Privacy Policy
1. Introduction
Concentrate AI, Inc. ("Concentrate," "Concentrate.AI," "we," "our," or "us") provides a privacy-first orchestration platform that allows customers to route, monitor, and optimize AI inference and API traffic (the "Services"). We designed this Privacy Policy ("Policy") to explain, in a single place, how we handle personal data under the major privacy regimes our customers care about, including the EU General Data Protection Regulation ("GDPR"), the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other U.S. state privacy laws, and to make clear how we support AI-related transparency and governance requirements (such as California TFAIA, Colorado SB-205, and the EU AI Act).
This Policy applies to:
- Visitors to our website at concentrate.ai;
- Individuals who communicate with us (for example, to request a demo);
- Authorized users of customer accounts;
- Personal data that flows through our platform when customers use our Services.
Because our product is mainly infrastructure, one key point runs through this entire document: for any data that your organization sends to or through the Services, you (the Customer) are the data controller/business. Concentrate processes that data only on your documented instructions.
Where we collect data for our own business purposes (like billing, sales, security, or website analytics), we act as the controller. If anything in your MSA, Order Form, or DPA is stricter than this Policy, the contract wins.
2. Who We Are / Contact Details
Controller (for our own data):
Concentrate AI, Inc.
Address: 1201 N Market St, Suite 200 Wilmington, Delaware 19801, USA
Email: [email protected]
Data Protection Officer (DPO):
Name: Shannon Gelson
Email: [email protected]
Address: Concentrate AI, Inc. Privacy Office, 1201 N Market St, Suite 200, Wilmington, Delaware 19801, USA
3. Roles
3.1 Customer as Controller
When your organization (our "Customer") uses the Services and sends any personal data to us, through us, or to destinations configured in our platform (such as prompts, documents, user identifiers, or metadata), the Customer determines the purposes and means of processing. Under GDPR, that makes the Customer the Controller. Under CPRA and other U.S. state laws, that makes the Customer the Business.
3.2 Concentrate as Processor / Service Provider
For that same Customer Data, Concentrate:
- acts only on the Customer's documented instructions (including those embedded in the configuration of the Service),
- does not sell or "share" that data (as "share" is defined in CPRA),
- does not use that data for targeted advertising, model training, or profiling,
- and discloses it only to subprocessors and only to deliver the Services.
This is the behavior described in our DPA and is consistent with GDPR Articles 28–32.
3.3 When Concentrate is Controller
We act as an independent controller only for:
- running and securing concentrate.ai;
- creating and administering your account and billing;
- sending you product and security notices;
- sales and business development;
- HR and recruiting.
4. Laws We Align With
We designed this Policy to address or map to the following:
- GDPR / UK GDPR (including Arts. 5, 6, 13–14, 15–22, 28, 32, 44–49)
- CCPA/CPRA (incl. Notice at Collection; no sale/share; service provider duties; right to delete, correct, know; sensitive data limits)
- Colorado Privacy Act (CPA)
- Virginia Consumer Data Protection Act (VCDPA)
- Connecticut Data Privacy Act (CTDPA)
- Utah Consumer Privacy Act (UCPA)
- Delaware Personal Data Privacy Act (effective 2025)
- California TFAIA (automated decision tools)
- Colorado SB-205 (AI)
- EU AI Act (2024): our current operations are classified as low-risk; transparency obligations applied
- Cross-border rules (GDPR Ch. V; SCCs; UK IDTA; and EU–U.S. Data Privacy Framework application in progress)
Where a law isn't fully in force or doesn't apply to us yet, we still name it and say how we plan to address it, so you can show your own auditors and customers that your vendor (us) is paying attention.
5. What We Collect
5.1 Data We Collect as Controller
(a) Account & Business Contact Data
- Data Elements: Name, work email, organization, role, login identifiers.
- Purpose: to create and secure your account, to communicate about the Service, to manage the commercial relationship.
- Legal basis (GDPR): Art. 6(1)(b) contract; Art. 6(1)(f) legitimate interest (B2B communications).
(b) Service Usage & Telemetry Data
- Data: IP address, device/browser type, timestamps, API call metrics, features used, error logs.
- Purpose: To operate, secure, and improve the Services; to detect misuse; to produce usage/billing metrics.
