Privacy Policy

01 Information We Collect

1.1 Information You Provide Directly

Account Information: Name, email address, phone number, company name, job title, business address, billing and payment information, and communication preferences.

Service Data: Data you upload or provide during engagements, configuration settings, content you create using our services, and support and communication records.

Professional Information: Industry, company size, use case requirements, business objectives, and technical specifications.

1.2 Information We Collect Automatically

Usage Analytics: Platform activity and feature usage, performance metrics, error reports, session duration, and interaction patterns.

Technical Information: IP address and geolocation data, device type, browser and operating system, referring websites, time zone, and language preferences.

02 How We Use Your Information

2.1 Service Delivery

• Provide and maintain our AI implementation and consulting services
• Process transactions and manage billing
• Deliver customer support and technical assistance
• Send service-related communications

2.2 Platform Enhancement

• Improve AI model accuracy and performance
• Develop new features and capabilities
• Conduct security monitoring and threat detection
• Optimize system performance and reliability

2.3 AI Model Training

We may use aggregated, anonymized data to improve our AI models. Individual client data is never shared or used to train models for other clients. Opt-out options are available for all AI model training programs, and strict data minimization principles are applied. No client-specific information is incorporated into our proprietary frameworks such as AMICA or IGNITE.

03 Information Sharing & Disclosure

3.1 We Do Not Sell Your Personal Information

3.2 Limited Sharing Scenarios

Service Providers: We may share information with trusted third parties who assist in cloud hosting and infrastructure management, payment processing, customer support, and security monitoring. All service providers are bound by strict confidentiality agreements and data processing limitations.

Legal Requirements: We may disclose information when required to comply with valid legal processes, respond to government investigations, protect INNOVIZZ's rights and property, or ensure user safety and security.

Business Transfers: In the event of a merger, acquisition, or sale of assets, user information may be transferred as part of the transaction, subject to equivalent privacy protections.

3.3 Client Data Isolation

Each client's data is isolated and segregated with no cross-client data sharing or access. Dedicated encryption keys are maintained per client, with independent backup and recovery systems.

04 Data Security Measures

4.1 Technical Safeguards

• Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit, end-to-end encryption for sensitive communications, and regular key rotation
• Access Controls: Multi-factor authentication, role-based access permissions, regular access reviews and audits
• Infrastructure: Security architecture designed to support SOC 2 Type II and ISO 27001 standards, regular penetration testing and vulnerability assessments, 24/7 security monitoring

4.2 Organizational Safeguards

• Comprehensive privacy and security training for all staff
• Strict confidentiality agreements and background checks
• Defined data breach response procedures with notification protocols within 72 hours
• Forensic investigation and remediation capabilities

05 Data Retention & Deletion

5.1 Retention Periods

• Active Service Data: Retained while your account is active plus a reasonable period for business purposes
• Transaction and Billing Data: 7 years from transaction date (tax and accounting obligations)
• Communication Records: 3 years from last contact
• Usage and Analytics Data: Up to 26 months from collection
• Backup Data: Typically 30-90 days for operational backups

5.2 Data Deletion

Data deletion occurs within 30 days of account closure using secure deletion methods that prevent data recovery. A certificate of deletion is provided upon request. Users may request data deletion at any time, subject to a verification process and exceptions for legal compliance requirements.

06 Your Privacy Rights

• Access: Request copies of your personal information and view data processing activities
• Correction: Update or correct inaccurate information and modify account settings
• Portability: Export your data in machine-readable formats (JSON, CSV, XML) and transfer data to other providers
• Deletion: Request deletion of your personal data at any time
• Communication Preferences: Opt out of promotional emails and customize communication frequency. Critical security and service updates cannot be opted out of.

07 GDPR Rights (European Union)

For EU residents, we process data under the following legal bases: contractual necessity for service delivery, legitimate interests for business operations, consent for marketing and optional features, and legal compliance for regulatory requirements.

Enhanced Rights for EU Residents

• Right to erasure ("right to be forgotten")
• Right to data portability
• Right to object to processing
• Right to restrict processing
• Right to lodge complaints with supervisory authorities

All data subject requests are processed within 30 days, extendable to 60 days for complex requests. Identity verification is required to protect your privacy. Contact our Data Protection Officer at: dpo@innovizz.com

08 CCPA Rights (California, USA)

• Right to know what personal information is collected
• Right to delete personal information
• Right to opt-out of sale (we do not sell data)
• Right to non-discrimination for exercising rights

California residents may submit verified requests and receive a response within 45 days. No charge for up to two requests per year. Contact: privacy@innovizz.com

09 Healthcare & Clinical Data

9.1 HIPAA-Ready Architecture

For healthcare and clinical engagements, our infrastructure is designed to meet HIPAA requirements, including administrative, physical, and technical safeguards, minimum necessary standards for data access, employee training on HIPAA requirements, and Business Associate Agreements (BAAs) available upon request for HIPAA-covered entities.

9.2 Clinical Research Data

Our Clinical Intelligence Consulting services, including work involving CertusAI and AxiomAI frameworks, are designed to support Good Clinical Practice (GCP) compliance, FDA 21 CFR Part 11 electronic signature requirements, complete audit trails for regulatory inspections, and data integrity aligned with ALCOA+ principles.

10 Cookies & Tracking Technologies

10.1 Types of Cookies

• Essential Cookies (Always Active): Authentication, session management, security, and CSRF protection. Required for platform functionality.
• Performance Cookies (Optional): Anonymous usage statistics, platform performance monitoring, error tracking. Can be disabled in cookie preferences.
• Functional Cookies (Optional): User preference storage, language and region settings, accessibility enhancements. Optional and controllable.

10.2 Cookie Management

You can manage cookies through your browser settings, our platform cookie preferences, or third-party opt-out tools. Session cookies are deleted when your browser closes. Persistent cookies are retained for 1-24 months depending on purpose. Analytics cookies are retained for up to 26 months.

10.3 Third-Party Cookies

We may use cookies from trusted analytics, support, and payment processing partners. Details of current third-party integrations are maintained in our cookie preference settings.

11 International Data Transfers

When transferring data internationally, we rely on EU Commission-approved Standard Contractual Clauses, adequacy decisions where applicable, additional safeguards assessments, and regular compliance monitoring. Regional data residency options are available for clients with specific jurisdictional requirements.

12 Children's Privacy

We do not knowingly collect personal information from children under 16. Our services are designed for business use by adults. If we learn that we have collected information from a child under 16, we will delete it immediately.

13 Policy Updates

We may update this Privacy Policy to reflect changes in our services, new legal requirements, enhanced privacy protections, or user feedback. Material changes will be communicated via email notification and a prominent website notice for 30 days. Minor updates will be posted with an updated effective date. Continued use of our services after changes constitutes acceptance.

14 Contact Information

INNOVIZZ Inc.