences and streamline platform functionality. In certain cases, automated decision-making and profiling may be employed as part of our services.
What Automated Decision-Making and Profiling Entail
Automated decision-making involves decisions made by AI systems without human intervention.
Profiling involves analyzing personal data to evaluate certain aspects of a user, such as preferences, behavior, or usage patterns.
Examples of automated processes in the Andrena AI inc. platform include:
- Personalized Recommendations
- Usage Analytics
- Subscription Management
User Rights Regarding Automated Decision-Making and Profiling
As per the GDPR, users have specific rights:
- Right to Object
- Right to Explanation
Cookies and Tracking Technologies
We use cookies to enhance your experience. Types of cookies include:
- Essential Cookies
- Analytics Cookies (e.g., _eucid)
Consent for EU Users
Essential cookies do not require consent.
Manage preferences via browser settings.
Children’s Privacy
Not intended for users under 13. If data was collected, contact us for deletion.
Third-Party Links
We are not responsible for external privacy practices.
Updates to This Policy
We may update this policy as laws or practices evolve.
Contact Us
[email protected]