- Legal basis: Art. 6(1)(f) legitimate interest (security and service integrity).
(c) Billing & Transaction Data
- Data: Billing contacts, company address, tax/VAT IDs, transaction IDs.
- Purpose: to process payments and meet tax/audit obligations.
- Legal basis: Art. 6(1)(b) contract; Art. 6(1)(c) legal obligation.
(d) Communications & Support Data
- Data: Messages you send to support@…, attachments, screenshots.
- Purpose: to respond to you and improve our product.
- Legal basis: Art. 6(1)(f) legitimate interest (customer service).
5.2 Customer Data We Process as Processor
"Customer Data" means any data (including personal data) that a Customer or its users submit to, route through, or store in the Services. Depending on how the Customer uses the Service, this may include:
- prompt text;
- identifiers of end users;
- documents;
- API payloads;
- model outputs;
- metadata about which model was used.
Important:
- We do not use Customer Data to train models.
- We do not sell Customer Data.
- We do not commingle Customer Data with other customers' data except in strictly aggregated, de-identified ways for security and performance, and only where allowed by the DPA.
- The Customer is responsible for having a lawful basis to collect that data from its own end users.
6. Legal Basis for Processing
When we act as Controller, we rely on:
- Performance of a contract: to provide the Services you asked for.
- Legitimate interests: to secure our platform, prevent abuse, improve features, and grow our business in a B2B context.
- Legal obligation: to keep certain records, respond to lawful requests, or comply with financial/tax rules.
- Consent: only if we ever use optional cookies or send certain marketing where consent is required.
When we act as Processor, the Customer provides the legal basis; we just follow their instructions.
7. Sensitive and Special Category Data
Our Services are not designed for special category data under GDPR Art. 9 (health, biometrics, sexual orientation, etc.) or for CPRA "sensitive personal information." We instruct customers not to send such data unless their agreement with us expressly allows it and they have a lawful basis and appropriate safeguards. If such data is nevertheless routed through our platform, we will protect it using the same technical and organizational measures described below.
8. Cookies and Similar Technologies
On concentrate.ai we may use:
- strictly necessary cookies (to sign you in),
- performance/analytics (to understand usage),
- and security/session cookies.
Where required by law (e.g. in the EEA), we will present a consent banner and only drop non-essential cookies with consent.
9. How We Use Data
We use personal data to:
- provide, maintain, and improve the Services;
- secure and monitor the platform;
- detect, prevent, and investigate fraud or abuse;
- communicate updates, security notices, or changes to terms;
- comply with law and enforce our contracts.
We do not use Customer Data for advertising, profiling, or model training.
10. Sharing and Subprocessors
We don't sell personal data, and we don't "share" personal data for cross-context behavioral advertising under CPRA. We do use a small, named set of subprocessors to run the Service, all under written agreements that impose confidentiality, data-protection, and security obligations at least as strong as ours.
Current core subprocessors (illustrative):
- Amazon Web Services (AWS): primary infrastructure and hosting (U.S. regions, with regionalization available).
- Cloudflare: edge delivery, WAF, DDoS protection, security logging.
- Google Workspace: internal business communications and document management (limited personal data).
We may add or replace subprocessors over time; we will post changes at a dedicated URL (e.g. concentrate.ai/subprocessors) and, where your contract requires, notify you in advance so you can object under the DPA.
We may also disclose personal data to:
- our attorneys, accountants, and auditors (all bound to confidentiality);
- an acquiring entity in the event of a merger or sale;
- competent authorities where legally required, and where permitted we will give you advance notice.
11. International Data Transfers
We operate from the United States and may process data there. To lawfully transfer personal data from the EEA/UK/Switzerland to the U.S., we rely on:
- EU Standard Contractual Clauses (SCCs);
- the UK IDTA / UK Addendum for UK data;
- the EU–U.S. Data Privacy Framework, once our application (currently in progress with the U.S. Department of Commerce) is approved; we will then maintain our certification and re-certify annually.
If you have a data-residency requirement, we can address that in the Order Form or DPA with region-specific hosting.
12. Security and Certifications
We maintain an information-security program consistent with GDPR Art. 32, NIST SP 800-53 principles, and common SaaS best practices. Our measures include:
- TLS encryption in transit;
- encryption at rest for customer content where the underlying infrastructure supports it;
- MFA and role-based access control for internal users;
- logging and monitoring of administrative actions;
- secure SDLC and vulnerability management;
- annual penetration testing;
- employee confidentiality and security training.
12.1 SOC 2
Concentrate has engaged Sensiba LLP, an independent audit firm, to perform SOC 2 Type I and Type II audits. These audits are in progress. Controls aligned with the SOC 2 criteria have been implemented and are undergoing independent evaluation, and evidence is being collected as part of the audit process.
A copy of Sensiba's Audit-in-Progress Engagement Letter can be provided to customers under NDA upon reasonable written request.
13. AI Governance, TFAIA, SB-205, EU AI Act
We know some customers will need to show that their vendors are tracking emerging AI requirements even if the vendor doesn't yet deploy high-risk AI. Here is our position:
- No high-risk automated decision-making. Concentrate does not currently offer or deploy automated decision systems that make or materially influence decisions producing legal or similarly significant effects on individuals (as described in CA TFAIA and CO SB-205).
- Documentation & logging. Our orchestration platform maintains logs of routing, model selection, and usage sufficient to support audits or DPIAs that our customers may conduct.
- EU AI Act alignment. We classify our internal usage as low-risk and operate under documented risk-management, access-control, and data-minimization policies. If/when we introduce higher-risk AI features, we will update this Policy and our technical docs.
- "Not currently applicable." Where a law requires additional impact assessments or consumer-facing notices only when a covered automated decision tool is deployed, we will state "not currently applicable" because we do not deploy such tools today.
14. Retention and Deletion
We keep personal data only for as long as needed for the purposes described in this Policy or as required by law.
- Customer Data (processor): kept for the duration of the Services and typically deleted within 90 days of termination, unless a shorter period is agreed or longer retention is required by law or to resolve a dispute.
- Account, billing, and contract records (controller): kept for up to 7 years to meet tax, accounting, and audit requirements.
- Security and system logs: typically kept for up to 12 months for forensic, security, and continuity purposes, then deleted or anonymized.
- Support tickets: kept for as long as needed to track problems and improve the Service.
If you are the Controller and you ask us (in writing, through an authenticated admin) to delete Customer Data sooner, we will follow your instruction unless we are legally required to keep it.
15. Data Rights
Concentrate AI, Inc. is a privacy-protective infrastructure provider. We do not sell, share, enrich, broker, append, or commercially monetize Personal Data. Even so, privacy laws provide individuals with specific rights. The rights available to you depend on your jurisdiction.
15.1 Right to Access / Right to Know
You may request confirmation of whether we process your Personal Data and obtain a copy of it. You may also request information about the categories of Personal Data processed, the purposes of processing, and the categories of third parties to whom it is disclosed.
15.2 Right to Correction / Rectification
You may request correction of inaccurate or incomplete Personal Data. For enterprise deployments, we may direct your request to your organization's administrator if they control the data.
15.3 Right to Deletion
You may request deletion of Personal Data we hold about you. We will honor this request subject to legal, security, auditing, and fraud-prevention retention requirements. Because we operate with minimal retention, deletion requests generally involve limited data.
15.4 Right to Restriction of Processing (GDPR)
You may request that we restrict processing of your Personal Data in situations allowed under the GDPR, such as when you contest accuracy or when the data is no longer needed but you require us to retain it for legal claims.
15.5 Right to Data Portability
You may request a copy of Personal Data you provided to us in a structured, commonly used, machine-readable format. This right applies only to data you actively submitted to us.
15.6 Right to Opt-Out of "Sale" or "Sharing" (CPRA)
We do not sell or share Personal Data as those terms are defined under the CPRA. We do not engage in cross-context behavioral advertising. If you submit an opt-out request, we will record and honor your choice.
15.7 Right to Opt-Out of Targeted Advertising and Profiling
We do not use Personal Data for targeted advertising, automated profiling, or consumer scoring. You may still opt out of such uses, and we will record your preference.
15.8 Right to Object (GDPR/UK GDPR)
Where permitted, you may object to processing based on our legitimate interests or for research/statistical purposes. We will review your objection in accordance with applicable law.
15.9 Right to Appeal (CO/VA/CT)
If we decline a request, you may appeal our decision within the timeframe required by applicable state law. We will review and respond as required.
15.10 Non-Discrimination
We will not deny services, adjust pricing, degrade functionality, or impose penalties because you exercised a privacy right.
15.11 How to Submit a Request
You may submit a privacy request by contacting [email protected]. We may ask you to verify your identity. For enterprise customers, we may need to redirect your request to your organization if they control the underlying data.
15.12 Regulatory Rights
If you are in the EU, UK, or Switzerland, you may lodge a complaint with your Supervisory Authority. If you are in a U.S. state with a consumer privacy law, you may have the right to contact your state Attorney General.
16. Incident Response and Breach Notification
We maintain a written incident-response plan. If we become aware of unauthorized access to personal data that we host or process, we will:
- investigate and contain the incident,
- notify impacted Customers (Controllers) without undue delay, and
- provide the information the Customer needs to meet its own notification obligations to regulators or individuals (GDPR Arts. 33–34; Cal. Civ. Code §1798.82).
17. Children's Data
Our Services are B2B and not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact [email protected] and we will delete it.
18. Changes to This Policy
We may update this Policy from time to time to account for new laws, new Services, or new security practices. If we make material changes, we will provide reasonable notice through email or the Services. We may implement changes immediately where required to comply with law, address security or abuse risks, or protect the integrity of the Services. We will date-stamp the "Last Updated" line at the top.
19. How to Contact Us
Data Protection Officer (DPO): Shannon Gelson
Email: [email protected]
Postal: Concentrate AI Privacy Office, 1201 N Market St, Suite 200, Wilmington, Delaware 19801, USA
You can also write to [email protected] for:
- a copy of our current subprocessor list,
- a copy of the Sensiba audit-in-progress letter (under NDA),
- or questions about this Policy.
20. Account Communications
We may send account-related communications (including service notifications, security alerts, verification messages, and administrative messages) via email, SMS, or other messaging technologies, including through third-party service providers such as Twilio. You may opt out of receiving non-essential account messages sent via Twilio at any time by emailing [email protected] with your request, or by replying "Opt Out" to the message directly.
Please note that even if you opt out of certain account messages, we may still send communications that are necessary to provide the Services, protect the security of your account, or comply with legal obligations via email.
Addendum: Multimodal Content
1. Scope
The Services may process text, image, audio, and video inputs submitted by Customers or End Users ("Multimodal Content") solely to provide routing, inference, and orchestration functionality as configured by Customer.
For purposes of this Addendum, "Multimodal Content" means any non-textual or mixed-format input or output processed through the Services, including image, audio, video, binary files, structured data, or combinations of text and non-text formats submitted by Customer or its End Users.
Except where expressly agreed in writing, Concentrate processes Customer Data as a processor under applicable data protection laws, including Regulation (EU) 2016/679 ("GDPR"), and does not use Customer Data to train proprietary or third-party foundation models.
Processing is limited to what is necessary for service delivery and security, consistent with GDPR Article 5(1)(b) (purpose limitation) and Article 28 (processor obligations).
2. No General Monitoring Obligation
Concentrate does not proactively monitor or review all Customer Data transmitted through the Services. Nothing in this Privacy Policy creates a general obligation for Concentrate to monitor user content.
3. Unlawful Content
It is the responsibility of Customer to ensure that the Customer Data (including Multimodal Content) complies with applicable law.
If Concentrate obtains actual knowledge that specific content processed through the Services violates applicable laws or the Acceptable Use Policy, Concentrate may restrict access to such content, suspend the associated account, preserve records where legally required, and comply with valid legal process.
4. Child Sexual Abuse Material (CSAM)
The Services may not be used to create, upload, store, transmit, or in any way process Child Sexual Abuse Material or content that sexually exploits minors. If Concentrate becomes aware of apparent CSAM, it will act in accordance with applicable law, including preserving records as required by law and reporting the material and related parties to the appropriate authorities pursuant to 18 U.S.C. § 2258A.
5. Copyright
Customer is solely responsible for ensuring that content submitted to the Services does not infringe the intellectual property rights of third parties.
Concentrate responds to copyright complaints in accordance with the Digital Millennium Copyright Act, 17 U.S.C. § 512, as required by law. Upon receipt of a legally valid notice of claimed copyright infringement, Concentrate may disable access to the identified material and notify the relevant Customer as required by law.